In a recent webinar, Mythos and Daybreak: What Boards Are Asking and What to Actually Do About It, Zero Networks Field CTOs Chris Boehm and Albert Estevez explored why containment – not speed – is the only reliable advantage for defenders in the AI era. When lateral movement is blocked by default, it doesn't matter how fast an attacker finds a vulnerability or how quickly your team can patch. The breach is contained before it can spread into a crisis. 

We’ll unpack key insights from the session and walk through best practices for protecting your network against AI.  

Mythos and Daybreak: What They Are and Why They Matter for Security Teams  

Anthropic’s Mythos and OpenAI’s Daybreak are frontier AI models capable of finding, analyzing, and generating exploits for vulnerabilities at a speed and scale no human team can match. 

For example, Mythos found over 10,000 previously unknown vulnerabilities in seven weeks, including bugs that had evaded automated detection for decades. In a UK AI Security Institute evaluation, it successfully took over a simulated corporate network in 3 out of 10 attempts using only legitimate access paths.  

“In controlled evaluations where Mythos Preview was explicitly directed and given network access to do so, we observed that it could execute multi-stage attacks on vulnerable networks and discover and exploit vulnerabilities autonomously – tasks that would take human professionals days of work.”  

AI Security Institute  

Daybreak delivers a similar class of capabilities; while OpenAI’s model is also capable of delivering candidate patches, it’s still not possible to deploy every critical patch quickly enough to prevent exploitation.  

Chris Boehm: These are two frontier models that are so cutting edge, they're keeping them contained behind a wall. And one of the prime examples Anthropic brought up was finding 300+ vulnerabilities on Firefox in a very short period of time. The concern is: how do I stay on top of patch management and operations when this is happening? 

Frontier AI models didn't invent new attack techniques; lateral movement, credential abuse, and privilege escalation are well-known tactics. What has changed is the speed at which those techniques can now be applied against vulnerabilities that already exist in the environment – and the scale at which a capable attacker can identify them.  

Gartner noted after Mythos launched that "CIOs must tell their boards they will have to recalibrate their risk appetite for vulnerabilities because faster patch cycles won't be enough." Boards heard that message before most security teams had formed a response to it, leaving CISOs to face an evolving set of questions. 

AI Security Questions: What Are Boards Asking CISOs?  

As models like Mythos and Daybreak continue to dominate headlines, board-level questions for security leaders are increasingly focused on AI-era business resilience. 

Albert Estevez: The most common question I get when I visit customers is: as a company, how do we stop this type of attack inside our network? How will Mythos impact our infrastructure? And then there's the unbudgeted board mandate – go secure us against Mythos. 

Chris Boehm: If AI can find vulnerabilities in our environment at warp speed, how do we protect ourselves? And can you prove our investment is actually reducing the risk? Those are the questions security teams don't always have a crisp answer for. 

Security leaders that come back to the board with a patch acceleration plan are going to have a harder conversation than those who can explain why speed is no longer the variable that matters. 

Why Patching Faster Won’t Solve AI Threats  

According to the 2026 Verizon Data Breach Investigations Report, only 26% of critical vulnerabilities were fully remediated by organizations in 2025, and the median time for full resolution increased by nearly two weeks year-over-year.  

In other words, even before AI-enabled vulnerability discovery and exploitation burst onto the threat landscape, security teams have been struggling to keep up with patching. Frontier models have made traditional patching workflows an untenable solution.  

Albert Estevez: We cannot patch Mythos or Daybreak away. Discovery is infinite now. We can find thousands or even millions of new vulnerabilities every day. And the patching time we have is finite – it's impossible to digest all those patches, validate that a new patch isn't generating a business impact, and move fast enough. Even with prioritization, it will always be late. Because the time AI needs to generate an exploit will always be faster than the time you need to prioritize, test, and apply the patch. 

So, organizations now face an impossible tradeoff: patch immediately and manage updates that contain thousands of fixes at a time, or wait and prioritize while accepting risk exposure. In either case, operational continuity is at risk.  

OT and legacy systems can't always be patched on short notice without planning significant change windows that risk production impact. But leaving vulnerabilities uncovered is just as risky. Attackers can begin moving laterally in as little as 27 seconds, yet the mean time to identify a breach via vulnerability exploitation is 180 days. As AI accelerates exploit generation, that gap will only grow wider.  

Chris Boehm: Even if you have 90% detection, 90% analyst accuracy, 24/7 coverage, and fast response times – when you multiply all those numbers together, you still have a compounding failure rate. We're not blocking, we're not preventing. We're allowing attacks to go through even though we have most of what's necessary. The standard stack isn't enough anymore. 

There is no version of “respond faster” that gives defenders a reliable advantage over AI-enabled attackers. Instead, security teams need an architecture designed for containment to make speed irrelevant. 

Real-Time Threat Containment: Proactive Network Security   

Lateral movement is how attackers escalate a minor foothold into a business-disrupting breach – whether they get in via vulnerability exploitation, credential abuse, or any other initial access vector. The key to making an attacker’s speed irrelevant is building lateral movement prevention into the network architecture.  

Albert Estevez: We need to make the speed of detection and remediation totally irrelevant. How? By building an infrastructure that prevents lateral movement by design. If everything is locked down, it doesn't matter how fast you discover new vulnerabilities or how fast you need to patch them – your system will not allow any new connection that isn't already allowed. Stop running. Contain first. 

With this approach, attacker's speed advantage doesn't translate into business impact because there's nowhere to move in the first place. In a network where lateral movement is blocked by default and privileged ports are closed to all but explicitly authorized identities, a single compromised asset gives attackers very little access.  

Chris Boehm: If you actually contain and isolate appropriately, a hundred vulnerabilities discovered today wouldn't matter. You can go through your standard patch channels, do your testing and validation on your timeline, not theirs. You don't have to be in fear of a thousand patches dropping tomorrow. 

This same principle applies to the second distinct AI challenge organizations are navigating alongside attack acceleration: vulnerabilities created by AI already running inside the network. Employees are using unsanctioned tools, agents are operating with permissions nobody explicitly scoped, and every new connection represents a path attackers can exploit if it isn't governed. 

Albert Estevez: Shadow AI expands the attack surface. You need to govern those tools. Don't let users start using AI tools you haven't provided – you can't stop the adoption, but you can control what's sanctioned and what reaches what. Every agent needs an identity, scoped access, and defined communication paths. If you allow your AI agent to write to your database, the first question you should be asking is why. 

How to Measure AI Security: Metrics That Matter for Resilience  

Security teams have spent years reporting on alert volume, mean time to detect, and mean time to respond. In the context of AI-accelerated attacks, Estevez and Boehm argue those metrics are measuring the wrong thing. 

Albert Estevez: A year ago, customers were all talking about mean time to detect, mean time to respond. I would say ‘okay, mean time to be hacked. What is that time?’ Changing the mindset to contain first means asking: can my business keep running while I'm receiving an attack? The CEO and CIO don't care how long it took to identify something if they're already in the news. 

The metrics that map to board-level concerns include blast radius, mean time to contain, lateral movement scope, and uptime during cyber incidents.  

Chris Boehm: What if you don't have to respond because it's already been contained and isolated? That's what we're measuring now – mean time to containment, blast radius reduction, lateral movement scope, and whether I can prove my uptime stays intact during an incident. That's the shift from 'we saw a lot of alerts' to 'here's proof our architecture is working.' 

Zero Networks' Breach Map makes this visible in a way that resonates at the board level. A CISO can click on any user or device and see what that identity has access to with and without Zero Networks applied. A user with broad privileges might have access to dozens of workloads in an uncontrolled environment. With comprehensive microsegmentation, that scope narrows to only what they actively need and use, often by 90% or more. 

Chris Boehm: The beautiful paradox of microsegmentation is that when it's working well, you don't even notice it. So, we created a way for customers to actually see what it's doing – what their blast radius looks like with and without containment in place. Customers were asking: can you prove the difference of what you're doing? That's the answer. 

Building a Containment Architecture: Best Practices for Protecting Networks Against AI 

To minimize risk exposure in the AI era, security teams should focus on three key priorities: dynamically closing privileged ports, implementing identity-aware microsegmentation, and governing AI agents with identity-based policies.  

Over 70% of enterprise risk activity flows through admin protocols like RDP, SMB, WinRM, and RPC. By closing those lateral movement pathways with network-layer MFA, security teams ensure that administrators with an explicit business need can still get access – but only after identity verification, and only for a limited time.  

Albert Estevez: Imagine that in no time – one single click – you close access to those ports that don't need to be open 24/7. Now the vulnerabilities associated with those ports are blocked. Nobody can access them, exploit them, or bring credentials and try to use them, because those ports are closed behind a policy on the local server. You cannot exploit what is closed. 

Identity-based segmentation delivers the architectural controls to prevent unauthorized lateral movement. By leveraging deterministic, human-on-the-loop automation to create policies based on observed network behavior, organizations ensure granular segmentation won’t disrupt legitimate traffic, but it will break the attack chain.  

Albert Estevez: After you are segmented, an application can only communicate with these specific assets through these specific ports. There are no other endpoints available. You cannot scan the infrastructure to find vulnerabilities because everything is closed. Contained by default – you cannot discover or communicate with other parts of the network unless a policy explicitly allows it. 

Governing AI agents with the same identity-based, least-privilege controls that apply to human users ensures they can only reach what they explicitly need to reach, through the ports they're permitted to use. If an agent deviates from its approved communication baseline, the connection is blocked, drastically shrinking the agentic attack surface.  

These strategies give security leaders a clear, provable answer to questions about Mythos, Daybreak, and any other frontier AI models that may come next. In a network architected for containment, it doesn’t matter how many vulnerabilities are discovered – attackers still have nowhere to go.  

Network Security for the AI Era: Strengthening Cyber Resilience with Zero Networks  

Mythos and Daybreak have set a new capability baseline. The organizations that remain resilient in this evolving threat landscape will be the ones that respond with something more durable than an accelerated patching plan: lateral movement is blocked by default, and we can show exactly how far any attacker could go. 

