GigaOm Radar for Microsegmentation v3

Microsegmentation solutions define and enforce per-entity communications policies. In this context, an entity can be any information technology (IT) or operational technology (OT) resource that processes and stores data. Entities can range from workloads hosted in the cloud to containers running in an on-prem data center, or OT systems, applications, services, and end user devices. By defining policies for single entities, microsegmentation becomes a key technology for enforcing least privilege access.

While the concept of isolating individual entities is simple, two requirements of today’s microsegmentation solutions make them much more nuanced and complex:

• Microsegmentation policies apply to interactions between two entities. Each entity is isolated from others, and depending on the identity of the “from” entity, policies differ. For example, administrators may want to block all traffic from a category of workloads and allow traffic from others only on a specific port. If we’re isolating entity A, we need to consider the policies between A and B, A and C, and so on. Even solutions that adopt a default-deny approach still need to be evaluated for their extensibility, as they may not be able to enforce microsegmentation policies for some types of workloads, such as microservices, IoT devices, or end users.

• All entities are subject to microsegmentation. In heterogeneous environments, this makes microsegmentation exercises very complex because different underlying technologies require different types of policies. For example, the way containers communicate with each other is different from the way a developer accesses a server, so a solution supporting both instances must develop use case-specific features.

The scope for microsegmentation is enormous, and while all vendors featured in this report offer microsegmentation capabilities, they employ different approaches. For example, some vendors have developed purpose-built microsegmentation products with an architecture that is applicable across as many use cases as feasible. Others have created purpose-built solutions that focus on specific goals. Still others offer solutions that are part of the networking and virtualization stack, and they enforce microsegmentation from that vantage point. For IT buyers, the decision criteria defined below are indicative rather than prescriptive about what a solution needs to support. 

This is our third year evaluating the microsegmentation space. This report builds on our previous analysis and considers how the market has evolved over the last year.

This GigaOm Radar report examines 15 of the top microsegmentation solutions and compares offerings against capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria). It provides an overview of the market, identifies leading microsegmentation offerings, and helps decision-makers evaluate these solutions so they can make a more informed investment decision.

To help prospective customers find the best fit for their use case and business requirements, we assess how well microsegmentation solutions are designed to serve specific target markets and deployment models (Table 1).

For this report, we recognize the following market segments:

• Small-to-medium business (SMB): These organizations have simpler infrastructure stacks and require solutions that favor ease of use over granularity.

• Large enterprise: Given their complex and distributed environments, large enterprises require solutions that can handle a great number of dynamic entities and can enforce policies without adding too much friction to the development process.

• Regulated industries: These include government bodies, financial institutions, and healthcare organizations that must comply with a strict set of rules and require solutions that support and help enforce compliance with regulations.

• Managed service provider (MSP): These organizations are third parties that handle the operations of a customer’s digital infrastructure. They can leverage microsegmentation solutions to help customers enforce zero trust policies and require solutions that support multitenancy capabilities or flexible deployment models.

In addition, we recognize the following deployment models:

• Agentless: These typically use a physical or virtual network appliance and rely purely on network traffic analysis without any agents.

• Hypervisor agent: These are embedded in the hypervisor layer to enforce policy between VMs communicating internally and externally.

• Container network interface (CNI)-based: A Kubernetes plugin that defines networking policies and can define inbound and outbound traffic based on identity and security policies.

• Operating system (OS) agent: An agent is installed within the operating system (like Linux or Windows) to secure north-south and east-west traffic flows.

• Physical appliance: An integrated hardware appliance is installed on-prem to segment traffic through physical network ports.

• Network-based: This model leverages SDN infrastructure like switches and routers to enforce connectivity rules between endpoint groups or zones.

Table 1. Vendor Positioning: Target Market and Deployment Model

Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1). 

“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.

All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

• Single entity isolation

• Traffic filtering

• Traffic monitoring

• Centralized management

• Entity discovery

• Network agnostic

Tables 2, 3, and 4 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.

• Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating a microsegmentation solution

• Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months

• Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization

These decision criteria are summarized below. 

Key Features

• Automated discovery and mapping: Solutions can automatically discover and map an organization's entities across environments, such as cloud workloads, data centers, and on-prem entities.

• Traffic and behavior analysis: To understand traffic flow behavior within a network, microsegmentation solutions must analyze traffic patterns and place them within the wider environment. 

• Policy definition engine: Microsegmentation requires translating business needs into granular workload access policies. Policy definition capabilities describe how administrators can define a policy and how these policies are applied across entities on the network. 

• Network-based policy enforcement: Instead of simply allowing or blocking traffic between two entities, network policy enforcement features provide rules that allow more nuanced traffic flows.

• Integrations: A solution’s integration features enable it to become part of the customer’s wider technology stack. These integrations can be bidirectional, allowing the microsegmentation solution to both send information to third-party tools and receive information and commands from other applications. 

• Identity-based policy enforcement: Identity-based policy enforcement offers controls independent of network constructs. Access can be governed using attributes such as operating system type, patch status, VM name, Active Directory groups, and cloud-native identities like labels, tags, and namespaces.

Table 2. Key Features Comparison 

Emerging Features

• Authentication and authorization: Some microsegmentation solutions leverage various authentication techniques, such as certificates and tokens, to secure communication between workloads more effectively.

• Incident response: Microsegmentation solutions enable real-time containment of threats by dynamically isolating compromised entities. This is achieved by enforcing additional rules between microsegments to block lateral movement. 

• Risk-based policy enforcement: The solution can incorporate vulnerability data through custom fields populated by vulnerability management platforms, as well as metadata from IoT and OT security platforms.

• Process-based policy enforcement: Solutions can monitor the running processes on every entity, capturing detailed context for each process and its associated libraries. Process and library hashes can be assessed against a threat data feed to identify malicious code execution and detect variation from known good processes. 

Table 3. Emerging Features Comparison

Business Criteria

• Zero trust adherence: Microsegmentation solutions should deliver on the core tenets of zero trust frameworks, verifying explicitly, enforcing least privilege permissions, and always limiting blast radius. Granular workload isolation policies minimize lateral movement channels for threats. 

