How many zones are there in defense in depth framework?

Defense in depth uses layered protections across distinct zones that reflect trust boundaries. In this framework, there are three zones: the outside network (untrusted), the boundary or DMZ zone (semi-trusted, hosting public-facing services), and the inside network (trusted, where sensitive systems and data reside). Each zone implements its own controls, so if something gets past the outer boundary, it must still get through the DMZ’s protections before reaching the internal network. This separation helps limit the blast radius of breaches and makes it harder for an attacker to move laterally. While some architectures can be further subdivided for more granular control, the common three-zone model captures the essential structure and is why three is the standard answer.