Zero Networks’ automated, identity-based microsegmentation stops lateral movement and contains any attack – human or AI – to keep the business running. With Zero, security teams get complete AI visibility, deterministic control, and built-in containment to neutralize the risk of machine-speed vulnerability discovery and exploitation.  

To see how Zero Networks gives defenders the advantage in an era defined by Mythos and Daybreak, request a demo.  

If you prevent lateral movement structurally, breaches are automatically contained by the network architecture, ensuring critical operations continue running through cyber incidents. We’ll explore some of the most common lateral movement techniques and offer tips to block attack paths in real time.   

What Are Lateral Movement Techniques? 

Lateral movement techniques are the methods cyber attackers use to move through a network after gaining initial access. These tactics help them:  

• Deploy persistence mechanisms to maintain access  
• Escalate privileges 
• Discover new systems and credentials  
• Reach high-value targets (like domain controllers or sensitive databases)   

Lateral movement is so pervasive that the MITRE ATT&CK framework classifies it as one of the core tactics used in modern cyberattacks. While a hacker may gain access to the network from phishing or compromised credentials, lateral movement techniques are how an initial breach cascades into an enterprise-wide crisis.

Common Lateral Movement Techniques 

Though cyber threats are constantly evolving, many common lateral movement techniques fall into broad categories like:  

• Session hijacking: Attackers take control of existing sessions with remote services  
• Remote services: Using valid accounts, attackers log into services that accept remote connections and perform actions as the logged-on user 
• Alternate authentication: Attackers bypass normal controls through the use of materials like password hashes, access tokens, and Kerberos tickets  

Other lateral movement techniques fall outside of these groups but can prove equally destructive. And in fact, attackers rarely rely on a single technique; instead, they often string tactics together to stay undetected and maintain momentum.  

Living off the Land (LotL) 

Instead of deploying external tools, attackers use built-in utilities like PowerShell, PsExec, or Windows Management Instrumentation (WMI) to move laterally with LotL attacks. Because these tools are part of the operating system, their use blends in with regular network traffic, making this tactic especially challenging to detect.

In fact, in a Red Team Assessment Report, CISA concluded that heavy EDR reliance creates insufficient protection to stop all living-off-the-land attacks. With malware-free attacks now comprising 82% of cyber incidents, proactively blocking lateral movement rather than relying on alerts is more important than ever.  

AI-Driven Lateral Movement (AILM) 

AI-driven lateral movement or AI lateral movement (AILM) is a tactic where adversaries use AI to accelerate the attack chain – achieving impossibly fast breakout times as a result – or weaponize overprivileged AI agents’ legitimate connections to pivot between systems.   

In other words, AILM encompasses two distinct vectors: AI-accelerated lateral movement, where attackers use AI to expedite established lateral movement techniques, and agent-induced lateral movement, where attackers exploit AI agents’ legitimate connections as a new attack surface.  

Compromised Credentials 

Simple or reused passwords make it easy for hackers to guess, brute-force, or reuse credentials across multiple systems; 80% of attacks leverage stolen credentials at some stage. Once they access one asset, attackers often use those same credentials to pivot to others.   

Compromised credentials are particularly risky in this era of excessive privileged access and machine identity sprawl. Ninety-nine percent of users, roles, and services hold excessive standing permissions, often unused for 60+ days. Meanwhile, machine and service identities – which are notoriously over-permissioned and under-monitored – outnumber human identities 109:1, a trend that’s only accelerating amid a massive influx of AI agents in enterprise environments.  

Pass-the-Hash (PtH) Attacks and Pass-the-Ticket (PtT) Attacks  

In a PtH attack, adversaries use a hashed version of a password to authenticate without decrypting it. This technique is especially effective in environments that use NTLM; according to Zero Networks’ Lateral Movement Exposure Report, 43% of internal authentication still relies on NTLM.

PtT attacks use stolen Kerberos tickets to impersonate users and access systems without needing passwords, enabling access to sensitive internal services. In a Golden Ticket attack, the ticket granting ticket (TGT) is stolen, allowing attackers to impersonate any user; Silver Ticket attacks steal service tickets, which enable more limited authentication. 

Internal Spear Phishing  

After gaining access to an account, attackers send convincing phishing emails from within the organization to carry out this lateral movement technique. This tactic is more likely to succeed due to the internal sender and known context. 

Kerberoasting 

This technique involves requesting service tickets for accounts with access to a particular service and attempting to crack them offline. Service accounts with weak passwords are frequent targets, especially when they hold administrative privileges. Kerberoasting is stealthier than a PtT attack since it doesn’t generate unusual network activity.  

Credential Dumping  

Credential dumping extracts usernames, password hashes, or plaintext credentials from memory, local files, or the registry. The credentials are then used in other lateral movement techniques, such as PtH attacks, PtT attacks, or RDP login attempts. 

Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM) 

Two examples of remote services exploitation, RDP and WinRM attacks use stolen credentials to remotely access systems and perform actions as the logged-on user. Zero Networks’ 2026 Lateral Movement Exposure Report found that 87% of monitored servers accept internal RDP or SSH traffic; without strong controls like MFA, this movement can remain undetected for long periods.  

Server Message Block (SMB)  

Another technique involving remote services, this method allows attackers to interact with a remote network share by logging in with stolen credentials. Over 75% of servers are reachable over SMB and WinRM, and since the SMB protocol is primarily used to access files, printers, and serial ports, it’s an easy way for attackers to move laterally through a network. In fact, more than 70% of enterprise threat activity flows through just four privileged management protocols: SMB, WinRM, RDP, and RPC. 

SSH Hijacking 

Attackers can hijack active SSH sessions to gain the same access held by the original user and remotely execute commands on a system. Because it leverages a legitimate user’s existing SSH session to move laterally, this technique often allows adversaries to go undetected.  

Lateral Movement Protection: Why Detection-only Strategies Fall Short  

Many organizations rely on tools like endpoint detection and response (EDR) systems or security information and event management (SIEM) platforms to detect lateral movement. While detection is important, it’s an incomplete strategy for preventing unauthorized lateral movement and protecting business continuity.   

Once attackers are inside a network and moving laterally, the window to contain them narrows quickly – detection often takes too long to prevent damage. Attackers can begin moving laterally in as little as 27 seconds, and with so many lateral movement techniques involving native tools or valid accounts, malicious behavior can be hard to distinguish from legitimate activity. Because of this, there’s a massive gap between machine-speed lateral movement and the 241 days it typically takes to identify and contain a breach.  

Instead of relying solely on detection, organizations must also find ways to prevent lateral movement entirely, proactively strengthening cyber resilience so security teams can shift to containing threats rather than chasing them.  

How to Block Lateral Movement Techniques in Real Time  

Patching entry points won’t effectively prevent lateral movement; to block attackers’ favorite techniques, organizations have to eliminate the internal pathways attackers rely on. The most effective strategies combine network segmentation, identity controls, and real-time access enforcement. 

Key approaches to eliminate lateral movement span:  

• Microsegmentation: Enforce least-privilege access to limit communication between systems to what’s explicitly allowed, isolating every asset to leave hackers stranded.   
• Multi-factor authentication: Apply MFA to privileged ports and services inside the network, making lateral movement techniques that rely on stolen credentials ineffective.  
• Identity-based access controls: Grant access based on verified identity and purpose, not just IP address or location. 
• Automate policy management: Leverage automation-enabled solutions to dynamically generate rules based on observed behavior and continually update policies as the environment evolves.   

Even if attackers manage to breach the network, measures like these cut off their pathways and ensure cyber incidents stay isolated. 

Stop Lateral Movement Before It Starts with Zero Networks  

Zero Networks turns lateral movement pathways into dead ends with automated, identity-based microsegmentation. By orchestrating native firewalls to secure every asset, applying just-in-time MFA at the network layer, and automatically enforcing adaptive policies that evolve alongside your network, Zero ends privilege escalation and maintains dynamic granular controls.   

Protect your network from today’s most common lateral movement techniques while future-proofing your security strategy against new threats – request a demo to learn how.  

Cybersecurity teams know that preventing lateral movement is key to stopping minor cyber incidents before they escalate into enterprise-wide disruption, but applying controls robust enough to effectively halt attackers has historically been considered too complex and disruptive.    

To clarify the destructive network security risks lateral movement poses – and how to prevent them entirely – we’ll explore the underlying vulnerabilities that enable lateral movement, how attackers exploit them, the growing threat of AI-driven lateral movement (AILM), and practical strategies to proactively lock down lateral movement.  

What Is Lateral Movement? Definition, Causes, and Examples

Lateral movement in cybersecurity is the tactic attackers use to move “sideways” (East-West) across the network after gaining initial access, often in search of sensitive data and assets. In other words, lateral movement is how attackers turn a small foothold with minimal access into a widespread security breach impacting business-critical systems. In fact, lateral movement is so pervasive that the MITRE ATT&CK framework classifies it as one of the core tactics used in modern cyberattacks.  

From Compromise to Privilege Escalations: What Causes Lateral Movement?

Lateral movement starts with an initial compromise; today, the most common initial access vectors are vulnerability exploitation, phishing, and credential abuse. With that first foothold, attackers can move laterally through the network when controls aren’t sufficient to stop privilege escalation.  

According to Zero Networks’ analysis of 5.4 trillion activities across 312 enterprise environments, the top 10 risks that enable lateral movement are:  

1. Broad Internal Admin Protocol Exposure 
2. Excessive Internal Reachability 
3. Excessive Privileged Access 
4. Overprivileged Service Accounts 
5. Legacy Authentication Paths 
6. Exposed Control Plane Infrastructure 
7. Internal Vulnerability Pivoting 
8. Lack of East-West Visibility 
9. Single Endpoint to Critical Asset Reachability 
10. Poor Containment Readiness 

These risks represent the structural exposures most responsible for converting a single compromise into enterprise-wide impact. 