• Scalability: Microsegmentation tools should scale seamlessly across hybrid environments without introducing overhead. Top solutions in this space build in scaling capabilities to support massive workload counts and dynamic policy sets across regions while sustaining always-on high performance.

• Performance: Microsegmentation solutions must monitor and understand traffic to enforce policies, so they inevitably inject some overhead that affects performance.

• Extensibility: A solution’s extensibility refers to the range of entities on which it can enforce microsegmentation policies.

• Ease of use: Evaluating a solution’s ease of use comes down to determining its learning curve, its supporting technical documentation, and how frictionless policy design and deployment are. Ease of use is achieved by leveraging low-code and no-code builders, topological maps, and data-driven suggestions.

• Cost transparency: This takes into consideration the customer’s ability to self-serve in terms of pricing and get an estimation of the solution with respect to their needs. It requires vendors to provide information such as public pricing, calculators, and licensing options.

Table 4. Business Criteria Comparison

The GigaOm Radar plots vendor solutions across a series of concentric rings, with those positioned closer to the center being judged as having the most complete solution. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s expected evolution over the coming 12 to 18 months.

Figure 1. GigaOm Radar for Microsegmentation

As you can see in Figure 1, vendors are distributed across all four quadrants of the chart, with the highest concentration of products in the Innovation/Platform play quadrant. These solutions offer comprehensive coverage of IT and OT infrastructure and also focus on emerging technologies, which describe capabilities such as enforcing microsegmentation policies using endpoint processes and risk-based analysis. This quadrant also features all outperformers who are defining novel and nuanced approaches to microsegmentation enforcement. 

Vendors in the Feature Play half provide microsegmentation capabilities from a specific vantage point, such as process-based segmentation, microsegmentation for cloud environments only, or via predeployed hypervisors.

In reviewing solutions, it’s important to keep in mind that there are no universal “best” or “worst” offerings; every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.

INSIDE THE GIGAOM RADAR

To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.

Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.

For more information, please visit our Methodology.

12Port

Solution Overview
12Port, founded in 2024, builds software for network microsegmentation. Following the principles of zero trust architecture, the 12Port platform allows businesses to segment their extended networks, block unauthorized traffic, and reduce the damage of potential breaches. The software visualizes internal east-west network traffic and isolates workloads across physical, virtual, and cloud environments. By leveraging an agentless architecture communicating with endpoints through a variety of RPC protocols, 12Port allows deployment, monitoring, and enforcement of network microsegmentation policies, ensuring protection across data centers and cloud platforms. Features include change control with multilevel approval process, asset discovery from a variety of on-prem or cloud services, auto-tagging, multitenant architecture, integration with SSO and MFA protocols, and hierarchical data organization with permissions and configuration inheritance for system adoption, maintenance, and scalability.

12Port offers device identity-based traffic management features that work by incorporating user identity-based control and Layer 7 protocol analysis, delivering a unique, comprehensive solution for identity-driven network management, control, and monitoring.

12Port is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the microsegmentation Radar chart.

Strengths
12Port scored well on a number of decision criteria, including:

• Automated discovery and mapping: 12Port can discover endpoints on the network by integrating with LDAP, Active Directory, Broadcom, and AWS. It also supports asset import via CSV files. A comprehensive REST API is provided, enabling third-party tools to load assets into the tool's asset database. All asset import methods leverage an intelligent tagging system to enrich endpoint metadata, creating an asset identity that can later be used for segmentation policies.

• Policy definition engine: The tool defines policies based on tags assigned to each entity. These tags are derived from a configurable, multilevel hierarchical taxonomy. The tag set can represent a single entity, a cluster of entities, or all entities, depending on how the tags are assigned. The policies defined by the tool specify the connection targets for inbound connections and establish criteria for selecting the connection source, which defines the outbound connections.

• Identity-based policy enforcement: The tool defines microsegmentation policies based on endpoint identities, which are described by a set of tags derived from terms within a configurable multilevel hierarchical taxonomy. It also includes an intelligent tagging option that automatically assigns tags based on existing or collected metadata. Additionally, the tool leverages user identities to make temporary exceptions to permanent policy-based enforcements. Users with the necessary permissions can request access to a specified workload on a designated endpoint for a defined period. The port and service is opened following the approval of the request, either through a configured multilevel approval process or by automatic approval.

Opportunities
12Port has room for improvement in a few decision criteria, including:

• Integrations: While 12Port exposes features via an API, supports syslog and API-based log forwarding, and integrates with major providers, the solution could further expand its integration portfolio to include widely deployed IT and security products such as ITSM and SIEM.

• Traffic and behavior analysis: Even though the tool logs workload connections, suggests connection patterns, and allows the definition of expected connection patterns through unpublished monitoring policies, it does not currently detect anomalies such as HTTP instead of HTTPS or decrypt traffic for inspection.

• Incident response: The solution does not support native automated incident response capabilities. It relies on an external application to update endpoint tags via the system API, which then applies incident response policies to the managed assets.

Purchase Considerations
12Port software is priced based on the number of assets. An asset is a device or an IP list that accepts inbound or originates outbound network traffic and is managed by segmentation policies. This price includes all features, and there are no additional charges. Discounts are available for annual and multiyear contracts, larger quantities, or certain large-quantity asset types. There is special MSP pricing for multitenant deployments.

Use Cases
12Port supports a range of use cases, including agentless network discovery, component identification, workflow-enabled remote device access, and dynamic microsegmentation.

Akamai: Guardicore Segmentation

Solution Overview
In 2021, Akamai acquired the microsegmentation provider Guardicore to integrate the product in its wider zero trust security portfolio. The solution includes both agent-based and agentless options. Agents are used to secure entities that reside on enterprise networks, while an agentless approach is used in cloud and OT environments.

The solution is known as Akamai Guardicore Segmentation. It is a unified zero trust platform that converges visibility, control, and detection and response capabilities across every asset, application, user, and interaction. Microsegmentation, ZTNA, DNS firewall, deception, and threat hunting are combined into a single agent and management console. The offering consists of the following components: a unified management console (available as SaaS, on-prem, or hybrid) for centralized policy management and visibility; lightweight agents that act as enforcement points for Windows, Linux, Unix, macOS, and containerized environments, which also provide ZTNA capabilities for endpoints; aggregators, a data optimization tier designed to support massive-scale deployments; PacketFence, an agentless enforcement component that supports segmentation for devices that cannot tolerate an agent (such as OT); and collectors, additional agentless components that provide visibility and control for PaaS environments, orchestration platforms, and next-generation data center smart switches.

