Network — Zero Trust, not perimeter trust.
Zero Trust segmentation, firewall and WAF tuning, VPN-to-ZTNA migration, network detection and response. The perimeter walked out the door when remote work shipped.
Network security program scope
Segmentation review
Current VLANs, subnets, security zones, and east-west traffic mapped. Recommendations against NIST SP 800-207 (Zero Trust Architecture) and CISA Zero Trust Maturity Model.
Firewall + WAF tuning
Fortinet, Palo Alto, Cisco, Cloudflare — depending on your estate. Rule-set rationalization, unused-rule cleanup, geo-blocking review, IDS/IPS signature tuning.
VPN → ZTNA migration
Cloudflare Zero Trust, Zscaler, Netskope, or equivalent. Identity + device posture replacing network-perimeter trust. Phased rollout with rollback path.
Network detection + response
Flow logs, DNS logs, and network telemetry shipped to your SIEM. Anomaly detection rules tuned for your environment. Threat intel feeds aligned to your industry.
Wi-Fi + IoT segmentation
Guest networks isolated from corporate. IoT devices (cameras, printers, HVAC, building management) on their own VLAN with explicit allow-list. Critical for healthcare and manufacturing.
DDoS posture
Cloudflare or AWS Shield review, regional failover plan, runbook for sustained attacks. Pre-incident relationships with provider SOCs.
Standard versions should be verified from the official source before contractual reliance.
Questions before we start.
Do we really need ZTNA? Our VPN works.
Your VPN works for connectivity. It does not enforce device posture or per-application access. The day a compromised laptop connects, your VPN is the attacker's tunnel into the LAN. ZTNA replaces network-level trust with identity-and-device-level trust.
What about our legacy systems that need flat-network connectivity?
Air-gap, segment, or proxy them. Legacy ICS / OT systems get isolated VLANs with explicit gateway controls. Industrial-protocol awareness (Modbus, BACnet, etc.) added to the SIEM.
Will tuning the firewall break anything?
Not if done carefully. Audit mode first — logging-only — for 14 days to catch legitimate traffic that current rules allow. Then enforce. Rollback documented for every change.