<?xml version="1.0" encoding="UTF-8"?>
  <rss version="2.0"
    xmlns:dc="https://purl.org/dc/elements/1.1/"
    xmlns:admin="http://webns.net/mvcb/"
    xmlns:rdf="https://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:content="https://purl.org/rss/1.0/modules/content/"
    xmlns:atom="http://www.w3.org/2005/Atom">

    <channel>
      <title>Zero Networks</title>
      <link>https://zeronetworks.com/blog</link>
      <atom:link href="https://zeronetworks.com/feed" rel="self" type="application/rss+xml" />
      <description>Unified network security platform for microsegmentation and advanced ZTNA.</description>
      <dc:language>en</dc:language>
      <dc:creator>info@zeronetworks.com</dc:creator>
      <dc:rights>Copyright 2026</dc:rights>
      <dc:date>2026-07-13T21:58:00+00:00</dc:date>
      <admin:generatorAgent rdf:resource="https://expressionengine.com/" />

      <image>
        <url>https://zeronetworks.com/images/uploads/site-assets/zer0-rss-image.png</url>
        <title>Zero Networks</title>
        <link>https://zeronetworks.com/blog</link>
        <width>142</width>
        <height>161</height>
      </image>

      
        <item>
          <title>Building Cyber Resilience in Financial Services: 6 Real-World Success Stories</title>
          <link>https://zeronetworks.com/blog/building-cyber-resilience-in-financial-services-6-real-world-success-stories</link>
          <dc:creator><![CDATA[Mikella Marley]]></dc:creator>
          <pubDate>Mon, 13 Jul 2026 21:58:00 +0000</pubDate>
          <dc:date>Mon, 13 Jul 2026 21:58:00 +0000</dc:date>
          <category><![CDATA[Network Security]]></category>
          <dc:subject><![CDATA[Network Security]]></dc:subject>
          <guid isPermaLink="false">https://zeronetworks.com/blog/building-cyber-resilience-in-financial-services-6-real-world-success-stories#When:1218</guid>
          <description><![CDATA[In financial services organizations, the systems cyber attackers most want to reach are also the most critical to business operations. Meanwhile, legacy infrastructure resists change, auditors and pen testers keep finding the same gaps, and AI-driven vulnerability discovery is collapsing the time between disclosure and exploitation, so the cost of standing still keeps climbing &ndash; but simply patching faster isn&rsquo;t a viable solution. &nbsp; This roundup features six Zero Networks&#8230;]]></description>
          <content:encoded><![CDATA[<p>In <a href="https://zeronetworks.com/resource-center/brochures/zero-networks-effortless-microsegmentation-for-financial-institutions">financial services organizations</a>, the systems cyber attackers most want to reach are also the most critical to business operations. Meanwhile, legacy infrastructure resists change, auditors and pen testers keep finding the same gaps, and <a href="https://zeronetworks.com/blog/protecting-against-mythos-daybreak-and-beyond-frontier-ai-security">AI-driven vulnerability discovery</a> is collapsing the time between disclosure and exploitation, so the cost of standing still keeps climbing &ndash; but simply patching faster isn&rsquo;t a viable solution. &nbsp;</p>

<p>This roundup features six <a href="https://zeronetworks.com/company/customer-stories">Zero Networks customers</a>, spanning private credit, investment banking, wealth management, and beyond, who <a href="https://zeronetworks.com/resource-center/topics/network-security-fundamentals-what-it-is-why-it-matters">closed network security gaps</a> without the operational complexity and outage risks that had stalled prior attempts. &nbsp;</p>

<p>We&rsquo;ll walk through how these firms <a href="https://zeronetworks.com/platform">leveraged automated, identity-driven microsegmentation</a> to secure legacy systems, enforce granular controls without breaking critical connections, mitigate recurring pen test and audit findings, and <a href="https://zeronetworks.com/blog/how-to-build-cyber-resilience-via-automated-containment-an-architectural-framework">build architectures designed to contain</a> vulnerabilities that can&#39;t yet be patched. &nbsp;</p>

<p><a href="https://zeronetworks.com/resource-center/brochures/zero-networks-effortless-microsegmentation-for-financial-institutions"><img alt="" src="https://zeronetworks.com/images/uploads/blog/Blog_Callout_-_Financial_Serevices_Infosheet_Download_%281%29.png" /></a></p>

<h2>Legacy Complexity in Enterprise Networks: Closing Security Gaps &nbsp;</h2>

<p>Inherited infrastructure is the norm in financial services and enterprise orgs. Assets accumulate across years of mergers and vendor decisions, often maintained by separate teams with no unified network visibility. This leaves security teams to face a forced trade-off: accept protection gaps, or risk operational disruptions by enforcing granular controls. &nbsp;</p>

<h3>Real-World Examples &nbsp;</h3>

<p><a href="https://zeronetworks.com/company/customer-stories/shielding-90b-in-capital-under-management-from-cyber-threats">Antares Capital</a> is one of the largest direct lenders in the US and is responsible for $60B+ in middle-market lending. Their team recognized lateral movement as a portfolio risk as much as a security risk. But disparate legacy assets made it difficult to get a complete view of the network, so the team struggled to determine which ports were actually necessary for business operations. &nbsp;</p>

<p>Similarly, <a href="https://zeronetworks.com/resource-center/videos/risky-business-interview-aaron-steinke-of-la-trobe-financial-talks-about-zero-networks">La Trobe Financial</a>&rsquo;s environment had been evolving since the 1980s, leaving the security team to untangle decades of legacy complexity. As one of Australia&rsquo;s leading and most trusted alternative asset managers &ndash; and responsible for securing over $20B in assets &ndash; La Trobe understood the urgent need to close legacy enterprise security gaps, but many systems were so deeply embedded in critical operations that replacing them would require years of effort and millions of dollars. &nbsp;</p>

<blockquote>
<p>Other microsegmentation products work if you&rsquo;re in a cloud native environment &ndash; if everything is modern, shiny, and new &ndash; down here in the real world, we have to deal with some pretty horrible old school protocols that don&rsquo;t play nice.</p>

<p>- Aaron Steinke, Head of Infrastructure, La Trobe Financial &nbsp;</p>
</blockquote>

<h3>The Solution: Full Network Visibility and Agentless Integration &nbsp;</h3>

<p>Antares Capital and La Trobe Financial solved their enterprise legacy complexity challenges with Zero&rsquo;s deterministic automation engine and agentless approach: &nbsp;</p>

<ul>
	<li>Automated discovery of all network assets and identities &ndash; including legacy systems &ndash; uncovered traffic patterns and dependencies across previously siloed environments. &nbsp;</li>
	<li><a href="https://zeronetworks.com/blog/6-processes-to-automate-when-implementing-microsegmentation">Deterministic, human-on-the-loop automation</a> fuels policy creation and enforcement, enabling precise rules that scale protection to legacy systems without risking disruption.&nbsp;</li>
	<li>Agentless architecture deploys in minutes by leveraging native, host-based firewalls, enabling a seamless fit with legacy systems &ndash; without introducing latency. &nbsp;</li>
</ul>

<p>By integrating with existing infrastructure and unlocking <a href="https://zeronetworks.com/platform/network-map">end-to-end network visibility</a>, Zero Networks removed the legacy barriers that stand in the way of comprehensive <a href="https://zeronetworks.com/blog/what-is-microsegmentation-our-definitive-guide">microsegmentation</a> for many financial and enterprise institutions. &nbsp;</p>

<p>As a result, <strong>Antares reached full segmentation in under three months</strong>, freeing 10+ hours a week across cloud and networking teams; La Trobe reached a security posture its team described as historically "out of reach," <strong>without a multi-year, multi-million-dollar modernization project</strong>. &nbsp;</p>

<h2>Implementing Microsegmentation without Disrupting Critical Operations&nbsp;</h2>

<p>Even when legacy complexity is not the primary barrier to a more robust network security posture, financial services organizations often hesitate to implement granular network segmentation for fear that it will break something &ndash; will enforcement disrupt the trading systems, client workflows, or applications the business depends on? Overly complex tools and unsustainable manual burdens can break critical connections outright or leave gaps and inconsistencies that risk continuity over time. &nbsp;</p>

<h3>Real-World Examples &nbsp;</h3>

<p><a href="https://zeronetworks.com/company/customer-stories/replaced-an-overly-complex-microsegmentation-solution">Baron Funds</a> oversees ~$49B in client assets, making continuity and access integrity extremely critical. After <a href="https://zeronetworks.com/blog/modern-vs-legacy-microsegmentation-what-to-look-for-in-todays-top-solutions">other microsegmentation solutions</a> broke the network, the organization was hesitant to move forward, but pen testing reinforced the need for more granular segmentation. &nbsp;</p>

<p><a href="https://zeronetworks.com/company/customer-stories/block-lateral-movement-and-control-every-network-identity">Evercore</a> faced the same underlying concern. A leading global independent investment bank, Evercore needed to <a href="https://zeronetworks.com/blog/how-to-prevent-lateral-movement-cybersecurity-risks-strategies">shut down lateral movement</a> across a complex, high-value enterprise environment without adding operational friction or deploying intrusive agents. But traditional approaches &ndash; manual access controls, privileged group clean-up, and firewall-based segmentation &ndash; required an extraordinary amount of effort that made inconsistencies inevitable and still left exploitable pathways open. &nbsp;</p>

<h3>The Solution: Deterministic Automation and Living-off-the-Land Defense &nbsp;</h3>

<p>Baron Funds and Evercore confidently embraced microsegmentation by removing the manual effort, guesswork, and operational complexity of legacy solutions with Zero Networks: &nbsp;</p>

<ul>
	<li>Policies are built from observed traffic and network behavior over a defined learning period, rather than manually assembled rule sets that require guesswork and introduce human error at scale. &nbsp;</li>
	<li>Deterministic, human-on-the-loop automation eliminates unsustainable manual effort without removing human judgement entirely from the equation. &nbsp;</li>
	<li>Orchestration of the native controls that already exist in today&rsquo;s environments enable a non-disruptive, &ldquo;living-off-the-land&rdquo; defense.&nbsp;</li>
</ul>

<blockquote>
<p>[Zero Networks] actually uses technology that we already have &ndash; it&rsquo;s technology that we&rsquo;ve already had on the network for 20 years. For as long as we&rsquo;ve had firewalls, we could have done this. We just couldn&rsquo;t manage the firewall at scale. You couldn&rsquo;t manage the firewall intelligently. We had every piece of the solution there &ndash; what we did not have was the brains.&#8239;&#8239;&nbsp;&nbsp;</p>

<p>- Henry Mayorga, CISO, Baron Funds&nbsp;</p>
</blockquote>

<p>By accurately automating rules based on learned network realities and enforcing them via native controls, Zero Networks gave both organizations the confidence to enforce granular segmentation without betting business continuity on an untested rule set or an unsustainable manual process. As a result, Baron Funds reached <strong>full segmentation in 30 days with zero disruptions to network traffic</strong>; Evercore <strong>locked down lateral movement across the entire enterprise from a single platform</strong>, managed by a single part-time administrator.&nbsp;</p>

<p>As a Banking IT Manager <a href="https://www.gartner.com/reviews/market/network-security-microsegmentation/vendor/zero-networks/product/zero-networks-segment/review/view/6667150">pointed out in a Gartner Peer Insights review</a>, the value of these results compounds at scale: &nbsp;</p>

<div style="background:#eeeeee;border:1px solid #cccccc;padding:5px 10px;"><em>&ldquo;I had a very realistic outlook on implementing Microsegmentation in a dynamic and complex environment. I was blown away by the volume and accuracy of the Zero Networks automation engine &hellip; It would have been impossible for our team to create and implement 16,000+ rules.&rdquo;&nbsp;</em></div>

<div style="background:#eeeeee;border:1px solid #cccccc;padding:5px 10px;">IT Manager, Banking, 3B &ndash; 10B USD Firm Size&nbsp;</div>

<h2>Pen Tests, Audits, and Cyber Compliance Requirements: Prioritizing and Validating Controls&nbsp;</h2>

<p>Penetration tests and <a href="https://zeronetworks.com/blog/cybersecurity-compliance-playbook-standards-requirements-best-practices">compliance requirements</a> are some of the most common forcing functions for microsegmentation initiatives &ndash; especially in highly regulated industries like financial services. But pen tests and audits don&rsquo;t only expose gaps to help security leaders prioritize strategies, they also validate the impact of controls. &nbsp;</p>

<h3>Real-World Examples &nbsp;</h3>

<p>Auditors had repeatedly flagged a specific gap with La Trobe Financial: the absence of MFA on <a href="https://zeronetworks.com/blog/the-4-protocols-driving-enterprise-risk-in-2026">high-risk protocols like RDP</a> and SSH. But prior attempts to implement MFA on admin protocols and legacy systems had introduced latency, bugs, or errors severe enough to make the fix impractical.&nbsp;</p>

<p><a href="https://zeronetworks.com/company/customer-stories/automated-microsegmentation-in-30-days">ACT Commodities</a> &ndash; a leading global provider of market-based sustainability solutions &ndash; uncovered the scale of exposure across its Azure Cloud environment the same way. Pen testers could access the environment and exfiltrate data within just five minutes, but reimplementing firewalls, adjusting configurations, and completing the other tasks necessary to protect servers proved too difficult.&nbsp;</p>

<p>Like many financial services organizations, diversified holding company <a href="https://zeronetworks.com/resource-center/videos/aaron-goodwin-of-briley-financial-talks-about-zero-networks">B. Riley Financial</a> saw the same security gaps surface in pen test results year after year but faced an impossible tradeoff: address persistent findings and disrupt key operations or live with known risks to maintain business as usual.&nbsp;</p>

<blockquote>
<p>There were a lot of years of doing penetration testing and coming up with similar results. There was always a critical. There was always a high. There were always multiples. And we just couldn&rsquo;t stop those from reoccurring; no matter what we did, those same things would just show up again &ndash; we thought we had it fixed and then we&rsquo;d find out a year later that we still had that issue.&rdquo;</p>

<p>- Aaron Goodwin, CISO, B. Riley Financial &nbsp;</p>
</blockquote>

<h3>The Solution: Closing Gaps by Default with Containment Architecture&nbsp;</h3>

<p>La Trobe, ACT Commodities, and B. Riley all closed exploitable pathways before a pen test or audit could find them, rather than remediating findings one at a time after the fact &ndash; if at all. With Zero Networks, these financial services orgs implemented comprehensive microsegmentation and <a href="https://zeronetworks.com/resource-center/guides/resilient-by-design-architecting-security-that-keeps-operations-running">built containment into the network architecture</a> via capabilities like: &nbsp;</p>

<ul>
	<li><a href="https://zeronetworks.com/blog/mfa-is-our-dna-zero-networks-multi-factor-segmentation">Network-layer MFA</a> that extends authentication to high-risk protocols like RDP and SSH without touching the underlying legacy systems or introducing new points of failure.&nbsp;</li>
	<li><a href="https://zeronetworks.com/blog/a-practical-guide-to-least-privilege-access-zero-trust-security-in-action">Least-privilege access</a> enforced by default, closing the specific pathways that attackers &ndash; and therefore, pen testers &ndash; rely on, rather than depending on manual review to catch every gap.&nbsp;</li>
	<li>Continuous, automated policy enforcement generates audit-ready evidence as a byproduct of normal operation.&nbsp;</li>
</ul>

<p>By closing gaps structurally rather than chasing them one finding at a time, security teams turn audits and pen tests from a source of stress to a validation exercise. For example, after implementing Zero Networks, La Trobe <strong>closed the exact MFA gap auditors had consistently flagged without breaking legacy systems</strong>; ACT Commodities&#39; five-minute <strong>breach window closed entirely</strong>, with later pen tests revealing <strong>unwanted lateral movement was completely blocked and contained</strong>; and B. Riley finally received <strong>a penetration test report with no high alerts</strong>, closing out a cycle of findings that had persisted for years.&nbsp;</p>

<blockquote>
<p>We had six findings in our penetration test, and every one of them would have been prevented or mitigated with Zero Networks. There&rsquo;s not one other product we have that could have come close... Zero Networks is a cornerstone piece of security technology.</p>

<p>Chris Turek, Former CIO, Evercore&nbsp;</p>
</blockquote>

<h2>Containing Vulnerabilities Before Patching: Preemptive Security in the Frontier AI Era&nbsp;</h2>

<p>Security teams have long faced an uphill battle keeping up with day-to-day <a href="https://zeronetworks.com/resource-center/topics/preventing-vulnerability-exploitation-a-guide-to-cybersecurity-trends-and-cves">vulnerability management.</a> The issue has compounded in this age of frontier AI, where <a href="https://zeronetworks.com/blog/protecting-against-mythos-daybreak-and-beyond-frontier-ai-security">models like Mythos and Daybreak</a> can find, analyze, and generate exploits for vulnerabilities at a speed and scale no human team can match. &nbsp;</p>

<p>For example,&#8239;<a href="https://cyberscoop.com/anthropic-mythos-software-flaws-glasswing/">Mythos found over 10,000 previously unknown vulnerabilities</a>&#8239;in seven weeks, including bugs that had evaded automated detection for decades.&#8239;The window between disclosure and exploitation has collapsed. Even if vendors release mountains of patches to mitigate this influx of discovered vulnerabilities, organizations face an impossible tradeoff: patch immediately and manage updates that contain thousands of fixes at a time, or wait and prioritize while accepting risk exposure. &nbsp;</p>

<p>Instead, financial institutions need a way to protect uptime before patches exist, or while validating that patches won&rsquo;t cause unintended operational disruptions. &nbsp;</p>

<h3>Real-World Examples&nbsp;</h3>

<p><a href="https://zeronetworks.com/blog/ciso-insights-how-to-pass-every-penetration-test">B. Riley Financial faced versions of the vulnerability exposure problem</a> multiple times. In one case, a Microsoft Outlook vulnerability involving outbound SMB traffic left the firm exposed with no patch available from the vendor. Waiting for a fix meant leaving the exposure open.&nbsp;</p>

<div style="background:#eeeeee;border:1px solid #cccccc;padding:5px 10px;">&ldquo;We stay on top of [patching], but it&rsquo;s always a grueling cycle. You still have to have time to test those patches with the different groups, different systems, different operating systems &hellip; Patching will only go so far. What can we do to stop or break the cycle of the attack?&rdquo;&nbsp;</div>

<div style="background:#eeeeee;border:1px solid #cccccc;padding:5px 10px;">- Aaron Goodwin, CISO, B. Riley Financial&nbsp;</div>

<h3>The Solution: Structural Containment as a Buffer Against Unpatched Risk&nbsp;</h3>

<p>With Zero Networks, B. Riley deployed a targeted rule blocking outbound SMB traffic from Outlook to the internet, closing the specific path the vulnerability relied on. &nbsp;</p>

<div>
<div style="padding:100% 0 0 0;position:relative;"><iframe allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" frameborder="0" referrerpolicy="strict-origin-when-cross-origin" src="https://player.vimeo.com/video/1152718170?badge=0&amp;autopause=0&amp;player_id=0&amp;app_id=58479" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="How to Pass Every Pen Test [B. Riley] Webinar Snippet"></iframe></div>
<script src="https://player.vimeo.com/api/player.js"></script></div>

<p>And critically, this is just one example of how a <a href="https://zeronetworks.com/resource-center/topics/zero-trust-architecture-how-to-achieve-cyber-resilience">cyber resilient network architecture</a> designed for containment protects financial institutions against vulnerabilities without patching. More broadly, <a href="https://zeronetworks.com/platform/network-segmentation">automated, identity-driven microsegmentation</a> buys security teams time to patch safely by: &nbsp;</p>

<ul>
	<li>Closing unnecessary access paths by default, limiting what any unpatched vulnerability can reach, regardless of how it was discovered &ndash; or how quickly.&nbsp;</li>
	<li><a href="https://zeronetworks.com/blog/stopping-privilege-escalation-how-to-neutralize-stolen-credential-threats">Constraining privileged access</a> to explicitly authorized identities, so admin protocols aren&rsquo;t lateral movement highways. &nbsp;</li>
	<li>Scaling protection across the entire network, including OT and legacy systems that can&rsquo;t always be patched on short notice &ndash; or at all. &nbsp;</li>
</ul>

<blockquote>
<p>Having microsegmentation in place has really given us a precautionary protection layer so we can delay applying some of these patches. This gives us plenty of time to test, make sure everything&rsquo;s working, and then apply it, but still have that protection layer in place.&nbsp;</p>

<p>- Aaron Goodwin, CISO, B. Riley Financial &nbsp; &nbsp;</p>
</blockquote>

<h2>Cyber Resilience for Financial Services: Build a Self-Defending Architecture with Zero Networks &nbsp;</h2>

<p>Legacy complexity, operational disruption risk, compliance pressure, and accelerating vulnerabilities are distinct challenges almost every financial institution faces, but they can all be solved with <a href="https://zeronetworks.com/platform">a single platform</a>. &nbsp;</p>

<p><a href="https://zeronetworks.com/resource-center/guides/mfa-powered-microsegmentation-for-financial-services"><img alt="" src="https://zeronetworks.com/images/uploads/blog/Blog_Callout_-_Financial_Services_Buyer_s_Guide_Download_%281%29.png" /></a></p>

<p>By delivering automated discovery across legacy and modern assets alike, a deterministic policy engine that builds and enforces rules from real traffic and identity behavior, agentless integration with existing infrastructure, and network-layer MFA for privileged access, Zero Networks enables financial services orgs to <a href="https://zeronetworks.com/resource-center/videos/self-defending-by-design-the-future-of-cybersecurity-defense">build a self-defending network architecture</a> that proactively blocks attacks without disrupting the business. &nbsp;</p>

<p>See how Zero Networks makes cyber resilience practical for financial institutions &ndash; <a href="https://zeronetworks.com/request-demo">request a demo</a>.&nbsp;</p>]]></content:encoded>
        </item>
      