Akamai is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the microsegmentation Radar chart.

Strengths
Akamai scored well on a number of decision criteria, including:

• Automated discovery and mapping: Akamai Guardicore Segmentation enables dynamic discovery and mapping with a network map that creates a visual representation of the IT infrastructure, which security teams can use to view activity at the user and process levels in real time. Akamai Guardicore Segmentation supports application dependency mapping and policy enforcement, ensuring ongoing management of microsegmentation policies. 

• Policy definition engine: The solution supports multiple ways to define policies, including predefined templates for out-of-the-box policies for the most common use cases. Policy enforcement is decoupled from the underlying infrastructure, so security policies can be created or altered without requiring network changes or downtime. These policies can follow workloads across on-prem data centers or public cloud environments. Moreover, AI-powered policy workflows make creating segmentation policies fast, intuitive, and based on real workload context. 

• Process-based policy enforcement: Akamai Guardicore Segmentation utilizes a proprietary, lightweight agent with a kernel-level firewall driver. This allows the solution to enforce policies based on the specific process identity (binary path, file hash, process name) rather than just network addresses. This enables the authorization of specific workloads to communicate while blocking others on the same port. The agent monitors all running processes on every entity (Windows, Linux, Unix, macOS, and containers) and captures deep contextual telemetry for every flow. This includes process context such as process name, binary path, and process group; identity context; and execution context.

Opportunities
Akamai has room for improvement in a few decision criteria, including:

• Authentication and authorization: While the solution can automatically analyze workloads to identify applications and suggest appropriate labels, it does not currently support features such as mutual transport layer security (mTLS), Secure Production Identity Framework for Everyone (SPIFFE) and SPIFFE Runtime Environment (SPIRE), or token-based authentication (such as JWT).

• Network-based policy enforcement: The solution has strong features to define policies using network constructs such as 5-tuples and Layer 7-based policies, but it could further improve by natively enforcing encryption or filtering HTTP and API requests and methods. These features are available via the WAF and API Security products, which can be combined with Akamai Guardicore Segmentation. 

• Traffic and behavior analysis: The Akamai Hunt and GPE engines analyze historical traffic to establish normal communication baselines. However, the solution could improve by natively employing deep packet inspection and decrypting traffic. Integration with API security provides actual payload visibility for risk-based segmentation approach.

Purchase Considerations
Akamai Guardicore Segmentation mainly serves east-west traffic protection use cases, while other products, such as Enterprise Application Access, must be used for north-south traffic protection. Together with Akamai’s CDN and cloud services inherited from the Linode acquisition, Akamai offers a comprehensive platform for digital services.

Use Cases
Akamai Guardicore Segmentation supports use cases such as lateral movement protection, application ring-fencing, securing cloud and PaaS, and compliance assurance. The solution also expands its capabilities to solve use cases such as discovery and control for unmanaged devices and user-to-app access control, leveraging both ZTNA for north-south access and microsegmentation for granular east-west control.

Aviatrix: Distributed Cloud Firewall

Solution Overview
Aviatrix delivers secure cloud networking across multiple public clouds, offering microsegmentation capabilities with its Distributed Cloud Firewall product. This enables the embedding of security policy inspection and enforcement into the native cloud infrastructure and natural application communication flows, allowing all traffic to be seen without agents or any centralized appliance or service. 

Policies are defined with cloud-native tags and attributes, which are used to restrict inbound traffic. Aviatrix policies can deliver a zero trust architecture, leveraging least privilege restrictions in which microsegmentation can be applied between workloads operating in different VPCs/VNets or within a single VPC/VNet to isolate single workloads or groups of workloads.

Aviatrix’s Distributed Cloud Firewall is a true agentless solution, delivered in an as-a-service model. The vendor is moving rapidly to incorporate new features and use cases, such as integrations with Kubernetes.

Aviatrix is positioned as a Leader and Fast Mover in the Maturity/Feature Play quadrant of the microsegmentation Radar chart.

Strengths
Aviatrix scored well on a number of decision criteria, including:

• Automated discovery and mapping: With good visibility features, the solution can discover and map assets via API-based discovery and integrations with cloud service providers to identify cloud-based assets. Entities are asynchronously and automatically updated as soon as changes take place. Aviatrix uses an event-driven architecture to monitor cloud-native logs to make updates when resources migrate. 

• Policy definition engine: The policy definition engine can impact a single workload or apply globally, depending on how the policy is authored and its placement within the rulesets. The solution supports context-aware traffic analysis via egress traffic based on fully qualified domain name (FQDN) filtering, traffic decryption, and deep packet inspection (DPI).

• Integrations: Aviatrix leverages Terraform as its primary programmable interface in alignment with modern cloud infrastructure-as-code (IaC) practices. It can send logs to third-party security observability products such as Splunk SIEM and Kentik. In addition, Aviatrix will be releasing an open source log integration engine, which will allow customers to format logs and integrate with any SIEM tool in a way that aligns with log formatting for existing firewalls and other security products. SOAR, EDR, and XDR can be integrated using the product’s API. 

Opportunities
Aviatrix has room for improvement in a few decision criteria, including:

• Network-based policy enforcement: Although Aviatrix offers strong network-based security policies based on constructs such as 5-tuple, geolocation, VPC/VNET, subnet, and Kubernetes namespaces and pods, the solution currently focuses on egress traffic security, while ingress traffic security is slightly underdeveloped.

• Traffic and behavior analysis: While the solution can track data flows to establish baseline behavior of workload connections and identify deviations from expected patterns, this capability is currently limited to Layer 4 constructs, such as ingress and egress IP and port, and it doesn’t include Layer 7 constructs, such as HTTP requests.

• Identity-based policy enforcement: While Aviatrix can define microsegmentation policies using identities rather than static constructs such as IPs, it can further improve by using attributes such as operating system type, patch status, and IDP and AD groups in the policy definition process.