Lateral Movement Examples: Notable Incidents

High-profile breaches often use lateral movement to expand blast radius and access critical assets; notable examples include:

• MITRE/Ivanti breach: In January 2024, MITRE’s network was compromised through two zero-day vulnerabilities in Ivanti VPN solutions. The attackers moved laterally through the network by leveraging a compromised admin account, establishing persistent access and harvesting credentials. This breach highlighted the importance of prevention in network security strategies, rather than overreliance on detection and response.
• Change Healthcare ransomware attack: Shortly after the MITRE/Ivanti breach, Change Healthcare was targeted by the ALPHV/Blackcat ransomware group, resulting in the exfiltration of 4TB of data. The attackers infiltrated the network by exploiting compromised credentials; after that, they deployed ransomware and demanded a hefty ransom.
• AT&T breach: In 2024, AT&T confirmed that a threat actor had gained unauthorized access to internal systems by using stolen credentials associated with a third-party vendor. Once inside, the attacker moved laterally to access and exfiltrate customer data, including passcodes and Social Security numbers. The breach underscored a critical gap: MFA was not in place for the compromised entry point. With network-layer MFA and strict privilege enforcement, the attacker’s access could have been blocked before any data was exposed.

What Types of Cyberattacks Use Lateral Movement?

Many attacks rely on lateral movement to maximize their scope and achieve a specific goal. Some attack types that commonly involve lateral movement are:

• Ransomware: To demand the highest possible payout, ransomware aims to infect and encrypt as many systems as possible. Lateral movement enables ransomware to spread rapidly across the network, reaching critical assets and increasing pressure to pay.
• Data Exfiltration: Once inside the network, attackers move laterally to locate sensitive data like personal records, IP, or financial information before transferring it outside the network for ransom, sale, or public exposure.
• Botnet Infection: Lateral movement helps attackers quietly add devices to a robotic network (botnet), growing their control before launching larger-scale operations like distributed denial-of-service (DDoS) attacks.

Critically, lateral movement isn’t just a supporting tactic, it’s the key mechanism for turning small compromises into large-scale incidents.  

Why Does Lateral Movement (Still) Happen?

Lateral movement isn’t a new concept, yet it remains a tried-and-true technique in cyberattacks. Why? It essentially comes down to complexity – both of modern environments and the solutions designed to secure them.   

Still, security leaders working in sectors that mandate robust security postures can’t afford to leave lateral movement unchecked. As Aaron Steinke, Head of Infrastructure at La Trobe Financial put it, “We’re a financial institution, we are very paranoid, that’s the nature of working in finance. Getting control over lateral movement in our network is really essential, and it’s a hard thing to do.”   

Between hybrid system sprawl, vulnerable privileged accounts, and traditional segmentation solutions too complex to deploy at scale, lateral movement remains a pressing cybersecurity risk – one that’s only growing more urgent in the AI era.  

The Growing Threat of AI-Driven Lateral Movement (AILM) 

AI-driven lateral movement or AI lateral movement (AILM) is a tactic where adversaries use AI to accelerate the attack chain – achieving impossibly fast breakout times as a result – or weaponize overprivileged AI agents’ legitimate connections to pivot between systems.   

As AI adoption proliferates, innovation has outpaced security and rapidly expanded attack surfaces. As a result, 57% of organizations have already seen an uptick in security incidents linked to AI usage; nearly two-thirds of organizations don’t have the necessary policies to manage AI or detect shadow AI.   

In many cases, AILM isn’t functionally different than any other type of lateral movement – it’s just far faster. Attackers weaponize the same network vulnerabilities that have always existed, compounded by excessive permissions for AI agents, to expand breach impact faster than any human response cycle can match.  

Microsegmentation is the gold standard in locking down lateral movement, but traditional tools left it out of reach for many organizations.  

Legacy Microsegmentation Implementation Challenges

Unlike traditional network segmentation strategies – which involve dividing a large network into smaller subnetworks, or segments – microsegmentation is a much more granular and robust process that isolates all clients, workloads, applications, virtual machines, and operating systems into segments with individual security perimeters.

In other words, if an attacker manages to access a microsegmented network, they’ll find themselves immediately stranded. The only problem is: legacy microsegmentation solutions are typically so complex that many implementations stall or fail outright.

Nicholas DiCola, VP of Customers at Zero Networks summed up this problem: “Networks are too open, and accounts are too permissive. Once you’re inside the network, it’s very easy for an attacker to move laterally. How do we stop lateral movement? The root way to stop that is by microsegmenting the network – there were some companies out there that were doing that already, why were they not successful? What’s missing? It’s too hard, it takes too much time.”

These labor- and time-intensive implementations are why just 5% of organizations are microsegmenting their networks today, despite grasping the importance. Traditional microsegmentation solutions often require:

• Significant manual work: From manual asset tagging and grouping to policy creation and management.
• Long implementation times: As DiCola said, “Most CISOs move every three to five years on average – they start these projects that don’t even finish by the time the CISO leaves because it just takes a lot of human effort to manage.”
• Agent-based architecture: Since most traditional solutions require installing agents on endpoints, scaling, configuration, and maintenance is difficult.

Although microsegmentation is an accepted best practice for locking down lateral movement, the complexity of legacy solutions has long outweighed the potential benefits.

Privileged Account & Identity Threat Vulnerabilities

Once inside a network, attackers often seek to escalate privileges, exploiting admin and service account vulnerabilities, misconfigurations, or stolen credentials. Weak identity controls make it easier for attackers to:

• Leverage excessive logon permissions
• Use pass-the-ticket, golden ticket, Kerberoasting, and other attacks
• Move laterally across the network without raising alarms

Without strict identity and access controls, hackers don’t have to break in – they can log in. Since the process is generally manual, lengthy, and complex, governing access rights remains a challenge for organizations trying to lock down lateral movement.

How to Detect and Prevent Lateral Movement

Lateral movement happens fast – in this era of AI-accelerated attacks, cyber adversaries can begin moving laterally less than 30 seconds after gaining initial access. That means security teams must shift from reactive alerts to proactive control, prioritizing robust prevention strategies that contain threats before they escalate on top of the detection techniques most organizations already have in place.  

Detecting Lateral Movement

Attackers work hard to stay under the radar, blending in with legitimate traffic and using native tools to avoid triggering alerts. To catch them in time to prevent damage, organizations must deploy layered detection techniques capable of identifying subtle anomalies:  

• Real-Time Monitoring: Detection hinges on recognizing deviations from normal behavior. Always-current network visibility enables teams to recognize suspicious patterns that don’t match documented baselines. Ideally, a visibility tool should be integrated into a platform that also enables real-time enforcement, enabling security teams to quarantine threats in a click.  
• Behavioral Analytics: Machine learning models trained on user behavior can identify deviations like unusual login times, odd file access patterns, or abnormal administrative actions – all signs of potential lateral movement.  
• SIEM & Log Analysis: Security Information and Event Management (SIEM) platforms correlate logs and events across the network, detecting unusual patterns and surfacing potential lateral movement paths.   
• Network Traffic Analysis (NTA): NTA tools evaluate network flow and flag anomalies that could suggest unauthorized East-West traffic, leveraging algorithms to distinguish normal network behaviors from harmful activities.   
• Endpoint Detection and Response (EDR): EDR systems monitor endpoint and network events, helping teams investigate access attempts to high-value systems and track attack progression.  
• Deception Technology: Honeypots and decoy systems lure attackers into revealing their presence, offering early detection of lateral movement activity with minimal risk.  
• Log Management: Centralized log management and analysis solutions sift through access patterns to catch potential privilege escalations or stealthy jumps across systems.  

While lateral movement detection is an important component of a well-rounded cybersecurity strategy, relying too heavily on detection is risky – alerts often arrive too late, don’t fire at all, or don’t add meaningful value. In fact, just 30% of alerts translate to real risk reduction as many attackers move laterally in the shadows.  

Preventing Lateral Movement

Preventing lateral movement outright is the most effective way to stop an attack before it spreads. An ideal prevention strategy combines network controls, identity governance, and automation to seal off potential pathways and reduce the blast radius of a breach.  

Security teams can proactively block lateral movement by:   

• Embracing modern microsegmentation: As we’ve already established, microsegmentation is a powerful way to limit communication between assets unless explicitly allowed. By isolating systems into smaller, controlled network zones, organizations can ensure that even if one system is compromised, the attacker can't easily pivot to others.  Modern microsegmentation reduces the complexity of legacy approaches by integrating directly with existing infrastructure, orchestrating native firewall rules, and eliminating manual work from implementation and ongoing maintenance with robust automation.   
• Automatically enforcing dynamic policies: Static policies can’t keep up with today’s fluid IT environments. Instead, security teams should adopt automated policy creation and enforcement, where rules are generated based on observed behavior and continually updated as the environment evolves.   
• Enforcing least privilege access: User permissions should be tightly controlled using the principle of least privilege (PoLP). Each user, device, AI agent, or application should only have access to the resources required for their role or function. This minimizes opportunities for attackers to exploit over-privileged accounts during a lateral move.  
• Integrating MFA across the network: Beyond user logins, MFA can be applied to critical systems and privileged ports. This approach ensures that even if credentials are compromised, access isn’t granted without a second form of verification, dramatically reducing the attacker’s ability to move laterally.  
• Adopting a Zero Trust mindset: The zero trust model assumes that every device, user, and connection is untrusted until verified – a mindset aligned with this model requires that security accept breaches as inevitable. In practice, this means consistently verifying identity, limiting access, and segmenting network traffic to neutralize threats and stop lateral movement before it begins.  
• Building a layered defense: To truly prevent lateral movement, organizations must adopt 3D network security that not only safeguards against East-West movement, but that also minimizes attackers’ entry opportunities with robust North-South protection (barring entry from the outside world), and Up-Down protection that dynamically controls access to sensitive areas of the network based on identity.   

With strategies like these, security teams can finally control lateral movement before a breach becomes a disaster.   