        <item>
          <title>How to Automatically Generate Least-Privilege Policies Based on Network Behavior</title>
          <link>https://zeronetworks.com/blog/how-to-automatically-generate-least-privilege-policies-based-on-network-behavior</link>
          <dc:creator><![CDATA[Mikella Marley]]></dc:creator>
          <pubDate>Fri, 10 Jul 2026 19:45:00 +0000</pubDate>
          <dc:date>Fri, 10 Jul 2026 19:45:00 +0000</dc:date>
          <category><![CDATA[Identity Access Control]]></category>
          <dc:subject><![CDATA[Identity Access Control]]></dc:subject>
          <guid isPermaLink="false">https://zeronetworks.com/blog/how-to-automatically-generate-least-privilege-policies-based-on-network-behavior#When:1215</guid>
          <description><![CDATA[The principle of least privilege states that a user, process, or system should receive only the minimum level of access required to perform its intended function &ndash; and virtually every security leader agrees. &nbsp; But scaling least privilege enforcement across sprawling, multi-business-unit enterprise networks with tens of thousands of assets takes more effort and resources than most teams can spare. As a result, 99% of identities still hold excessive permissions. &nbsp; Rather than&#8230;]]></description>
          <content:encoded><![CDATA[<p>The <a href="https://zeronetworks.com/blog/a-practical-guide-to-least-privilege-access-zero-trust-security-in-action">principle of least privilege</a> states that a user, process, or system should receive only the minimum level of access required to perform its intended function &ndash; and virtually every security leader agrees. &nbsp;</p>

<p>But scaling least privilege enforcement across sprawling, multi-business-unit enterprise networks with tens of thousands of assets takes more effort and resources than most teams can spare. As a result, <a href="https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report">99% of identities</a> still hold excessive permissions. &nbsp;</p>

<p>Rather than relying on manual processes to generate and enforce least privilege access policies, security teams can <a href="https://zeronetworks.com/blog/6-processes-to-automate-when-implementing-microsegmentation">leverage deterministic automation</a> for adaptive, accurate policies &ndash; without the manual overhead. We&rsquo;ll walk through how least privilege policy automation works and share tips for unlocking <a href="https://zeronetworks.com/blog/how-to-measure-cyber-resilience-zero-trust-roi">Zero Trust outcomes</a> faster. &nbsp;</p>

<h3>Key Takeaways &nbsp;</h3>

<ul>
	<li><strong>Which tools or solutions help enforce the principle of least privilege?</strong> <a href="https://zeronetworks.com/platform">Identity-aware microsegmentation</a> and just-in-time MFA &ndash; powered by an automated policy engine that continuously learns network behavior &ndash; are the core mechanisms. Together, they restrict every connection to the access that&rsquo;s operationally necessary for only as long as it&rsquo;s necessary. &nbsp;</li>
	<li><strong>What tools help automatically generate least-privilege policies based on observed network traffic?</strong> Solutions powered by deterministic automation engines that continuously monitor network activity, build a behavioral baseline from observed connections, and generate policy directly from that baseline. For example, Zero Networks learns all network connections over a 30-day period before leveraging those insights to build deterministic, highly accurate firewall rules and policies that adapt dynamically across networks spanning multiple data centers, cloud regions, and business units. This keeps least privilege enforcement accurate and simple even for the largest, most complex orgs.&nbsp;</li>
	<li><strong>How can security teams automatically learn and map network connections to create access policies?</strong> <a href="https://zeronetworks.com/platform/network-map">Real-time monitoring</a> that captures which identities and assets communicate, over what protocols, and how frequently can be used as the direct input for policy generation rather than relying on assumed or documented access requirements.&nbsp;</li>
	<li><strong>Do AI-generated least privilege policies rely on determinism?</strong> No. AI-generated policies are typically probabilistic, based on statistical inference. Deterministic automation generates and enforces policies directly from observed behavior using fixed logic and producing a traceable, precise rule rather than a likely guess.&nbsp;</li>
</ul>

<h2>Automating Least Privilege Access to Accelerate Zero Trust &nbsp;</h2>

<p><a href="https://zeronetworks.com/resource-center/topics/zero-trust-security-a-complete-guide-to-principles-architecture-and-best-practices">Zero Trust security</a>&#8239;is based on the philosophy &ldquo;never trust, always verify.&rdquo; Enforcing least privilege by default is a non-negotiable tenet of Zero Trust &ndash; while Zero Trust defines the philosophy, least privilege enforces the mechanics. &nbsp;</p>

<p>Modern <a href="https://zeronetworks.com/resource-center/topics/zero-trust-architecture-how-to-achieve-cyber-resilience">Zero Trust architectures</a>&#8239;apply least privilege across human identities, machine-to-machine communications, APIs, AI agents, and service accounts.&#8239;<a href="https://zeronetworks.com/blog/network-segmentation-all-you-need-to-know">Network segmentation</a>, identity segmentation, and <a href="https://zeronetworks.com/blog/what-is-multi-factor-authentication-mfa">just-in-time&#8239;multi-factor authentication (MFA)</a>&#8239;are the solutions that make this comprehensive coverage possible &ndash; but it&rsquo;s only achievable at scale when automated. &nbsp;</p>

<p>AI agents introduce a new challenge &ndash; unlike a static service account, an agent&rsquo;s access needs can shift from task to task. <a href="https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/">OWASP&rsquo;s Agentic Applications Top 10 Project</a> addresses this directly through its Least Agency principle, which calls for constraining an agent&rsquo;s autonomy, tool access, and decision-making authority to limit the blast radius of prompt injection or compromised agents.&nbsp;</p>

<h3>Manual Policy Creation Challenges: Static Rules, Security Gaps, and Scale &nbsp;</h3>

<p>Manual policy management has a structural ceiling. Rules are typically written from assumptions about what a role or service account <em>should</em> need, and those assumptions rarely stand up to network realities. So, when least privilege policies are a primarily manual effort, a few common challenges emerge: &nbsp;</p>

<ul>
	<li>Static rules go stale almost immediately &nbsp;&nbsp;</li>
	<li>Security gaps or operational breakage as assumed access requirements produce either overly permissive rules that leave too much room for lateral movement, or overly restrictive ones that break legitimate traffic&nbsp;</li>
	<li>A scale problem headcount can&#39;t fix &nbsp;</li>
</ul>

<p>As Gartner points out&#8239;in its report,&#8239;<a href="https://zeronetworks.com/resource-center/reports/gartner-reimagining-network-microsegmentation"><em>Reimagining Network Microsegmentation: Beyond the IP &ndash; Identity, Context, and Agentless Innovation</em></a>, continued reliance on static rules leaves organizations especially vulnerable to AI-driven attacks. &nbsp;</p>

<blockquote>
<p>Vendors clinging to manual policies face rapid obsolescence, as these methods are completely incapable of securing dynamic hybrid networks against lateral movement.</p>

<p>- Gartner &nbsp;</p>
</blockquote>

<h3>Deterministic Automation vs. Probabilistic Models &nbsp;</h3>

<p>As manual policy management becomes untenable, many cybersecurity tools have rushed to fill the gap with AI capabilities. But AI-generated least-privilege policies aren&#39;t the same as ones built through deterministic automation. &nbsp;</p>

<p>Probabilistic AI models produce outputs based on statistical likelihood; deterministic automation engines rely entirely on learned realities.&nbsp;</p>

<table border="1" cellpadding="1" cellspacing="1">
	<thead>
		<tr>
			<th scope="col">&nbsp;</th>
			<th scope="col">Deterministic Automation</th>
			<th scope="col">Probabilistic (AI) Models</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<th scope="row">Policy is based on</th>
			<td>Directly observed network behavior</td>
			<td>Statistical inference about likely behavior</td>
		</tr>
		<tr>
			<th scope="row">Result</th>
			<td>A traceable rule tied to real activity</td>
			<td>A likely-correct guess</td>
		</tr>
		<tr>
			<th scope="row">Best suited for</th>
			<td>Enforcement decisions</td>
			<td>Visibility, investigation, pattern-surfacing</td>
		</tr>
	</tbody>
</table>

<p>A rule that&#39;s 99% accurate is still wrong enough to break applications or leave security gaps open, which is why AI adoption for security policies is often hindered by <a href="https://zeronetworks.com/blog/network-microsegmentation-in-2026-gartner-research-takeaways">what Gartner calls &ldquo;enforcement anxiety&rdquo;</a> &ndash; the fear that probabilistic algorithms will disrupt business operations. For enterprises that want to automate least privilege policy creation and enforcement at scale but can&rsquo;t risk operational continuity, deterministic engines offer the best of both worlds.</p>

<h2>How Deterministic Least Privilege Policy Generation Works &nbsp;</h2>

<p>Automating least privilege access means translating raw network activity insights to enforceable rules &ndash; in practice, that process occurs in four stages. &nbsp;</p>

<h3>1. Observing Real Traffic to Build a Behavioral Baseline&nbsp;</h3>

<p>Before any policy can be written, a comprehensive <a href="https://zeronetworks.com/platform/network-map">picture of what&#39;s actually happening on the network</a> must be established: which assets and identities communicate, over which ports and protocols, how frequently, and in what direction. This learning period requires continuous observation to build a knowledge base of existing network communication patterns, including logon activity, account behavior, and asset access patterns tied to specific identities&nbsp;&ndash; even across networks with hundreds of thousands of connections and complex identity hierarchies.</p>

<h3>2. Translating Observed Behavior into Enforceable Rules&nbsp;</h3>

<p>Once a behavioral baseline exists, an automation engine can use it to generate precise policies scoped to what&#39;s been observed as necessary for each asset and identity. This is the step that makes the approach deterministic rather than probabilistic &ndash; the policy isn&#39;t inferred from a model&#39;s best guess about likely access needs; it&#39;s derived directly from what was actually observed. That distinction is what allows the resulting rules to walk a fine line: tight enough to constitute <a href="https://zeronetworks.com/blog/perimeter-based-to-identity-centric-enforcing-least-privilege-access-everywhere">genuine least privilege</a> and precise enough to ensure legitimate traffic remains unaffected.&nbsp;</p>

<h3>3. Optional Simulation and Review Before Enforcement&nbsp;</h3>

<p>Even when policies are built from real behavior, most enterprises want an added layer of certainty that enforcement won&rsquo;t break anything. Before any rule goes live, a human on the loop should have the option to simulate its impact &ndash; testing the policy against real traffic in a sandbox environment for visibility into what it would allow and block before it affects production. &nbsp;</p>

<h3>4. Keeping Policy Aligned as Behavior Changes&nbsp;</h3>

<p>Generating an accurate least privilege policy once is only half the problem. Modern enterprise networks evolve constantly &ndash; new assets appear, old ones get decommissioned, and applications shift how they communicate.&nbsp;Or, new business units get acquired, old ones get divested, and applications shift how they communicate &ndash; enterprises need dynamic policy coverage.&nbsp;<a href="https://zeronetworks.com/blog/6-processes-to-automate-when-implementing-microsegmentation">Automated lifecycle management</a> keeps policies current in dynamic environments: access paths that go unused get closed, new patterns are incorporated, and rule sprawl is structurally prevented rather than periodically cleaned up after the fact. Always-current <a href="https://zeronetworks.com/blog/how-real-time-network-visibility-enables-automated-zero-trust-enforcement">network visibility fuels the deterministic automation engine</a>, enabling an adaptive least privilege posture. &nbsp;</p>

<h2>Automating Least Privilege Enforcement to Strengthen Business Resilience &nbsp;</h2>

<p>By scaling least privilege across the full enterprise with automation, security teams drastically change the math on what happens when something goes wrong. Because access is continuously scoped to observed network behavior and aligned to business need rather than defaulting to what was granted once and forgotten, breaches are automatically constrained &ndash; regardless of how they start. That translates directly into the <a href="https://zeronetworks.com/blog/what-is-cyber-resilience-how-to-protect-business-continuity">resilience outcomes</a> security leaders need to show the business:&nbsp;</p>

<ul>
	<li><strong><a href="https://zeronetworks.com/blog/what-is-blast-radius-in-cybersecurity-best-practices-for-breach-containment">Smaller blast radius</a> by default: </strong>access never exceeds what&#39;s necessary, significantly reducing the threat of stolen credentials &nbsp;</li>
	<li><strong>Fewer standing, unused permissions: </strong>the exact accumulation attackers rely on to escalate privileges while evading detection gets closed continuously &nbsp;</li>
	<li><strong>Faster containment:</strong> lateral movements pathways that were never open in the first place don&#39;t need to be shut down mid-incident&nbsp;</li>
	<li><strong>Enforcement that doesn&rsquo;t drift: </strong>policies adapt as the network changes, enabling demonstrable compliance and uptime protection &nbsp;</li>
</ul>

<h3>Deterministic Policy Automation: Real-World Example&nbsp;</h3>

<p><a href="https://zeronetworks.com/company/customer-stories/securing-the-infrastructure-behind-21-of-global-shipping">Mediterranean Shipping Company (MSC)</a> operates one of the largest-scale and complex logistics networks in the world, moving 21% of global shipping across a massive footprint of ports, vessels, and facilities spanning dozens of countries. Uptime is nonnegotiable and instability is unacceptable; still, the organization needed a way to strengthen internal defenses. &nbsp;</p>

<p>Manual segmentation was slow to scale, requiring countless hours of log analysis and manual rule maintenance for only partial coverage. Limited visibility into internal traffic patterns further complicated policy creation. &#8239;&nbsp;</p>

<p>MSC offloaded the manual effort of discovery, learning, and policy management to Zero&rsquo;s deterministic automation engine, successfully segmenting roughly 95% of its servers. &nbsp;</p>

<blockquote>
<p>What once took more than a year of manual work and endless log analysis is now fully automated. We&rsquo;ve segmented about 95% of our environment, gained complete visibility into network activity, and dramatically strengthened our defenses.</p>

<p>- <a href="https://zeronetworks.com/company/customer-stories/securing-the-infrastructure-behind-21-of-global-shipping">Sergio Fedelini, SVP, IT Infrastructure, MSC</a></p>
</blockquote>

<h3>Build a Self-Defending Network Architecture with Zero Networks &nbsp;</h3>

<p>Zero provides immediate visibility into every identity and asset on the network, monitors and learns all network connections, then automatically generates and enforces identity-aligned least privilege policies to <a href="https://zeronetworks.com/blog/how-to-prevent-lateral-movement-cybersecurity-risks-strategies">prevent lateral movement</a> by default. Our comprehensive solution operationalizes the principle of least privilege across every axis of network traffic:&nbsp;</p>

<ul>
	<li><a href="https://zeronetworks.com/platform/network-segmentation"><strong>Automated microsegmentation</strong></a>&#8239;isolates every asset within its own secure perimeter, closing unnecessary communication paths without disrupting operations.&#8239;&nbsp;</li>
	<li><a href="https://zeronetworks.com/platform/identity-segmentation"><strong>Identity segmentation</strong></a>&#8239;enforces granular access rules for users, devices, and applications, ensuring every connection is explicitly authorized. &#8239;&nbsp;</li>
	<li><a href="https://zeronetworks.com/use-cases/apply-mfa-to-anything"><strong>Just-in-time network-layer MFA</strong></a>&#8239;adds adaptive authentication at the moment of privileged access, turning static permissions into temporary access. &#8239;&nbsp;</li>
	<li><strong>Deterministic, highly accurate automation</strong> learns all network behavior to create and enforce least privilege policies at scale.&#8239;&nbsp;</li>
</ul>

<p>Learn how you can automatically generate least privilege policies that dynamically adapt as your network evolves &ndash;&nbsp;<a href="https://zeronetworks.com/request-demo">request a demo</a>. &#8239;&nbsp;</p>]]></content:encoded>
        </item>
      
        <item>
          <title>CISO&#8217;s Guide to Business Impact Analysis: 3 Steps to Strengthen Cyber Resilience</title>
          <link>https://zeronetworks.com/blog/cisos-guide-to-business-impact-analysis-3-steps-to-strengthen-cyber-resilience</link>
          <dc:creator><![CDATA[Mikella Marley]]></dc:creator>
          <pubDate>Wed, 08 Jul 2026 20:08:00 +0000</pubDate>
          <dc:date>Wed, 08 Jul 2026 20:08:00 +0000</dc:date>
          <category><![CDATA[Operational &amp; Cyber Resilience]]></category>
          <dc:subject><![CDATA[Operational &amp; Cyber Resilience]]></dc:subject>
          <guid isPermaLink="false">https://zeronetworks.com/blog/cisos-guide-to-business-impact-analysis-3-steps-to-strengthen-cyber-resilience#When:1212</guid>
          <description><![CDATA[After gaining initial access, attackers begin moving laterally in as little as 27 seconds &ndash; and a single compromised host directly exposes 85% of the environment. Still, it takes an average of 200+ days to identify and contain a breach. &nbsp; As models like Mythos, Daybreak, and other tools attackers weaponize for AI-driven exploits compress the window between initial compromise and business disruption even further, time is no longer on the defender&rsquo;s side. Security teams can no&#8230;]]></description>
          <content:encoded><![CDATA[<p>After gaining initial access, attackers begin moving laterally in <a href="https://www.crowdstrike.com/en-us/global-threat-report/">as little as 27 seconds</a> &ndash; and a single compromised host <a href="https://zeronetworks.com/blog/one-compromised-system-and-boom-meet-your-blast-radius">directly exposes 85% of the environment</a>. Still, it takes an average of <a href="https://www-api.ibm.com/adobe/assets/urn:aaid:aem:607b9590-38e0-4c91-b433-aa8a17f5b5e8/original/as/cost-of-a-data-breach-2025-full-report.pdf">200+ days to identify and contain</a> a breach. &nbsp;</p>

<p>As <a href="https://zeronetworks.com/blog/protecting-against-mythos-daybreak-and-beyond-frontier-ai-security">models like Mythos, Daybreak</a>, and other tools attackers weaponize for AI-driven exploits compress the window between initial compromise and business disruption even further, time is no longer on the defender&rsquo;s side. Security teams can no longer afford to plan for prevention; they must engineer for the impact of a breach. &nbsp;</p>

<p>A <a href="https://zeronetworks.com/blog/from-documentation-to-enforcement-translating-bia-to-real-cyber-resilience">business impact analysis (BIA)</a> is a vital step in gaining consequence clarity and tailoring cyber resilience strategies to business and board-level priorities. But all too often, a BIA documents critical systems, the disruptions that would materially impact the organization, and how long the business can tolerate downtime without detailing current exposure or producing cyber resilience priorities. &nbsp;</p>

<p>We&rsquo;ll walk through <a href="https://zeronetworks.com/resource-center/guides/ciso-guide-business-impact-analysis-for-cyber-resilience">a business impact analysis template that translates documented business priorities</a> into actionable cyber resilience enforcement steps, giving CISOs the necessary insights to protect uptime where it matters most. &nbsp;</p>

<h2>How to Conduct a Business Impact Analysis for Cyber Resilience: 3-Step Framework&nbsp;</h2>

<p>A BIA built to produce resilient architecture, not just documentation, moves through three steps: critical asset identification and business exposure quantification, attack path analysis and containment metrics, and investment prioritization. Each step is designed to hand off concrete inputs to the next, ultimately delivering a set of specific intervention priorities tied to specific exposure reductions. &nbsp;</p>

<p><a href="https://zeronetworks.com/resource-center/guides/ciso-guide-business-impact-analysis-for-cyber-resilience"><img alt="" src="https://zeronetworks.com/images/uploads/blog/BIA_Guide_Download_%281%29.png" /></a></p>

<h3>Step 1: Identify Critical Assets and Quantify Business Exposure&nbsp;</h3>

<p>The first step in resilience-focused business impact analysis is to identify which systems and assets are critical to the strategic success and day-to-day operations of the company. This means evaluating assets across five dimensions of business exposure: &nbsp;</p>

<ol>
	<li><strong>Regulatory Classification:</strong> If an asset contains data that is restricted by regulations, then a compromise could incur fines, time-consuming reporting, and disclosure requirements.&nbsp;</li>
	<li><strong>Revenue Exposure: </strong>If an asset is critical to delivering goods and services or measuring consumption of goods and services, any downtime or breach would disrupt revenue streams and could even force the organization to pay penalties or credits to impacted customers.&nbsp;</li>
	<li><strong>Financial Sensitivity: </strong>If an asset has the ability to issue or redirect payments, compromise could impact the organization&rsquo;s operational cash flow.&nbsp;</li>
	<li><strong>Customer Notification Requirements: </strong>If customer notification processes &ndash; often tied to revenue exposure and regulatory classification &ndash; are required due to a cyber incident, they can impact ongoing customer conversations and sales cycles. &nbsp;</li>
	<li><strong>Reputational Sensitivity: </strong>If assets containing data or conducting functions that are core to the organization&rsquo;s communications or value proposal are impacted by a breach, it could cause reputational harm.&nbsp;</li>
</ol>

<p>Identifying business-critical systems requires collaboration across multiple stakeholders &ndash; CISOs need to gather information from CROs, CIOs, COOs, and business unit leaders to fully grasp the organization&rsquo;s overall risk exposure and the disruptions that would materially impact uptime, revenue, or customer commitments, ensuring the assessment reflects real-world operational priorities. &nbsp;</p>

<p>Following this step, CISOs should have a preliminary list of critical assets, enough information to justify <em>why</em> it&rsquo;s critical, and a baseline estimation of the business impact if a compromise occurred. &nbsp;</p>

<h3>Step 2: Analyze Attack Paths Against Containment Metrics &nbsp;</h3>

<p>With an inventory of critical assets and an understanding of how downtime would impact the business, CISOs can tackle the question that most urgently affects business continuity: how exposed are critical systems today? &nbsp;</p>

<p><a href="https://zeronetworks.com/resource-center/breach-map"><img alt="" src="https://zeronetworks.com/images/uploads/blog/Breach_Map_Download_%281%29.png" /></a></p>

<p>This is where many BIAs miss out on delivering practical value &ndash; they document priorities on paper without establishing whether critical systems are actually protected or where they&rsquo;re vulnerable. &nbsp;</p>

<p>An attack path analysis evaluates the level of effort it would take an attacker to move from a common ingress point to a business-critical asset. No analysis can comprehensively map every breach scenario, so CISOs should focus on categories that reflect the current threat landscape, like: &nbsp;</p>

<ul>
	<li>Compromised user&nbsp;</li>
	<li>Compromised cloud identity&nbsp;</li>
	<li>Technical perimeter entry&nbsp;</li>
	<li>Trusted vendor/third-party access&nbsp;</li>
</ul>

<p>For each threat category and critical system, security teams should identify the nearest ingress point and map a plausible attack path relative to three containment dimensions: path distance, privilege requirements, and data-layer controls. &nbsp;</p>