Purchase Considerations
Microsegmentation is a subset of Aviatrix’s capabilities and is best leveraged in conjunction with the wider Aviatrix platform for multicloud networking. Aviatrix customers can use the solution to define hybrid and multicloud networking constructs and enforce east-west and egress microsegmentation capabilities with a single tool.

Use Cases
Aviatrix’s solution supports use cases such as microsegmentation for east-west traffic, which includes service-to-service, workload-to-workload, and workload-to-service communication within public clouds and between cloud VPCs/VNets. It also includes segmenting internet-based resources via egress filtering for corporate and regulatory compliance.

Avocado Systems: Avocado Security Platform 

Solution Overview
Avocado Systems’ distinguishing process-based, microsegmentation-first approach is achieved via two software components: the Avocado Security Orchestrator and the Avocado Security Plugin. These deliver three capabilities: Avocado Reveal, Avocado Protect, and Avocado Encrypt. 

Avocado Protect is part of a bundled solution platform named Avocado Security Platform, wherein Avocado Reveal provides observability, threat modeling, and architecture model rendering. When the mode of the product is switched to Protect, automated microsegmentation starts, data protection policies are enforced, and threats are mitigated. The user interface consists of a single dashboard with provisions for configuring policies and visualizing the application architecture, threats, and threat models.

Avocado Protect provides application process-level zero trust by using automated microsegmentation. It secures applications at the process level, using deep observability and zero trust principles to stop attackers from moving laterally inside the enterprise application or environment.

Avocado Systems is positioned as a Challenger and Fast Mover in the Innovation/Feature Play quadrant of the microsegmentation Radar chart.

Strengths
Avocado Systems scored well on a number of decision criteria, including:

• Automated discovery and mapping: Avocado Reveal uses agentless runtime instrumentation to automatically discover and map entities across cloud workloads, data centers, and on-prem environments. It injects lightweight security logic into application processes without requiring code changes or agents. This provides identification of applications, subprocesses, and dependencies at runtime, as well as visibility across hybrid and multicloud environments and on-prem systems.

• Policy definition engine: The solution offers Policy Modeling and Simulation, which enables customers to run Avocado Reveal to discover and model policies based on the discovery and threat modeling process. Avocado Protect can be enabled via Avocado Reveal, which uses auto-generated policies. The process of modeling and simulation can be done in QA or preproduction setups before enabling it in production environments.

• Process-based policy enforcement: After discovery collects process name, path, process ID, arguments, various contexts, user/owner contexts, base TCP ports, and checksums, the runtime enforces microsegmentation, zero trust verifications, attack detection, and malicious activity detection. Avocado Reveal builds runtime threat models, vulnerability reports, and compliance and architecture governance reports.

Opportunities
Avocado Systems has room for improvement in a few decision criteria, including:

• Integrations: While the solution exposes features via APIs and can be integrated with WAF, SIEM, and network security solutions, it could improve by offering out-of-the-box integrations with industry-standard IT and security solutions.

• Identity-based policy enforcement: As Avocado Protect policies are based on application-level transactions after the sessions are offloaded following authentication and authorization, policies are not defined or enforced based on identity.

• Incident response: Though the solution can respond to incidents by terminating or marking noncompliant behaviors for rejection, it does not currently revoke individual user access sessions that are identified as suspicious, rotate credentials or certificates as a containment measure, or adjust the microsegment boundaries based on identified breach pathways.

Purchase Considerations
Product licenses are sold per business application, which may include thousands of application processes. Additional Avocado Reveal AI-based analytics are charged at a premium. Avocado Security Platform is an on-prem software solution for enterprises. Avocado Systems does not offer SaaS versions to enterprises.

Use Cases
The use cases supported by Avocado Systems include zero trust enforcement, where every process, user, and service must be verified continuously; microsegmentation at the process level; threat detection and remediation; observability; and forensics, where the solution provides deep visibility into application behavior and enables continuous threat modeling and forensic analysis.

Byos: Secure Networking Platform

Solution Overview
The Byos Secure Networking Platform is composed of the Byos Secure Edge, which provides asset cloaking and traffic route enforcement; the Byos Secure Lobby, which is an SDN overlay network; and the Byos Management Console, the control plane where administrators can centrally manage all Byos Secure Edge devices.

With centralized security policy management, administrators can group devices by attributes, set custom routing policies, and monitor usage from a single location. They can control how assets connected to Byos Secure Edge devices are accessed, using a port- and protocol-based allow list for granularity. The solution provides real-time monitoring and incident response.

Byos is positioned as an Entrant and Fast Mover in the Maturity/Feature Play quadrant of the microsegmentation Radar chart.

Strengths
Byos scored well on a number of decision criteria, including:

• Policy definition engine: Byos provides a flexible and granular policy definition engine to enforce microsegmentation. Its multilevel policy definition capability can define policies per device, per logical zone, or globally across deployments. Unidirectional communication control policies can enforce strict one-way communication rules to limit access between endpoints. Policies are configured via the management console, enabling easy rule creation and enforcement. Byos provides out-of-the-box templates for common use cases, such as isolating OT assets, securing remote endpoints, and segmenting critical infrastructure. 

• Incident response: Byos can instantly isolate a compromised device by revoking its access or moving it into a restricted zone, preventing further spread. Microsegmentation enforces strict per-device access policies, ensuring threats cannot move freely across the network. Byos can block a compromised endpoint’s network access to stop unauthorized activities in the event of a ransomware attack. It also enables rapid deployment of new segmentation rules to mitigate vulnerabilities and prevent any further compromise.

• Traffic and behavior analysis: Administrators can analyze network flow logs to enforce least privilege access based on real-world traffic patterns. Customers can monitor allowed and blocked traffic flows between protected endpoints.

Opportunities
Byos has room for improvement in a few decision criteria, including:

• Automated discovery and mapping: While Byos Secure Edge can automatically discover and map assets connected to it, the solution doesn’t map the traffic flow of these devices directly. Instead of performing traditional automated discovery and mapping like agent-based solutions or network scanners, Byos enforces zero trust microsegmentation by cloaking assets and controlling access on a per-device basis.

• Integrations: The Byos Management Console can integrate with other security tools through APIs but could further improve by offering a wide range of out-of-the-box integrations with widely deployed IT products.

