Universal Microsegmentation: Stop Lateral Movement Without Redesigning Your Network.
Microsegmentation delivered as policy, not network architecture — across every workload, with no VLAN redesigns and no firewall changes. Stand it up in an afternoon, one workload or your whole estate, and no routable path exists until identity and policy authorize it.
The Old Way to Segment Can’t Keep Up
One foothold becomes a full intrusion
However the attacker gets in, that single foothold becomes a full intrusion by moving system to system until it reaches the assets that matter. Breakout now happens in minutes, often without malware, so perimeter detection sees nothing unusual — and the legacy answer, VLANs and firewall rules, is too slow to deploy and too brittle to change to contain it.
- Boundaries defined by IP address and network location — policy drifts as infrastructure changes
- 15–20 rules across tools, teams, and firewalls, and roughly two weeks to make any single change
- VLAN redesigns and firewall reviews that slow every new application, vendor, or workload
- Visibility limited to IP and port — hard to trace activity by identity across boundaries
- Every flow must be discovered and defined up front before segmentation can be deployed
“We sometimes have 15-20 policies/rules across multiple tools, firewalls, and other infrastructure to allow communication between workloads. It takes two weeks to make any change.”
Microsegmentation as Policy, Not Network Architecture
NetFoundry replaces IP-based segmentation with an identity-first overlay. Every workload authenticates before any connection exists, and access is granted per identity and service — not per subnet. You define it as policy, change it in seconds, and start segmenting without having to discover and define every flow before you deploy.
Authenticate first. Connect second. Always.
Traditional microsegmentation is built on firewalls and IP addresses: reachability exists first, and rules try to filter it afterward — which is exactly what an attacker exploits to move east-west, and what forces teams to map every flow before they can write a rule.
NetFoundry inverts that order. Access is defined by cryptographic identity, not IP address or network location. Identity is verified and policy evaluated before any routable path is created — so the default is deny, the target is invisible until authorized, and policy no longer drifts as infrastructure changes.
- Access defined by identity and service, not IP address or network segment
- Default deny: no lateral movement is possible unless policy explicitly authorizes it
- Every workload — human, machine, and AI — carries a cryptographic identity bound to that workload
- Outbound-only connections, so no inbound ports and nothing for an attacker to scan
- Instant policy changes — adjust segmentation boundaries without touching the firewall or re-architecting the network
- Full visibility and audit by identity and service, not just IP and port
Deploy in an Afternoon, Not a Quarter
Legacy segmentation is a network project: map every flow, redesign VLANs, and open a ticket for each rule change. NetFoundry is policy you stand up on top of the infrastructure you already run — start with a single workload today and extend across the estate at your own pace.
Secure one workload
Spin up protection for a single critical workload in minutes — as code, with no firewall changes, no integrations, and nothing else in your environment disrupted. A low-commitment way to prove the model before you scale it.
Or your whole estate
Apply one identity-first policy model across cloud, datacenter, OT, AI, and third-party workloads — replacing a tangle of per-environment tools and control planes with a single way to define, change, and audit segmentation.
Legacy segmentation
- Discover and map every flow before you can deploy
- Redesign VLANs and re-architect subnets
- ~2 weeks per change across teams and firewalls
- A different tool and control plane per environment
- Rip-and-replace risk to roll anything back
NetFoundry
- Start segmenting Day 1 — no flow-mapping project first
- Runs on existing infrastructure, untouched
- Change a boundary in seconds with a policy update
- One policy model across every environment
- Add or revoke a segment incrementally, instantly
One Segmentation Model. Every Environment.
With legacy microsegmentation, every environment and architecture demands its own approach — complex, hard-to-change rules enforced at the workload, host, hypervisor, and network layers. A typical enterprise ends up running several different tools and control planes for segmentation, with no uniform policy and no single view across them. NetFoundry applies one identity-first policy model everywhere — including the workloads traditional tools can’t reach.
Contain agents, models, and tools
Give AI agents, MCP servers, and LLMs sovereign identities with policy-scoped access — so a compromised agent can only reach what it is explicitly authorized to reach.
East-west control across hybrid infrastructure
Segment VMs, containers, and Kubernetes workloads by identity across clouds and on-prem — with no changes to your infrastructure as code (IaC) or virtualization platforms, and no per-cloud firewall rules to maintain.
Reach devices agents can’t
Bring least-privilege segmentation to OT, IoT, and legacy or unmanaged devices using clientless, host, or gateway options — aligned to IEC 62443 zones and conduits.
Segment partner and vendor access
Replace broad VPN tunnels with service-level access scoped to a single partner identity — granted and revoked instantly, with a full audit trail.
“We moved beyond the perimeter with NetFoundry. It delivers a strictly least-privileged access model that is incredibly easy to deploy. The management console turns what used to be a tangle of firewall rules into a streamlined, visual command center.”
Viktor Szabo, Deputy CTO, Ominimo
Segmentation in Four Moves
No flow-mapping project, no VLAN redesign, no firewall tickets — each move is policy you apply on top of the infrastructure you already run.
Define access by identity, not network
Each workload gets a cryptographic identity bound to it. Policy is written in terms of which identity may reach which service — independent of IP address, subnet, or location. Nothing to map first.
Authenticate before any path exists
Mutual authentication with X.509 certificates establishes an encrypted, outbound-only conduit only after identity and policy are verified. Until then, the target is unreachable and invisible — no inbound ports to open or expose.
Enforce least privilege east-west
Authorized identities reach only the specific services policy permits — nothing more. Lateral movement to anything else is structurally impossible, regardless of which network the identity sits on.
Change in seconds, audit by identity
Adjust a segmentation boundary by updating policy — no firewall rule changes, no VLAN edits, no two-week change window. Every connection is logged by identity and service for investigation, change control, and compliance.
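The contrast the "Authenticate first" section and these four moves describe can be made concrete in a few dozen lines. The example below is added here and is not NetFoundry's or OpenZiti's code; the workload names (payroll-api, payroll-db, hr-db), the addresses and the rule set are constructed for illustration. It places an IP-anchored firewall rule beside an identity-anchored, default-deny policy that is only evaluated after authentication, re-addresses a workload, and shows that the address-based rule drifts (it stops matching the moved workload and keeps matching whatever later occupies the old address) while the identity-based grant does not, with every decision recorded by identity and service.

```python
# Added example, not NetFoundry's or OpenZiti's code. Identities, service
# names and addresses below are constructed for illustration only.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Workload:
    identity: str  # stands in for the subject of the workload's certificate (constructed)
    ip: str


@dataclass(frozen=True)
class FirewallRule:
    src: str   # source CIDR
    dst: str   # destination CIDR
    port: int


def firewall_allows(rules, src_ip, dst_ip, port):
    """Legacy model: reachability exists first and is filtered by address and port."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(
        s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst) and r.port == port
        for r in rules
    )


class IdentityPolicy:
    """Identity-first model: no grant means no path, wherever the workload sits."""

    def __init__(self):
        self._grants = {}   # identity -> set of service names it may reach
        self.audit = []     # (identity, service, decision): the audit trail by identity

    def grant(self, identity, service):
        self._grants.setdefault(identity, set()).add(service)

    def revoke(self, identity, service):
        self._grants.get(identity, set()).discard(service)

    def authorize(self, identity, service, authenticated=True):
        # Authentication comes first: an unauthenticated peer never reaches
        # policy evaluation, and a missing grant is a deny (default deny).
        allowed = authenticated and service in self._grants.get(identity, set())
        self.audit.append((identity, service, "allow" if allowed else "deny"))
        return allowed


# Constructed legacy rule: the app subnet may reach the database host on 5432.
LEGACY_RULES = [FirewallRule("10.0.1.0/24", "10.0.9.10/32", 5432)]


def drift_scenario():
    """payroll-api is re-addressed from 10.0.1.5 to 10.0.2.7, and its old
    address is later reused by an unrelated host (all constructed)."""
    db_ip, db_port = "10.0.9.10", 5432
    app = Workload("payroll-api", "10.0.1.5")
    moved = Workload("payroll-api", "10.0.2.7")
    squatter = Workload("unknown-host", "10.0.1.5")

    legacy = {
        "before_move": firewall_allows(LEGACY_RULES, app.ip, db_ip, db_port),
        "after_move": firewall_allows(LEGACY_RULES, moved.ip, db_ip, db_port),
        "squatter": firewall_allows(LEGACY_RULES, squatter.ip, db_ip, db_port),
    }

    policy = IdentityPolicy()
    policy.grant("payroll-api", "payroll-db")
    identity = {
        "before_move": policy.authorize(app.identity, "payroll-db"),
        "after_move": policy.authorize(moved.identity, "payroll-db"),
        "squatter": policy.authorize(squatter.identity, "payroll-db"),
        "other_service": policy.authorize(app.identity, "hr-db"),
        "unauthenticated": policy.authorize(app.identity, "payroll-db", authenticated=False),
    }
    policy.revoke("payroll-api", "payroll-db")   # a boundary change is one policy update
    identity["after_revoke"] = policy.authorize(moved.identity, "payroll-db")
    return {"legacy": legacy, "identity": identity, "audit": list(policy.audit)}


if __name__ == "__main__":
    for model, results in drift_scenario().items():
        print(model, results)
```

Running `drift_scenario()` shows the legacy rule allowing the old address both before the move and for the unrelated host that later occupies it, while denying the moved workload; the identity policy allows payroll-api at either address, denies the unknown host, the unrequested service and the unauthenticated peer, and denies payroll-api immediately after the grant is revoked. The `audit` list is the by-identity record the last move describes.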
Smaller Blast Radius. Less Operational Drag.
Contained blast radius
A compromised identity reaches only what policy allows. One foothold stays one foothold instead of becoming a network-wide intrusion.
Invisible east-west surface
No routable path exists until identity and policy authorize it. There’s nothing to scan, discover, or exploit between workloads.
Instant segmentation changes
Tighten or extend boundaries with a policy update. No change-control cycle, no firewall rules, no VLAN redesign.
Visibility by identity, not IP
See which identity reached which service, across every environment — meaningful, auditable insight instead of IP-and-port guesswork.
Reduced compliance scope
Identity-based isolation shrinks the systems in scope for audits and maps cleanly to segmentation mandates in PCI-DSS, IEC 62443, and NIST 800-207.
No network redesign
Works across existing infrastructure. Deploy incrementally, add segments progressively, and leave VLANs and underlay routing untouched.
Built for Regulated, Segmented Environments
Network segmentation is moving from a best practice to a requirement across frameworks and cyber-insurance criteria. NetFoundry maps identity-based segmentation directly to those mandates — and runs it at the scale critical infrastructure demands.
Built by the creators and maintainers of OpenZiti, the world’s most-used open-source zero-trust networking platform.
Contain Every Breach Before It Spreads
See how identity-first microsegmentation stops lateral movement across your cloud, datacenter, OT, AI, and third-party environments — without a single network change.
Frequently Asked Questions
What is microsegmentation?
NetFoundry defines microsegmentation as the practice of isolating individual workloads (vs. entire network segments) so that a compromised system can’t reach anything beyond what policy explicitly allows. Traditional segmentation isolates whole subnets; microsegmentation isolates down to the individual workload or service.
How is microsegmentation different from VLANs or firewall rules?
NetFoundry’s approach to microsegmentation defines access by cryptographic identity rather than IP address or network location, so policy doesn’t drift as infrastructure changes. VLANs and firewall rules depend on where a workload sits on the network; identity-based segmentation doesn’t care where a workload sits — only who or what it is.
Does microsegmentation require managed switches or network redesign?
NetFoundry’s microsegmentation runs as a policy layer on top of existing infrastructure, with no VLAN redesign, no managed switch dependency, and no firewall rule changes required. A single workload can be protected in minutes, and the rest of the environment is left untouched.
Can microsegmentation work on OT and IoT devices with unmanaged switches?
Yes, and this is one of the gaps NetFoundry was built to close. Flat OT networks typically run on unmanaged switches, which gives switch- or VLAN-based segmentation nothing to enforce against. Because NetFoundry segments by identity instead of network position, it brings least-privilege zones to OT, IoT, and legacy devices without requiring any change to the underlying switching infrastructure.
How long does it take to deploy microsegmentation?
NetFoundry customers can typically protect a single critical workload in an afternoon, since there’s no flow-mapping project or VLAN redesign required before deployment starts. Broader rollout across an estate can then proceed incrementally, at whatever pace the organization chooses.
Does microsegmentation help with compliance?
Yes — NetFoundry’s identity-based microsegmentation maps directly to segmentation requirements in frameworks including PCI-DSS, IEC 62443, NIST 800-207, and NIST 800-171, and narrows the scope of systems included in an audit by isolating sensitive workloads at the identity level rather than the network level.
- Average eCrime breakout time from initial access to lateral movement, and share of malware-free detections. CrowdStrike, 2026 Global Threat Report (Feb. 2026). crowdstrike.com