<table aria-rowcount="4" border="1" data-tablelook="1184" data-tablestyle="MsoTableGrid" dir="ltr">
	<thead>
		<tr aria-rowindex="1" role="row">
			<th data-celllook="0" role="rowheader" scope="col">
			<p paraeid="{1e4908a2-8100-4388-b538-812d434032f4}{215}" paraid="383932005">Containment Dimension&nbsp;</p>
			</th>
			<th data-celllook="0" role="columnheader" scope="col">
			<p paraeid="{1e4908a2-8100-4388-b538-812d434032f4}{222}" paraid="68759084">What It Measures&nbsp;&nbsp;&nbsp;</p>
			</th>
			<th data-celllook="0" role="columnheader" scope="col">
			<p paraeid="{1e4908a2-8100-4388-b538-812d434032f4}{229}" paraid="1426913898">Specific Details to Capture&nbsp;</p>
			</th>
		</tr>
	</thead>
	<tbody>
		<tr aria-rowindex="2" role="row">
			<th data-celllook="0" role="rowheader" scope="row">
			<p paraeid="{1e4908a2-8100-4388-b538-812d434032f4}{237}" paraid="508423885">Lateral Movement&nbsp;Path Distance: How do I get there?&nbsp;&nbsp;</p>
			</th>
			<td data-celllook="0">
			<p paraeid="{1e4908a2-8100-4388-b538-812d434032f4}{248}" paraid="785317868">How many structural barriers and controls exist between the ingress point for a&nbsp;breach&nbsp;scenario&nbsp;and the&nbsp;critical&nbsp;asset.&nbsp;</p>
			</td>
			<td data-celllook="0">
			<ul role="list">
				<li 335552541="" aria-setsize="-1" data-aria-level="1" data-aria-posinset="1" data-font="Symbol" data-leveltext="" data-list-defn-props="{">
				<p paraeid="{2eac279f-49a1-4d19-bbfa-f3cfdbaf4c3a}{16}" paraid="429339906">Authentication boundaries crossed&nbsp;</p>
				</li>
			</ul>

			<ul role="list">
				<li 335552541="" aria-setsize="-1" data-aria-level="1" data-aria-posinset="2" data-font="Symbol" data-leveltext="" data-list-defn-props="{">
				<p paraeid="{2eac279f-49a1-4d19-bbfa-f3cfdbaf4c3a}{22}" paraid="1220889257">Network segments traversed&nbsp;&nbsp;</p>
				</li>
			</ul>

			<ul role="list">
				<li 335552541="" aria-setsize="-1" data-aria-level="1" data-aria-posinset="3" data-font="Symbol" data-leveltext="" data-list-defn-props="{">
				<p paraeid="{2eac279f-49a1-4d19-bbfa-f3cfdbaf4c3a}{28}" paraid="1403619062">Enforced inspection points in path (proxies, Layer 7 firewalls, etc.)&nbsp;</p>
				</li>
			</ul>

			<ul role="list">
				<li 335552541="" aria-setsize="-1" data-aria-level="1" data-aria-posinset="4" data-font="Symbol" data-leveltext="" data-list-defn-props="{">
				<p paraeid="{2eac279f-49a1-4d19-bbfa-f3cfdbaf4c3a}{34}" paraid="1446823224">Cross-domain traversal (on-prem to cloud, cross-tenant, IT/OT, vendor to internal, etc.)&nbsp;</p>
				</li>
			</ul>
			</td>
		</tr>
		<tr aria-rowindex="3" role="row">
			<th data-celllook="0" role="rowheader" scope="row">
			<p paraeid="{2eac279f-49a1-4d19-bbfa-f3cfdbaf4c3a}{48}" paraid="1200791260">Privilege Requirements: Can I access the resource once&nbsp;I&rsquo;m&nbsp;there?&nbsp;&nbsp;</p>
			</th>
			<td data-celllook="0">
			<p paraeid="{2eac279f-49a1-4d19-bbfa-f3cfdbaf4c3a}{59}" paraid="1592085386">How difficult it is for an attacker to gain the privileges needed&nbsp;to reach the critical asset.&nbsp;</p>
			</td>
			<td data-celllook="0">
			<ul role="list">
				<li 335552541="" aria-setsize="-1" data-aria-level="1" data-aria-posinset="1" data-font="Symbol" data-leveltext="" data-list-defn-props="{">
				<p paraeid="{2eac279f-49a1-4d19-bbfa-f3cfdbaf4c3a}{72}" paraid="1893703436">Escalation levels&nbsp;required&nbsp;</p>
				</li>
			</ul>

			<ul role="list">
				<li 335552541="" aria-setsize="-1" data-aria-level="1" data-aria-posinset="2" data-font="Symbol" data-leveltext="" data-list-defn-props="{">
				<p paraeid="{2eac279f-49a1-4d19-bbfa-f3cfdbaf4c3a}{78}" paraid="521534071">Persistent privileged&nbsp;access&nbsp;</p>
				</li>
			</ul>

			<ul role="list">
				<li 335552541="" aria-setsize="-1" data-aria-level="1" data-aria-posinset="3" data-font="Symbol" data-leveltext="" data-list-defn-props="{">
				<p paraeid="{2eac279f-49a1-4d19-bbfa-f3cfdbaf4c3a}{84}" paraid="1413229517">Service account density&nbsp;</p>
				</li>
			</ul>

			<ul role="list">
				<li 335552541="" aria-setsize="-1" data-aria-level="1" data-aria-posinset="4" data-font="Symbol" data-leveltext="" data-list-defn-props="{">
				<p paraeid="{2eac279f-49a1-4d19-bbfa-f3cfdbaf4c3a}{90}" paraid="495969119">Additional&nbsp;authentication requirements&nbsp;&nbsp;</p>
				</li>
			</ul>
			</td>
		</tr>
		<tr aria-rowindex="4" role="row">
			<th data-celllook="0" role="rowheader" scope="row">
			<p paraeid="{2eac279f-49a1-4d19-bbfa-f3cfdbaf4c3a}{98}" paraid="658755188">Data Layer Controls: How much damage can I do?&nbsp;&nbsp;</p>
			</th>
			<td data-celllook="0">
			<p paraeid="{2eac279f-49a1-4d19-bbfa-f3cfdbaf4c3a}{105}" paraid="1867779758">How much damage an attacker could do once they reach the critical asset.&nbsp;</p>
			</td>
			<td data-celllook="0">
			<ul role="list">
				<li 335552541="" aria-setsize="-1" data-aria-level="1" data-aria-posinset="1" data-font="Symbol" data-leveltext="" data-list-defn-props="{">
				<p paraeid="{2eac279f-49a1-4d19-bbfa-f3cfdbaf4c3a}{114}" paraid="911927746">Encryption at rest&nbsp;&nbsp;</p>
				</li>
			</ul>

			<ul role="list">
				<li 335552541="" aria-setsize="-1" data-aria-level="1" data-aria-posinset="2" data-font="Symbol" data-leveltext="" data-list-defn-props="{">
				<p paraeid="{2eac279f-49a1-4d19-bbfa-f3cfdbaf4c3a}{120}" paraid="113516941">Identity-based access controls&nbsp;&nbsp;</p>
				</li>
			</ul>
			</td>
		</tr>
	</tbody>
</table>

<p>The result, run across every combination of scenario and critical asset, is a documented map of exposure tied to likely attack tactics rather than a general sense of risk. This breakdown of exposure across all critical assets bubbles up to two enterprise-level risk insights: &nbsp;</p>

<ul>
	<li><strong>Asset-level worst case path:</strong> The compromise scenario that presents the shortest, least obstructed route for an attacker to reach a business-critical system. &nbsp;</li>
	<li><strong>Enterprise-level highest cost path: </strong>The single scenario-to-asset combination with the weakest containment and the highest business exposure &ndash; the easiest attack with the greatest business impact. &nbsp;</li>
</ul>

<p>These insights deliver a baseline for <a href="https://zeronetworks.com/blog/how-to-measure-cyber-resilience-zero-trust-roi">measuring cyber resilience</a> improvements over time, and a natural starting point for prioritizing enforcement and investment. &nbsp;</p>

<h3>Step 3: Prioritize Security Strategies and Investments for Reducing Business Risk Exposure &nbsp;</h3>

<p>With critical assets identified and their exposure mapped against likely attack scenarios, CISOs have what they need to answer the question that turns documentation into a <a href="https://zeronetworks.com/blog/how-to-build-cyber-resilience-via-automated-containment-an-architectural-framework">cyber resilience roadmap</a>: what actions will reduce the most risk &ndash; and fastest?&nbsp;</p>

<p>As a general principle, interventions that <a href="https://zeronetworks.com/blog/what-is-blast-radius-in-cybersecurity-best-practices-for-breach-containment">reduce blast radius</a> structurally, by eliminating an attacker&#39;s ability to reach a critical asset in the first place, are more durable than interventions that depend on detecting and responding to an attack already in progress. With that in mind, security teams should focus on strengthening the same dimensions of threat containment used to analyze exposure: &nbsp;</p>

<ul>
	<li><strong>Increase path distance or completely remove pathways to critical assets: </strong>Granular <a href="https://zeronetworks.com/blog/network-segmentation-all-you-need-to-know">network segmentation</a>, additional authentication boundaries, and inspection points placed along the worst-case attack path can eliminate entire compromise scenarios rather than simply slowing them down. &nbsp;</li>
	<li><strong>Reduce privilege exposure: </strong><a href="https://zeronetworks.com/blog/stopping-privilege-escalation-how-to-neutralize-stolen-credential-threats">Eliminating persistent privileged access</a>, reducing service account scope, enforcing just-in-time reauthentication, and introducing additional authentication requirements for critical assets can reduce privilege exposure, making it harder for attackers to successfully reach critical assets. &nbsp;</li>
	<li><strong>Enforce data layer controls: </strong>Implementing <a href="https://zeronetworks.com/platform/identity-segmentation">identity-based access controls</a> and encryption at rest limits the potential damage if attackers do manage to reach critical systems, helping to ensure that a compromise won&rsquo;t escalate to downtime. &nbsp;</li>
</ul>

<p>For each recommended intervention, CISOs should document the expected impact in terms the business understands: which worst-case path do these strategies break or lengthen, which critical assets do they better protect, and how do they reduce business exposure? This creates a direct line from investment to risk reduction, making budgetary conversations concrete and clearly tying security outcomes to business continuity. &nbsp;</p>

<h2>Build a Cyber Resilient Architecture with Zero Networks &nbsp;&nbsp;</h2>

<p>Zero Networks closes the gap between business priorities and real-world enforcement with&#8239;<a href="https://zeronetworks.com/platform">automated, identity-based microsegmentation</a>. Zero provides immediate visibility into every identity and asset on the network, then&#8239;<a href="https://www.scworld.com/perspective/navigating-the-8d-city-why-multi-dimensional-network-security-is-no-longer-optional">automatically enforces adaptive, identity-aligned policies</a>&#8239;that prevent lateral movement to critical assets to safeguard business resilience. &nbsp;</p>

<p>The&#8239;<a href="https://zeronetworks.com/company/customer-stories">average Zero customer&#8239;achieves</a> 90%+ segmentation within 90 days, achieving comprehensive protection that measurably reduces risk exposure without disrupting regular operations. &nbsp;</p>

<p>Find out how Zero Networks can help you build a cyber resilient architecture with measurable business value &ndash;&#8239;<a href="https://zeronetworks.com/request-demo">request a demo</a>. &#8239;&#8239;&nbsp;</p>]]></content:encoded>
        </item>
      
        <item>
          <title>Network Microsegmentation in 2026: Gartner Research Takeaways</title>
          <link>https://zeronetworks.com/blog/network-microsegmentation-in-2026-gartner-research-takeaways</link>
          <dc:creator><![CDATA[Mikella Marley]]></dc:creator>
          <pubDate>Thu, 02 Jul 2026 21:47:00 +0000</pubDate>
          <dc:date>Thu, 02 Jul 2026 21:47:00 +0000</dc:date>
          <category><![CDATA[Network Segmentation &amp; Microsegmentation]]></category>
          <dc:subject><![CDATA[Network Segmentation &amp; Microsegmentation]]></dc:subject>
          <guid isPermaLink="false">https://zeronetworks.com/blog/network-microsegmentation-in-2026-gartner-research-takeaways#When:1210</guid>
          <description><![CDATA[Ninety-five percent of security leaders agree that microsegmentation is key to strengthening cyber defenses, yet only 9% are successfully protecting more than 80% of their critical systems with microsegmentation. &nbsp; In other words, organizations understand the value of microsegmentation, but there&rsquo;s a gap between intent and execution. The question is: how can enterprises deploy microsegmentation at scale, in real-world environments, without multi-year projects or partial coverage that&#8230;]]></description>
          <content:encoded><![CDATA[<p><a href="https://zeronetworks.com/resource-center/reports/research-report-the-maturing-microsegmentation-market">Ninety-five percent of security leaders agree</a> that microsegmentation is key to strengthening cyber defenses, yet <a href="https://www.prnewswire.com/news-releases/elisity-commissioned-omdia-survey-reveals-90-of-organizations-falling-behind-on-microsegmentation-despite-near-universal-demand-302754959.html">only 9% are successfully protecting more than 80% of their critical systems</a> with <a href="https://zeronetworks.com/blog/what-is-microsegmentation-our-definitive-guide">microsegmentation</a>. &nbsp;</p>

<p>In other words, organizations understand the value of microsegmentation, but there&rsquo;s a gap between intent and execution. The question is: how can enterprises deploy microsegmentation at scale, in real-world environments, without multi-year projects or partial coverage that leaves gaps for attackers to exploit? &nbsp;</p>

<p>Gartner answered just that in its report, <a href="https://zeronetworks.com/resource-center/reports/gartner-reimagining-network-microsegmentation"><em>Reimagining Network Microsegmentation: Beyond the IP &ndash; Identity, Context, and Agentless Innovation</em></a>. The research identifies three critical insights that should shape how security teams evaluate <a href="https://zeronetworks.com/blog/modern-vs-legacy-microsegmentation-what-to-look-for-in-todays-top-solutions">modern microsegmentation solutions</a> &ndash; we&rsquo;ll break down what they are and what they mean for the evolving landscape of zero trust microsegmentation. &nbsp;</p>

<h3>Key Takeaways &nbsp;</h3>

<ul>
	<li><strong>What does Gartner&#39;s research say about innovative microsegmentation in 2026?</strong> In <a href="https://zeronetworks.com/resource-center/reports/gartner-reimagining-network-microsegmentation"><em>Reimagining Network Microsegmentation: Beyond the IP &ndash; Identity, Context, and Agentless Innovation</em></a>, Gartner identifies three critical insights shaping the future of network microsegmentation: the shift from IP-based rules to identity-first enforcement, the need for autonomous policy governance that moves beyond manual management, and the requirement for agentless, multimodal enforcement architectures that can deliver comprehensive coverage across heterogeneous enterprise environments.&nbsp;</li>
	<li><strong>Who are the leading enterprise microsegmentation vendors in 2026?</strong> Gartner&#39;s <a href="https://www.gartner.com/document-reader/document/7776453?ref=solrResearch&amp;refval=551996103&amp;"><em>Reimagining Network Microsegmentation report</em></a> names a range of sample vendors actively shaping the market, including Zero Networks, Palo Alto Networks, Akamai, Aqua Security, Broadcom, Cisco, ColorTokens, Elisity, Fortinet, Illumio, and Zscaler. Zero Networks is also recognized in the <a href="https://zeronetworks.com/blog/its-official-zeros-customers-are-the-happiest-microsegmentation-users">2026 Gartner Peer Insights Voice of the Customer</a> report with a perfect 5-star rating and a 100% willingness-to-recommend score. Likewise, Zero Networks earned a Platinum rating in <a href="https://zeronetworks.com/resource-center/reports/zero-networks-named-platinum-leader-in-microsegmentation-insights-from-the-ema-prism-report">EMA&rsquo;s PRISM Report</a>; we at Zero are proud to receive the analyst validation and customer trust that defines leading microsementation solutions.&nbsp;</li>
	<li><strong>What does identity-first microsegmentation mean in practice? </strong>Policies are bound to verified user, machine, or AI identities rather than network addresses, and enforced dynamically as those identities move across environments. This includes non-human identities like service accounts and AI agents, which already significantly outnumber human identities and are frequently over-privileged and under-monitored.&nbsp;</li>
	<li><strong>What is the most effective zero trust microsegmentation approach for stopping lateral movement?</strong> Gartner&#39;s research points to a combination of identity-first controls, automated policy governance, and agentless enforcement across the full environment. Together, these eliminate the coverage gaps and static policies that attackers rely on to move laterally, regardless of how initial access was gained.&nbsp;</li>
	<li><strong>What should security leaders look for when evaluating microsegmentation vendors? </strong>Three capabilities aligned to Gartner&#39;s critical insights: whether identity governs reachability at the network layer, whether policy automation is accurate, scalable, and auditable with human-on-the-loop controls, and whether the platform can reach the full environment &ndash; including legacy, IoT/OT, and cloud &ndash; without requiring agents on every asset.&nbsp;</li>
</ul>

<h2>Identity-First Microsegmentation: Replacing IP-Based Rules &nbsp;</h2>

<p>For decades, network segmentation meant drawing boundaries around IP addresses, <a href="https://zeronetworks.com/blog/what-is-a-vlan-definition-core-components-and-segmentation-strategies">VLANs</a>, and ACLs. The logic was sound for static, on-premises environments: define what can talk to what, and enforce it at the network layer. But the environments these tools were built for no longer exist &ndash; according to Gartner, that&rsquo;s why it&rsquo;s time to pivot from IP-centric rules to unified identity fabric. &nbsp;</p>

<blockquote>
<p>&ldquo;The shift from network-centric to identity-first segmentation is a response to the evolution of traditional perimeters to hybrid architectures, the rise of dynamic, cloud-native environments, and the adoption of NHI. Static controls like IP addresses, VLANs, and ACLs are now ineffective, for ephemeral workloads and serverless architectures make manual rule management unmanageable and leave organizations vulnerable to lateral movement attacks.&rdquo; &nbsp;</p>

<p>Gartner, Reimagining Network Microsegmentation: Beyond the IP &ndash; Identity, Context, and Agentless Innovation &nbsp;</p>
</blockquote>

<p>IP-centric policy governs a location, not an identity &ndash; when a workload moves, a cloud instance spins up, or an AI agent is provisioned into your environment, a static rule doesn&#39;t follow it. The policy appears intact, but the coverage is full of gaps; for security leaders, that creates a false sense of protection.&nbsp;</p>

<h3>Dynamic Security Enforcement for Human Users, Machine Identities, and AI Agents</h3>

<p>The proliferation of non-human identities (NHI) like service accounts and AI agents adds urgency to the identity-first segmentation shift. &nbsp;</p>

<p>Machine and service identities <a href="https://www.paloaltonetworks.com/idira/identity-security-landscape-report">already outnumber human identities 109:1</a> &ndash; a trend expected to accelerate as organizations anticipate 85% growth in AI agents over the next year. But NHI are notoriously over-privileged and under-monitored: <a href="https://www.microsoft.com/en-us/security/security-insider/threat-landscape/microsoft-digital-defense-report-2024">just 2.6% of workload identity permissions</a> are actually used, and 51% of workload identities are completely inactive; meanwhile, nearly <a href="https://www.ibm.com/downloads/documents/us-en/131cf87b20b31c91">two-thirds of organizations do not have AI governance</a> policies. &nbsp;</p>

<p>The takeaway? Enterprises need <a href="https://zeronetworks.com/platform/network-segmentation">microsegmentation solutions</a> that anchor controls to the actual human user, non-human identity, or workload rather than their network location. &nbsp;</p>

<blockquote>
<p>&ldquo;Relying on static, IP-based microsegmentation guarantees catastrophic vulnerability to AI-driven attacks. Vendors clinging to manual policies face rapid obsolescence, as these methods are completely incapable of securing dynamic hybrid networks against lateral movement.&rdquo;&nbsp;</p>

<p>Gartner, Reimagining Network Microsegmentation: Beyond the IP &ndash; Identity, Context, and Agentless Innovation &nbsp;</p>
</blockquote>

<h3>Context-Aware Identity Governance and Complete Visibility &nbsp;</h3>

<p>Identity-first microsegmentation ensures policies can be dynamically enforced based on the real-time identity of users and NHI as they move across environments. At the core of this shift is what Gartner calls the Unified Identity Graph &ndash; a single, comprehensive view of network identities and context that enables real-time, granular policy enforcement. &nbsp;</p>

<p>When it comes to evaluating microsegmentation vendors, this means security leaders should look for: &nbsp;</p>

<ul>
	<li><a href="https://zeronetworks.com/platform/network-map">Real-time network mapping</a> that delivers comprehensive visibility into all identities, assets, and network behavior &nbsp;</li>
	<li>Policy-based access control (PBAC) that autonomously enforces identity-based, context aware policies across hybrid and multi-cloud infrastructures&nbsp;</li>
	<li>Product architecture that natively supports identity-based segmentation, so <a href="https://zeronetworks.com/platform/identity-segmentation">identity governs reachability</a> at the network layer &nbsp;</li>
</ul>

<h2>Autonomous Governance, Agentic AI, and the End of Manual Segmentation Policy Management&nbsp;</h2>

<p>Just as modern, dynamic environments have rendered IP-centric rules insufficient, they&rsquo;ve made manual microsegmentation strategies impossible to scale in today&rsquo;s rapidly changing, distributed infrastructures, leaving a gap between what&#39;s configured and what&#39;s actually happening on the network. &nbsp;</p>

<p>To avoid policy drift and hidden risk exposure, Gartner suggests <a href="https://zeronetworks.com/blog/modern-vs-legacy-microsegmentation-what-to-look-for-in-todays-top-solutions">modern microsegmentation</a> should autonomously map application dependencies, generate policies, and enforce rules in real time. The goal is continuous, adaptive governance that keeps protection aligned to network realities. &nbsp;</p>

<h3>Agentic AI: Opportunities and Risks &nbsp;</h3>

<p>Automated policy creation and enforcement is what Gartner recommends, but how can enterprises get there? The report identifies agentic AI as an enabler of autonomous governance &ndash; but with a trust gap standing in the way. &nbsp;</p>