• Network-based policy enforcement: While Byos blocks out-of-policy traffic by restricting communication to explicitly defined ports, protocols, and destinations, it does not currently enforce policies at Layer 7 for payload awareness or HTTP methods and protocols such as gRPC, Kafka, or DNS.

Purchase Considerations
Byos licenses its solution in a hardware-as-a-service model. Customers pay a one-time fee for the hardware, with annual recurring licensing for the service. They can choose 1-, 3-, or 5-year term lengths.

Use Cases
Byos is suitable for a range of use cases, such as security for remote, distributed workforces, government and defense secure communications, secure machine data capture in OT environments, and securing utilities and critical infrastructure.

Cisco: Secure Workload

Solution Overview
Cisco Secure Workload (formerly Tetration) is a microsegmentation solution that can enforce security policies across workloads, environments, or locations from a single console. Secure Workload reduces the attack surface, identifies workload behavior anomalies, helps remediate threats rapidly, and continuously monitors compliance.

Software agents can be deployed on bare metal servers, VMs, and containers. Other discovery and mapping features are based on encapsulated remote switched port analyzer (ERSPAN) sensors, NetFlow sensors, and cloud networking constructs.

For end user devices, the solution can collect telemetry from the Cisco AnyConnect Network Visibility Module running on endpoint devices such as laptops, desktops, and smartphones, or it can collect endpoint device information from Cisco Secure Workload software agents.

Secure Workload can identify software vulnerabilities by gathering inventory and version information installed on servers. This is then used to determine whether any of the package versions have known vulnerabilities or exposures, along with their potential severity using a CVSS score, and prioritizes the vulnerability based on the Cisco Security Risk Score. Vulnerability data can be used in policies to enable remediation actions such as quarantining an entity.

Cisco is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the microsegmentation Radar chart.

Strengths
Cisco scored well on a number of decision criteria, including:

• Traffic and behavior analysis: Secure Workload continually monitors and baselines running processes on every server, capturing context for each process and its associated libraries. Process and library hashes are assessed against a threat data feed to identify malicious code execution and detect variation from known good processes. Workloads are monitored for behavioral indicators of compromise (IoCs) through a configurable set of forensic event indicators, such as detecting operating system events. 

• Policy definition engine: The tool auto-generates microsegmentation policies by analyzing application communication patterns and dependencies. The policy definition engine defines microsegmentation default and absolute policies using ML algorithms and groups based on asset tags based on users and user groups that need access, which are imported from CMDB integrations. It enforces consistent policies through distributed control of native host firewalls and infrastructure, including application delivery controllers and third-party firewalls. The generated policy intent is also streamed across a secure Kafka broker and API for further enforcement in the infrastructure and is delivered to application delivery controllers (ADCs) through direct integration for consistent policy enforcement to workloads across the data center and cloud.

• Risk-based policy enforcement: Secure Workload delivers near-real-time compliance monitoring of all communications to identify and alert against policy violations or potential compromise. It also identifies IoCs and does workload behavior baselining and proactive anomaly detection, as well as common vulnerability detection with dynamic mitigation and threat-based quarantine.

Opportunities
Cisco has room for improvement in a few decision criteria, including:

• Automated discovery and mapping: While the solution can discover entities based on collection from agents, ERSPAN sensors, NetFlow sensors, and cloud networking constructs, it could further improve by asynchronously discovering new devices and updating policies, dashboards, and graphs.

• Network-based policy enforcement: Cisco Secure Workload’s network-based policy enforcement capabilities are limited. The solution is natively integrated with Cisco Secure Firewall, and the two solutions are excellent when working together, with extensive Layer 7 capabilities. However, Cisco Secure Firewall is out of this report’s scope.

• Process-based policy enforcement: While the solution can determine the baseline behavior of workloads from communication activities and processes, it could further expand these capabilities by isolating assets or terminating communications when a suspicious or forbidden process is detected.

Purchase Considerations
Cisco Secure Workload covers a wide range of entities, making it suitable for organizations that require only one microsegmentation solution to enforce policies across the environment. The solution does not have any prerequisites, such as requiring other Cisco products before being used to enforce microsegmentation policies.

Use Cases
Secure Workload can be used to enforce microsegmentation policies for end users and data center and cloud workloads. This is done using software agents on bare metal servers, VMs, and containers. End user device policies are enforced at the OS firewall level.

ColorTokens: Xshield Enterprise Microsegmentation Platform

Solution Overview
ColorTokens Xshield Enterprise Microsegmentation Platform is a SaaS-delivered solution that can enforce policies across data centers, cloud workloads, user endpoints, containerized microservices applications, and OT and IoT devices.

Xshield uses both agent-based and agentless policy enforcement points, as appropriate. For microsegmentation of OT and IoT devices, the solution uses an agentless gatekeeper appliance that can be deployed as a discrete hardware device on location or as a VM in the data center. For containers and microservices, the solution integrates with Kubernetes’s service mesh solution to enforce policies at the API level.

ColorTokens is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the microsegmentation Radar chart.

Strengths
ColorTokens scored well on a number of decision criteria, including:

• Automated discovery and mapping: The solution’s dynamic discovery and mapping capabilities display network assets, applications, and dependencies. Xshield can discover entities via agents, configuration management database (CMDB) integrations, cloud integrations, container management platforms, IP scanning, and dynamic host configuration protocol (DHCP). It also leverages MAC-based discovery, service mesh and sidecar proxies for microservice API discovery, and identity management tools for user and group information. Xshield policies and visualizations are based on tags and tag sets, all fully automated with tag automation rules. Any attribute change is mapped automatically with tag automation to appropriate tags. This updates all visualizations and policies.

• Policy definition engine: Xshield’s policy definition engine can define policies at individual, group, and global levels. The policy learning engine recommends and classifies policies for each use case. For example, policies for infrastructure services may be classified by location, while others are by specific application. Xshield creates on-demand recommendations from real-time data, suggesting ports, paths, network, and other attributes for a selected set of assets. All traffic from an entity is analyzed, and based on analysis of similar assets, a confidence factor is associated with the analysis. 

• Network-based policy enforcement: Xshield has policies based on port, protocol, and process. The Layer 7 policies primarily consist of API attributes, HTTP methods, URIs, and paths. The platform auto-learns, recommends, and classifies APIs, ignoring variable values used in the APIs. 

