I like rule "less is more" and your idea of 3 layers...that's enough to compose wise and effective security combo. But for me 3 layers would be rather:The maximum number of security apps you need is 3 (because there is 3 main attack vectors) for single purpose apps and only 1 for suites.
- Browsers = sandbox or AV (with webfilter) .
- Binaries (exe, etc...) = SRP or Anti-exe or HIPS or AV
- Exploits = anti-exploits
On Win10, you have already an AV and an anti-exploit, so unless you are picky you just need a binary monitor.
When it comes to suites, find one that covers all 3 vectors.
I don't count apps that just automatize manual tweaks like SysHardener or ConfigDefender, they don't have permanent processes.
* network = firewall
* binaries = signatureless - sandbox/SRP/HIPS/BB/Anti-exe or based on signatures - AV
* file/system reverting = backup/snapshots/synch apps/LV.