<p>Agentic AI adoption for security policies is often hindered by &ldquo;enforcement anxiety,&rdquo; as teams fear that algorithms may disrupt legitimate business operations. What&rsquo;s more, the deployment of <a href="https://zeronetworks.com/blog/agentic-ai-cybersecurity-risks-how-to-secure-ai-agents">agentic AI brings its own security risks</a> as agents become targets for adversarial attacks. &nbsp;</p>

<p>Gartner&#39;s prescription for closing this trust gap is explainability and human oversight: policy simulation, transparent reasoning, and human-in-the-loop safeguards that allow teams to review and validate automated rules before they go live. &nbsp;</p>

<h3>Deterministic, Human-on-the-Loop Automation &nbsp;</h3>

<p>Security teams that can&rsquo;t afford to risk operational disruption by replacing human judgement with AI can still operationalize Gartner&rsquo;s insights by leveraging <a href="https://zeronetworks.com/blog/6-processes-to-automate-when-implementing-microsegmentation">deterministic, human-on-the-loop automation</a>, which operates on defined logic rather than probabilistic guesswork while keeping security teams in control of outcomes.&nbsp;</p>

<p>Microsegmentation powered by deterministic automation delivers the adaptive, dynamic protection modern enterprises need by generating precise enforcement based on learned network behavior. For example, Zero Networks&rsquo; automation engine learns allowed network behaviors in order to create dynamic rules for identities and assets. As <a href="https://zeronetworks.com/blog/the-role-of-ai-in-cybersecurity-promises-pitfalls-and-best-practices">Chris Boehm, Zero Networks Field CTO, points out,</a> this type of deterministic automation hinges on learning:&nbsp;</p>

<div style="background:#eeeeee;border:1px solid #cccccc;padding:5px 10px;"><em>&ldquo;Zero Networks learns and then provides automation on top of that without guessing &hellip; when you deploy [Zero], we will learn based on each asset and we&rsquo;ll tell you what that asset is doing &ndash; like a machine, server, service account &ndash; and then we control it, manage it, and automate it. So, that almost feels like artificial intelligence, but we don&rsquo;t advertise that capability at all; we advertise the capability of learning.&rdquo;&nbsp;</em></div>

<p>In other words, deterministic automation relies on learned realities rather than educated guesses, which are central to probabilistic approaches. Keeping a human on the loop to optionally review, approve, or fine-tune policies in a sandbox environment is a key safeguard for peace of mind while still shrinking manual effort and enabling protection to scale alongside modern environments. &nbsp;</p>

<p>Whatever mechanism security teams choose to get there, the ultimate goal remains the same: microsegmentation that shifts away from manual policies and embraces automation, enabling defenses that effectively counter <a href="https://zeronetworks.com/blog/what-is-ai-driven-lateral-movement-ailm">AI-driven attacks</a>. When evaluating microsegmentation tools on this capability, CISOs and cyber leaders should ask questions like: &nbsp;</p>

<ul>
	<li>Does the platform generate policies based on observed network behavior? Can your team see how a policy was derived?&nbsp;</li>
	<li>Can teams simulate and validate policies before enforcement goes live, and test against real traffic to catch potential disruptions before they impact operations?&nbsp;</li>
	<li>Does the platform continuously adapt as environments change, or does staying accurate require manual intervention?&nbsp;</li>
	<li>How does the platform handle policy drift? Does it detect and remediate unauthorized changes automatically?&nbsp;</li>
</ul>

<h2>Agentless Enforcement: How Microsegmentation Scales Across Enterprise Environments&nbsp;</h2>

<p>Autonomous, real-time policy governance only works if the underlying enforcement architecture can actually reach the full environment &ndash; without introducing performance overhead that makes it impractical.&nbsp;</p>

<p>That&#39;s the core of Gartner&#39;s third critical insight: agent-based platforms struggle with performance and scalability across hybrid, cloud, and containerized environments, making granular policy management too complex. The recommended path forward? Multimodal, agentless enforcement that extends comprehensive coverage without the operational burden agents introduce.&nbsp;</p>

<h3>Agent-Based vs. Agentless Microsegmentation &nbsp;</h3>

<p>Agent-based platforms require software on every managed endpoint. In heterogeneous enterprise environments, that creates a structural problem: performance overhead on every host, version management across a diverse fleet, and coverage gaps on the assets that can&#39;t run agents at all &ndash; legacy systems, <a href="https://zeronetworks.com/resource-center/guides/applying-zero-trust-to-ot-systems-with-microsegmentation">IoT and OT devices</a>, unmanaged endpoints, and cloud workloads. These are precisely the assets attackers move through.&nbsp;</p>

<p>Agentless microsegmentation solves this by extending enforcement through existing OS and network infrastructure rather than requiring software on every endpoint. Coverage reaches the full environment, including assets that could never host an agent, without the performance tax or the operational burden of managing agents at enterprise scale.&nbsp;</p>

<p>From a solution evaluation perspective, this insight signals that security teams should ask vendors questions like: &nbsp;</p>

<ul>
	<li>Does the platform require agents on every endpoint, or does it enforce policy through existing infrastructure?&nbsp;</li>
	<li>What happens to coverage on legacy systems, IoT/OT, or cloud workloads where agents can&#39;t be deployed?&nbsp;</li>
	<li>Does the deployment model scale as the environment grows, or does agent management become a ceiling on coverage over time?&nbsp;</li>
</ul>

<h2>Automated, Identity-Driven Microsegmentation for Modern Enterprises: Strengthen Cyber Resilience with Zero Networks &nbsp;&nbsp;</h2>

<p>Modern enterprises are moving away from reactive security to proactive containment &ndash; an evolution Gartner describes as the &ldquo;shift from preventative-only security to <a href="https://zeronetworks.com/resource-center/topics/zero-trust-architecture-how-to-achieve-cyber-resilience">cyber resilience</a>.&rdquo; For security leaders embracing microsegmentation as part of this shift, Gartner&rsquo;s report paints a clear picture of what innovative solutions must look like: identity-first, automated with human oversight, and agentless. &nbsp;</p>

<p>Zero Networks is named in the report as a sample vendor, recognized for <a href="https://zeronetworks.com/platform">automated, identity-driven microsegmentation</a> that delivers on all three critical insights: &nbsp;</p>

<ul>
	<li><a href="https://zeronetworks.com/platform/identity-segmentation">Identity-based policies</a> govern access at the network layer, tied to user, machine, or AI identity, and automatically updated as environments change.&nbsp;</li>
	<li>A deterministic automation engine maps observed network behavior, generates least-privilege policies, and keeps teams in control through human-on-the-loop simulation and staged rollout before enforcement.&nbsp;</li>
	<li>Zero deploys agentlessly, <a href="https://zeronetworks.com/platform/network-segmentation">orchestrating native OS enforcement</a> mechanisms across IT, OT, IoT, and cloud &ndash; no proprietary agents, no rearchitecting, and no coverage gaps on the assets that matter most.&nbsp;</li>
</ul>

<p>The <a href="https://zeronetworks.com/company/customer-stories">average Zero customer</a> segments 90%+ of their environment within 90 days &ndash; 91% faster than legacy approaches, at <a href="https://zeronetworks.com/resource-center/white-papers/esg-technical-validation-zero-networks">87% lower cost</a>. <a href="https://zeronetworks.com/request-demo">Request a demo</a> to see how. &nbsp;</p>]]></content:encoded>
        </item>
      
        <item>
          <title>Top 10 Lateral Movement Risks in Enterprise Networks (and What to Do About Them)</title>
          <link>https://zeronetworks.com/blog/top-10-lateral-movement-risks-in-enterprise-networks-and-what-to-do-about-them</link>
          <dc:creator><![CDATA[Mikella Marley]]></dc:creator>
          <pubDate>Tue, 30 Jun 2026 22:01:00 +0000</pubDate>
          <dc:date>Tue, 30 Jun 2026 22:01:00 +0000</dc:date>
          <category><![CDATA[Ransomware &amp; Lateral Movement Protection]]></category>
          <dc:subject><![CDATA[Ransomware &amp; Lateral Movement Protection]]></dc:subject>
          <guid isPermaLink="false">https://zeronetworks.com/blog/top-10-lateral-movement-risks-in-enterprise-networks-and-what-to-do-about-them#When:1209</guid>
          <description><![CDATA[Zero Networks&#39; 2026 Lateral Movement Exposure Report analyzed 54 trillion activities across 312 enterprise environments to answer one question: how do breaches turn into business outages? In answer, the report uncovered a structural problem: organizations have built networks optimized for access and connectivity where containment is an afterthought. &nbsp; We&rsquo;ll break down the top 10 risks behind unauthorized lateral movement in enterprise networks, exploring what each one means, why&#8230;]]></description>
          <content:encoded><![CDATA[<p>Zero Networks&#39; <a href="https://zeronetworks.com/resource-center/reports/2026-lateral-movement-exposure-report">2026 Lateral Movement Exposure Report</a> analyzed 54 trillion activities across 312 enterprise environments to answer one question: how do breaches turn into business outages? In answer, the report uncovered a structural problem: organizations have built networks optimized for access and connectivity where containment is an afterthought. &nbsp;</p>

<p>We&rsquo;ll break down the top 10 risks behind unauthorized <a href="https://zeronetworks.com/resource-center/topics/lateral-movement-innovations-prevention-techniques">lateral movement</a> in enterprise networks, exploring what each one means, why it matters for <a href="https://zeronetworks.com/resource-center/topics/zero-trust-architecture-how-to-achieve-cyber-resilience">cyber resilience</a>, and how to strengthen your posture.&nbsp;</p>

<h3>Key Takeaways &nbsp;</h3>

<ul>
	<li><strong>How do attackers move laterally inside a network? </strong>The same protocols and trust relationships that keep business operations running &ndash; RDP, SMB, SSH, WinRM, RPC, cloud APIs, and orchestration platforms &ndash; are the pathways adversaries use to move laterally and turn a single compromised identity, workload, or laptop into a companywide outage. For example, 87% of servers accept internal RDP or SSH traffic, 78.7% are reachable over SMB or WinRM, and a single compromised host can <a href="https://zeronetworks.com/blog/one-compromised-system-and-boom-meet-your-blast-radius">reach 85% of internal systems in the first hop</a>.&nbsp;</li>
	<li><strong>Why does breach prevention alone fail to protect business continuity? </strong>Attackers move faster than defenders can respond. The <a href="https://www.crowdstrike.com/en-us/global-threat-report/">fastest recorded breakout time in 2025 was 27 seconds</a>, yet the average time to <a href="https://www.ibm.com/downloads/documents/us-en/131cf87b20b31c91">identify and contain a breach is 241 days.</a> That 771,200:1 ratio means that by the time most organizations detect a compromise, the attacker has already moved. Breach prevention addresses the perimeter without limiting how far an attacker travels once inside. Containment structurally limits what a compromised asset can reach.&nbsp;</li>
	<li><strong>How is AI changing the lateral movement threat landscape?</strong> With <a href="https://zeronetworks.com/blog/what-is-ai-driven-lateral-movement-ailm">AI-driven lateral movement (AILM)</a>, adversaries use AI to accelerate the attack chain or weaponize overprivileged AI agents&rsquo; legitimate connections to pivot between systems. Roughly <a href="https://www.ibm.com/think/insights/agentic-ai-security">80% of organizations have deployed AI agents</a>, and <a href="https://www.ibm.com/downloads/documents/us-en/131cf87b20b31c91">two-thirds have no governance policies for them</a>. These agents hold broad standing access across email, databases, cloud APIs, and code repositories. An attacker who compromises or manipulates an agent inherits its legitimate permissions; the agent&#39;s privilege becomes the attack path.&nbsp;</li>
	<li><strong>How can enterprises block lateral movement inside their network without disrupting operations? </strong>The key is a <a href="https://zeronetworks.com/blog/how-to-build-cyber-resilience-via-automated-containment-an-architectural-framework">closed-by-default architecture</a>&nbsp;where administrative protocols are opened on demand rather than broadly exposed, access is governed by identity context and per-session authorization rather than standing permissions, and segmentation enforces least-privilege connectivity at the network layer. Just-in-time access and automated policy enforcement mean controls adapt to operational need rather than blocking legitimate connections. &nbsp;</li>
</ul>

<h2>The Risks That Enable Lateral Movement: Real-World Exposure and Benchmark Data &nbsp;</h2>

<p><a href="https://zeronetworks.com/blog/10-common-lateral-movement-techniques-how-to-stop-them">Lateral movement</a> is the process attackers use to move from an initially compromised asset to additional systems, accounts, data stores, or control-plane infrastructure. In other words, lateral movement is how attackers convert a single compromise into enterprise-wide impact. &nbsp;</p>

<blockquote>
<p>&ldquo;Initial access is a security problem. Lateral movement is when it becomes a business continuity problem. Before lateral movement, you may have an intrusion. After lateral movement, you have downtime, ransomware propagation, data exposure, failed recovery, customer impact, and executives explaining why one compromised endpoint could reach systems it never should have touched.&rdquo;&nbsp;</p>

<p>Dr. Chase Cunningham&nbsp;</p>
</blockquote>

<p>These 10 risks represent the structural exposures responsible for lateral movement in enterprise environments. &nbsp;</p>

<p><a href="https://zeronetworks.com/resource-center/reports/2026-lateral-movement-exposure-report"><img alt="" src="https://zeronetworks.com/images/uploads/blog/LMER_Download_CTA_%281%29.png" /></a></p>

<h3>1. Broad Internal Admin Protocol Exposure&nbsp;</h3>

<p>Protocols like RDP, SMB, SSH, WinRM, and WMI are widely reachable across the internal environment. These protocols are foundational to Windows, Active Directory, and IT operations, making them critical for business continuity &ndash; and opening up lateral movement highways. &nbsp;</p>

<p>Over <a href="https://zeronetworks.com/blog/one-compromised-system-and-boom-meet-your-blast-radius">70% of enterprise threat activity</a> flows through SMB, RDP, WinRM, and RPC, meaning attackers rely on the same trusted pathways the business depends on to function. The scope of the problem is undeniable: 87% of monitored servers accept internal RDP or SSH traffic, and 78.7% are reachable over SMB or WinRM.&nbsp;</p>

<p><em><strong>What to Do About It: Dynamically Close Admin Protocols &nbsp;</strong></em></p>

<p>To mitigate exposure across protocols like RDP, SMB, SSH, WinRM, and WMI, admin protocols should be closed by default &ndash; only opened on demand with per-session authorization and MFA. Just-in-time access enforcement minimizes risk without disrupting critical workflows. Layer-7 inspection on east-west traffic, including RPC, SMB, LDAP, and DNS, ensures malicious activity is distinguished from routine administration. &nbsp;</p>

<h3>2. Excessive Internal Reachability &nbsp;</h3>

<p>Enterprise networks were built for access and connectivity, not containment. The result is that internal systems can communicate too broadly by default, giving attackers an expansive internal attack surface the moment they gain a foothold.&nbsp;</p>

<p>A single compromised host can reach <a href="https://zeronetworks.com/blog/one-compromised-system-and-boom-meet-your-blast-radius">85% of internal systems on the first hop and effectively 100% on the second.</a> A frequently neglected dimension is egress: most organizations block unsolicited inbound traffic but treat outbound traffic as inherently trustworthy, giving attackers a clear channel for command-and-control communication and data exfiltration over protocols like HTTPS and DNS.&nbsp;</p>

<p>The problem compounds in modern environments. Cloud platforms, Kubernetes clusters, <a href="https://zeronetworks.com/blog/agentic-ai-cybersecurity-risks-how-to-secure-ai-agents">AI agents</a>, and hybrid infrastructure create dynamic communication patterns that frequently bypass static segmentation models, multiplying possible attack paths as environments grow.&nbsp;</p>

<p><em><strong>What to Do About It: Enforce Least-Privilege Connectivity&nbsp;</strong></em></p>

<p>Critical systems should be isolated by default, with administrative access tightly scoped and time-bound, and every communication path explicitly justified. User, server, cloud, Kubernetes, and agentic environments should be segmented by design, with critical assets explicitly isolated from user endpoints and egress filtering applied alongside inbound controls. &nbsp;</p>

<h3>3. Excessive Privileged Access&nbsp;</h3>

<p>Admin credentials can typically authenticate broadly across the environment with standing permissions that far exceed daily operational need. In fact, <a href="https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report">99% of users, roles, and services hold excessive standing permissions,</a> often unused for 60 days or more, and over <a href="http://crowdstrike.com/en-us/cybersecurity-101/identity-protection/identity-segmentation/">80% of attacks leverage stolen credentials at some stage</a>.&nbsp;</p>

<p>Without proper <a href="https://zeronetworks.com/platform/identity-segmentation">identity segmentation</a> &ndash; the practice of restricting access based on identity context and limiting the scope of what each identity can authenticate to &ndash; an attacker can take one compromised identity and leapfrog between systems. &nbsp;</p>

<p><em><strong>What to Do About It: Apply Granular Identity-Based Access Controls &nbsp;</strong></em></p>

<p>Just-in-time admin access, tiered administration, and per-system authorization limit what each identity can reach &ndash; not just where it can enter. Identity-context-aware east-west policies ensure a compromised credential operates within tightly scoped boundaries rather than across the entire environment it technically can authenticate to.&nbsp;</p>

<h3>4. Overprivileged Service Accounts &nbsp;</h3>

<p>Service accounts &ndash; non-human identities used by applications, services, and automation &ndash; are frequently overprivileged and are systematically under-monitored. Machine and service identities now <a href="https://www.paloaltonetworks.com/idira/identity-security-landscape-report">outnumber human identities 109:1</a>, yet only <a href="https://www.microsoft.com/en-us/security/security-insider/threat-landscape/microsoft-digital-defense-report-2024">2.6% of workload identity permissions are actually used</a>, and 51% of workload identities are completely inactive. &nbsp;</p>

<p>In on-premises environments, service accounts often carry static passwords that never expire and are sometimes shared across multiple services. In cloud environments, a single overprivileged role can silently enable complete environment takeover without any additional exploits required.&nbsp;</p>

<p><em><strong>What to Do About It: Apply Least Privilege to Every Machine Identity&nbsp;</strong></em></p>

<p>Service accounts should be scoped to the minimum permissions their function requires, with regular credential rotation, usage monitoring, and source-binding so credentials only function from sanctioned workloads. This limits what a stolen service account credential can do, even if it is valid.&nbsp;</p>

<h3>5. Legacy Authentication Paths&nbsp;</h3>

<p>Outdated authentication mechanisms create exploitable trust paths that modern controls cannot reach. NTLM is the canonical example: 43.2% of observed internal authentication traffic in enterprise environments still uses it, and its design means an attacker who obtains a hashed credential from one machine can authenticate directly to another without recovering the plaintext password. &nbsp;</p>

<p>Older email protocols like POP3 and IMAP bypass MFA entirely while Cleartext protocols expose credentials to anyone with network visibility. According to Microsoft, more than <a href="https://learn.microsoft.com/en-us/entra/identity/conditional-access/managed-policies">99% of password-spray attacks use legacy authentication protocols</a> that bypass MFA &ndash; disabling legacy authentication in Entra ID alone reduces account compromise risk by 67%.&nbsp;</p>

<p><em><strong>What to Do About It: Retire Legacy Protocols and Enforce Modern Authentication&nbsp;</strong></em></p>

<p>Modern authentication standards like OAuth 2.1 and OIDC should replace legacy protocols across the environment, with MFA enforced on privileged internal access alongside perimeter authentication. Every legacy protocol left active is an authentication path that bypasses modern controls, leaving enterprises vulnerable to unauthorized lateral movement.&nbsp;</p>

<h3>6. Exposed Control Plane Infrastructure&nbsp;</h3>

<p>Active Directory, IAM platforms, backup systems, virtualization hypervisors, Kubernetes API servers, CI/CD controllers, and cloud management consoles are the operational brains of modern environments &ndash; and they&rsquo;re often broadly reachable as segmentation of control-plane infrastructure remains inconsistent across enterprise environments.&nbsp;</p>

<p>When critical management systems are reachable from broad internal segments, a single compromised component gives attackers direct access to large portions of the enterprise. The stakes extend beyond access: if attackers reach backup infrastructure or orchestration systems, recovery operations themselves may fail.&nbsp;</p>

<p><strong><em>What to Do About It: Isolate the Control Plane&nbsp;</em></strong></p>

<p>Control-plane systems should sit in dedicated management zones with restricted admin paths and MFA-gated access. Continuous monitoring of access to Active Directory, IAM, hypervisors, backup infrastructure, and CI/CD systems provides early warning of targeting before recovery options are compromised.&nbsp;</p>

<h3>7. Internal Vulnerability Pivoting &nbsp;</h3>

<p>Even organizations that diligently patch internet-facing systems frequently overlook internal ones &ndash; and attackers exploit that gap directly. Sensitive internal protocols remain broadly reachable across both server and client populations; unpatched or misconfigured internal services mean an attacker with a foothold can scan for a vulnerable service and exploit it without needing credentials or social engineering.&nbsp;</p>

<p>Meanwhile, <a href="https://zeronetworks.com/blog/ai-driven-vulnerability-research-and-the-growing-importance-of-containment-architecture">AI-powered vulnerability research</a> is changing the economics of exploitation. <a href="https://zeronetworks.com/blog/protecting-against-mythos-daybreak-and-beyond-frontier-ai-security">Models like Anthropic&#39;s Mythos</a> have demonstrated the ability to identify exploitable weaknesses and develop attack paths with limited human involvement, compressing the window between patch release and exploitation beyond what most patch cycles can accommodate.&nbsp;</p>

<p><strong><em>What to Do About It: Segment Vulnerable Assets&nbsp;</em></strong></p>

<p>Internal patch SLAs should apply to server and client populations, not just internet-facing systems. Where patching is delayed, granular segmentation around vulnerable assets limits their exploitability. Attack-path prioritization should account for internal reachability and legacy protocol restriction, not CVSS score alone.&nbsp;</p>

<h3>8. Lack of East-West Visibility&nbsp;</h3>

<p>Security teams cannot contain what they cannot see. Most organizations have reasonable perimeter logging, but logging and auditing of access between internal workloads, services, and accounts is inconsistent, meaning adversaries can exploit access and expand reach without triggering an alert. &nbsp;</p>

<p>Many organizations lack identity-attributed east-west authentication visibility, and full authenticated traffic logging between workloads remains inconsistent. Without it, misconfigurations go unidentified, dwell time extends, and security teams cannot reconstruct attack paths when incidents occur.&nbsp;</p>