ColorTokens was classified as an Outperformer due to its consistent year-over-year releases and developments across key and emerging features.

Opportunities
ColorTokens has room for improvement in a few decision criteria, including:

• Process-based policy enforcement: Xshield has rich capabilities related to processes, which include applications, services, daemons, or scripts, and details such as process name, path, arguments, user context, and parent processes. However, it has some limitations around process-based policies for legacy operating systems.

• Authentication and authorization: The solution could further improve these capabilities by implementing time-limited credentials, mTLS, and service and user MFA.

• Incident response: While the solution can integrate with security operations solutions such as SIEM and SOAR to facilitate incident response, it does not currently offer native response workflows or threat hunting features.

Purchase Considerations
To deliver on a broad range of use cases, ColorTokens’ microsegmentation solution is comprehensive, with multiple integrations and agent-based, network appliance, and agentless deployment models. Xshield is one of the only solutions to deliver segmentation capabilities across all these types of entities.

Use Cases
Xshield is able to enforce microsegmentation policies for cloud services, microservices, end user devices, and OT and IoT environments. This wide set of use cases should satisfy most organizations’ segmentation requirements without any need to deploy additional solutions.

Elisity: Microsegmentation Platform 

Solution Overview
Elisity’s solution is a comprehensive cybersecurity platform that leverages the principles of zero trust to provide microsegmentation and identity-based policy enforcement across an organization’s network. The platform enables dynamic policy enforcement based on user, device, and application identity rather than static network constructs. Access to network resources is granted based on the identity of users and devices, adhering to the principle of least privilege by ensuring that entities have access only to what they need.

Elisity is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the microsegmentation Radar chart.

Strengths
Elisity scored well on a number of decision criteria, including:

• Automated discovery and mapping: The Elisity IdentityGraph discovers entities by observing network traffic and using flow data, DHCP requests, HTTP user agents, and access switch data. It matches user login information from Active Directory or other connected identity providers to authentication events. It can profile devices and users effectively and integrate with connectors such as Medigate, Claroty, Armis, Nozomi, CrowdStrike, and ServiceNow to enrich device discovery and identity. Elisity’s graphical policy visualization shows how assets may or may not communicate, how traffic flows, and how devices are classified by class, type, vendor, and location. There is a graphical policy matrix that allows users to deploy static or dynamic policies and make informed decisions based on the representation of learned traffic flows.

• Policy definition engine: The virtual edge control plane nodes use existing access infrastructure as policy enforcement points and translate data and policy between switches and the Elisity Cloud Control Center. Policies can be defined using a flexible match criterion, which includes identity-based attributes such as Active Directory groups, device types, and device vendors. When a workload is migrated, the system detects the change and updates policies in real time to reflect the new state of the network. Administrators can use the policy matrix to create, visualize, and manage policies, and they can drill down to see the details of traffic flows and the associated policies for better decision-making. Before applying policies, administrators can use a simulation mode to visualize the effects of segmentation policies without affecting the live environment. 

• Integrations: Elisity offers a wide range of integrations, including bidirectional integrations for EDRs, Claroty xDome, ServiceNow, and SIEM tools such as Splunk. It offers a comprehensive API along with a usage guide that provides guidelines and procedures for accessing Elisity APIs, detailing the necessary steps and requirements. 

Opportunities
Elisity has room for improvement in a few decision criteria, including:

• Traffic and behavior analysis: While the tool actively monitors and identifies traffic that violates configured policies, it does not currently support DPI, decryption, or payload awareness.

• Network-based policy enforcement: With its focus on identity-based segmentation policies, the solution does not offer comprehensive network-based policy enforcement features like content-aware and Layer 7 capabilities. Moreover, use cases associated with Layer 7 filtering policies typically target data center, microservices, and web requests, and these are not supported by the Elisity platform.

• Process-based policy enforcement: While the solution offers integrations with EDR tooling and their risk score values, it doesn’t offer process-based microsegmentation, meaning the solution does not have visibility over running processes or the ability to segment entities based on them.

Purchase Considerations
Organizations best suited to deploying Elisity’s microsegmentation are those with extensive IoT and OT footprints, such as in healthcare and manufacturing, particularly in their edge locations. Elisity is the only solution in its quadrant that can be deployed in conjunction with other microsegmentation solutions that focus on use cases such as data center and cloud microsegmentation.

Use Cases
Elisity’s microsegmentation solution can be used for IoT and OT security, compliance, data protection, and automated policy management. The solution’s architecture enables organizations to deploy it without making changes to the existing network topology. 

Illumio: Core, CloudSecure, Endpoint*

Solution Overview
Illumio’s microsegmentation solution is composed of three products: Core, CloudSecure, and Endpoint. Illumio Core provides segmentation for on-prem and cloud data center workloads, CloudSecure does so for public cloud applications and workloads, and Endpoint does so for end user devices.

The actual microsegmentation process is handled by its policy compute engine (PCE), which enables centralized visibility and policy management for globally distributed environments, and by virtual enforcement nodes, which are agents installed in discrete operating system instances. Workloads are paired with the policy compute engine when they have a virtual enforcement node installed. The discovery process for Illumio is based on the agent, which provides information about the device identity and running processes.

Illumio is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the microsegmentation Radar chart.

Strengths
Illumio scored well on a number of decision criteria, including:

• Automated discovery and mapping: CloudSecure’s visualization feature, Cloud Map, displays the cloud inventory as a network topology map for the cloud infrastructure. The map displays the relationships among resources using cloud-native constructs and shows traffic flows between cloud entities, including bidirectional flows for resources that are sending and/or receiving traffic. 

• Identity-based policy enforcement: Illumio’s security policy uses a label-based system to sort and describe the functions of workloads. Illumio users assign four-dimensional labels to their workloads to identify their roles, applications, environments, and locations. Users can specify labels in the scopes for rulesets and in the providers and consumers components of rules, which allows the workloads in their organization to communicate with each other. By labeling workloads and creating the corresponding rulesets, users enable rules to define the security policies for workloads. The PCE converts these label-based security policies into the appropriate rules for the OS-level firewalls of the workloads.