Stop Lateral Movement in Real Time with Zero Networks

Zero Networks makes lateral movement a relic by delivering automated, identity-based microsegmentation that automatically contains threats to the point of initial access. Unlike the legacy solutions with complex, never-ending implementations, Zero Networks goes live in days – not years – and enforces least privilege access at scale.  

Here’s how Zero Networks locks down lateral movement in record time:

• With automated asset tagging, grouping, and policy creation and management, Zero generates deterministic, fine-grained rules – no complex configurations required.
• Our infrastructure-agnostic solution orchestrates native firewalls to secure every asset and integrate seamlessly into existing environments – without the manual complexity of traditional solutions
• Just-in-time MFA applied at the network layer keeps privileged ports closed until verified, shutting down credential abuse and privilege escalation
• With adaptive policy enforcement, Zero dynamically maintains granular controls that evolve alongside your network

Modern cyber attackers don’t stop at the perimeter – neither should your defenses. With Zero Networks, it’s easier than ever to build a proactive, layered defense that halts lateral movement and leaves hackers stranded – request a demo to learn more. 

As boards look for validation that security investments translate to uptime protection, security leaders need more than a Zero Trust strategy – they need a resilient architecture that enforces that strategy, and the outcomes to prove it.  

But most security programs are still reporting on detection-centric metrics like alert volume that measure activity rather than impact. To effectively measure cyber resilience and communicate the ROI of Zero Trust investments, security teams need outcome-oriented metrics tied to operational continuity.  

We’ll walk through the cyber resilience metrics that demonstrate Zero Trust maturity, share strategies for leveraging a business impact analysis (BIA) to assess resilience, and lay out best practices for tying security investment to business outcomes.  

Zero Trust and Cyber Resilience: How Do They Connect?  

Zero Trust and cyber resilience are built on the same foundational assumption: that compromise is inevitable. Where they differ is in emphasis – Zero Trust is a security philosophy that removes implicit trust, while cyber resilience is the business outcome that philosophy is meant to produce. 

In other words, a Zero Trust architecture is how security teams implement the “never trust, always verify” philosophy across key pillars; cyber resilience is the so what – the underlying objective to absorb any attack without disrupting the business.

How Zero Trust Drives Cyber Resilience Outcomes  

In a typical attack, adversaries gain a foothold, move laterally through the environment, and escalate privileges to reach high-value systems. Unrestricted lateral movement is what turns a minor cyber incident into a major operational disruption.  

Zero Trust eliminates the conditions that make attack progression possible by enforcing least privilege access across every identity and communication path, requiring explicit verification for every connection, and closing internal access by default. In other words, Zero Trust security strengthens cyber resilience by promoting proactive controls across every layer of network traffic. 

When lateral movement is structurally constrained, attackers have no way to expand their footprint – blast radius stays small and critical operations continue running.  

While properly implemented Zero Trust controls directly lead to cyber resilience, those outcomes are only provable when security leaders measure and report on the right metrics.   

4 Cyber Resilience Metrics Security Leaders Should Track  

Most security teams default to metrics that are easy to capture, like alert volume, detection coverage, or patch rates. But detection-centric metrics quantify security activity, not outcomes. 

To effectively measure cyber resilience, security leaders have to begin tracking metrics that signal minimized impact from breaches and downtime avoided – prioritize reporting on these four dimensions to translate the business value of security spending.  

1. Blast Radius: Reducing the Potential Damage of a Breach  

Blast radius refers to the total scope of potential damage resulting from a breach – it’s defined by the breadth of systems an attacker can reach, the volume of data they can access or encrypt, and the operational disruption they can trigger from a single foothold.  Most enterprise networks operate with uncontrolled blast radius – a single compromised system can enable access to 85% of the environment within one hop, which is why 86% of cyber incidents now cause operational downtime, reputational damage, or both.  

A mature Zero Trust architecture shrinks blast radius by design: microsegmentation isolates assets into secure zones and identity-based access controls enforce comprehensive least privilege, creating a closed-by-default network. By tracking how blast radius contracts over time, security leaders can clearly demonstrate that controls are effectively preventing a minor breach from cascading into an operational crisis. 

2. Lateral Movement Pathways: Containing Attackers by Default  

Most enterprise networks accumulate excessive internal access paths over time through legacy configurations, over-scoped permissions, and standing privilege that outlives its purpose. With every lateral movement pivot across one of these pathways, attackers capitalize on an uncontrolled blast radius.  

Tracking lateral movement pathways as a measure of cyber resilience requires actively quantifying how many internal communication routes exist that aren't operationally justified and deliberately reducing that number. Fewer pathways mean less room for attackers to operate, which directly translates to smaller blast radius and faster containment when incidents do occur. Reporting on the reduction in open lateral movement pathways over time demonstrates proactive cyber resilience via structural risk reduction before an incident occurs.  

3. Time-to-Containment: Stopping Attacks in Real Time  

Time-to-containment measures how quickly a breach is locked down after initial access. The faster an attack is contained, the less likely it is to have a significant operational impact. Many organizations still rely on manual detection and response workflows, and it shows: the mean time to contain (MTTC) a breach is 60 days – on top of the 181 days it takes to detect a breach in the first place.  

When internal access is closed by default and lateral movement pathways are governed by identity controls enforced at the network layer, containment doesn't wait for an analyst to act – it's a built-in property of the network itself. Tracking time-to-containment clearly demonstrates the shift from reactive coordination to architectural enforcement, validating that security investment is reducing operational exposure and not just improving detection scores. 

4. Uptime and Continuity During Cyber Incidents 

Operational uptime during a cyber incident is the most direct business-facing resilience measure – and the one that resonates most at the board level. When critical services continue running through a breach, the organization has demonstrated true cyber resilience under pressure.  

Tracking this metric starts with knowing what "critical" means in your environment: which services cannot tolerate disruption, what their maximum tolerable downtime is, and which systems and dependencies they rely on. Using a business impact analysis (BIA) to build that foundation, security leaders can tailor enforcement to identified business priorities and prove alignment by measuring uptime as a consistent post-incident benchmark. Over time, a strong uptime record during incidents is the most compelling evidence a security leader can bring to a board conversation about whether Zero Trust and cyber resilience investments are working. 

How to Conduct a Cyber Resilience Assessment 

Measuring cyber resilience requires a baseline. To establish it, security leaders need a structured assessment grounded in business priorities, not just technical exposure. CISOs can take a BIA from documentation to enforcement in three steps: identifying what matters most to the business, mapping exposure to those priorities, and building the controls to proactively close attack paths. 

Step 1: Identify Critical Assets and Quantify Business Exposure 

Before any technical measurement is possible, security leaders need organizational alignment on what actually matters. For each asset, the goal is to understand its criticality across five dimensions: 

Regulatory classification: Would a breach trigger reporting obligations, fines, or disclosure requirements? 

• Revenue exposure: Would downtime disrupt goods, services, or measurable revenue streams? 
• Financial sensitivity: Does the asset have the ability to issue or redirect payments? 
• Customer notification burden: Would a compromise require customer notification that could damage relationships?  
• Reputational sensitivity: Does the asset touch communications, brand, or the organization's core value proposition? 

With a prioritized critical asset inventory and a business exposure profile for each, security leaders establish the foundation for effectively assessing cyber resilience.  

Step 2: Map Attack Paths and Baseline Controls  

Once critical assets are identified, the security team's job is to map realistic paths from common ingress points, such as a compromised user, compromised cloud identity, technical perimeter entry, or trusted third-party access. For each path, the analysis documents three dimensions: 

• Path distance: How many network segments, authentication boundaries, or inspection points sit between the ingress point and the critical asset? Fewer barriers mean bigger blast radius.  
• Privilege requirements: How many escalation steps does an attacker need? Vulnerabilities like persistent privileged access, over-scoped service accounts, and cached credentials can collapse multiple escalation steps into one. 
• Data layer controls: If an attacker reaches the critical asset, what limits what they can do? For example, identity-based access controls can reduce the business consequences of a breach, even when an attacker gets inside the network.  

This analysis delivers clarity around the enterprise’s highest-cost path: the easiest attack against the costliest asset, which represents the most urgent starting point for investment. 

Step 3: Prioritize Structural Controls and Measure Progress 

With paths mapped and exposure quantified, security leaders can easily prioritize investments and report on their impact. Structural controls that increase path distance, such as network segmentation or just-in-time authentication boundaries are the highest-leverage interventions because they can eliminate entire compromise scenarios.  

Critically, each control should be tied back to the business priorities identified in Step 1: which attack path does it break, which critical asset does it better protect, and how does it reduce business exposure? That direct line from investment to risk reduction is what makes budgetary conversations concrete and cyber resilience metrics meaningful. 

As Zero Trust maturity advances, the Step 2 analysis should be re-run. When attack paths get longer (or disappear), escalation requirements increase, and blast radius contracts, CISOs gain the evidence they need to prove that a cyber resilient architecture has delivered meaningful business value.  

Build a Cyber Resilient Architecture with Zero Networks  

Zero Trust security maps directly to meaningful cyber resilience outcomes, but most teams struggle when it comes to implementation – 88% of CISOs report significant challenges operationalizing Zero Trust, and the gap between strategy and structural enforcement makes it difficult to prove the value of cyber resilience investments.  

Zero Networks closes that gap with automated, identity-based microsegmentation. Zero provides immediate visibility into every identity and asset on the network, then automatically enforces adaptive, identity-aligned policies that prevent lateral movement by default. The average Zero customer achieves 90%+ segmentation within 90 days, fast-tracking Zero Trust maturity to preserve uptime, protect revenue, and strengthen cyber resilience.  

Find out how Zero Networks can help you build a cyber resilient architecture with measurable business value – request a demo.   

As AI usage outpaces governance, nearly two-thirds of organizations don’t have the necessary policies to manage or detect shadow AI. The challenge for security leaders is twofold: uncovering unsanctioned AI usage in the first place, then implementing controls to effectively secure AI.  

We’ll provide a comprehensive overview of shadow AI, how it’s contributing to an evolving threat landscape, and what security leaders can do now to detect and govern AI across the environment.  