<p><strong><em>What to Do About It: Identity-Attributed Traffic Logs</em></strong>&nbsp;</p>

<p><a href="https://zeronetworks.com/blog/how-real-time-network-visibility-enables-automated-zero-trust-enforcement">East-west visibility</a> requires identity-attributed traffic logs tied to specific identities rather than IP addresses or ports, combined with alerting on unusual internal movement and real-time path analytics &ndash; giving security teams the tools to act before lateral movement reaches critical systems.</p>

<h3>9. Single Endpoint to Critical Asset Reachability &nbsp;</h3>

<p>One user endpoint can be leveraged to reach high-value assets directly. While the risk of excessive internal reachability describes broad system-to-system communication, this one explores a dangerous special case: how often a routine workstation sits one hop away from crown-jewel infrastructure like domain controllers, backup systems, ERP platforms, and cloud management consoles.&nbsp;</p>

<p>Attacks start wherever adversaries can gain access &ndash; that&rsquo;s rarely on critical systems. Business impact grows when that initial foothold has a direct, unbroken path to the systems that matter most: 12.2% of organizations demonstrate direct user-to-server administrative pathways, sensitive administrative services remain broadly reachable from internal environments, and endpoint-to-server administrative connectivity is common across enterprise networks. &nbsp;</p>

<p><strong><em>What to Do About It: Close Direct User-to-Critical-Asset Pathways &nbsp;</em></strong></p>

<p>Multi-stage access controls between user and server tiers, segmentation by sensitivity tier, and critical assets explicitly isolated from user endpoints ensure a compromised endpoint cannot directly reach crown jewels. &nbsp;</p>

<h3>10. Poor Containment Readiness &nbsp;</h3>

<p>Attackers often move freely for months before enterprises detect the breach. While attackers begin <a href="https://www.crowdstrike.com/en-us/global-threat-report/">moving laterally in as little as 27 seconds</a>, it takes an average of <a href="https://www.ibm.com/downloads/documents/us-en/131cf87b20b31c91">241 days to identify and contain a breach</a> &ndash; that&rsquo;s a breakout-to-containment ratio of 771,200:1. &nbsp;</p>

<p>What&rsquo;s worse, many organizations lack the ability to rapidly revoke risky access paths without disrupting operations as containment readiness remains operationally immature across enterprise environments. &nbsp;</p>

<p><em><strong>What to Do About It: Build Containment into the Network Architecture&nbsp;</strong></em></p>

<p>Fast isolation playbooks, identity kill-switch capability, and controlled segmentation response modes that can quarantine a compromised host without halting surrounding operations are the foundations of containment readiness. When these capabilities are built into the network architecture, organizations remove the tradeoff between stopping the spread of a breach and keeping the business running.&nbsp;</p>

<p><a href="https://zeronetworks.com/resource-center/breach-map"><img alt="" src="https://zeronetworks.com/images/uploads/blog/Breach_Map_Download_%281%29.png" /></a></p>

<h2>How to Assess Your Lateral Movement Posture&nbsp;</h2>

<p>The ten risks uncovered in the 2026 Lateral Movement Exposure Report map to a single underlying question: how far can an attacker travel once inside your environment? To find the answer, security leaders should assess their readiness across six dimensions: &nbsp;</p>

<ul>
	<li><strong>Identity Security: </strong>Can you deploy least privilege across humans, machines and agents?&nbsp;</li>
	<li><strong>Network Segmentation:</strong> Can systems communicate only where required?&nbsp;</li>
	<li><strong>Administrative Controls:</strong> Are admin pathways tightly restricted?&nbsp;</li>
	<li><strong>Control Plane Protection:</strong> Are critical management systems isolated?&nbsp;</li>
	<li><strong>Detection &amp; Response:</strong> Can suspicious movement be detected and contained quickly?&nbsp;</li>
	<li><strong>Operational Resilience: </strong>Can the network continue operating to support the business even during an active attack?&nbsp;</li>
</ul>

<p>The ultimate goal of lateral movement posture management is to minimize the blast radius of any attack and safeguard business continuity. Knowing what your network looks like to an attacker is a critical first step in strengthening cyber resilience and architecting for containment. &nbsp;</p>

<h3>Proactively Stop Lateral Movement with Zero Networks &nbsp;</h3>

<p>Zero Networks&rsquo; layered approach to lateral movement prevention closes long-standing security gaps and addresses emerging risks without creating operational complexity: <a href="https://zeronetworks.com/platform">automated, identity-driven microsegmentation</a> closes the protocol exposure, reachability gaps, and privilege sprawl that enable lateral movement in modern environments, while <a href="https://zeronetworks.com/blog/6-processes-to-automate-when-implementing-microsegmentation">deterministic, human-on-the-loop automation</a> streamlines policy creation and enforcement without risking disruption. &nbsp;</p>

<p>For a firsthand look at how Zero Networks makes threat containment an architectural feature, <a href="https://zeronetworks.com/request-demo">request a demo</a>. &nbsp;</p>]]></content:encoded>
        </item>
      
        <item>
          <title>Protecting Against Mythos, Daybreak, and Beyond: Frontier AI Security </title>
          <link>https://zeronetworks.com/blog/protecting-against-mythos-daybreak-and-beyond-frontier-ai-security</link>
          <dc:creator><![CDATA[Mikella Marley]]></dc:creator>
          <pubDate>Thu, 18 Jun 2026 18:19:00 +0000</pubDate>
          <dc:date>Thu, 18 Jun 2026 18:19:00 +0000</dc:date>
          <category><![CDATA[Cybersecurity Trends &amp; CVEs]]></category>
          <dc:subject><![CDATA[Cybersecurity Trends &amp; CVEs]]></dc:subject>
          <guid isPermaLink="false">https://zeronetworks.com/blog/protecting-against-mythos-daybreak-and-beyond-frontier-ai-security#When:1200</guid>
          <description><![CDATA[Vulnerability exploitation is now the #1 initial access vector, according to Verizon&rsquo;s latest Data Breach Investigations Report. Last year, organizations saw a 50% increase in critical vulnerabilities to patch compared to the previous year. As models like Mythos and Daybreak make machine-speed vulnerability discovery and exploitation a reality, security leaders need a defensible strategy for protecting against AI security threats. &nbsp;&nbsp; In a recent webinar, Mythos and Daybreak: What&#8230;]]></description>
          <content:encoded><![CDATA[<p>Vulnerability exploitation is now the #1 initial access vector, according to <a href="https://www.verizon.com/business/resources/T766/reports/2026-dbir-data-breach-investigations-report.pdf">Verizon&rsquo;s latest Data Breach Investigations Report</a>. Last year, organizations saw a 50% increase in critical vulnerabilities to patch compared to the previous year. As <a href="https://zeronetworks.com/blog/ai-just-broke-the-security-modelheres-what-actually-matters-now">models like Mythos and Daybreak</a> make machine-speed vulnerability discovery and exploitation a reality, security leaders need a defensible strategy for protecting against AI security threats. &nbsp;&nbsp;</p>

<p>In a recent webinar, <a href="https://zeronetworks.com/resource-center/webinars/claude-mythos-what-to-actually-do-about-It">Mythos and Daybreak: What Boards Are Asking and What to Actually Do About It</a>, Zero Networks Field CTOs Chris Boehm and Albert Estevez explored why containment &ndash; not speed &ndash; is the only reliable advantage for defenders in the AI era. When <a href="https://zeronetworks.com/blog/how-to-prevent-lateral-movement-cybersecurity-risks-strategies">lateral movement is blocked by default</a>, it doesn&#39;t matter how fast an attacker finds a vulnerability or how quickly your team can patch. The breach is contained before it can spread into a crisis.&nbsp;</p>

<p>We&rsquo;ll unpack key insights from the session and walk through best practices for <a href="https://zeronetworks.com/use-cases/protect-against-ai-threats-mythos-daybreak">protecting your network against AI</a>. &nbsp;</p>

<h2>Mythos and Daybreak: What They Are and Why They Matter for Security Teams &nbsp;</h2>

<p>Anthropic&rsquo;s Mythos and OpenAI&rsquo;s Daybreak are frontier AI models capable of finding, analyzing, and generating exploits for vulnerabilities at a speed and scale no human team can match.&nbsp;</p>

<p>For example, <a href="https://cyberscoop.com/anthropic-mythos-software-flaws-glasswing/">Mythos found over 10,000 previously unknown vulnerabilities</a> in seven weeks, including bugs that had evaded automated detection for decades. In a <a href="https://www.infosecurity-magazine.com/news/ai-security-institute-best/">UK AI Security Institute evaluation</a>, it successfully took over a simulated corporate network in 3 out of 10 attempts using only legitimate access paths. &nbsp;</p>

<blockquote>
<p>&ldquo;In controlled evaluations where Mythos Preview was explicitly directed and given network access to do so, we observed that <strong>it could execute multi-stage attacks on vulnerable networks and discover and exploit vulnerabilities autonomously &ndash; tasks that would take human professionals days of work</strong>.&rdquo; &nbsp;</p>

<p>AI Security Institute &nbsp;</p>
</blockquote>

<p>Daybreak delivers a similar class of capabilities; while OpenAI&rsquo;s model is also capable of delivering candidate patches, it&rsquo;s still not possible to deploy every critical patch quickly enough to prevent exploitation. &nbsp;</p>

<p><strong>Chris Boehm: </strong>These are two frontier models that are so cutting edge, they&#39;re keeping them contained behind a wall. And one of the prime examples Anthropic brought up was finding 300+ vulnerabilities on Firefox in a very short period of time. The concern is: how do I stay on top of patch management and operations when this is happening?&nbsp;</p>

<p>Frontier AI models didn&#39;t invent new attack techniques; <a href="https://zeronetworks.com/resource-center/topics/lateral-movement-innovations-prevention-techniques">lateral movement</a>, credential abuse, and <a href="https://zeronetworks.com/blog/stopping-privilege-escalation-how-to-neutralize-stolen-credential-threats">privilege escalation</a> are well-known tactics. What has changed is the speed at which those techniques can now be applied against vulnerabilities that already exist in the environment &ndash; and the scale at which a capable attacker can identify them. &nbsp;</p>

<p><a href="https://www.gartner.com/en/documents/7772953">Gartner noted after Mythos launched that</a> <em>"CIOs must tell their boards they will have to recalibrate their risk appetite for vulnerabilities because f<strong>aster patch cycles won&#39;t be enough</strong>."</em> Boards heard that message before most security teams had formed a response to it, leaving CISOs to face an evolving set of questions.&nbsp;</p>

<h3>AI Security Questions: What Are Boards Asking CISOs? &nbsp;</h3>

<p>As models like Mythos and Daybreak continue to dominate headlines, board-level questions for security leaders are increasingly focused on AI-era business resilience.&nbsp;</p>

<p><strong>Albert Estevez:</strong> The most common question I get when I visit customers is: as a company, how do we stop this type of attack inside our network? How will Mythos impact our infrastructure? And then there&#39;s the unbudgeted board mandate &ndash; go secure us against Mythos.&nbsp;</p>

<p><strong>Chris Boehm:</strong> If AI can find vulnerabilities in our environment at warp speed, how do we protect ourselves? And can you prove our investment is actually reducing the risk? Those are the questions security teams don&#39;t always have a crisp answer for.&nbsp;</p>

<p>Security leaders that come back to the board with a patch acceleration plan are going to have a harder conversation than those who can explain why speed is no longer the variable that matters.&nbsp;</p>

<h2>Why Patching Faster Won&rsquo;t Solve AI Threats &nbsp;</h2>

<p>According to the <a href="https://www.verizon.com/business/resources/T766/reports/2026-dbir-data-breach-investigations-report.pdf">2026 Verizon Data Breach Investigations Report</a>, only 26% of critical vulnerabilities were fully remediated by organizations in 2025, and the median time for full resolution increased by nearly two weeks year-over-year. &nbsp;</p>

<p>In other words, even before AI-enabled vulnerability discovery and exploitation burst onto the threat landscape, security teams have been struggling to keep up with patching. Frontier models have made traditional patching workflows an untenable solution. &nbsp;</p>

<p><strong>Albert Estevez:</strong> We cannot patch Mythos or Daybreak away. Discovery is infinite now. We can find thousands or even millions of new vulnerabilities every day. And the patching time we have is finite &ndash; it&#39;s impossible to digest all those patches, validate that a new patch isn&#39;t generating a business impact, and move fast enough. Even with prioritization, it will always be late. Because the time AI needs to generate an exploit will always be faster than the time you need to prioritize, test, and apply the patch.&nbsp;</p>

<p>So, organizations now face an impossible tradeoff: patch immediately and manage updates that contain thousands of fixes at a time, or wait and prioritize while accepting risk exposure. In either case, operational continuity is at risk. &nbsp;</p>

<p>OT and legacy systems can&#39;t always be patched on short notice without planning significant change windows that risk production impact. But leaving vulnerabilities uncovered is just as risky. Attackers can <a href="https://www.crowdstrike.com/en-us/global-threat-report/">begin moving laterally in as little as 27 seconds</a>, yet the mean time to <a href="https://www.ibm.com/downloads/documents/us-en/131cf87b20b31c91">identify a breach via vulnerability exploitation is 180 days</a>. As AI accelerates exploit generation, that gap will only grow wider. &nbsp;</p>

<p><strong>Chris Boehm: </strong>Even if you have 90% detection, 90% analyst accuracy, 24/7 coverage, and fast response times &ndash; when you multiply all those numbers together, you still have a compounding failure rate. We&#39;re not blocking, we&#39;re not preventing. We&#39;re allowing attacks to go through even though we have most of what&#39;s necessary. The standard stack isn&#39;t enough anymore.&nbsp;</p>

<p>There is no version of &ldquo;respond faster&rdquo; that gives defenders a reliable advantage over AI-enabled attackers. Instead, security teams need an <a href="https://zeronetworks.com/blog/how-to-build-cyber-resilience-via-automated-containment-an-architectural-framework">architecture designed for containment</a> to make speed irrelevant.&nbsp;</p>

<p><a href="https://zeronetworks.com/resource-center/guides/resilient-by-design-architecting-security-that-keeps-operations-running"><img alt="" src="https://zeronetworks.com/images/uploads/blog/Cyber_Resilience_Guide_Download_%281%29.png" /></a></p>

<h2>Real-Time Threat Containment: Proactive Network Security &nbsp;&nbsp;</h2>

<p>Lateral movement is how attackers escalate a minor foothold into a business-disrupting breach &ndash; whether they get in via vulnerability exploitation, credential abuse, or any other initial access vector. The key to making an attacker&rsquo;s speed irrelevant is <a href="https://zeronetworks.com/blog/what-is-cyber-resilience-how-to-protect-business-continuity">building lateral movement prevention into the network architecture</a>. &nbsp;</p>

<p><strong>Albert Estevez:</strong> We need to make the speed of detection and remediation totally irrelevant. How? By building an infrastructure that prevents lateral movement by design. If everything is locked down, it doesn&#39;t matter how fast you discover new vulnerabilities or how fast you need to patch them &ndash; your system will not allow any new connection that isn&#39;t already allowed. Stop running. Contain first.&nbsp;</p>

<p>With this approach, attacker&#39;s speed advantage doesn&#39;t translate into business impact because there&#39;s nowhere to move in the first place. In a network where lateral movement is blocked by default and privileged ports are closed to all but explicitly authorized identities, a single compromised asset gives attackers very little access. &nbsp;</p>

<p><strong>Chris Boehm:</strong> If you actually contain and isolate appropriately, a hundred vulnerabilities discovered today wouldn&#39;t matter. You can go through your standard patch channels, do your testing and validation on your timeline, not theirs. You don&#39;t have to be in fear of a thousand patches dropping tomorrow.&nbsp;</p>

<p>This same principle applies to the second distinct AI challenge organizations are navigating alongside attack acceleration: vulnerabilities created by AI already running inside the network. Employees are using unsanctioned tools, <a href="https://zeronetworks.com/blog/agentic-ai-cybersecurity-risks-how-to-secure-ai-agents">agents are operating with permissions nobody explicitly scoped</a>, and every new connection represents a path attackers can exploit if it isn&#39;t governed.&nbsp;</p>

<p><strong>Albert Estevez: </strong><a href="https://zeronetworks.com/blog/securing-shadow-ai-how-to-detect-and-govern-unsanctioned-ai-tools">Shadow AI expands the attack surface</a>. You need to govern those tools. Don&#39;t let users start using AI tools you haven&#39;t provided &ndash; you can&#39;t stop the adoption, but you can control what&#39;s sanctioned and what reaches what. Every agent needs an identity, scoped access, and defined communication paths. If you allow your AI agent to write to your database, the first question you should be asking is why.&nbsp;</p>

<h2>How to Measure AI Security: Metrics That Matter for Resilience &nbsp;</h2>

<p>Security teams have spent years reporting on alert volume, mean time to detect, and mean time to respond. In the context of AI-accelerated attacks, Estevez and Boehm argue those metrics are measuring the wrong thing.&nbsp;</p>

<p><strong>Albert Estevez:</strong> A year ago, customers were all talking about mean time to detect, mean time to respond. I would say &lsquo;okay, mean time to be hacked. What is that time?&rsquo; Changing the mindset to contain first means asking: can my business keep running while I&#39;m receiving an attack? The CEO and CIO don&#39;t care how long it took to identify something if they&#39;re already in the news.&nbsp;</p>

<p>The <a href="https://zeronetworks.com/blog/how-to-measure-cyber-resilience-zero-trust-roi">metrics that map to board-level concerns</a> include <a href="https://zeronetworks.com/blog/one-compromised-system-and-boom-meet-your-blast-radius">blast radius</a>, mean time to contain, lateral movement scope, and uptime during cyber incidents. &nbsp;</p>

<p><strong>Chris Boehm: </strong>What if you don&#39;t have to respond because it&#39;s already been contained and isolated? That&#39;s what we&#39;re measuring now &ndash; mean time to containment, blast radius reduction, lateral movement scope, and whether I can prove my uptime stays intact during an incident. That&#39;s the shift from &#39;we saw a lot of alerts&#39; to &#39;here&#39;s proof our architecture is working.&#39;&nbsp;</p>

<p>Zero Networks&#39; <a href="https://zeronetworks.com/resource-center/breach-map">Breach Map</a> makes this visible in a way that resonates at the board level. A CISO can click on any user or device and see what that identity has access to with and without Zero Networks applied. A user with broad privileges might have access to dozens of workloads in an uncontrolled environment. With comprehensive microsegmentation, that scope narrows to only what they actively need and use, often by 90% or more.&nbsp;</p>

<p><strong>Chris Boehm: </strong>The beautiful paradox of <a href="https://zeronetworks.com/blog/what-is-microsegmentation-our-definitive-guide">microsegmentation</a> is that when it&#39;s working well, you don&#39;t even notice it. So, we created a way for customers to actually see what it&#39;s doing &ndash; what their blast radius looks like with and without containment in place. Customers were asking: can you prove the difference of what you&#39;re doing? That&#39;s the answer.&nbsp;</p>

<h2>Building a Containment Architecture: Best Practices for Protecting Networks Against AI&nbsp;</h2>

<p>To minimize risk exposure in the AI era, security teams should focus on three key priorities: <a href="https://zeronetworks.com/blog/the-4-protocols-driving-enterprise-risk-in-2026">dynamically closing privileged ports</a>, implementing <a href="https://zeronetworks.com/platform">identity-aware microsegmentation</a>, and <a href="https://zeronetworks.com/blog/agentic-ai-cybersecurity-risks-how-to-secure-ai-agents">governing AI agents</a> with identity-based policies. &nbsp;</p>

<p>Over <a href="https://zeronetworks.com/blog/one-compromised-system-and-boom-meet-your-blast-radius">70% of enterprise risk activity</a> flows through admin protocols like RDP, SMB, WinRM, and RPC. By closing those lateral movement pathways with <a href="https://zeronetworks.com/blog/mfa-is-our-dna-zero-networks-multi-factor-segmentation">network-layer MFA</a>, security teams ensure that administrators with an explicit business need can still get access &ndash; but only after identity verification, and only for a limited time. &nbsp;</p>

<p><strong>Albert Estevez: </strong>Imagine that in no time &ndash; one single click &ndash; you close access to those ports that don&#39;t need to be open 24/7. Now the vulnerabilities associated with those ports are blocked. Nobody can access them, exploit them, or bring credentials and try to use them, because those ports are closed behind a policy on the local server. You cannot exploit what is closed.&nbsp;</p>

<p>Identity-based segmentation delivers the architectural controls to prevent unauthorized lateral movement. By leveraging <a href="https://zeronetworks.com/blog/6-processes-to-automate-when-implementing-microsegmentation">deterministic, human-on-the-loop automation</a> to create policies based on observed network behavior, organizations ensure granular segmentation won&rsquo;t disrupt legitimate traffic, but it will break the attack chain. &nbsp;</p>

<p><strong>Albert Estevez:</strong> After you are segmented, an application can only communicate with these specific assets through these specific ports. There are no other endpoints available. You cannot scan the infrastructure to find vulnerabilities because everything is closed. Contained by default &ndash; you cannot discover or communicate with other parts of the network unless a policy explicitly allows it.&nbsp;</p>

<p><a href="https://zeronetworks.com/platform/ai-capabilities">Governing AI agents with the same identity-based, least-privilege controls</a> that apply to human users ensures they can only reach what they explicitly need to reach, through the ports they&#39;re permitted to use. If an agent deviates from its approved communication baseline, the connection is blocked, drastically shrinking the agentic attack surface. &nbsp;</p>

<p>These strategies give security leaders a clear, provable answer to questions about Mythos, Daybreak, and any other frontier AI models that may come next. In a network architected for containment, it doesn&rsquo;t matter how many vulnerabilities are discovered &ndash; attackers still have nowhere to go. &nbsp;</p>

<h3>Network Security for the AI Era: Strengthening Cyber Resilience with Zero Networks &nbsp;</h3>

<p>Mythos and Daybreak have set a new capability baseline. The organizations that remain resilient in this evolving threat landscape will be the ones that respond with something more durable than an accelerated patching plan: lateral movement is blocked by default, and we can show exactly how far any attacker could go.&nbsp;</p>

<p><a href="https://zeronetworks.com/resource-center/breach-map"><img alt="" src="https://zeronetworks.com/images/uploads/blog/Breach_Map_Download_%281%29.png" /></a></p>