• Policy definition engine: Illumio offers segmentation templates that are prepackaged, tested security policies providing baseline rules for common enterprise applications. The solution can support load balancer configurations to enable administrators to write policy for workloads whose traffic is managed by load balancers. Illumio's adaptive user segmentation (AUS) allows organizations to use Active Directory user groups to control access to computing resources. Administrators can create user groups in the PCE that map directly to Active Directory groups.

Opportunities
Illumio has room for improvement in a few decision criteria, including:

• Traffic and behavior analysis: The solution is not currently able to decrypt traffic, detect out-of-policy traffic, log and analyze communication patterns between entities, or perform DPI.

• Network-based policy enforcement: The solution does not filter traffic based on protocols and encryption, such as defining policies at Layer 7 for protocols such as SSH, FTP, TFTP, SQL, and DNS. It does not limit the HTTP methods available between microservices, nor does it allow microservices to call only certain URL paths of another service’s API rather than all APIs.

• Process-based policy enforcement: Being based on agents, Illumio has some visibility over endpoint processes and services, but does not enforce policies based on daemons, scripts, or details such as process name, path, arguments, user context, or parent processes.

Purchase Considerations
To deliver on the extensive range of use cases, Illumio’s microsegmentation solution is complex. It consists of three products, offers both agent and agentless approaches, orchestrates native OS firewalls, and integrates with third-party services such as application load balancers and container management platforms. It’s worth noting that this extensibility is a strength because Illumio is one of the only solutions to deliver segmentation capabilities across all these types of entities.

Use Cases
Illumio delivers on all the use cases described in this report, which include containers, servers, endpoints, clouds, VMs, and applications. It can enforce policies at the network, identity, and process levels. By supporting microsegmentation at these levels, Illumio offers customers a wide range of policy definition choices that can provide granular control over how entities communicate.

Isovalent (Cisco): Isovalent Enterprise Platform

Solution Overview
Acquired by Cisco in April 2024, Isovalent provides microsegmentation for container and Kubernetes environments enforced at the CNI level and managed through a comprehensive policy engine. Microsegmentation can be enforced between container constructs such as pods, clusters, services, and namespaces, and the solution also handles communication with external workloads such as VMs and servers.

With Cilium as a part of the networking infrastructure stack, Isovalent’s solution is aware of Kubernetes and cloud constructs. Visualization and policy definition engines are offered via Timescape, Isovalent’s networking and security observability platform, which includes a visual policy builder, out-of-the-box policy templates, and suggested policies based on real-world traffic.

Isovalent is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the microsegmentation Radar chart.

Strengths
Isovalent scored well on a number of decision criteria, including:

• Policy definition engine: Using Cilium and Hubble, administrators can automatically create network policy rules based on traffic. Access from the host can be controlled for each individual container or pod. The policy can differentiate among local node traffic, traffic from an ingress controller running on the node, and NodePort traffic being masqueraded by the local node via a component such as kube-proxy. Administrators can enable cluster-wide and cross-cluster encryption of traffic with IPsec or WireGuard. The solution can inspect TLS traffic, which provides API-aware visibility and policy functionality, even for connections with client-to-server communication protected by TLS, such as when a client accesses the API service via HTTPS. 

• Network-based policy enforcement: The solution supports traffic filtering and policies at Layer 3 to Layer 7, which include protocols such as gRPC, Kafka, and HTTP. Users can define API-based policies, limiting HTTP methods or specific API paths. Network policies can be very granular, with filtering based on source and destination FQDN; pod, container, namespace, and cluster labels; service accounts; cloud provider metadata such as tags or VPC subnet IDs; Layer 4 protocols and ports; and Layer 7 constructs such as HTTP path values.

• Authentication and authorization: The solution can enforce mutual authentication between endpoints. Mutual authentication is backed by SPIRE, a production-ready implementation of SPIFFE. The SPIRE server is automatically configured and deployed by Cilium, certificates are automatically managed and rotated, and applications can be secured without the need for a sidecar proxy.

Opportunities
Isovalent has room for improvement in a few decision criteria, including:

• Traffic and behavior analysis: Even though the solution offers features such as analyzing traffic patterns between entities to define policies and having awareness of what kind of traffic is being sent to detect anomalies such as HTTP instead of HTTPS or other encrypted traffic, it does not currently offer capabilities to detect out-of-policy traffic or provide DPI.

• Process-based policy enforcement: Isovalent’s solution can achieve comprehensive process-based policy enforcement capabilities through Tetragon, a separate runtime security and observability tool. 

• Incident response: While the solution can deliver good capabilities such as containment measures via initiation of rotation of service credentials and certificates upon detection of suspicious behavior, it could improve by orchestrating third-party tools and services to isolate workloads in accordance with wider security operations processes. Some of these capabilities can be delivered via integrations with Splunk.

Purchase Considerations
Isovalent is the creator and maintainer of the widely deployed Cilium CNI, which is used to enforce microsegmentation policies. Cilium is open source, meaning organizations can leverage it free of charge. Organizations that need an enterprise-grade solution can opt for Isovalent Enterprise Platform. This model is likely to continue even well after the acquisition by Cisco.

Use Cases
The solution can enforce microsegmentation policies for pods, clusters, services, namespaces, and external workloads such as VMs and servers. These use cases are particularly important in cloud environments, but they can also be found in on-prem data centers. Microsegmentation is a native use case for CNIs, meaning that for Kubernetes deployments, Isovalent’s solution is a natural first choice.

NetFoundry: OpenZiti

Solution Overview
NetFoundry is a software company specializing in secure networking and connectivity, which aims to build secure, connected solutions by embedding zero trust networking directly into applications, products, and enterprise environments. 

NetFoundry delivers identity-defined microsegmentation by eliminating ambient network reachability. Instead of breaking networks into smaller segments, NetFoundry only creates connections after identity verification, ensuring services have no exposed listening ports and can only be reached by authorized identities. NetFoundry’s microsegmentation solution is built on the OpenZiti open source project, offering enterprise-grade features of the OSS.

NetFoundry’s identity-first, policy-driven connectivity at the overlay layer enables API calls and agent-to-agent interactions to be privately routed, mutually authenticated, and microsegmented by identity.

NetFoundry is positioned as a Challenger and Fast Mover in the Innovation/Platform play quadrant of the microsegmentation Radar chart.