What Is Shadow AI?  

Shadow AI refers to the use of any AI tool or application without formal IT and security oversight or approval.  

Examples of shadow AI can include everything from unsanctioned generative AI platforms accessed on corporate devices and AI agents deployed by developers without security visibility to autonomous workflows embedded in third-party software and LLM integrations that live inside tools organizations already trust.  

Cyber pros aren’t strangers to the challenge of securing unseen and unsanctioned tech after years of contending with shadow IT, but the AI era has added urgency to this fundamentally familiar threat.  

AI Security Risks: Expanding Attack Surfaces, Lateral Movement, and Compliance Gaps 

Cyber risks related to AI vulnerabilities rank as organizations’ fastest growing concern, but most security teams don’t have the necessary capabilities to effectively control AI – traditional tools were designed for a different threat model. 

For example, application-layer controls see managed endpoints and known SaaS traffic routed through a proxy. They were built to govern what human users access through browsers and approved applications, not to see what AI agents access through APIs, what machine identities are doing across cloud workloads, or how AI capabilities embedded in sanctioned tools are behaving on the network. That enforcement blind spot is what makes shadow AI so risky, leaving security teams to manage:  

• Access path proliferation: Every unsanctioned AI tool creates new connections to corporate data, external APIs, and internal systems that are often undocumented, over-permissioned, and persistent. AI agents compound the problem as they accumulate permissions over time through policy drift, tool chaining, and expanding task scope, frequently without security team visibility.  
• Lateral movement exposure: Shadow AI tools and agents typically operate with implicit trust inside the network, contributing to a rapidly expanding AI attack surface. In environments where a single compromised host can reach 85% of internal systems in the first hop, over-privileged and under-monitored AI creates a new lateral movement highway adversaries can exploit without triggering alarms. 
• Cyber compliance gaps: Organizations subject to frameworks like NIS2, DORA, or CIS Benchmarks cannot demonstrate policy adherence for connections they don't know exist. In other words, shadow AI creates operational and regulatory exposure that only compounds over time as AI usage scales. 
• The collective result? Security incidents linked to AI usage are skyrocketing, with 57% of organizations already reporting an uptick – and the impact is quantifiable. The average cost of a data breach is $670,000 higher for organizations with high levels of shadow AI, and it takes 247 days to identify and contain a breach involving shadow AI.  

To effectively address AI security risks before they spiral into disruptive breaches, teams need both comprehensive visibility and network-layer control. 

How to Detect Shadow AI: Real-Time Network Visibility  

Most detection tools are calibrated to catch anomalies that shadow AI doesn’t produce. When an employee accessing an unsanctioned AI service looks like ordinary web traffic, organizations can’t rely on alerts and dashboards built for a different threat landscape to uncover shadow AI.  

Instead, security teams need continuous, live visibility into every asset and identity on the network, delivering the granular clarity to answer three key questions:  

1. Which SaaS AI destinations are users and devices reaching? If an organization has standardized on Copilot, nothing on the network should be reaching ChatGPT, Gemini, or other unapproved services. Real-time traffic visibility surfaces misalignment between AI policies and behavior, making enforcement possible the moment an unauthorized connection appears, not after a log review. 
2. Which AI agents are running and what are they connecting to? In many environments, AI agents are deployed by developers and business units without security team visibility, meaning there's no reliable inventory of what's running, what it's authenticating to, or what it can reach. Real-time visibility into asset-to-asset and identity-to-asset communication allows teams to identify and govern AI agents before they become a liability.  
3. Where does AI access exceed operational need? Even sanctioned AI can lead to hidden vulnerabilities – for example, an agent might be deployed for a narrow task but connecting to a CRM, a production database, and a set of external APIs. When the gap between operational need and real-world connectivity remains invisible, it can’t be mitigated. 

Visibility into every AI tool and agent across the environment is a critical starting point, but it must feed directly into control.  

Securing AI: 4-Step Framework for Visibility and Control 

Security teams understand the urgent need to detect shadow AI, but seeing the full scope of exposure is only valuable when that visibility drives enforcement. Rather than prioritizing shadow AI detection in a vacuum, leverage this four-step approach for translating real-time network visibility into enforceable controls that govern every AI tool, agent, and integration in the environment. 

1. Maintain a Real-Time Inventory of AI in Your Environment   

Start by implementing continuous network monitoring that maps every AI-related identity, tool, and connection in the environment through observed traffic rather than relying on declared inventories or deployment logs. This end-to-end visibility forces shadow AI into the spotlight, enabling security policies tailored to network realities rather than best guesses or point-in-time snapshots.  

2. Block Unsanctioned AI by Default  

Define an approved list of cloud AI services and automatically block any connection to a SaaS AI destination outside of that list. With network-layer enforcement, security teams can ensure policies are applied universally across users, devices, and workloads regardless of how they're connecting. 

3. Govern AI Agents with Least Privilege Policies 

Every AI agent running in your environment is a process with an identity – like any other identity, agents should only be able to reach what’s explicitly necessary. Apply identity-based access controls to every AI agent in the environment with permissions tightly scoped to operational need.  

4. Automate AI Security Policy Lifecycles  

As the network changes, security gaps can emerge if AI governance relies on manual upkeep. Automated policy lifecycle management – powered by a deterministic, human-on-the-loop engine – adapts controls as the environment evolves, enforcing access deterministically and continuously without creating long-term operational debt.  

Identify, Segment, and Contain AI with Zero Networks  

With Zero Networks, security teams can easily uncover shadow AI and gain true control over the AI running in their environments. Zero’s AI Segmentation capabilities deliver complete AI visibility, deterministic enforcement, and built-in control to transform AI from a risk into a governed, enforceable part of the environment:  

• SaaS AI Control governs which cloud AI services users and devices can access, automatically blocking every unapproved destination. 
• AI Agent Control applies the same identity-based least-privilege controls governing every user and device to every agent in the environment. 
• AI Lateral Movement Control eliminates the open network that compromised AI tools and agents would otherwise move through by enforcing granular least privilege access controls everywhere.  
• LLM Protection segments the model infrastructure at the network layer so only authorized systems can reach it. 

Learn how you can detect shadow AI and scale network-layer security policy enforcement to achieve true control with Zero Networks – request a demo.  

Exclusive Networks and Zero Networks have built an alliance across different regions in Europe — and now that foundation is expanding. With this next chapter in Belgium, more partners and organizations gain access to true cyber resilience via automated, identity-driven microsegmentation that stops lateral movement and contains any attack — human or AI — before it becomes a crisis.

Steven Alen, Country Manager Exclusive Networks Belgium, highlighted:

We’re excited to bring Zero Networks’ innovative zero trust approach to the Belgian market. Their automated microsegmentation and adaptive access controls help organizations prevent lateral movement, reduce operational risk, and strengthen cyber resilience in a scalable and practical way.

Rob Toblin, VP North Region Exclusive Networks, added:

We’re excited to welcome Zero Networks into our cybersecurity portfolio. Their innovative approach to zero trust—particularly their plug-and-play microsegmentation and adaptive access controls — aligns perfectly with our mission to deliver disruptive, effective solutions to our partners. This partnership strengthens our ability to help organisations of all sizes secure their environments in a scalable and intelligent way.

Adam Hofeler, VP Sales & GTM at Channel at Zero Networks, commented:

Exclusive Networks Belgium gives us the reach and local expertise to get identity-aligned, automated containment in front of the organizations that need it most. They don't just move product — they truly believe in and invest in the technology they represent. That's exactly the kind of distribution partner that accelerates real market impact for real business resilience.

Empowering Reseller Partners

This partnership is designed with reseller partners in mind. By combining Zero Networks’ rapid deployment model and Exclusive Networks’ value-added services, partners will benefit from:

• Access to cutting-edge zero trust technology that meets the growing demand for scalable, identity-based security that helps organizations protect uptime, contain attacks before they spread, and ensure a breach never has to mean a disruption to the business.
• Accelerated deployment timelines, enabling faster customer onboarding and quicker ROI.
• Enhanced margin opportunities through deal registration, marketing support, and training incentives.
• Comprehensive technical enablement, including certifications, pre-sales support, and co-branded campaigns.
• Strategic alignment with a trusted distributor, helping partners build credibility and close deals more effectively.

About Exclusive Networks

Exclusive Networks (EXN) is a global cybersecurity specialist that provides partners and end-customers with a wide range of services and product portfolios via proven routes to market. With offices in over 45 countries and the ability to serve customers in over 170 countries, we combine a local perspective with the scale and delivery of a single global organisation.

Our best-in-class vendor portfolio is carefully curated with all leading industry players. Our services range from managed security to specialist technical accreditation and training and capitalize on rapidly evolving technologies and changing business models. For more information visit www.exclusive-networks.com

In the traditional compliance model, a security team spends weeks preparing documentation, evidence, and control narratives ahead of an audit; auditors review the package, ask questions, issue any findings, and sign off. But this point-in-time approach doesn’t guarantee the continuous cyber resilience that frameworks like NIS2, CIS, PCI-DSS, and DORA require.  

To meet an ever-expanding patchwork of cyber-related regulatory mandates without adding more operational complexity, security teams need a fundamentally different approach to compliance, making it a continuously enforced operating state rather than a periodic reporting exercise.  

We’ll walk through what that shift looks like: from the architectural changes that make continuous enforcement possible to the AI-powered risk scoring capabilities that allow security teams to prove posture against key frameworks in real time.  

How to Leverage AI for Cybersecurity Compliance 

"AI-powered" cybersecurity tools are everywhere, but not all use cases are created equal. Compliance is one area where AI delivers real value – modern enterprise environments generate too many connections, identities, and behavioral signals for security teams to manually map against framework requirements continuously. AI handles this at scale: querying live network activity, scoring posture against frameworks like NIS2 and CIS, and surfacing the most critical gaps as they emerge. 

But compliance also requires enforcement, which demands a different kind of precision. Security controls must be exact – just a 1% error rate in segmentation can break applications, disrupt operations, and create the gaps that auditors and attackers alike will find.  