<p>Zero Networks&rsquo; <a href="https://zeronetworks.com/platform">automated, identity-based microsegmentation</a> stops lateral movement and contains any attack &ndash; human or AI &ndash; to keep the business running. With Zero, security teams get complete AI visibility, deterministic control, and built-in containment to neutralize the risk of machine-speed vulnerability discovery and exploitation. &nbsp;</p>

<p>To see how Zero Networks gives defenders the advantage in an era defined by Mythos and Daybreak, <a href="https://zeronetworks.com/request-demo">request a demo</a>. &nbsp;</p>]]></content:encoded>
        </item>
      
        <item>
          <title>10 Common Lateral Movement Techniques and How to Stop Them</title>
          <link>https://zeronetworks.com/blog/10-common-lateral-movement-techniques-how-to-stop-them</link>
          <dc:creator><![CDATA[Mikella Marley]]></dc:creator>
          <pubDate>Thu, 18 Jun 2026 15:44:00 +0000</pubDate>
          <dc:date>Thu, 18 Jun 2026 15:44:00 +0000</dc:date>
          <category><![CDATA[Ransomware &amp; Lateral Movement Protection]]></category>
          <dc:subject><![CDATA[Ransomware &amp; Lateral Movement Protection]]></dc:subject>
          <guid isPermaLink="false">https://zeronetworks.com/blog/10-common-lateral-movement-techniques-how-to-stop-them#When:688</guid>
          <description><![CDATA[When an attacker gains initial access to your network, the breach is only the beginning. To reach sensitive systems and data, hackers rely on&#8239;lateral movement&#8239;to venture deeper into your network, escalate privileges, and expand the attack surface. &#8239;Zero Networks&rsquo; analysis of 54 trillion activities across 300+ enterprise environments revealed that 80% of enterprise servers are reachable from anywhere inside the network, making it easy for attackers to pivot to critical&#8230;]]></description>
          <content:encoded><![CDATA[<p>When an attacker gains initial access to your network, the breach is only the beginning. To reach sensitive systems and data, hackers rely on&#8239;<a href="https://zeronetworks.com/resource-center/topics/lateral-movement-innovations-prevention-techniques">lateral movement</a>&#8239;to venture deeper into your network, escalate privileges, and expand the attack surface. &#8239;Zero Networks&rsquo; <a href="https://zeronetworks.com/resource-center/reports/2026-lateral-movement-exposure-report">analysis of 54 trillion activities across 300+ enterprise environments</a> revealed that 80% of enterprise servers are reachable from anywhere inside the network, making it easy for attackers to pivot to critical systems after gaining a foothold. &nbsp;</p>

<p>If you&#8239;<a href="https://zeronetworks.com/blog/how-to-prevent-lateral-movement-cybersecurity-risks-strategies">prevent lateral movement</a> structurally, breaches are automatically contained by the network architecture, ensuring critical operations continue running through cyber incidents. We&rsquo;ll explore some of the most common lateral movement techniques and offer tips to block attack paths in real time. &#8239;&nbsp;</p>

<h2>What Are Lateral Movement Techniques?&nbsp;</h2>

<p>Lateral movement techniques are the methods cyber attackers use to move through a network after gaining initial access. These tactics help them: &nbsp;</p>

<ul>
	<li>Deploy persistence mechanisms to maintain access &nbsp;</li>
	<li>Escalate privileges&nbsp;</li>
	<li>Discover new systems and credentials &nbsp;</li>
	<li>Reach high-value targets (like <a href="https://zeronetworks.com/use-cases/enhance-domain-controller-security">domain controllers</a> or sensitive databases) &nbsp;&nbsp;</li>
</ul>

<p>Lateral movement is so pervasive that the <a href="https://attack.mitre.org/tactics/TA0008/">MITRE ATT&amp;CK framework</a> classifies it as one of the core tactics used in modern cyberattacks. While a hacker may gain access to the network from phishing or compromised credentials, lateral movement techniques are how an initial breach&nbsp;cascades into an enterprise-wide crisis.</p>

<h2>Common Lateral Movement Techniques&nbsp;</h2>

<p>Though cyber threats are constantly evolving, many common lateral movement <a href="https://zeronetworks.com/blog/nsa-and-cisa-top10-cybersec-misconfigs-solved">techniques</a> fall into broad categories like: &nbsp;</p>

<ul>
	<li><strong>Session hijacking</strong>: Attackers take control of existing sessions with remote services &nbsp;</li>
	<li><strong>Remote services</strong>: Using valid accounts, attackers log into services that accept remote connections and perform actions as the logged-on user&nbsp;</li>
	<li><strong>Alternate authentication</strong>: Attackers bypass normal controls through the use of materials like password hashes, access tokens, and Kerberos tickets &nbsp;</li>
</ul>

<p>Other lateral movement techniques fall outside of these groups but can prove equally destructive. And in fact, attackers rarely rely on a single technique; instead, they often string tactics together to stay undetected and maintain momentum. &nbsp;</p>

<p><a href="https://zeronetworks.com/resource-center/reports/2026-lateral-movement-exposure-report"><img alt="" src="https://zeronetworks.com/images/uploads/blog/LMER_Download_CTA_%281%29.png" /></a></p>

<h3>Living off the Land (LotL)&nbsp;</h3>

<p>Instead of deploying external tools, attackers use built-in utilities like PowerShell, PsExec, or Windows Management Instrumentation (WMI) to move laterally with <a href="https://zeronetworks.com/blog/how-to-prevent-malware-free-attacks-living-off-the-land-protection-strategies">LotL attacks</a>. Because these tools are part of the operating system, their use blends in with regular network traffic, making this tactic especially challenging to detect.</p>

<p>In fact, in a <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-326a">Red Team Assessment Report</a>, CISA concluded that <a href="https://zeronetworks.com/resource-center/webinars/why-edr-isnt-enough">heavy EDR reliance creates insufficient protection</a> to stop all living-off-the-land attacks. With malware-free attacks now comprising <a href="https://www.crowdstrike.com/en-us/global-threat-report/">82% of cyber incidents</a>, proactively blocking lateral movement rather than relying on alerts is more important than ever. &nbsp;</p>

<h3>AI-Driven Lateral Movement (AILM)&nbsp;</h3>

<p><a href="https://zeronetworks.com/blog/what-is-ai-driven-lateral-movement-ailm">AI-driven lateral movement or AI lateral movement (AILM)</a> is a tactic where adversaries use AI to accelerate the attack chain &ndash; achieving impossibly fast breakout times as a result &ndash; or weaponize overprivileged AI agents&rsquo; legitimate connections to pivot between systems. &nbsp;&nbsp;</p>

<p>In other words, AILM encompasses two distinct vectors: AI-accelerated lateral movement, where attackers use AI to expedite established lateral movement techniques, and agent-induced lateral movement, where attackers <a href="https://zeronetworks.com/blog/agentic-ai-cybersecurity-risks-how-to-secure-ai-agents">exploit AI agents&rsquo; legitimate connections</a> as a new attack surface. &nbsp;</p>

<h3>Compromised Credentials&nbsp;</h3>

<p>Simple or reused passwords make it easy for hackers to guess, brute-force, or reuse credentials across multiple systems; <a href="https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report">80% of attacks leverage stolen credentials</a> at some stage. Once they access one asset, attackers often use those same credentials to pivot to others. &#8239;&nbsp;</p>

<p>Compromised credentials are particularly risky in this era of excessive privileged access and machine identity sprawl. <a href="https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report">Ninety-nine percent of users, roles, and services</a> hold excessive standing permissions, often unused for 60+ days. Meanwhile, machine and service identities &ndash; which are notoriously over-permissioned and under-monitored &ndash; <a href="https://www.paloaltonetworks.com/idira/identity-security-landscape-report">outnumber human identities 109:1</a>, a trend that&rsquo;s only accelerating amid a massive influx of <a href="https://zeronetworks.com/blog/agentic-ai-cybersecurity-risks-how-to-secure-ai-agents">AI agents in enterprise environments</a>. &nbsp;</p>

<h3>Pass-the-Hash (PtH) Attacks and&nbsp;Pass-the-Ticket (PtT) Attacks &nbsp;</h3>

<p>In a PtH attack, adversaries use a hashed version of a password to authenticate without decrypting it. This technique is especially effective in environments that use NTLM;&nbsp;according to <a href="https://zeronetworks.com/resource-center/reports/2026-lateral-movement-exposure-report">Zero Networks&rsquo; Lateral Movement Exposure Report</a>, 43% of internal authentication still relies on NTLM.</p>

<p>PtT attacks use stolen Kerberos tickets to impersonate users and access systems without needing passwords, enabling access to sensitive internal services. In a Golden Ticket attack, the ticket granting ticket (TGT) is stolen, allowing attackers to impersonate any user; Silver Ticket attacks steal service tickets, which enable more limited authentication.&nbsp;</p>

<h3>Internal Spear Phishing &nbsp;</h3>

<p>After gaining access to an account, attackers send convincing phishing emails from within the organization to carry out this lateral movement technique. This tactic is more likely to succeed due to the internal sender and known context.&nbsp;</p>

<h3>Kerberoasting&nbsp;</h3>

<p>This technique involves requesting service tickets for accounts with access to a particular service and attempting to crack them offline. Service accounts with weak passwords are frequent targets, especially when they hold administrative privileges. Kerberoasting is stealthier than a PtT attack since it doesn&rsquo;t generate unusual network activity. &nbsp;</p>

<h3>Credential Dumping &nbsp;</h3>

<p>Credential dumping extracts usernames, password hashes, or plaintext credentials from memory, local files, or the registry. The credentials are then used in other lateral movement techniques, such as PtH attacks, PtT attacks, or RDP login attempts.&nbsp;</p>

<h3>Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM)&nbsp;</h3>

<p>Two examples of <a href="https://attack.mitre.org/techniques/T1021/">remote services exploitation</a>, RDP and <a href="https://zeronetworks.com/blog/the-4-protocols-driving-enterprise-risk-in-2026">WinRM attacks</a> use stolen credentials to remotely access systems and perform actions as the logged-on user. Zero Networks&rsquo; <a href="https://zeronetworks.com/resource-center/reports/2026-lateral-movement-exposure-report">2026 Lateral Movement Exposure Report</a> found that 87% of monitored servers accept internal RDP or SSH traffic; without strong controls like MFA, this movement can remain undetected for long periods. &nbsp;</p>

<h3>Server Message Block (SMB) &nbsp;</h3>

<p>Another technique involving remote services, this method allows attackers to interact with a remote network share by logging in with stolen credentials.&nbsp;Over <a href="https://zeronetworks.com/resource-center/reports/2026-lateral-movement-exposure-report">75% of servers are reachable over SMB and WinRM</a>, and since the SMB protocol is primarily used to access files, printers, and serial ports, it&rsquo;s an easy way for attackers to move laterally through a network. In fact, <a href="https://zeronetworks.com/blog/one-compromised-system-and-boom-meet-your-blast-radius">more than 70% of enterprise threat activity</a> flows through just four privileged management protocols: SMB, WinRM, RDP, and RPC.&nbsp;</p>

<h3>SSH Hijacking&nbsp;</h3>

<p>Attackers can hijack active SSH sessions to gain the same access held by the original user and remotely execute commands on a system. Because it leverages a legitimate user&rsquo;s existing SSH session to move laterally, this technique often allows adversaries to go undetected. &nbsp;</p>

<h2>Lateral Movement Protection: Why Detection-only Strategies Fall Short &nbsp;</h2>

<p>Many organizations rely on tools like endpoint detection and response (EDR) systems or security information and event management (SIEM) platforms to detect lateral movement. While detection is important, it&rsquo;s an <a href="https://zeronetworks.com/blog/edr-security-gaps-why-instant-breach-containment-beats-detection">incomplete strategy for preventing unauthorized lateral movement</a> and protecting business continuity. &nbsp;&nbsp;</p>

<p>Once attackers are inside a network and moving laterally, the window to contain them narrows quickly &ndash; detection often takes too long to prevent damage. Attackers can <a href="https://www.crowdstrike.com/en-us/global-threat-report/">begin moving laterally in as little as 27 seconds</a>, and with so many lateral movement techniques involving native tools or valid accounts, malicious behavior can be hard to distinguish from legitimate activity. Because of this, there&rsquo;s a massive gap between machine-speed lateral movement and the <a href="https://www.ibm.com/downloads/documents/us-en/131cf87b20b31c91">241 days it typically takes to identify and contain a breach</a>. &nbsp;</p>

<p>Instead of relying solely on detection, organizations must also find ways to prevent lateral movement entirely, proactively strengthening cyber resilience so security teams can shift to containing threats rather than chasing them. &nbsp;</p>

<h2>How to Block Lateral Movement Techniques in Real Time &nbsp;</h2>

<p>Patching entry points won&rsquo;t effectively <a href="https://zeronetworks.com/blog/how-to-prevent-lateral-movement-cybersecurity-risks-strategies">prevent lateral movement</a>; to block attackers&rsquo; favorite techniques, organizations have to eliminate the internal pathways attackers rely on. The most effective strategies combine <a href="https://zeronetworks.com/blog/network-segmentation-all-you-need-to-know">network segmentation</a>, identity controls, and real-time access enforcement.&nbsp;</p>

<p>Key approaches to eliminate lateral movement span: &nbsp;</p>

<ul>
	<li><a href="https://zeronetworks.com/blog/what-is-microsegmentation-our-definitive-guide"><strong>Microsegmentation</strong></a>: Enforce <a href="https://zeronetworks.com/blog/a-practical-guide-to-least-privilege-access-zero-trust-security-in-action">least-privilege access</a> to limit communication between systems to what&rsquo;s explicitly allowed, isolating every asset to leave hackers stranded. &nbsp;&nbsp;</li>
	<li><strong>Multi-factor authentication</strong>: <a href="https://zeronetworks.com/blog/mfa-is-our-dna-zero-networks-multi-factor-segmentation">Apply MFA to privileged ports</a> and services inside the network, making lateral movement techniques that rely on stolen credentials ineffective.&nbsp;&nbsp;</li>
	<li><a href="https://zeronetworks.com/platform/identity-segmentation"><strong>Identity-based access controls</strong></a>: Grant access based on verified identity and purpose, not just IP address or location.&nbsp;</li>
	<li><strong>Automate policy management</strong>: Leverage automation-enabled solutions to dynamically generate rules based on observed behavior and continually update policies as the environment evolves. &nbsp;&nbsp;</li>
</ul>

<p>Even if attackers manage to breach the network, measures like these cut off their pathways and ensure cyber incidents stay isolated.&nbsp;</p>

<h3>Stop Lateral Movement Before It Starts with Zero Networks &nbsp;</h3>

<p>Zero Networks turns lateral movement pathways into dead ends with <a href="https://zeronetworks.com/platform">automated, identity-based microsegmentation</a>. By orchestrating native firewalls to secure every asset, applying just-in-time MFA at the network layer, and automatically enforcing adaptive policies that evolve alongside your network, Zero ends privilege escalation and maintains dynamic granular controls. &#8239;&nbsp;</p>

<p>Protect your network from today&rsquo;s most common lateral movement techniques while future-proofing your security strategy against new threats &ndash;&#8239;<a href="https://zeronetworks.com/request-demo">request a demo</a> to learn how. &nbsp;</p>]]></content:encoded>
        </item>
      
        <item>
          <title>How to Prevent Lateral Movement: Cybersecurity Risks and Strategies</title>
          <link>https://zeronetworks.com/blog/how-to-prevent-lateral-movement-cybersecurity-risks-strategies</link>
          <dc:creator><![CDATA[Mikella Marley]]></dc:creator>
          <pubDate>Wed, 17 Jun 2026 19:52:00 +0000</pubDate>
          <dc:date>Wed, 17 Jun 2026 19:52:00 +0000</dc:date>
          <category><![CDATA[Ransomware &amp; Lateral Movement Protection]]></category>
          <dc:subject><![CDATA[Ransomware &amp; Lateral Movement Protection]]></dc:subject>
          <guid isPermaLink="false">https://zeronetworks.com/blog/how-to-prevent-lateral-movement-cybersecurity-risks-strategies#When:684</guid>
          <description><![CDATA[Lateral movement is how attackers escalate minor footholds into major breaches &ndash; and few networks are designed to prevent it. A single compromised system exposes 85% of the network within one hop, and attackers can begin moving laterally in as little as 27 seconds. &nbsp; Cybersecurity teams know that preventing lateral movement is key to stopping minor cyber incidents before they escalate into enterprise-wide disruption, but applying controls&#8239;robust enough&#8239;to&#8239;effectively&#8230;]]></description>
          <content:encoded><![CDATA[<p>Lateral movement is how attackers escalate minor footholds into major breaches &ndash; and few networks are designed to prevent it. A single compromised system exposes <a href="https://zeronetworks.com/blog/one-compromised-system-and-boom-meet-your-blast-radius">85% of the network within one hop</a>, and attackers can <a href="https://www.crowdstrike.com/en-us/global-threat-report/">begin moving laterally in as little as 27 seconds</a>. &nbsp;</p>

<p>Cybersecurity teams know that preventing lateral movement is key to stopping minor cyber incidents before they escalate into enterprise-wide disruption, but applying controls&#8239;robust enough&#8239;to&#8239;effectively halt attackers&#8239;has historically been considered too complex and disruptive.&#8239;&#8239;&#8239;&nbsp;</p>

<p>To clarify the destructive <a href="https://zeronetworks.com/resource-center/topics/network-security-fundamentals-what-it-is-why-it-matters">network security</a>&#8239;risks&#8239;lateral movement poses &ndash; and how to prevent them entirely &ndash;&#8239;we&rsquo;ll&#8239;explore&#8239;the underlying vulnerabilities that enable lateral movement, how attackers exploit them, the growing threat of AI-driven lateral movement (AILM), and practical strategies to proactively lock down lateral movement. &nbsp;</p>

<h2>What Is Lateral Movement? Definition, Causes, and Examples</h2>

<p><a href="https://zeronetworks.com/resource-center/topics/lateral-movement-innovations-prevention-techniques">Lateral movement in cybersecurity</a> is the tactic attackers use to move &ldquo;sideways&rdquo; (East-West) across the network after gaining initial access, often in search of sensitive data and assets. In other words, lateral movement is how attackers turn a small foothold with minimal access into a widespread security breach impacting business-critical systems. In fact, lateral movement is so pervasive that the <a href="https://attack.mitre.org/tactics/TA0008/">MITRE ATT&amp;CK framework</a> classifies it as one of the core tactics used in modern cyberattacks. &nbsp;</p>

<table border="1" cellpadding="1" cellspacing="1">
	<thead>
		<tr>
			<th scope="col">Attack Phases</th>
			<th scope="col">What Happens</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<th scope="row">Preparation</th>
			<td>Rocennaissance and resource development. Happens outside the victim&#39;s network; there is little a defender can do at this stage.</td>
		</tr>
		<tr>
			<th scope="row">Infiltration</th>
			<td>First attacker access to the victim environment. Under "assume breach," defenders should plan as if this stage has already succeeded.&nbsp;</td>
		</tr>
		<tr>
			<th scope="row">Host Taking</th>
			<td>Activity on a compromised workload: execution, persistence, defense evasion, privilege escalation. Mitigated primarily by EDR and EPP.&nbsp;</td>
		</tr>
		<tr>
			<th scope="row">Lateral Movement</th>
			<td>Command-and-control, discovery, collection, credential access and movement betweek workloads</td>
		</tr>
		<tr>
			<th scope="row">Damage</th>
			<td>Exfiltration and impact. By this stage, the organization is in damage control, not mitigation&nbsp;</td>
		</tr>
	</tbody>
</table>

<h3>From Compromise to Privilege Escalations: What Causes Lateral Movement?</h3>

<p>Lateral movement&#8239;starts with&#8239;an&#8239;initial&#8239;compromise;&#8239;today, the most <a href="https://www.verizon.com/business/resources/T766/reports/2026-dbir-data-breach-investigations-report.pdf">common initial access vectors</a> are vulnerability exploitation, phishing, and credential abuse. With that&#8239;first foothold, attackers can move laterally through the network when controls&#8239;aren&rsquo;t&#8239;sufficient to stop privilege escalation. &nbsp;</p>

<p>According to <a href="https://zeronetworks.com/resource-center/reports/2026-lateral-movement-exposure-report">Zero Networks&rsquo; analysis of 5.4 trillion activities across 312 enterprise environments</a>, the top 10 risks that enable lateral movement are: &nbsp;</p>

<ol>
	<li>Broad Internal Admin Protocol Exposure&nbsp;</li>
	<li>Excessive Internal Reachability&nbsp;</li>
	<li>Excessive Privileged Access&nbsp;</li>
	<li>Overprivileged Service Accounts&nbsp;</li>
	<li>Legacy Authentication Paths&nbsp;</li>
	<li>Exposed Control Plane Infrastructure&nbsp;</li>
	<li>Internal Vulnerability Pivoting&nbsp;</li>
	<li>Lack of East-West Visibility&nbsp;</li>
	<li>Single Endpoint to Critical Asset Reachability&nbsp;</li>
	<li>Poor Containment Readiness&nbsp;</li>
</ol>

<p>These risks represent the structural exposures most responsible for converting a single compromise into enterprise-wide impact.&nbsp;</p>

<p><a href="https://zeronetworks.com/resource-center/reports/2026-lateral-movement-exposure-report"><img alt="" src="https://zeronetworks.com/images/uploads/blog/LMER_Download_CTA_%281%29.png" /></a></p>

<h3>Lateral Movement Examples: Notable Incidents</h3>

<p>High-profile breaches often use lateral movement to expand <a href="https://zeronetworks.com/blog/what-is-blast-radius-in-cybersecurity-best-practices-for-breach-containment">blast radius</a> and access critical assets; notable examples include:</p>

