Making security has been Leviathan's home turf and its prime responsibility. Yet, while security states in advanced democracies share this uniform purpose, there is vast variation in how they legitimize and how they make security policies. First, the political authority of elected policy‐makers is sometimes superseded by the epistemic authority of experts. Second, states make security, in some instances, by drawing on their own capacities, whereas in other fields they rely on rules to manage non‐state actors. Based on this variation in authority foundations and policy instruments, we disentangle Leviathan into different types of (i) positive, (ii) managing, (iii) technocratic, and (iv) regulatory security states. Our typology helps better understand contemporary security policy‐making; it advances regulatory governance theory by conceptualizing the relationship between expertise and rules in a complex and contested issue area; and it provides insights into the “new economic security state” and the domestic underpinnings of weaponized interdependence.