So, a deterministic enforcement engine is a key complement to AI-driven compliance insights. Policies must be based on real network behavior rather than probabilistic inference to ensure granular controls don’t disrupt operations.  

Together, these capabilities create a scalable compliance motion: AI delivers actionable intelligence; a deterministic policy engine handles precise enforcement. This combination makes continuous compliance possible.  

What Is Dynamic Risk Scoring and How Does It Work? 

Dynamic risk scoring is the continuous, AI-powered evaluation of an organization's security posture against compliance framework requirements. By leveraging an AI-enabled solution, security teams can ensure this dynamic snapshot of risk exposure relative to compliance requirements stays updated as the environment changes, rather than being recalculated on a fixed schedule.  

Traditional compliance risk management relies on periodic assessments, manual scoring, and static risk registers that reflect the environment as it was, not necessarily as it is. By the time a score is updated, the environment has moved on. Dynamic scoring closes that gap: because AI can evaluate real network behavior against framework requirements continuously and at scale, organizations get an always-current view of compliance gaps. 

Translating Security Risk Visibility into Compliance Intelligence  

An AI-powered compliance and risk engine can transform how security leaders act on network insights in three primary ways:  

• Prioritization: Dynamic scoring helps teams understand which gaps require immediate attention and which represent lower-priority remediation work. 
• Trend visibility: Continuously updated scores show how posture is changing over time, making compliance conversations with boards and auditors substantive rather than retrospective. 
• Proactive remediation: When an AI-powered engine surfaces a gap, teams can investigate and act before a non-compliant condition becomes a control failure or a breach.  

Automated Enforcement: Building a Continuous Compliance Architecture  

Surfacing compliance gaps in real time is only valuable if those gaps can be closed at the same speed. That's where architectural enforcement, powered by deterministic, human-on-the-loop automation, becomes critical.  

When an AI-powered risk engine identifies a compliance gap – for example, a segmentation boundary that has drifted, a privileged access path that has accumulated beyond its necessary scope, or a workload communicating outside its defined boundaries – a ticket-driven response process introduces exactly the kind of lag that cyber-related regulations are focused on closing.  

An automated enforcement architecture closes that gap through three core mechanisms: 

1. Comprehensive microsegmentation: The foundation of a closed-by-default network architecture, microsegmentation controls what is accessible at the network layer, restricting East-West movement and isolating critical assets to ensure that compliance-mandated boundaries are enforced in the infrastructure itself, not described in a policy document. This is what makes unauthorized lateral movement structurally impossible rather than just detectable. 
2. Identity-based access controls: Microsegmentation controls what is accessible; security teams also have to control who can reach assets and under what conditions. Identity-based access controls enforce least-privilege at the network layer, ensuring that every user (human or AI), device, and application can only reach what is operationally necessary. This directly addresses two common compliance failure points: privilege escalation and lateral movement via overprivileged accounts. 
3. Deterministic automation: Microsegmentation and identity-based controls are core to a cyber resilient architecture, but they only unlock continuous compliance if they stay current. Deterministic, human-on-the-loop automation keeps the security architecture intact as the environment changes without requiring constant manual tuning. Critically, it's also what allows gaps surfaced by an AI-powered engine to be actioned immediately, closing the loop between continuous visibility and continuous enforcement. 

Together, these three mechanisms mean compliance posture is maintained continuously, and the evidence to prove it is always available.  

4 Pillars of Continuous Compliance Security 

Continuous compliance requires both elements of this model – an AI-powered compliance and risk engine and automated enforcement architecture – working together synergistically. Collectively, this means security teams should pursue four key priorities.  

1. Always-Current Visibility and Compliance Framework Mapping  

Most organizations manage compliance across multiple frameworks simultaneously – NIS2, CIS, DORA, PCI-DSS, and more – each with overlapping but distinct control requirements. Manually maintaining a current picture of how the environment maps to each one is operationally unsustainable.  

To solve this, AI should continuously evaluate live network activity against regulatory requirements and industry standards, surfacing gaps as they emerge to create a live, comprehensive compliance picture.

2. Dynamic Risk Scoring to Inform Adaptive Controls  

When an AI-powered risk engine scores compliance posture continuously and granularly, security teams unlock the prioritization intelligence to act on the most critical gaps first – and the trend visibility to have substantive conversations with boards and auditors. 

3. Architectural Enforcement Powered by Deterministic Automation  

AI-powered insights give security teams the blueprint for continuous compliance – deterministic, human-on-the-loop automation powers adaptive policy enforcement at the network layer. With this approach, microsegmentation and identity-based access controls create a self-defending network architecture that maintains compliance as the environment changes. 

4. Immediate Available Audit Evidence and Proof of Cyber Resilience  

When AI-powered scoring and deterministic policy enforcement are both running continuously, audit evidence is a natural output, available on demand. Importantly, this approach delivers real proof that uptime is protected by design by demonstrating that the network architecture structurally constrains lateral movement and access is continuously governed.  

Build Continuous Cyber Compliance into the Network Architecture with Zero  

Zero Networks delivers AI-powered compliance and deterministic control in a single, unified platform, enabling organizations to future-proof compliance without risking disruption or adding operational complexity.  

Zero’s AI-powered compliance and risk engine queries live network activity in natural language, scores posture continuously against frameworks like NIS2 and CIS, and generates audit-ready evidence on demand. With a deterministic policy engine informed by real network behavior, Zero enforces microsegmentation and least-privilege access across 90%+ of the environment within 90 days – without impacting regular traffic or rearchitecting existing infrastructure.  

Find out how you can future-proof compliance and protect business continuity with Zero Networks – request a demo.  

Closing the gap between Zero Trust strategy and enforcement requires policies that are granular enough to deliver meaningful protection and accurate enough not to break operations. We’ll walk through why real-time network visibility and a deterministic automation engine that uses those continuous insights to generate, enforce, and adapt policy are critical for confidently scaling Zero Trust microsegmentation.  

How Limited East-West Traffic Visibility Creates Zero Trust Blind Spots  

Zero Trust security is based on the philosophy of “never trust, always verify.” This strategy removes implicit trust, treating all traffic as potentially risky – even if it’s already inside the network. Rather than assuming internal traffic is trustworthy, Zero Trust assumes breach.   

Unchecked lateral movement – the key tactic attackers use to escalate breaches – directly contradicts Zero Trust’s core principles. Effectively locking down lateral movement requires microsegmentation, but it remains one of the most frequently deferred security initiatives, even after CISA’s guidance confirmed that microsegmentation is foundational to Zero Trust. Although nearly 70% of security leaders agree that microsegmentation is very important or essential for achieving Zero Trust, just 5% are microsegmenting their networks today.  

Labor-intensive implementation and concerns over operational disruption have long stood in the way of widespread microsegmentation adoption. Granular policy creation is complex and carries real operational risk when it isn't grounded in accurate, current network data. But without comprehensive visibility into east-west traffic across the environment, security teams struggle to implement granular access controls without the threat of breaking legitimate connections.   

So, when access policies are approximations based on static snapshots rather than dynamic controls based on real, current network behavior, organizations typically encounter one of two outcomes:  

• Over-permissive rules that leave meaningful gaps because teams manage uncertainty by leaving more access open than necessary 
• Over-restrictive rules that break legitimate operations because policy wasn't grounded in learned network realities  

In either case, Zero Trust initiatives fall short. The takeaway? Always-current network visibility is foundational to non-disruptive microsegmentation, and therefore, to Zero Trust enforcement.  

Why Static Network Maps Can’t Power Dynamic Zero Trust Architectures 

The traditional answer to east-west visibility has been flow logs, periodic audits, and on-demand maps generated from historical data. These share a common flaw: they don’t account for the dynamic nature of modern environments.  

A point-in-time snapshot begins drifting from reality the moment it's created – and policies built on that snapshot drift with it. The operational consequences compound quickly: 

• Policy delays: When teams aren't confident that enforcement won’t risk disruption, rollout may be deferred.  
• Broken incident response: An outdated picture of the network can stall incident response.  
• Stale compliance reporting: Board-level reports reflect a network state that no longer exists.  
• Rule drift: Policies written against a past environment accumulate exceptions and gaps, quietly expanding the attack surface. 

This is the gap between visibility as a reporting mechanism and visibility as an enforcement input. Rather than telling you what happened, visibility should show you what's happening – and that live picture should directly inform the policy engine underpinning Zero Trust architecture.  

Deterministic Control: Protecting Business Continuity and Enhancing Zero Trust  

Granular access controls only deliver on Zero Trust's promise if they can be enforced without blocking regular traffic – that requires policies precise enough to distinguish between what’s operationally necessary and what’s not. This precision is determinism: segmentation policies grounded in observed network reality rather than probabilistic guesswork, accurate enough to enforce confidently at scale. 

Live, end-to-end visibility into east-west traffic is key to deterministic policy enforcement. A baseline built from continuously observed behavior – which assets actually need to communicate, with what, and under what conditions – gives the policy engine the fidelity it needs to generate rules that allow the right traffic and block everything else.  

Critically, deterministic policy enforcement powered by always-current network visibility also keeps controls accurate beyond initial deployment: as environments change, unused access paths close automatically, new communication patterns are incorporated, and privilege creep is prevented structurally rather than cleaned up periodically. When an incident occurs, lateral movement paths are visible immediately rather than reconstructed under pressure. 