<ul>
	<li><a href="https://zeronetworks.com/blog/cyber-defense-mitre-hack"><strong>MITRE/Ivanti breach</strong></a>: In January 2024, MITRE&rsquo;s network was compromised through two zero-day vulnerabilities in Ivanti VPN solutions. The attackers moved laterally through the network by leveraging a compromised admin account, establishing persistent access and harvesting credentials. This breach highlighted the importance of prevention in network security strategies, rather than overreliance on detection and response.</li>
	<li><a href="https://www.cybersecuritydive.com/news/change-healthcare-compromised-credentials-no-mfa/714792/"><strong>Change Healthcare ransomware attack</strong></a>: Shortly after the MITRE/Ivanti breach, Change Healthcare was targeted by the ALPHV/Blackcat ransomware group, resulting in the exfiltration of 4TB of data. The attackers infiltrated the network by exploiting compromised credentials; after that, they deployed ransomware and demanded a hefty ransom.</li>
	<li><a href="https://www.lexology.com/library/detail.aspx?g=b03e982d-1faa-4af9-bb95-4569bc65dd3e"><strong>AT&amp;T breach</strong></a>: In 2024, AT&amp;T confirmed that a threat actor had gained unauthorized access to internal systems by using stolen credentials associated with a third-party vendor. Once inside, the attacker moved laterally to access and exfiltrate customer data, including passcodes and Social Security numbers. The breach underscored a critical gap: MFA was not in place for the compromised entry point. With <a href="https://zeronetworks.com/blog/mfa-is-our-dna-zero-networks-multi-factor-segmentation">network-layer MFA</a> and strict privilege enforcement, the attacker&rsquo;s access could have been blocked before any data was exposed.</li>
</ul>

<h2>What Types of Cyberattacks Use Lateral Movement?</h2>

<p>Many attacks rely on lateral movement to maximize their scope and achieve a specific goal. Some attack types that commonly involve lateral movement are:</p>

<ul>
	<li><strong>Ransomware</strong>: To demand the highest possible payout, <a href="https://zeronetworks.com/blog/what-is-ransomware">ransomware</a> aims to infect and encrypt as many systems as possible. Lateral movement enables ransomware to spread rapidly across the network, reaching critical assets and increasing pressure to pay.</li>
	<li><strong>Data Exfiltration</strong>: Once inside the network, attackers move laterally to locate sensitive data like personal records, IP, or financial information before transferring it outside the network for ransom, sale, or public exposure.</li>
	<li><strong>Botnet Infection</strong>: Lateral movement helps attackers quietly add devices to a robotic network (botnet), growing their control before launching larger-scale operations like distributed denial-of-service (DDoS) attacks.</li>
</ul>

<p>Critically, lateral movement isn&rsquo;t just a supporting tactic, it&rsquo;s the key mechanism for turning small compromises into large-scale incidents. &nbsp;</p>

<h2>Why Does Lateral Movement (Still) Happen?</h2>

<p>Lateral movement&#8239;isn&rsquo;t&#8239;a new concept,&#8239;yet it&#8239;remains&#8239;a tried-and-true technique in cyberattacks. Why? It&#8239;essentially comes&#8239;down&#8239;to&#8239;complexity&#8239;&ndash;&#8239;both&#8239;of&#8239;modern environments and&#8239;the solutions designed to secure them.&#8239;&#8239;&nbsp;</p>

<p>Still, security leaders working in sectors that mandate robust security postures&#8239;can&rsquo;t&#8239;afford to leave lateral movement unchecked.&#8239;As&#8239;<a href="https://zeronetworks.com/resource-center/videos/risky-business-interview-aaron-steinke-of-la-trobe-financial-talks-about-zero-networks">Aaron Steinke, Head of Infrastructure at La Trobe Financial put it</a>,&#8239;&ldquo;We&rsquo;re a financial institution, we are very paranoid,&#8239;that&rsquo;s&#8239;the nature of working in finance.&#8239;<strong>Getting control over lateral movement in our network is&#8239;really essential, and&#8239;it&rsquo;s&#8239;a hard thing&#8239;to do</strong>.&rdquo;&#8239;&#8239;&nbsp;</p>

<p>Between hybrid system sprawl, vulnerable privileged accounts, and traditional segmentation solutions too complex to deploy at&#8239;scale,&#8239;lateral movement&#8239;remains&#8239;a pressing cybersecurity risk &ndash; one that&rsquo;s only growing more urgent in the AI era. &nbsp;</p>

<h4><small>The Growing Threat of AI-Driven Lateral Movement (AILM)&nbsp;</small></h4>

<p><a href="https://zeronetworks.com/blog/what-is-ai-driven-lateral-movement-ailm">AI-driven lateral movement</a> or AI lateral movement (AILM) is a tactic where adversaries use AI to accelerate the attack chain &ndash; achieving impossibly fast breakout times as a result &ndash; or weaponize overprivileged AI agents&rsquo; legitimate connections to pivot between systems. &nbsp;&nbsp;</p>

<p>As AI adoption proliferates, innovation has outpaced security and rapidly expanded attack surfaces. As a result,&#8239;<a href="https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf">57% of organizations</a>&#8239;have already seen an uptick in security incidents linked to AI usage; nearly&#8239;<a href="https://www.ibm.com/downloads/documents/us-en/131cf87b20b31c91">two-thirds of organizations</a> don&rsquo;t have the necessary policies&#8239;to manage AI or detect shadow AI. &#8239;&nbsp;</p>

<p>In many cases, AILM isn&rsquo;t functionally different than any other type of lateral movement &ndash; it&rsquo;s just far faster. Attackers weaponize the same network vulnerabilities that have always existed, compounded by excessive permissions for AI agents, to expand breach impact faster than any human response cycle can match. &nbsp;</p>

<p><a href="https://zeronetworks.com/blog/what-is-microsegmentation-our-definitive-guide">Microsegmentation</a> is the gold standard in locking down lateral movement, but traditional tools left it out of reach for many organizations. &nbsp;</p>

<h3>Legacy Microsegmentation Implementation Challenges</h3>

<p>Unlike traditional <a href="https://zeronetworks.com/blog/network-segmentation-all-you-need-to-know">network segmentation</a> strategies &ndash; which involve dividing a large network into smaller subnetworks, or segments &ndash; <a href="https://zeronetworks.com/blog/what-is-microsegmentation-our-definitive-guide">microsegmentation is a much more granular and robust process</a> that isolates all clients, workloads, applications, virtual machines, and operating systems into segments with individual security perimeters.</p>

<p>In other words, if an attacker manages to access a microsegmented network, they&rsquo;ll find themselves immediately stranded. The only problem is: legacy microsegmentation solutions are typically so complex that <a href="https://zeronetworks.com/blog/5-reasons-microsegmentation-projects-fail">many implementations stall or fail outright</a>.</p>

<p><a href="https://zeronetworks.com/blog/reimagining-cybersecurity-why-microsegmentation-should-come-first">Nicholas DiCola, VP of Customers at Zero Networks summed up this problem</a>: &ldquo;Networks are too open, and accounts are too permissive. Once you&rsquo;re inside the network, it&rsquo;s very easy for an attacker to move laterally. <strong>How do we stop lateral movement? The root way to stop that is by microsegmenting the network</strong> &ndash; there were some companies out there that were doing that already, why were they not successful? What&rsquo;s missing? It&rsquo;s too hard, it takes too much time.&rdquo;</p>

<p>These labor- and time-intensive implementations are why just <a href="https://zeronetworks.com/resource-center/reports/network-segmentation-zero-trust-architectures-survey-of-it-security-professionals">5% of organizations are microsegmenting</a> their networks today, despite grasping the importance. Traditional microsegmentation solutions often require:</p>

<ul>
	<li><strong>Significant manual work</strong>: From manual asset tagging and grouping to policy creation and management.</li>
	<li><strong>Long implementation times</strong>: <a href="https://zeronetworks.com/blog/reimagining-cybersecurity-why-microsegmentation-should-come-first">As DiCola said</a>, &ldquo;Most CISOs move every three to five years on average &ndash; they start these projects that don&rsquo;t even finish by the time the CISO leaves because it just takes a lot of human effort to manage.&rdquo;</li>
	<li><strong>Agent-based architecture</strong>: Since most traditional solutions require installing agents on endpoints, scaling, configuration, and maintenance is difficult.</li>
</ul>

<p>Although microsegmentation is an accepted best practice for locking down lateral movement, the complexity of legacy solutions has long outweighed the potential benefits.</p>

<h3>Privileged Account &amp; Identity Threat Vulnerabilities</h3>

<p>Once inside a network, attackers often seek to escalate privileges, exploiting admin and service account vulnerabilities, misconfigurations, or stolen credentials. Weak identity controls make it easier for attackers to:</p>

<ul>
	<li>Leverage excessive logon permissions</li>
	<li>Use pass-the-ticket, golden ticket, Kerberoasting, and other attacks</li>
	<li>Move laterally across the network without raising alarms</li>
</ul>

<p>Without strict <a href="https://zeronetworks.com/resource-center/topics/enhancing-identity-security-everything-you-need-to-know-about-identity-access-control">identity and access controls</a>, hackers don&rsquo;t have to break in &ndash; they can log in. Since the process is generally manual, lengthy, and complex, governing access rights remains a challenge for organizations trying to lock down lateral movement.</p>

<h2>How to Detect and Prevent Lateral Movement</h2>

<p>Lateral movement happens fast &ndash; in this era of AI-accelerated attacks, cyber adversaries can begin moving laterally <a href="https://www.crowdstrike.com/en-us/global-threat-report/">less than 30 seconds after gaining initial access</a>. That means security teams must shift from reactive alerts to proactive control, prioritizing robust prevention strategies that contain threats before they escalate on top of the detection techniques most organizations already have in place. &nbsp;</p>

<h3>Detecting Lateral Movement</h3>

<p>Attackers work hard to stay under the radar, blending in with legitimate traffic and using native tools to avoid triggering alerts. To catch them in time to prevent damage, organizations must deploy layered detection techniques capable of&#8239;identifying&#8239;subtle anomalies: &nbsp;</p>

<ul>
	<li><strong>Real-Time Monitoring:&#8239;</strong>Detection hinges on recognizing deviations from normal behavior. <a href="https://zeronetworks.com/platform/network-map">Always-current network visibility</a> enables teams to recognize suspicious patterns that don&rsquo;t match documented baselines. Ideally, a visibility tool should be integrated into a platform that also enables real-time enforcement, enabling security teams to quarantine threats in a click. &nbsp;</li>
	<li><strong>Behavioral Analytics:&#8239;</strong>Machine learning models trained&#8239;on&#8239;user behavior can&#8239;identify&#8239;deviations like unusual login times, odd file access patterns, or abnormal administrative actions&#8239;&ndash;&#8239;all signs of potential lateral movement.&#8239;&nbsp;</li>
	<li><strong>SIEM&#8239;&amp;&#8239;Log Analysis:</strong>&#8239;Security Information and Event Management (SIEM) platforms correlate logs and events across the network,&#8239;detecting unusual patterns and&#8239;surfacing potential lateral movement paths.&#8239;&#8239;&nbsp;</li>
	<li><strong>Network Traffic Analysis (NTA):&#8239;</strong>NTA tools evaluate network flow and flag anomalies that could suggest unauthorized East-West traffic,&#8239;leveraging&#8239;algorithms to distinguish normal network behaviors from harmful activities.&#8239;&#8239;&nbsp;</li>
	<li><strong>Endpoint Detection and Response (EDR):&#8239;</strong>EDR systems&#8239;monitor&#8239;endpoint&#8239;and network events, helping teams investigate access attempts to high-value systems and track attack progression.&#8239;&nbsp;</li>
	<li><strong>Deception Technology:&#8239;</strong>Honeypots and decoy systems lure attackers into revealing their presence,&#8239;offering early detection of lateral movement activity with minimal risk.&#8239;&nbsp;</li>
	<li><strong>Log Management:</strong>&#8239;Centralized log management&#8239;and analysis&#8239;solutions sift through access patterns to catch potential privilege escalations or stealthy&#8239;jumps&#8239;across systems.&#8239;&nbsp;</li>
</ul>

<p>While lateral movement detection is&#8239;an important component&#8239;of a well-rounded cybersecurity strategy,&#8239;<strong>relying too heavily on detection is risky &ndash; alerts often arrive too late, don&rsquo;t fire at all, or don&rsquo;t add meaningful value</strong>.&#8239;In fact, just <a href="https://zeronetworks.com/blog/one-compromised-system-and-boom-meet-your-blast-radius">30% of alerts translate to real risk reduction</a> as many attackers move laterally in the shadows. &nbsp;</p>

<h3>Preventing Lateral Movement</h3>

<p>Preventing lateral movement outright is the most effective way to stop an attack before it spreads. An ideal prevention strategy combines network controls, identity governance, and automation to seal off potential pathways and reduce the blast radius of a breach.&#8239;&nbsp;</p>

<p>Security teams can proactively block lateral movement by:&#8239;&#8239;&nbsp;</p>

<ul>
	<li><strong>Embracing <a href="https://zeronetworks.com/platform/network-segmentation">modern&#8239;microsegmentation</a>: </strong>As we&rsquo;ve already established, microsegmentation is a&#8239;powerful way to limit&#8239;communication between assets unless explicitly allowed. By isolating systems into smaller, controlled network zones, organizations can ensure that even if one system is compromised, the attacker&#8239;can&#39;t&#8239;easily&#8239;pivot to&#8239;others.&#8239; <a href="https://zeronetworks.com/blog/modern-vs-legacy-microsegmentation-what-to-look-for-in-todays-top-solutions">Modern&#8239;microsegmentation</a>&#8239;reduces&#8239;the complexity of legacy approaches by integrating directly with existing infrastructure, orchestrating native&#8239;firewall&#8239;rules, and&#8239;eliminating&#8239;manual work from implementation and ongoing maintenance with robust automation.&#8239;&#8239;&nbsp;</li>
	<li><strong><a href="https://zeronetworks.com/blog/6-processes-to-automate-when-implementing-microsegmentation">Automatically enforcing dynamic policies</a>:</strong>&#8239;Static policies&#8239;can&rsquo;t&#8239;keep up with today&rsquo;s fluid IT environments. Instead, security teams should adopt automated policy creation and enforcement, where rules are generated based on observed behavior and continually updated as the environment evolves.&#8239;&#8239;&nbsp;</li>
	<li><strong><a href="https://zeronetworks.com/blog/a-practical-guide-to-least-privilege-access-zero-trust-security-in-action">Enforcing least privilege access</a>:&#8239;</strong>User permissions should be tightly controlled using the principle of least privilege (PoLP). Each user, device, AI agent, or application should only have access to the resources&#8239;required&#8239;for their role or function. This minimizes opportunities for attackers to exploit over-privileged accounts during a lateral move.&#8239;&nbsp;</li>
	<li><strong><a href="https://zeronetworks.com/blog/mfa-is-our-dna-zero-networks-multi-factor-segmentation">Integrating MFA across the network</a>:</strong>&#8239;Beyond user logins, MFA can be applied to critical systems&#8239;and privileged&#8239;ports. This approach ensures that even if credentials are compromised, access&#8239;isn&rsquo;t&#8239;granted without a second form of verification, dramatically reducing the attacker&rsquo;s ability to move laterally.&#8239;&nbsp;</li>
	<li><strong><a href="https://zeronetworks.com/blog/what-is-zero-trust-security-without-the-marketing-bs">Adopting a Zero Trust mindset</a>:</strong>&#8239;The&#8239;zero trust&#8239;model assumes that every device, user, and connection is untrusted until verified&#8239;&ndash; a mindset aligned with this model requires that security&#8239;<a href="https://zeronetworks.com/blog/solving-cyber-resilience-zero-trust-microsegmentation">accept breaches as inevitable</a>.&#8239;In practice, this means&#8239;consistently verifying identity, limiting access, and segmenting network traffic&#8239;to neutralize&#8239;threats and stop&#8239;lateral movement before it begins.&#8239;&nbsp;</li>
	<li><strong><a href="https://zeronetworks.com/resource-center/videos/self-defending-by-design-the-future-of-cybersecurity-defense">Building a layered defense</a>:&#8239;</strong>To truly prevent lateral movement, organizations must adopt 3D network security that not only safeguards against East-West movement, but that also minimizes attackers&rsquo; entry opportunities with robust North-South protection (barring entry from the outside world), and Up-Down protection that dynamically controls access to sensitive areas of the network based on identity.&#8239;&#8239;&nbsp;</li>
</ul>

<p>With strategies like these, security teams can finally control lateral movement before a breach becomes a disaster.&#8239;&#8239;&nbsp;</p>

<h2>Stop Lateral Movement in Real Time with Zero Networks</h2>

<p>Zero Networks makes lateral movement a relic by delivering automated, identity-based microsegmentation that automatically contains threats to the point of initial access. Unlike the legacy solutions with complex, never-ending implementations, Zero Networks goes live in days &ndash; not years &ndash; and enforces least privilege access at scale. &nbsp;</p>

<p>Here&rsquo;s how Zero Networks locks down lateral movement in record time:</p>

<ul>
	<li>With <strong>automated asset tagging, grouping, and policy creation and management</strong>, Zero generates deterministic, fine-grained rules &ndash; no complex configurations required.</li>
	<li>Our infrastructure-agnostic solution <strong>orchestrates native firewalls to secure every asset and integrate seamlessly into existing environments</strong> &ndash; without the manual complexity of traditional solutions</li>
	<li><strong>Just-in-time MFA applied at the network layer</strong> keeps privileged ports closed until verified, shutting down credential abuse and privilege escalation</li>
	<li>With <strong>adaptive policy enforcement</strong>, Zero dynamically maintains granular controls that evolve alongside your network</li>
</ul>

<p>Modern cyber attackers don&rsquo;t stop at the perimeter &ndash; neither should your defenses. With Zero Networks, it&rsquo;s easier than ever to build a proactive, layered defense that halts lateral movement and leaves hackers stranded&nbsp;&ndash; <a href="https://zeronetworks.com/request-demo">request a demo</a> to learn more.&nbsp;</p>]]></content:encoded>
        </item>
      
        <item>
          <title>How to Measure Cyber Resilience: Zero Trust ROI</title>
          <link>https://zeronetworks.com/blog/how-to-measure-cyber-resilience-zero-trust-roi</link>
          <dc:creator><![CDATA[Mikella Marley]]></dc:creator>
          <pubDate>Fri, 12 Jun 2026 14:48:00 +0000</pubDate>
          <dc:date>Fri, 12 Jun 2026 14:48:00 +0000</dc:date>
          <category><![CDATA[Operational &amp; Cyber Resilience]]></category>
          <dc:subject><![CDATA[Operational &amp; Cyber Resilience]]></dc:subject>
          <guid isPermaLink="false">https://zeronetworks.com/blog/how-to-measure-cyber-resilience-zero-trust-roi#When:1198</guid>
          <description><![CDATA[By 2028, 80% of CISOs will face board-level mandates to directly connect cybersecurity investments to tangible business outcomes, according to Gartner &ndash; it&rsquo;s no coincidence that many organizations are formally rebranding cybersecurity programs to cyber resilience at the same time. &nbsp; As boards look for validation that security investments translate to uptime protection, security leaders need more than a Zero Trust strategy &ndash; they need a resilient architecture that enforces&#8230;]]></description>
          <content:encoded><![CDATA[<p>By 2028, <a href="https://www.gartner.com/en/articles/cybersecurity-business-value">80% of CISOs will face board-level mandates</a> to directly connect cybersecurity investments to tangible business outcomes, according to Gartner &ndash; it&rsquo;s no coincidence that many organizations are formally rebranding <em>cybersecurity</em> programs to <em>cyber resilience</em> at the same time. &nbsp;</p>

<p>As boards look for validation that security investments translate to uptime protection, security leaders need more than a Zero Trust strategy &ndash; they need a <a href="https://zeronetworks.com/blog/how-to-build-cyber-resilience-via-automated-containment-an-architectural-framework">resilient architecture that enforces that strategy</a>, and the outcomes to prove it. &nbsp;</p>

<p>But most security programs are still reporting on detection-centric metrics like alert volume that measure activity rather than impact. To effectively measure cyber resilience and communicate the ROI of Zero Trust investments, security teams need outcome-oriented metrics tied to operational continuity. &nbsp;</p>

<p>We&rsquo;ll walk through the cyber resilience metrics that demonstrate Zero Trust maturity, share strategies for <a href="https://zeronetworks.com/resource-center/guides/ciso-guide-business-impact-analysis-for-cyber-resilience">leveraging a business impact analysis (BIA) to assess resilience</a>, and lay out best practices for tying security investment to business outcomes. &nbsp;</p>

<h2>Zero Trust and Cyber Resilience: How Do They Connect? &nbsp;</h2>

<p><a href="https://zeronetworks.com/resource-center/topics/zero-trust-security-a-complete-guide-to-principles-architecture-and-best-practices">Zero Trust</a> and <a href="https://zeronetworks.com/resource-center/topics/zero-trust-architecture-how-to-achieve-cyber-resilience">cyber resilience</a> are built on the same foundational assumption: that compromise is inevitable. Where they differ is in emphasis &ndash;&#8239;<a href="https://zeronetworks.com/blog/what-is-zero-trust-security-without-the-marketing-bs">Zero Trust is a security philosophy</a>&#8239;that removes implicit trust, while <a href="https://zeronetworks.com/blog/what-is-cyber-resilience-how-to-protect-business-continuity">cyber resilience</a> is the business outcome that philosophy is meant to produce.&nbsp;</p>

<p>In other words, a Zero Trust architecture is <em>how</em> security teams <a href="https://zeronetworks.com/blog/zero-trust-pillars-fast-tracking-cyber-resilience">implement the &ldquo;never trust, always verify&rdquo; philosophy across key pillars</a>; cyber resilience is the <em>so what</em> &ndash; the underlying objective to absorb any attack without disrupting the business.</p>

<h3>How Zero Trust Drives Cyber Resilience Outcomes &nbsp;</h3>

<p>In a typical attack, adversaries gain a foothold, <a href="https://zeronetworks.com/resource-center/topics/lateral-movement-innovations-prevention-techniques">move laterally through the environment</a>, and escalate privileges to reach high-value systems. Unrestricted lateral movement is what turns a minor cyber incident into a major operational disruption. &nbsp;</p>

<p>Zero Trust eliminates the conditions that make attack progression possible by enforcing least privilege access across every identity and communication path, requiring explicit verification for every connection, and closing internal access by default. In other words, Zero Trust security strengthens cyber resilience by promoting proactive controls across every layer of network traffic.&nbsp;</p>

<p>When lateral movement is structurally constrained, attackers have no way to expand their footprint &ndash; blast radius stays small and critical operations continue running. &nbsp;</p>

