Defensive · Service

Network Segmentation & OS / DB Hardening

Zero-trust that survives contact with production.

Network segmentation and OS/database hardening: design, deployment, and validation across corporate, OT, and cloud networks.

5 zones
Typical target architecture
CIS L2
OS / DB hardening baseline
14 days
Avg. traffic-learning window
0 downtime
Production cutover goal
Overview

We map actual traffic, design a segmentation model that survives change, harden OS and database baselines, and validate policy in production without breaking the business.

What you receive
  • Traffic map & flow analysis
  • Segmentation design (zone architecture)
  • OS & database hardening baselines
  • Policy validation report
  • Break-glass and rollback procedures
Cadence
7-day design sprint
Compliance mapping
  • CIS Benchmarks (OS/DB)
  • DISA STIG
  • PCI DSS Req. 1 (network security controls / segmentation)
  • NERC CIP
  • ISA/IEC 62443 (OT)
Outcomes
  • Reduced blast radius and lateral-movement paths
  • Hardened OS/DB baselines maintained through change
  • Segmentation model that your team can evolve
  • Auditor evidence for cardholder / PHI / OT isolation
Methodology

How the engagement runs. Phase by phase.

PHASE 01

Business-flow discovery

Workshops with app owners + passive Zeek capture; reconcile mental model with reality.

2 weeks
PHASE 02

Zone architecture design

Logical zones, trust boundaries, east-west policy framework.

1–2 weeks
PHASE 03

Hardening baseline creation

CIS / STIG profiles per OS + DB tier, with tested exceptions.

1 week
PHASE 04

Lab deployment + validation

Full deployment in a mirrored lab; run ATT&CK tests.

2 weeks
PHASE 05

Production cutover (graduated)

Observe → alert → block, wave-by-wave with rollback.

2–3 weeks
PHASE 06

Continuous drift monitoring

OpenSCAP / Wazuh continuous scan; quarterly validation.

Ongoing
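The drift figure this phase reports comes from compliance scan output, so it helps to see how a scan result becomes the number. Below is an added example, not code from the page or from OpenSCAP: it parses the XCCDF results file that `oscap xccdf eval --profile <profile> --results results.xml <datastream>` writes, separates documented exceptions from genuine drift, and compares the share of drifted rules against the page's 3% target. The results XML, the rule IDs used in it and the exception list are constructed for the example; results other than pass/fail (notapplicable, notchecked, error) are reported separately rather than silently counted either way, because an `error` from a check that could not run is not evidence the host is compliant.

```python
"""Turn an OpenSCAP XCCDF results file into the drift number a quarterly
review tracks: failed rules that are not documented exceptions, as a share of
the rules that were actually evaluated."""
import xml.etree.ElementTree as ET

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"
DRIFT_THRESHOLD_PCT = 3.0   # page target: < 3% drift within the quarter

# Rule IDs whose failure is an approved, documented exception (hypothetical list).
APPROVED_EXCEPTIONS = {
    # jump-host break-glass login, reviewed quarterly
    "xccdf_org.ssgproject.content_rule_sshd_disable_root_login",
}

# Constructed sample in the shape `oscap xccdf eval --results` writes (trimmed).
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-9">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" severity="high"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password" severity="high"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" severity="low"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""


def rule_results(xml_text):
    """Yield (rule_id, result, severity) for every rule-result in the file."""
    root = ET.fromstring(xml_text)
    for rr in root.iter(XCCDF_NS + "rule-result"):
        res = rr.find(XCCDF_NS + "result")
        yield rr.get("idref"), (res.text or "").strip(), rr.get("severity", "unknown")


def drift_report(xml_text, exceptions=APPROVED_EXCEPTIONS, threshold=DRIFT_THRESHOLD_PCT):
    """Drift = failed rules outside the exception list / rules that returned pass or fail.
    Any other result (notapplicable, notchecked, error, ...) is reported, not counted."""
    evaluated = 0
    drifted, excepted, unevaluated = [], [], {}
    for rule_id, result, severity in rule_results(xml_text):
        if result in ("pass", "fail"):
            evaluated += 1
            if result == "fail":
                (excepted if rule_id in exceptions else drifted).append((rule_id, severity))
        else:
            unevaluated[result] = unevaluated.get(result, 0) + 1
    pct = 100.0 * len(drifted) / evaluated if evaluated else 0.0
    return {
        "evaluated": evaluated,
        "drifted": drifted,
        "excepted": excepted,
        "unevaluated": unevaluated,
        "drift_pct": pct,
        "within_target": pct < threshold,
    }


if __name__ == "__main__":
    rep = drift_report(SAMPLE_RESULTS)
    print(f"{len(rep['drifted'])}/{rep['evaluated']} rules drifted "
          f"({rep['drift_pct']:.1f}%), target met: {rep['within_target']}")
    for rule_id, sev in rep["drifted"]:
        print(f"  DRIFT [{sev}] {rule_id}")
    if rep["unevaluated"]:
        print(f"  not evaluated: {rep['unevaluated']}")
```

A rule that fails and is on the exception list is still printed by the real report so the exception gets re-justified at the quarterly review; only the drift percentage leaves it out.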
Tools & stack

What we actually use. No secrets.

Every tool earns its place. We publish our stack so your team can audit, review, and integrate with what we bring.

Discovery
  • Zeek (formerly Bro): passive network traffic analysis for flow mapping
  • ntopng + nProbe: real-time flow visualization and protocol decomposition
Segmentation
  • Illumio / Guardicore / VMware NSX: host-based microsegmentation deployment
  • Cisco ISE / Aruba ClearPass: policy-based network segmentation via 802.1X
Hardening
  • Ansible + STIG / CIS roles: automated OS baseline deployment at scale
Validation
  • OpenSCAP + SCAP content: compliance scanning against DISA STIG / CIS
  • Lynis / Wazuh: continuous hardening posture and drift detection
Database
  • DB-specific baselines: CIS baselines for Oracle, PostgreSQL, SQL Server and MongoDB
Testing
  • Custom ATT&CK validation scripts: lateral-movement and pivot tests to prove segmentation
Techniques

How we do the work. Not just what.

T.01

Passive traffic learning

Before any firewall change, we run Zeek on SPAN/TAP feeds for 10–14 days across business-cycle peaks (week, month-end) to capture the flows that actually occur, not the ones people remember.

T.02

Zone modeling

Typical target: user, server, DMZ, management, OT. Each zone has explicit ingress/egress policy and break-glass procedure.

T.03

Graduated enforcement

Observe → alert → block. No rule goes from zero to block. Minimum 2 weeks in alert mode to find legitimate exceptions.

T.04

Hardening baselines

CIS L2 for user workstations, CIS L1 for servers (with justified exceptions), DISA STIG for federal-facing systems.

T.05

Break-glass procedures

Every rule has a documented bypass and revert path. Segmentation must be survivable in incident response.

T.06

Lateral-movement validation

Post-deploy we run ATT&CK techniques T1021 (Remote Services), T1570 (Lateral Tool Transfer) and T1210 (Exploitation of Remote Services) across zones to prove the policy actually blocks them.
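What such a validation run looks like in code, as an added example rather than the page's own ATT&CK scripts: from a host inside one zone it probes, in every other zone, the ports the three techniques depend on (SMB, RDP, WinRM and SSH for T1021, SMB shares for T1570, a few exposed service ports for T1210) and records every port that answered without being in the approved policy. The zone names, target addresses, policy entries and per-technique port lists are assumptions for the example; the real matrix comes from the zone design. Probing is pluggable so the same logic can run against a lab with a fake prober, which is how the assertions below exercise it.

```python
"""Cross-zone lateral-movement validation: from a host inside one zone, probe
the ports ATT&CK T1021 / T1570 / T1210 rely on in every other zone and report
each port that answered without being in the approved policy."""
import socket
from typing import Callable, Dict, FrozenSet, List, Tuple

# Ports each technique needs reachable. Representative for the example, not exhaustive.
TECHNIQUE_PORTS = {
    "T1021 Remote Services": (22, 445, 3389, 5985, 5986),
    "T1570 Lateral Tool Transfer": (139, 445),
    "T1210 Exploitation of Remote Services": (135, 1433, 5432),
}

# One representative target per zone (hypothetical addresses for the five-zone model).
TARGETS = {
    "user": "10.10.1.10",
    "server": "10.20.1.5",
    "dmz": "10.30.1.20",
    "mgmt": "10.99.0.7",
    "ot": "10.50.3.10",
}

# Approved cross-zone flows from the zone design: (src_zone, dst_zone) -> ports.
# Anything not listed here must be blocked.
POLICY: Dict[Tuple[str, str], FrozenSet[int]] = {
    ("mgmt", "server"): frozenset({22, 3389}),
    ("mgmt", "ot"): frozenset({22}),
}

Violation = Tuple[str, str, str, int]   # (technique, dst_zone, host, port)


def tcp_connect(host: str, port: int, timeout: float = 1.0) -> bool:
    """Default prober: True if the TCP handshake completes, i.e. nothing blocked it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def validate_from(src_zone: str,
                  prober: Callable[[str, int], bool] = tcp_connect,
                  targets: Dict[str, str] = TARGETS,
                  policy=POLICY) -> List[Violation]:
    """Run on a host inside `src_zone`. Every (host, port) is probed once;
    a success that the policy does not allow is a violation."""
    cache: Dict[Tuple[str, int], bool] = {}

    def reachable(host: str, port: int) -> bool:
        if (host, port) not in cache:
            cache[(host, port)] = prober(host, port)
        return cache[(host, port)]

    violations: List[Violation] = []
    for dst_zone, host in targets.items():
        if dst_zone == src_zone:
            continue
        allowed = policy.get((src_zone, dst_zone), frozenset())
        for technique, ports in TECHNIQUE_PORTS.items():
            for port in ports:
                if port not in allowed and reachable(host, port):
                    violations.append((technique, dst_zone, host, port))
    return violations


def report(src_zone: str, violations: List[Violation]) -> str:
    """Human-readable summary; the target is 0 cross-zone successes."""
    if not violations:
        return f"{src_zone}: PASS, 0 cross-zone successes"
    lines = [f"{src_zone}: FAIL, {len(violations)} cross-zone success(es)"]
    lines += [f"  {t}: {z} {h}:{p} reachable but not in policy" for t, z, h, p in violations]
    return "\n".join(lines)


if __name__ == "__main__":
    # Real run: execute from a host in the user zone; repeat from each zone.
    print(report("user", validate_from("user")))
```

Run it once per source zone, from a host that actually sits in that zone, since the point is to test the path the policy enforces, not the validator's own vantage point. A TCP handshake completing is the signal used here because observe/alert modes still let the connection through; only block mode makes these probes fail.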

From the field

Real problems. Real fixes.

Anonymized incidents from actual engagements: what broke, why it mattered, and how we fixed it.

01
Problem

Manufacturing client had 900 undocumented flows between ERP and shop-floor PLCs.

Impact

Any segmentation attempt risked halting a production line costing $180k/hour.

Resolution

Ran 14-day Zeek capture during month-end (worst case). Discovered 180 real flows (not 900, most were retransmits). Built policy from observed reality, not tribal knowledge. Cutover happened with zero production halt.
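The step that turned 900 logged connections into 180 policy-relevant flows is mechanical once the capture exists, and T.01 above depends on it. The block below is an added example, not the page's own tooling: it parses Zeek's tab-separated conn.log using the `#fields` header, drops records whose conn_state shows the responder never answered (S0, REJ), and collapses the rest into distinct (zone, host, destination, port, protocol) tuples with a hit count, which is the allow-list a zone policy is built from. The conn.log sample, the addresses and the zone-to-subnet map are constructed for the example; the conn_state values are Zeek's own.

```python
"""Collapse a Zeek conn.log into the distinct, successfully established flows a
segmentation policy actually needs to allow. Failed attempts (no reply / reset)
and repeats of the same flow are counted but produce no rule."""
import ipaddress
from collections import Counter

# Hypothetical zone plan for the example; a real engagement takes this from
# the zone architecture document.
ZONES = {
    "erp": ipaddress.ip_network("10.20.1.0/24"),
    "shop-floor": ipaddress.ip_network("10.50.3.0/24"),
    "mgmt": ipaddress.ip_network("10.99.0.0/24"),
}

# Zeek conn_state values where the responder actually answered. S0 (no reply)
# and REJ (responder reset the SYN) are probes or broken configs, not business
# flows, so they are reported separately instead of becoming allow rules.
ESTABLISHED = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}

# Constructed sample in Zeek's tab-separated conn.log layout (subset of fields).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state",
    "1710000000.1\tCa1\t10.20.1.5\t51000\t10.50.3.10\t502\ttcp\tmodbus\tSF",
    "1710000060.2\tCa2\t10.20.1.5\t51001\t10.50.3.10\t502\ttcp\tmodbus\tSF",
    "1710000120.3\tCa3\t10.20.1.5\t51002\t10.50.3.10\t502\ttcp\tmodbus\tRSTO",
    "1710000180.4\tCa4\t10.20.1.5\t51003\t10.50.3.10\t502\ttcp\tmodbus\tSF",
    "1710000240.5\tCa5\t10.20.1.5\t51004\t10.50.3.10\t502\ttcp\tmodbus\tSF",
    "1710000300.6\tCb1\t10.20.1.5\t51005\t10.50.3.11\t502\ttcp\tmodbus\tSF",
    "1710000360.7\tCb2\t10.20.1.5\t51006\t10.50.3.11\t502\ttcp\tmodbus\tSF",
    "1710000420.8\tCc1\t10.20.1.6\t40000\t10.20.1.5\t1433\ttcp\t-\tSF",
    "1710000480.9\tCd1\t10.99.0.7\t60000\t10.50.3.10\t445\ttcp\t-\tS0",
    "1710000540.0\tCd2\t10.99.0.7\t60001\t10.50.3.10\t445\ttcp\t-\tREJ",
])


def parse_conn_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("conn.log record before #fields header")
            yield dict(zip(fields, line.split("\t")))


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"   # an address outside the zone plan is itself a finding


def distinct_flows(text):
    """Return (established, failed): Counters keyed by
    (src_zone, src, dst_zone, dst, dst_port, proto)."""
    established, failed = Counter(), Counter()
    for r in parse_conn_log(text):
        key = (zone_of(r["id.orig_h"]), r["id.orig_h"],
               zone_of(r["id.resp_h"]), r["id.resp_h"],
               int(r["id.resp_p"]), r["proto"])
        (established if r["conn_state"] in ESTABLISHED else failed)[key] += 1
    return established, failed


def allow_rules(text, cross_zone_only=True):
    """Candidate allow rules, one per distinct established flow."""
    established, _ = distinct_flows(text)
    rules = []
    for (sz, src, dz, dst, port, proto), n in sorted(established.items()):
        if cross_zone_only and sz == dz:
            continue
        rules.append(f"ALLOW {sz}:{src} -> {dz}:{dst} {proto}/{port}  # seen {n}x")
    return rules


if __name__ == "__main__":
    est, fail = distinct_flows(SAMPLE_CONN_LOG)
    print(f"{sum(est.values())} established connections collapse to {len(est)} flows; "
          f"{sum(fail.values())} failed attempts excluded")
    print("\n".join(allow_rules(SAMPLE_CONN_LOG)))
```

The failed-attempt counter is worth reviewing on its own: repeated S0/REJ records from a management host to SMB on a PLC, as in the sample, are either a misconfigured tool or something to hand to the SOC, and neither belongs in the allow-list.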

02
Problem

Legacy HL7 medical device used hardcoded credentials and couldn't authenticate to modern zones.

Impact

Hospital risked losing device certification if we changed its auth; risked data exposure if we didn't.

Resolution

Placed device in an isolated micro-zone with source-IP-locked policy, deployed a broker service for modern protocol translation. Device kept its certification; blast radius reduced to one subnet.

03
Problem

First segmentation wave blocked legitimate backup traffic on night of cutover. SOC got 200 alerts.

Impact

On-call rolled back the rule; all progress lost for that zone.

Resolution

Added a pre-cutover checklist step: 'observe for 2 business cycles including backup window.' Instituted a freeze on cutovers during month-end. Zero rollback events in next 11 waves.
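The checklist above and the graduated-enforcement rule in T.03 are a promotion gate: a rule moves from alert to block only when specific evidence exists. As an added example (not the page's own tooling), the block below encodes that gate. A rule is promotable only if it has spent at least 14 days in alert mode, every alert hit has been claimed by an app owner, each known backup window actually ran inside the alert period, and the proposed cutover date is outside the month-end freeze. The rule, hits, backup schedule, and the assumption that the freeze spans three days on either side of month end are constructed for the example.

```python
"""Promotion gate for graduated enforcement: a rule moves from alert to block
only when the evidence the process demands is actually in hand."""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import List, Optional, Tuple

MIN_ALERT_DAYS = 14            # two weekly business cycles in alert mode
MONTH_END_FREEZE_DAYS = 3      # assumed width of the freeze on each side of month end


@dataclass
class AlertHit:
    when: datetime
    explained: bool = False    # True once an app owner has claimed the flow


@dataclass
class Rule:
    name: str
    mode: str                  # "observe" | "alert" | "block"
    alert_since: Optional[datetime] = None
    hits: List[AlertHit] = field(default_factory=list)


def in_month_end_freeze(d: date, width: int = MONTH_END_FREEZE_DAYS) -> bool:
    """True for the last `width` days of a month and the first `width` of the next."""
    first_of_next = (d.replace(day=28) + timedelta(days=4)).replace(day=1)
    last_day = (first_of_next - timedelta(days=1)).day
    return d.day <= width or d.day > last_day - width


def window_observed(start: datetime, end: datetime, weekday: int, hour: int) -> bool:
    """Did a weekly window (weekday 0=Mon, starting at `hour`) fall inside [start, end]?"""
    first = start.replace(hour=hour, minute=0, second=0, microsecond=0)
    first += timedelta(days=(weekday - first.weekday()) % 7)
    if first < start:             # same weekday, but that day's window had already passed
        first += timedelta(days=7)
    return first <= end


def promotion_decision(rule: Rule, now: datetime, cutover: date,
                       backup_schedule) -> Tuple[bool, List[str]]:
    """backup_schedule: iterable of (label, weekday, hour), one per known backup job.
    Returns (may_block, reasons); promote only when reasons is empty."""
    if rule.mode != "alert" or rule.alert_since is None:
        return False, [f"{rule.name}: not in alert mode"]
    reasons = []
    observed = now - rule.alert_since
    if observed < timedelta(days=MIN_ALERT_DAYS):
        reasons.append(f"only {observed.days} days in alert mode, need {MIN_ALERT_DAYS}")
    unexplained = [h for h in rule.hits if not h.explained]
    if unexplained:
        reasons.append(f"{len(unexplained)} alert hit(s) not yet claimed by an app owner")
    for label, weekday, hour in backup_schedule:
        if not window_observed(rule.alert_since, now, weekday, hour):
            reasons.append(f"{label} window never ran inside the alert period")
    if in_month_end_freeze(cutover):
        reasons.append(f"cutover {cutover} falls inside the month-end change freeze")
    return not reasons, reasons


if __name__ == "__main__":
    rule = Rule("erp -> shop-floor modbus", "alert", datetime(2024, 3, 1, 9),
                [AlertHit(datetime(2024, 3, 3, 2, 15), explained=True),
                 AlertHit(datetime(2024, 3, 10, 2, 10))])      # backup server, still unclaimed
    schedule = [("weekly full backup", 6, 2)]                  # Sundays 02:00
    ok, why = promotion_decision(rule, datetime(2024, 3, 18, 9), date(2024, 3, 20), schedule)
    print("promote" if ok else "hold: " + "; ".join(why))
```

The unclaimed 02:10 hit in the sample is exactly the backup flow from incident 03: with this gate the rule stays in alert until someone owns that flow and it is added to policy, instead of being discovered by the on-call engineer on cutover night.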

Data model

Segmentation lifecycle

Discover → design → validate → enforce → monitor.

Legend: input · process · store · output · validated

Observed flows (Zeek) → App owner workshops → Zone model → Policy generator → Lab validation → Graduated enforcement → Drift monitor
Metrics we ship against

Targets, not promises.

Metric                        | Our target              | Baseline (industry avg)
East-west blast radius        | Reduce 75% in 90 days   | Flat network: 100%
Production cutover incidents  | 0 unplanned outages     | Industry avg: 2–4 per project
Hardening baseline drift      | < 3% within quarter     | Industry avg: 22%
Lateral-movement test success | 0 cross-zone success    | Flat network: ~100%
Questions we hear

Answered plainly.


Will this break our applications?
Not with our graduated process. We observe for weeks before blocking anything, and every rule has a rollback. Our track record is zero unplanned outages in the last 40 cutovers.
Do we need to rip-and-replace our firewalls?
No. We work with what you have: Palo Alto, Cisco, Fortinet, host-based (Illumio/Guardicore), or cloud-native. Design first, tooling second.
What about OT / ICS networks?
We have dedicated playbooks for OT with Purdue-model zoning, passive-only discovery where required, and coordinated change-control with plant operations.
How is this different from a standard NSX / Illumio deployment?
We bring the process. Tooling without traffic learning and graduated enforcement creates the very outage it's supposed to prevent.