A 5-Step Path to Zero Trust Microsegmentation via Deterministic, Human-on-the-Loop Automation 

Real-time network visibility translates to non-disruptive protection through deterministic, human-on-the-loop automation that takes continuously observed network behavior and uses those insights to create fine-grain policies, unlocking comprehensive microsegmentation and accelerating Zero Trust. The process unfolds like this:  

• Automated discovery: Every asset, identity, and communication path is mapped in real time across on-premises, cloud, IoT/OT, and Kubernetes environments, immediately replacing the point-in-time guesswork of manual discovery. 
• Behavioral learning, tagging, and grouping: Assets are automatically classified across dimensions like function, application, criticality, and communication pattern, removing one of the most time-consuming barriers to segmentation: the weeks of manual taxonomy work that typically precede policy creation. 
• Policy generation from the learned, real-world baseline: Precise access rules are derived directly from observed behavior, reflecting what each asset or identity actually needs to keep the business running. Because the baseline is continuously updated, generated policies reflect current network reality, not a snapshot from last quarter. 
• Simulation and staged enforcement: Proposed policies can be tested against real traffic before a single rule goes live, validating that controls won't disrupt legitimate connections. Teams have the option to review, approve, and deploy at their own pace with full visibility into what each rule will do. 
• Continuous adaptation: As the environment changes, protection adapts dynamically. New assets and communication patterns are incorporated into the baseline, unused access paths are closed, and policies stay accurate without manual upkeep – the same always-current visibility that powered initial enforcement keeps the policy engine aligned over time. 

By using up-to-date, comprehensive network visibility as an input for deterministic automation and policy enforcement, organizations ensure that network visibility isn’t just another path to reactive detection and response, but that it’s leveraged to actively inform Zero Trust architecture. 

Turn Always-Current Network Visibility into Deterministic Control with Zero Networks  

Zero Networks eliminates the barriers that have historically stood in the way of comprehensive microsegmentation, delivering an automated, identity-driven solution that unlocks 90%+ segmentation depth within 90 days – without risking downtime.  

Zero automatically discovers every network asset and identity, then learns network behavior across on-prem, cloud, IoT/OT, and Kubernetes environments before using those insights to generate precise identity-based access controls and segmentation policies. With Zero’s real-time Network Map, security teams maintain a live picture of every asset, identity, and communication path across the environment, enabling policy simulation for peace of mind and controls that stay accurate over time without accumulating the rule drift and maintenance burden that have historically made microsegmentation unsustainable at scale. 

Learn more about how you can automate Zero Trust enforcement with dynamic microsegmentation coverage powered by continuous behavioral insights – request a demo.  

Organizations typically face business disruptions lasting more than three weeks from ransomware attacks as adversaries target the systems that underpin business continuity, like patient scheduling platforms, production lines, supply chains, or financial processing infrastructure. As a result, 86% of cyber incidents now cause operational downtime, reputational damage, or both. In the age of AI-accelerated attacks, it will only get harder for defenders to reactively contain ransomware threats.  

When downtime is a deliberate ransomware campaign tactic – not a side effect – security teams need to break the attack sequence before the damage is done. We’ll walk through how ransomware attacks typically unfold, identify the key inflection points for protecting business continuity, and outline the controls organizations can implement to proactively prevent the spread of ransomware.  

How Modern Ransomware Attacks Drive Operational Downtime: Real-World Examples  

The shift to deliberate operational disruption is documented across recent high-profile attacks. These incidents share a consistent pattern: attackers cause disruption by moving freely through the network until they reach the systems organizations can least afford to lose. 

4 of the most recent disruptive ransomware attacks that illustrate this trend include:  

1. Jaguar Land Rover (2025): A hacker group calling itself “Scattered Lapsus$ Hunters” claimed responsibility for an attack against the luxury car manufacturer that ultimately cost roughly $2.8 billion. The group leveraged social engineering and credential theft to gain initial network access, then moved laterally, escalating privileges until they reached critical infrastructure. Global production was halted for weeks with the attack’s ripple effects even impacting the broader UK economy – a reminder that operational disruption in manufacturing cascades across supplier and customer relationships in ways that are often difficult to fully quantify. 
2. Kettering Health (May 2025): The Interlock ransomware group targeted Kettering Health, a system responsible for 14 medical centers and dozens of clinics across Ohio. Attackers knocked critical clinical systems offline before exfiltrating sensitive patient data – forcing staff to cancel procedures, turn away patients, and revert to manual processes. Less than a month after the attack, a class-action lawsuit was filed alleging that patients missed scheduled treatments and were unable to access prescriptions as a result of the disruption.  
3. Asahi Group Holdings (October 2025): The Qilin ransomware gang used stolen credentials for initial network access, then relied on native administrative tools to move laterally, execute remote code, and establish persistence – all without triggering detection. The result was widespread operational disruption across one of Japan's largest beverage manufacturers, causing nationwide product shortages.  
4. Marks & Spencer (2025): The retailer’s online operations were disrupted for weeks following a ransomware attack carried out by the DragonForce group, ultimately costing an estimated $400 million in lost profit and additional expenses. The damage extended well beyond the immediate incident: supply chain disruption, customer trust erosion, and sustained reputational impact compounded the financial toll over months. 

The through-line across these incidents? Regardless of how they gained an initial foothold, ransomware groups were able to move laterally across the network with little to no friction. On the other hand, attackers who are contained at their initial entry point cannot reach patient scheduling platforms, production systems, or financial infrastructure – this is precisely why preventing ransomware requires preventing lateral movement.  

Ransomware Attack Stages: Reconnaissance to Ransom Demand 

Like most cyber incidents, ransomware attacks typically occur in six stages: reconnaissance, infection, escalation, scanning, encryption, and ransom. Understanding what happens at each stage – and where security teams can effectively intervene to protect business continuity – is key to avoiding ransomware-related operational disruption.  

Stage 1: Reconnaissance 

Attackers start by studying the environment before taking visible action – to whatever extent possible, they identify high-value assets, map network dependencies, and locate the operational chokepoints that would cause maximum disruption if taken offline. As attackers increasingly leverage AI, this activity is happening more quickly and quietly than ever. However, a closed-by-default network architecture meaningfully reduces what attackers can see and enumerate, making it harder for ransomware groups to pinpoint critical assets.  

Stage 2: Infection  

Ransomware actors most commonly gain initial access through phishing, vulnerability exploitation, or stolen credentials. The credential-based entry path is particularly dangerous: when attackers log in rather than break in, legitimate credentials bypass perimeter defenses entirely and the intrusion looks like normal user activity, allowing hackers to live off the land undetected. Meanwhile, AI-driven vulnerability discovery via tools like Mythos and Daybreak are making it easier for attackers to uncover and exploit vulnerabilities at machine speed. While security teams have to assume breaches will occur, proactively reducing the attack surface by dynamically closing privileged ports with just-in-time (JIT) MFA, implementing granular network segmentation, and applying identity-based controls helps minimize exposure. 

Stage 3: Escalation and Lateral Movement  

After establishing a foothold, attackers work to expand their access – moving laterally through the environment, escalating privileges, and positioning themselves to reach the systems that underpin operations. This is where the operational impact of an attack is largely decided. In this era of AI-accelerated attacks, threat actors can begin moving laterally in as little as 27 seconds and a single compromised system exposes 85% of the typical environment within one hop. Fortunately, this link in the attack chain represents the primary window of opportunity for defenders to intervene. Controls that structurally limit unauthorized movement, like identity-driven microsegmentation, can prevent attackers from leveraging a minor foothold into enterprise-wide crisis. 

Stage 4: Scanning 

With broader access established, attackers have the internal network visibility that reconnaissance could only approximate. Rather than mapping the environment from the outside, threat actors with elevated access across systems and no perimeter standing in the way can more effectively scan for high-value targets at this stage. The malware enumerates the environment at a granular level, identifying specific files, directories, databases, and connected systems to target in the deployment phase. Backup and recovery infrastructure, shadow copies, and other disaster recovery systems are often deliberately sought out at this stage. Least-privilege access controls and microsegmentation that isolates backup infrastructure help limit what any compromised account can see and reach.

Stage 5: Deployment 

Most ransomware attacks culminate in payload deployment – but the ransomware itself is only part of what makes this stage so damaging. Attackers execute on everything that scanning revealed: deploying the payload, deleting backups, locking out administrators, and exfiltrating data, often simultaneously. The combined effect is deliberate operational disruption with no clear recovery option, maximizing the pressure on organizations to pay. But when controls are enforced to prevent escalation and lateral movement, they directly limit the scope of damage in this final phase. An attacker who cannot move laterally or ride privileged access to critical resources would have already hit a dead end.

Stage 6: Ransom 

With operations disrupted and recovery options potentially compromised, attackers demand payment, typically combining ransom demands with threats of data exposure and public naming. Downtime adds clear pressure: organizations facing operational paralysis pay more, and faster. Even those with intact backups are likely to face long recovery timelines, and every hour of downtime comes at a hefty cost. Organizations that architect for containment with microsegmentation, identity-based controls, and just-in-time MFA break the attack sequence before disruption and ransom demands occur. 

How to Stop Ransomware from Spreading: Best Practices to Break the Attack Chain  

Detection-based security strategies identify threats after malicious activity is already underway. But when lateral movement begins in seconds and it still takes months to detect the average breach, security teams need to build containment into the network architecture, proactively blocking the spread of ransomware before initial access even occurs. Prioritizing these four approaches allows organizations to build and maintain a proactive ransomware defense posture:  

1. Microsegmentation: Block Lateral Movement to Stop Ransomware Attacks Before They Escalate  

Comprehensive microsegmentation locks down the default pathways that ransomware attackers leverage to escalate a minor foothold, ensuring communication between assets must be explicitly permitted by policy. When no implicit trust exists between systems, ransomware attacks are stranded at the initial entry point with no path forward. A compromised endpoint cannot reach a domain controller or other critical infrastructure, and an infected workstation cannot communicate with backup infrastructure. The blast radius of any breach is structurally constrained to the initial point of compromise – no detection and response workflow required. 

2. Identity-Based Access Controls: Enforce the Principle of Least Privilege Everywhere  

Microsegmentation governs what can be reached; granular identity-based access controls govern who (or what) can reach it, and under what circumstances. Stolen credentials are, by definition, legitimate – perimeter defenses cannot distinguish a threat actor authenticating with a valid password from the real user, and detection-based tools aren’t designed to identify an attacker masquerading as a legitimate identity. The solution? Apply narrowly scoped access controls on top of a tightly segmented architecture. Identity-based access controls that enforce least-privilege access at the network layer ensure every identity – human or machine – can only reach the assets that are operationally necessary so stolen credentials are no longer an all-access pass for ransomware groups.  