<p>While properly implemented Zero Trust controls directly lead to cyber resilience, those outcomes are only provable when security leaders measure and report on the right metrics. &nbsp;&nbsp;</p>

<h2>4 Cyber Resilience Metrics Security Leaders Should Track &nbsp;</h2>

<p>Most security teams default to metrics that are easy to capture, like alert volume, detection coverage, or patch rates. But detection-centric metrics quantify security activity, not outcomes.&nbsp;</p>

<p>To effectively measure cyber resilience, security leaders have to begin tracking metrics that signal minimized impact from breaches and downtime avoided &ndash; prioritize reporting on these four dimensions to translate the business value of security spending. &nbsp;</p>

<h3>1. Blast Radius: Reducing the Potential Damage of a Breach &nbsp;</h3>

<p><a href="https://zeronetworks.com/blog/what-is-blast-radius-in-cybersecurity-best-practices-for-breach-containment">Blast radius</a> refers to the total scope of potential damage resulting from a breach &ndash; it&rsquo;s defined by the breadth of systems an attacker can reach, the volume of data they can access or encrypt, and the operational disruption they can trigger from a single foothold. &nbsp;Most enterprise networks operate with uncontrolled blast radius &ndash; a single compromised system can <a href="https://zeronetworks.com/blog/one-compromised-system-and-boom-meet-your-blast-radius">enable access to 85% of the environment</a> within one hop, which is why <a href="https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report-2025">86% of cyber incidents&#8239;now cause operational downtime</a>, reputational damage, or both. &nbsp;</p>

<p>A mature Zero Trust architecture shrinks blast radius by design: <a href="https://zeronetworks.com/blog/what-is-microsegmentation-our-definitive-guide">microsegmentation</a> isolates assets into secure zones and identity-based access controls <a href="https://zeronetworks.com/blog/a-practical-guide-to-least-privilege-access-zero-trust-security-in-action">enforce comprehensive least privilege</a>, creating a closed-by-default network. By tracking how blast radius contracts over time, security leaders can <a href="https://zeronetworks.com/resource-center/breach-map">clearly demonstrate that controls are effectively preventing</a> a minor breach from cascading into an operational crisis.&nbsp;</p>

<h3>2. Lateral Movement Pathways: Containing Attackers by Default &nbsp;</h3>

<p>Most enterprise networks accumulate excessive internal access paths over time through legacy configurations, over-scoped permissions, and standing privilege that outlives its purpose. With <a href="https://zeronetworks.com/blog/10-common-lateral-movement-techniques-how-to-stop-them">every lateral movement pivot</a> across one of these pathways, attackers capitalize on an uncontrolled blast radius. &nbsp;</p>

<p><a href="https://zeronetworks.com/resource-center/reports/2026-lateral-movement-exposure-report"><img alt="" src="https://zeronetworks.com/images/uploads/blog/LMER_Download_CTA_%281%29.png" /></a></p>

<p>Tracking lateral movement pathways as a measure of cyber resilience requires actively quantifying how many internal communication routes exist that aren&#39;t operationally justified and deliberately reducing that number. Fewer pathways mean less room for attackers to operate, which directly translates to smaller blast radius and faster containment when incidents do occur. Reporting on the reduction in open lateral movement pathways over time demonstrates <a href="https://zeronetworks.com/resource-center/guides/resilient-by-design-architecting-security-that-keeps-operations-running">proactive cyber resilience</a> via structural risk reduction <em>before</em> an incident occurs. &nbsp;</p>

<h3>3. Time-to-Containment: Stopping Attacks in Real Time &nbsp;</h3>

<p>Time-to-containment measures how quickly a breach is locked down after initial access. The faster an attack is contained, the less likely it is to have a significant operational impact. Many organizations still rely on manual detection and response workflows, and it shows: the <a href="https://www.ibm.com/downloads/documents/us-en/131cf87b20b31c91">mean time to contain (MTTC) a breach is 60 days</a> &ndash; on top of the 181 days it takes to detect a breach in the first place. &nbsp;</p>

<p>When internal access is closed by default and lateral movement pathways are governed by identity controls enforced at the network layer, containment doesn&#39;t wait for an analyst to act &ndash; it&#39;s a <a href="https://zeronetworks.com/resource-center/guides/resilient-by-design-architecting-security-that-keeps-operations-running">built-in property of the network itself</a>. Tracking time-to-containment clearly demonstrates the shift from reactive coordination to architectural enforcement, validating that security investment is reducing operational exposure and not just improving detection scores.&nbsp;</p>

<h3>4. Uptime and Continuity During Cyber Incidents&nbsp;</h3>

<p>Operational uptime during a cyber incident is the most direct business-facing resilience measure &ndash; and the one that resonates most at the board level. When critical services continue running through a breach, the organization has demonstrated true cyber resilience under pressure. &nbsp;</p>

<p>Tracking this metric starts with knowing what "critical" means in your environment: which services cannot tolerate disruption, what their maximum tolerable downtime is, and which systems and dependencies they rely on. Using a business impact analysis (BIA) to build that foundation, security leaders can tailor enforcement to identified business priorities and prove alignment by measuring uptime as a consistent post-incident benchmark. Over time, a strong uptime record during incidents is the most compelling evidence a security leader can bring to a board conversation about whether Zero Trust and cyber resilience investments are working.&nbsp;</p>

<h2>How to Conduct a Cyber Resilience Assessment&nbsp;</h2>

<p>Measuring cyber resilience requires a baseline. To establish it, security leaders need a structured assessment grounded in business priorities, not just technical exposure. CISOs can <a href="https://zeronetworks.com/blog/from-documentation-to-enforcement-translating-bia-to-real-cyber-resilience">take a BIA from documentation to enforcement</a> in three steps: identifying what matters most to the business, mapping exposure to those priorities, and building the controls to proactively close attack paths.&nbsp;</p>

<p><a href="https://zeronetworks.com/resource-center/guides/ciso-guide-business-impact-analysis-for-cyber-resilience"><img alt="" src="https://zeronetworks.com/images/uploads/blog/BIA_Guide_Download_%281%29.png" /></a></p>

<h3>Step 1: Identify Critical Assets and Quantify Business Exposure&nbsp;</h3>

<p>Before any technical measurement is possible, security leaders need organizational alignment on what actually matters. For each asset, the goal is to understand its criticality across five dimensions:&nbsp;</p>

<p>Regulatory classification: Would a breach trigger reporting obligations, fines, or disclosure requirements?&nbsp;</p>

<ul>
	<li><strong>Revenue exposure:</strong> Would downtime disrupt goods, services, or measurable revenue streams?&nbsp;</li>
	<li><strong>Financial sensitivity:</strong> Does the asset have the ability to issue or redirect payments?&nbsp;</li>
	<li><strong>Customer notification burden:</strong> Would a compromise require customer notification that could damage relationships? &nbsp;</li>
	<li><strong>Reputational sensitivity: </strong>Does the asset touch communications, brand, or the organization&#39;s core value proposition?&nbsp;</li>
</ul>

<p>With a prioritized critical asset inventory and a business exposure profile for each, security leaders establish the foundation for effectively assessing cyber resilience. &nbsp;</p>

<h3>Step 2: Map Attack Paths and Baseline Controls &nbsp;</h3>

<p>Once critical assets are identified, the security team&#39;s job is to map realistic paths from common ingress points, such as a compromised user, compromised cloud identity, technical perimeter entry, or <a href="https://zeronetworks.com/use-cases/limit-3rd-party-access">trusted third-party access</a>. For each path, the analysis documents three dimensions:&nbsp;</p>

<ul>
	<li><strong>Path distance:</strong> How many network segments, authentication boundaries, or inspection points sit between the ingress point and the critical asset? Fewer barriers mean bigger blast radius. &nbsp;</li>
	<li><strong>Privilege requirements: </strong>How many escalation steps does an attacker need? Vulnerabilities like <a href="https://zeronetworks.com/blog/stopping-privilege-escalation-how-to-neutralize-stolen-credential-threats">persistent privileged access</a>, over-scoped service accounts, and cached credentials can collapse multiple escalation steps into one.&nbsp;</li>
	<li><strong>Data layer controls:</strong> If an attacker reaches the critical asset, what limits what they can do? For example, <a href="https://zeronetworks.com/platform/identity-segmentation">identity-based access controls</a> can reduce the business consequences of a breach, even when an attacker gets inside the network. &nbsp;</li>
</ul>

<p>This analysis delivers clarity around the enterprise&rsquo;s highest-cost path: the easiest attack against the costliest asset, which represents the most urgent starting point for investment.&nbsp;</p>

<h3>Step 3: Prioritize Structural Controls and Measure Progress&nbsp;</h3>

<p>With paths mapped and exposure quantified, security leaders can easily prioritize investments and report on their impact. Structural controls that increase path distance, such as <a href="https://zeronetworks.com/blog/network-segmentation-all-you-need-to-know">network segmentation</a> or just-in-time authentication boundaries are the highest-leverage interventions because they can eliminate entire compromise scenarios. &nbsp;</p>

<p>Critically, each control should be tied back to the business priorities identified in Step 1: which attack path does it break, which critical asset does it better protect, and how does it reduce business exposure? That direct line from investment to risk reduction is what makes budgetary conversations concrete and cyber resilience metrics meaningful.&nbsp;</p>

<p>As <a href="https://zeronetworks.com/resource-center/infographics/fast-track-cisas-phases-automate-microsegmentation-optimize-zero-trust">Zero Trust maturity advances</a>, the Step 2 analysis should be re-run. When attack paths get longer (or disappear), escalation requirements increase, and blast radius contracts, CISOs gain the evidence they need to prove that a cyber resilient architecture has delivered meaningful business value. &nbsp;</p>

<h2>Build a Cyber Resilient Architecture with Zero Networks &nbsp;</h2>

<p>Zero Trust security maps directly to meaningful cyber resilience outcomes, but most teams struggle when it comes to implementation &ndash; <a href="https://www.csoonline.com/article/4048002/88-of-cisos-struggle-to-implement-zero-trust.html">88% of CISOs report significant challenges</a> operationalizing Zero Trust, and the gap between strategy and structural enforcement makes it difficult to prove the value of cyber resilience investments. &nbsp;</p>

<p>Zero Networks closes that gap with <a href="https://zeronetworks.com/platform">automated, identity-based microsegmentation</a>. Zero provides immediate visibility into every identity and asset on the network, then&#8239;<a href="https://www.scworld.com/perspective/navigating-the-8d-city-why-multi-dimensional-network-security-is-no-longer-optional">automatically enforces adaptive, identity-aligned policies</a>&#8239;that prevent lateral movement by default. The&#8239;<a href="https://zeronetworks.com/company/customer-stories">average Zero customer</a>&#8239;achieves 90%+ segmentation within 90 days, fast-tracking Zero Trust maturity to preserve uptime, protect revenue, and strengthen cyber resilience. &nbsp;</p>

<p>Find out how Zero Networks can help you build a cyber resilient architecture with measurable business value &ndash; <a href="https://zeronetworks.com/request-demo">request a demo</a>. &nbsp;&nbsp;</p>]]></content:encoded>
        </item>
      
        <item>
          <title>Securing Shadow AI: How to Detect and Govern Unsanctioned AI Tools</title>
          <link>https://zeronetworks.com/blog/securing-shadow-ai-how-to-detect-and-govern-unsanctioned-ai-tools</link>
          <dc:creator><![CDATA[Mikella Marley]]></dc:creator>
          <pubDate>Fri, 12 Jun 2026 14:34:00 +0000</pubDate>
          <dc:date>Fri, 12 Jun 2026 14:34:00 +0000</dc:date>
          <category><![CDATA[Network Security]]></category>
          <dc:subject><![CDATA[Network Security]]></dc:subject>
          <guid isPermaLink="false">https://zeronetworks.com/blog/securing-shadow-ai-how-to-detect-and-govern-unsanctioned-ai-tools#When:1197</guid>
          <description><![CDATA[Nearly&#8239;90% of organizations use AI&#8239;in at least one business function as the number of employees that regularly use AI on their corporate devices has increased 3x year over year. But just 22% of individuals rely exclusively on tools provided by their employers &ndash; that gap between adoption and oversight is where shadow AI lives. &nbsp; As AI usage outpaces governance, nearly two-thirds of organizations don&rsquo;t have the necessary policies to manage or detect shadow AI. The&#8230;]]></description>
          <content:encoded><![CDATA[<p>Nearly&#8239;<a href="https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai">90% of organizations use AI</a>&#8239;in at least one business function as the number of employees that regularly use AI on their corporate devices has <a href="https://www.verizon.com/business/resources/T766/reports/2026-dbir-data-breach-investigations-report.pdf">increased 3x year over year</a>. But <a href="https://www.ibm.com/think/insights/rising-ai-adoption-creating-shadow-risks">just 22% of individuals rely exclusively</a> on tools provided by their employers &ndash; that gap between adoption and oversight is where shadow AI lives. &nbsp;</p>

<p>As AI usage outpaces governance, <a href="https://www.ibm.com/downloads/documents/us-en/131cf87b20b31c91">nearly two-thirds of organizations don&rsquo;t have the necessary policies</a> to manage <em>or</em> detect shadow AI. The challenge for security leaders is twofold: uncovering unsanctioned AI usage in the first place, then implementing controls to effectively secure AI. &nbsp;</p>

<p>We&rsquo;ll provide a comprehensive overview of shadow AI, how it&rsquo;s contributing to an evolving threat landscape, and what security leaders can do now to detect <em>and</em> govern AI across the environment. &nbsp;</p>

<h2>What Is Shadow AI? &nbsp;</h2>

<p>Shadow AI refers to the use of any AI tool or application without formal IT and security oversight or approval. &nbsp;</p>

<p>Examples of shadow AI can include everything from unsanctioned generative AI platforms accessed on corporate devices and AI agents deployed by developers without security visibility to autonomous workflows embedded in third-party software and LLM integrations that live inside tools organizations already trust. &nbsp;</p>

<p>Cyber pros aren&rsquo;t strangers to the challenge of securing unseen and unsanctioned tech after years of contending with shadow IT, but the AI era has added urgency to this fundamentally familiar threat. &nbsp;</p>

<h2>AI Security Risks: Expanding Attack Surfaces, Lateral Movement, and Compliance Gaps&nbsp;</h2>

<p>Cyber risks related to AI vulnerabilities&#8239;<a href="https://reports.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2026.pdf">rank as organizations&rsquo; fastest growing concern</a>, but most security teams don&rsquo;t have the necessary capabilities to effectively control AI &ndash; traditional tools were designed for a different threat model.&nbsp;</p>

<p>For example, application-layer controls see managed endpoints and known SaaS traffic routed through a proxy. They were built to govern what human users access through browsers and approved applications, not to see what AI agents access through APIs, what machine identities are doing across cloud workloads, or how AI capabilities embedded in sanctioned tools are behaving on the network. That enforcement blind spot is what makes shadow AI so risky, leaving security teams to manage: &nbsp;</p>

<ul>
	<li><strong>Access path proliferation: </strong>Every unsanctioned AI tool creates new connections to corporate data, external APIs, and internal systems that are often undocumented, over-permissioned, and persistent. <a href="https://zeronetworks.com/blog/agentic-ai-cybersecurity-risks-how-to-secure-ai-agents">AI agents compound the problem</a> as they accumulate permissions over time through policy drift, tool chaining, and expanding task scope, frequently without security team visibility. &nbsp;</li>
	<li><strong><a href="https://zeronetworks.com/resource-center/reports/2026-lateral-movement-exposure-report">Lateral movement exposure</a>: </strong>Shadow AI tools and agents typically operate with implicit trust inside the network, contributing to a rapidly expanding AI attack surface. In environments where a single compromised host can <a href="https://zeronetworks.com/blog/one-compromised-system-and-boom-meet-your-blast-radius">reach 85% of internal systems in the first hop</a>, over-privileged and under-monitored AI creates a new <a href="https://zeronetworks.com/resource-center/topics/lateral-movement-innovations-prevention-techniques">lateral movement</a> highway adversaries can exploit without triggering alarms.&nbsp;</li>
	<li><strong>Cyber compliance gaps: </strong>Organizations <a href="https://zeronetworks.com/blog/cybersecurity-compliance-playbook-standards-requirements-best-practices">subject to frameworks like</a> NIS2, DORA, or CIS Benchmarks cannot demonstrate policy adherence for connections they don&#39;t know exist. In other words, shadow AI creates operational and regulatory exposure that only compounds over time as AI usage scales.&nbsp;</li>
	<li>The collective result? Security incidents linked to AI usage are skyrocketing, with <a href="https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf">57% of organizations</a> already reporting an uptick &ndash; and the impact is quantifiable. The&#8239;<a href="https://www.ibm.com/downloads/documents/us-en/131cf87b20b31c91">average cost of a data breach is $670,000 higher</a>&#8239;for organizations with high levels of shadow AI, and it takes 247 days to identify and contain a breach involving shadow AI. &nbsp;</li>
</ul>

<p>To effectively address AI security risks before they spiral into disruptive breaches, teams need both <a href="https://zeronetworks.com/platform/network-map">comprehensive visibility</a> and network-layer control.&nbsp;</p>

<h2>How to Detect Shadow AI: Real-Time Network Visibility &nbsp;</h2>

<p>Most detection tools are calibrated to catch anomalies that shadow AI doesn&rsquo;t produce. When an employee accessing an unsanctioned AI service looks like ordinary web traffic, organizations can&rsquo;t rely on alerts and dashboards built for a different threat landscape to uncover shadow AI. &nbsp;</p>

<p>Instead, security teams need <a href="https://zeronetworks.com/blog/how-real-time-network-visibility-enables-automated-zero-trust-enforcement">continuous, live visibility</a> into every asset and identity on the network, delivering the granular clarity to answer three key questions: &nbsp;</p>

<ol>
	<li><strong>Which SaaS AI destinations are users and devices reaching?</strong> If an organization has standardized on Copilot, nothing on the network should be reaching ChatGPT, Gemini, or other unapproved services. Real-time traffic visibility surfaces misalignment between AI policies and behavior, making enforcement possible the moment an unauthorized connection appears, not after a log review.&nbsp;</li>
	<li><strong>Which AI agents are running and what are they connecting to?</strong> In many environments, AI agents are deployed by developers and business units without security team visibility, meaning there&#39;s no reliable inventory of what&#39;s running, what it&#39;s authenticating to, or what it can reach. Real-time visibility into asset-to-asset and identity-to-asset communication allows teams to identify and govern AI agents before they become a liability. &nbsp;</li>
	<li><strong>Where does AI access exceed operational need? </strong>Even sanctioned AI can lead to hidden vulnerabilities &ndash; for example, an agent might be deployed for a narrow task but connecting to a CRM, a production database, and a set of external APIs. When the gap between operational need and real-world connectivity remains invisible, it can&rsquo;t be mitigated.&nbsp;</li>
</ol>

<p>Visibility into every AI tool and agent across the environment is a critical starting point, but it must feed directly into control. &nbsp;</p>

<h2>Securing AI: 4-Step Framework for Visibility and Control&nbsp;</h2>

<p>Security teams understand the urgent need to detect shadow AI, but <em>seeing</em> the full scope of exposure is only valuable when that visibility drives enforcement. Rather than prioritizing shadow AI detection in a vacuum, leverage this four-step approach for translating real-time network visibility into enforceable controls that govern every AI tool, agent, and integration in the environment.&nbsp;</p>

<h3>1. Maintain a Real-Time Inventory of AI in Your Environment &nbsp;&nbsp;</h3>

<p>Start by implementing continuous network monitoring that maps every AI-related identity, tool, and connection in the environment through observed traffic rather than relying on declared inventories or deployment logs. This end-to-end visibility forces shadow AI into the spotlight, enabling security policies tailored to network realities rather than best guesses or point-in-time snapshots. &nbsp;</p>

<h3>2. Block Unsanctioned AI by Default &nbsp;</h3>

<p>Define an approved list of cloud AI services and automatically block any connection to a SaaS AI destination outside of that list. With network-layer enforcement, security teams can ensure policies are applied universally across users, devices, and workloads regardless of how they&#39;re connecting.&nbsp;</p>

<h3>3. Govern AI Agents with Least Privilege Policies&nbsp;</h3>

<p>Every AI agent running in your environment is a process with an identity &ndash; like any other identity, agents should only be able to reach what&rsquo;s explicitly necessary. Apply <a href="https://zeronetworks.com/platform/identity-segmentation">identity-based access controls</a> to every AI agent in the environment with permissions tightly scoped to operational need. &nbsp;</p>

<h3>4. Automate AI Security Policy Lifecycles &nbsp;</h3>

<p>As the network changes, security gaps can emerge if AI governance relies on manual upkeep. <a href="https://zeronetworks.com/blog/6-processes-to-automate-when-implementing-microsegmentation">Automated policy lifecycle management</a>&#8239;&ndash; powered by a deterministic, human-on-the-loop engine &ndash; adapts controls as the environment evolves, enforcing access deterministically and continuously without creating long-term operational debt.&#8239;&nbsp;</p>

<h2>Identify, Segment, and Contain AI with Zero Networks &nbsp;</h2>

<p>With Zero Networks, security teams can easily uncover shadow AI and gain true control over the AI running in their environments. Zero&rsquo;s <a href="https://zeronetworks.com/platform/ai-capabilities">AI Segmentation capabilities</a> deliver complete AI visibility, deterministic enforcement, and built-in control to transform AI from a risk into a governed, enforceable part of the environment: &nbsp;</p>

<ul>
	<li><strong>SaaS AI Control</strong> governs which cloud AI services users and devices can access, automatically blocking every unapproved destination.&nbsp;</li>
	<li><strong>AI Agent Control</strong> applies the same identity-based least-privilege controls governing every user and device to every agent in the environment.&nbsp;</li>
	<li><strong>AI Lateral Movement Control</strong> eliminates the open network that compromised AI tools and agents would otherwise move through by enforcing granular least privilege access controls everywhere. &nbsp;</li>
	<li><strong>LLM Protection</strong> segments the model infrastructure at the network layer so only authorized systems can reach it.&nbsp;</li>
</ul>

<p>Learn how you can detect shadow AI and scale network-layer security policy enforcement to achieve true control with Zero Networks &ndash; <a href="https://zeronetworks.com/request-demo">request a demo</a>. &nbsp;</p>]]></content:encoded>
        </item>
      

    </channel>
  </rss>