3. Just-in-Time MFA at the Network Layer: Close the Privilege Escalation Highway 

Persistent privileged access is one of ransomware's most reliable pathways to operational systems. JIT MFA replaces standing privilege with time-bound, purpose-bound access, eliminating the broad, always-on permissions that attackers inherit when they compromise a privileged account. Network-layer MFA even allows security teams to enforce verification at the protocol level itself: RDP, SMB, WinRM, and SSH – the protocols that more than 70% of threat activity flows through – should all require real-time authentication before temporary access is granted.  

4. Automated Policy Creation and Enforcement: Build an Adaptive Ransomware Defense  

In dynamic environments where new systems come online, workloads shift, and access requirements change continuously, a defense that requires manual upkeep will develop gaps – ransomware groups will only become more adept at finding them in this era of AI-accelerated attacks. With a deterministic, human-on-the-loop automation engine powering policy creation and enforcement, controls adapt in lockstep with the network: continuously learning real behavior, enforcing least-privilege access based on what is actually happening in the environment, and updating policies as conditions change. In turn, organizations can craft a dynamic defense that keeps the network protected regardless of how quickly it evolves – no policy lag, no misconfiguration windows, and no gaps for ransomware to slip through. 

Block Ransomware Attacks in Real Time: Building a Cyber Resilient Architecture with Zero Networks  

Speed, stealth, and lateral movement are ransomware's greatest weapons; by the time most organizations detect a threat, the window to avoid business impact has already closed. Zero Networks protects what organizations can’t afford to lose with automated, identity-driven microsegmentation that enforces least-privilege access across every asset and identity to contain threats in real time.  

With JIT network-layer MFA and a deterministic automation engine, Zero closes the coverage gaps where ransomware actors sneak through while aligning policies to verified business need, ensuring comprehensive protection doesn’t add operational complexity.  

See for yourself how Zero Networks proactively stops ransomware from spreading and strengthens cyber resilience – request a demo.  

In a recent webinar, Zero Networks Field CTOs Albert Estevez and Chris Boehm suggested that the industry has been focused on solving the wrong problem. Most security strategies are built to catch attackers, but very few are designed to stop breaches from spreading in the first place. As cyber resilience becomes the new mandate for security leaders, building a self-defending network is more critical than ever.  

We’ll unpack key themes from the session, Cyber Resilience Simplified: How to Build a Self-Defending Network, and highlight the most important insights for benchmarking current resilience, tying security metrics to business outcomes, and making built-in containment an architectural feature.  

Barriers to Cyber Resilience: Why Higher Security Spending Hasn’t Paid Off  

After years of climbing steadily, global information security spending is expected to reach $239 billion in 2026 – and it shows no signs of slowing down. Despite higher security spending, globally reported data compromises reached a record high in 2025, jumping 79% over five years.  

Chris Boehm: The problem is, even with all of these solutions out here today, companies are still getting hacked. Why is that?  

Albert Estevez: One of the biggest problems is the implicit trust that we keep having inside our companies. We try to focus on preventing attacks, but we never say, ‘wait a moment, what will happen if at some point they succeed and break into my network?’  

So, although most organizations have invested heavily in detection and response, many have not achieved true network resilience. Importantly, the challenge isn’t that attackers have gotten more creative – cyber adversaries have simply gotten better at manipulating existing access in the AI era.  

Chris Boehm: We ran our own data reports and said, ‘what are most attackers utilizing today?’ They’re utilizing four ports primarily. There’s SMB, RDP, WinRM, and RPC … the problem with all four of these ports is that companies have to utilize them – if you block them, things break. So, AI is not generating new vectors of attack, they’re just exposing the ones you’ve never done something about.  

Albert Estevez: The problem is within your network. You’re keeping privileged ports open, and the only thing AI is doing is using them faster.  

Amid a surge of malware-free attacks and the rise of AI-driven lateral movement (AILM), traditional security strategies fall short of resilience objectives. 

How Cyber Resilience Connects to Business Outcomes  

Regulations and industry frameworks like PCI DSS, DORA, and NIST CSF increasingly require proof that a business can absorb a cyber incident without disrupting critical operations, underscoring a broader shift toward cyber resilience as boards and executives focus on safeguarding continuity.  

Chris Boehm: Businesses are focusing more – not just on cybersecurity – but on the business risk itself. How do you keep your business up and running, even during an attack?  

Albert Estevez: All of these frameworks are nothing other than guidance on how you should configure, deploy, and protect. At the end of the day, it’s on you. How can you prove that you’ve applied security controls to be sure that the day something bad happens, you will be able to contain it automatically? All of these regulations will start asking for proof of how you’re doing this – not if you’ve planned ahead for what you will do if something happens and put it on paper. That will not contain the attack.  

Chris Boehm: Having full accountability of the flow of your business, showing that flow and containment, knowing how things dynamically adjust – that’s why the cyber resilience conversation has been popping up.  

Organizations should approach cyber resilience as a driver of business outcomes across two dimensions: harm reduction and profit maximization. By reducing outages and limiting liability, businesses constrain the impact of a breach; by protecting brand reputation and minimizing breach-related costs, they maximize profit.  

Evolving Cyber KPIs: What Metrics Matter for Business Continuity?  

Not every breach threatens business continuity – only breaches with an expansive blast radius after initial access escalate beyond minor cyber incidents.  

Albert Estevez: It’s not the breach itself that threatens business continuity. We know that 40-65% of internal network traffic is not protected. This is what we call the blast radius – when you compromise one host, how many others can you pivot to?  

Chris Boehm: You’re going to have that potential blast radius or exposure in most businesses. And the whole goal has just been hardening and enforcing … this has now shifted quite a bit. The noise is bigger and there’s less control.  

Albert Estevez: There is still a legacy way of looking at security – playing the cat and mouse game of detection and response. That is not going to work nowadays; even less since AI is utilizing a lot of tools faster than a human being. We need to change how we approach security to be more preventative from day one instead of trying to catch bad behavior that will generate more logs.  

In the context of this threat landscape, where uncontrolled blast radius is the key differentiator between minor breaches and major crises, security teams must evolve beyond traditional metrics and tie their success to the factors that directly impact business continuity, such as uptime during cyber incidents, mean time to containment, and blast radius reduction. 

What Resilience (Really) Means: Limiting Breach Impact vs. Accelerating IR  

Cyber resilience isn’t just about surviving and recovering from a breach – it’s about preventing the breach from spreading in the first place.  

Chris Boehm: Usually people think ‘I have resilience in place. I have backups. I have fast response times. We have automation. We’re using AI.’ It should be more of a shift to limiting what the attacker can do altogether. You don’t have to have better backups if you just don’t need them. How can you limit the damage done to your business?  

This mindset shift defines what cyber resilience should look like in practice. Rather than more automated detection or faster response, true resilience limits the impact of a breach automatically – eliminating the need for recovery processes.  

In other words, a resilient network ensures that the breach of any single asset cannot become an enterprise-wide attack. Achieving network resilience requires three things: microsegmentation, identity-aware access controls, and automated containment.  

Benchmarking Network Resilience: How to Evolve from Excessive Trust to Adaptive Control  

Organizations aiming to bolster cyber resilience can map their current posture against a simple 5-stage framework:  

• Stage 1 – Flat and Blind: Everything trust everything and there are no East-West controls 
• Stage 2 – Alert-Heavy: Tools like EDR and SIEM provide visibility without containment  
• Stage 3 – Early Containment: Some level of segmentation has been implemented but policies are manual and constantly multiplying  
• Stage 4 – Automated Containment: Identity-aware segmentation automatically blocks unauthorized lateral movement  
• Stage 5 – Self Defending: Adaptive controls create an audit-ready posture and breach containment is built into the network architecture 

As Boehm points out, most organizations sit between stages two and three today – they have tools in place, they complete red teaming exercises, and they meet basic compliance requirements, but they’re grappling with an unmanageable alert volume.  

Chris Boehm: A developer says, 'I need access to everything or I won't get this done.' You open holes temporarily. A temporary hole here, a temporary hole there. And then you're paying someone two hundred thousand dollars a year and you just need to get them going. That's how most customers end up between stages two and three. 

To reach a self-defending posture, security teams need a comprehensive solution that addresses the three core requirements for a resilient network by combining microsegmentation, identity control, and ZTNA.  

The Blueprint for Automated Threat Containment  

When reactive security strategies based in detection and response are insufficient for achieving true cyber resilience, yet most holistic Zero Trust and microsegmentation programs take years to implement, organizations need a way to build real-time containment quickly – without sacrificing coverage depth.  

Albert Estevez: The only way you can tackle this type of problem is by bringing automation, expertise, and knowledge, and putting it into an engine which is deterministic, which means that it will not make stuff up.  

By leveraging deterministic, human-on-the-loop automation, organizations can achieve comprehensive protection without the heavy manual burden.  

To path to cyber resilience starts with benchmarking – map your lateral movement paths, open privileged ports, and East-West traffic to gain visibility into current resilience maturity. Next, build a containment-first architecture by closing the highways attackers depending and enforcing MFA on high-risk protocols. Lastly, expand and automate by leveraging deterministic, human-on-the-loop automation to grow coverage without risking operational disruption.  

Strengthen Cyber Resilience and Protect Uptime with Zero Networks 

By unifying automated, identity-based microsegmentation, modern ZTNA, and network-layer MFA in a single platform, Zero Networks delivers everything organizations need to achieve network resilience without the long deployment timelines or operational complexity of other solutions.  

The average Zero Networks customer achieves 90%+ segmentation coverage within 90 days; thanks to Zero’s deterministic automation engine, granular policies are created based on real network behavior so there’s no impact to legitimate traffic – and no risk of hidden security gaps over time.  

See for yourself how Zero Networks enables organizations to build self-defending networks – request a demo.