Strengths
NetFoundry scored well on a number of decision criteria, including:

• Automated discovery and mapping: The solution can automatically discover and map an organization's entities across various environments, including cloud workloads, data centers, and on-prem entities. NetFoundry’s overlay performs network scanning and passive traffic analysis to continuously detect workloads based on traffic behaviors. 

• Authentication and authorization: NetFoundry’s starting point ensures authentication and authorization before connectivity can be established using PKI and x.509. It ensures secure authentication and authorization of nonhuman workload identities by being able to work with external x.509 providers, being interoperable with other workload identities (such as mTLS, SPIRE, and SPIFFE), and using cloud-native authentication services and JSON Web Tokens (JWTs). 

• Identity-based policy enforcement: Policies are defined based on identities to reduce reliance on static network constructs like IP addresses. They leverage posture checks and attributes, such as operating system type and patch status, and provide temporary one-time password-based MFA. The platform dynamically associates policies with identities, ensuring real-time adherence to zero trust principles.

Opportunities
NetFoundry has room for improvement in a few decision criteria, including:

• Traffic and behavior analysis: NetFoundry does not currently provide Layer 7 decryption and inspection, though it plans to address this with future development.

• Policy definition engine: With a deny-by-default model, the solution’s policy definition engine lacks features such as a visual policy builder, out-of-the-box policy templates, the ability to make real-world traffic-based policy suggestions, and the ability to detect traffic changes and recommend new policies.

• Integrations: NetFoundry can integrate with third-party products via APIs, SDKs, and out-of-the-box integrations. However, it could further improve by extending its prepackaged integrations portfolio to include predefined policies tailored for specific third-party applications.

Purchase Considerations
Prospective buyers can initially opt for OpenZiti, a free open source project, to build and trial low-risk, low-investment proof-of-concept solutions before upgrading to the commercially available feature-rich platform. 

Use Cases
NetFoundry's platform supports a variety of use cases, including integrating zero trust security directly into applications and DevOps workflows, securing OT systems and industrial IoT devices, and providing secure access to applications and services and secure connectivity for third-party integrations.

Nutanix: Flow Next-Gen

Solution Overview
Nutanix Flow Next-Gen is an integrated network security solution for the Nutanix AHV hypervisor, its widely deployed virtualization technology, and Kubernetes. FNS offers distributed stateful firewall functionality and microsegmentation for enhanced usability, scalability, and performance. It features an advanced policy framework for customized VM security policies and integrates with Nutanix’s Security Central, a web-based management console that enables administrators to define and manage microsegmentation policies as part of a unified security suite.

Nutanix is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the microsegmentation Radar chart.

Strengths
Nutanix scored well on a number of decision criteria, including:

• Automated discovery and mapping: The solution provides a visualizer that displays interactive elements, including a policy builder and traffic details between entities, enabling administrators to refine access controls with greater accuracy. By leveraging category-based policies and topological maps, it automatically detects workload migrations and updates rules, ensuring enforcement within the virtual switch.

• Policy definition engine: Security Central analyzes traffic between VMs and recommends secured groups for the selected VMs along with inbound and outbound rules. Policy recommendations are based on near-real-time traffic between entities along with category assignment. FNS’s monitor mode also helps identify live traffic, which helps create relevant security policies.

• Integrations: FNS offers a variety of integrations, including IaC tools such as Terraform and Ansible; third-party security tools such as SIEM, which ingest IPFix and syslog audit records; and networking software such as Cisco ACI. It also provides out-of-the-box integrations with security vendors such as Palo Alto Networks and Check Point to support service chaining or policy-based routing.

Opportunities
Nutanix has room for improvement in a few decision criteria, including:

• Process-based policy enforcement: Currently, Nutanix does not offer process-based microsegmentation, meaning the solution does not have visibility into running processes or the ability to segment entities based on them.

• Identity-based policy enforcement: While Nutanix’s solution can define policies based on tags and tag sets, the vendor could further improve identity features using attributes such as operating system type, patch status, and VM name.

• Network-based policy enforcement: While Nutanix offers some good network-based policy enforcement features, such as defining policies using network 5-tuples, it does not support Layer 7 use cases out of the box, which include policies based on FQDN or using HTTP methods. For these capabilities, Nutanix needs to integrate with third-party solutions, such as web application firewalls.

Purchase Considerations
Organizations with an existing AHV deployment can easily turn on Nutanix’s microsegmentation solution for granular VM policies rather than opting for other agent-based or network-based solutions. Leveraging existing AHV deployments makes the product easier to use for administrators familiar with the product family and reduces the overhead associated with deploying a microsegmentation solution.

Use Cases
Nutanix’s solution is suitable for defining microsegmentation policies on-prem for VMs running on the AHV hypervisor and in AWS, GCP, and Azure for Nutanix Cloud Clusters. These use cases are particularly important for cloud and data center deployments, where the communication patterns between entities are complex and often change.

Tigera: Calico Cloud, Calico Enterprise

Solution Overview
Calico Cloud and Calico Enterprise are container networking and security solutions based on the widely adopted open source Calico. Delivered as SaaS (Cloud) or self-hosted (Enterprise), Calico provides security for cloud-native applications running on containers and Kubernetes. It enables organizations to prevent attacks using zero trust and to detect, troubleshoot, and automatically mitigate exposure risks from security breaches across multicloud and hybrid deployments.

Calico’s network sets can be used in network policy to create microsegmentation. Network sets are a grouping mechanism that allows users to create a set of IP subnetworks, CIDR blocks, or domains that can be matched by standard label selectors in Kubernetes or Calico Enterprise network policy. Tigera offers control over the grouping, naming, and labeling, allowing extensive customization. When creating network sets, administrators can get more granular visibility into what's leaving the cluster to public networks. 

Network sets can be used in network policy to create microsegmentation. Calico can identify workloads based on pod labels, namespace labels, service accounts, service labels, CIDR blocks, and FQDNs alone. Rather than creating default-deny policies, Tigera’s automatic namespace isolation and recommendation engine provides actionable insights to prevent lateral movement of threats within the clusters and accelerates zero trust deployments. 

Tigera is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the microsegmentation Radar chart.

Strengths
Tigera scored well on a number of decision criteria, including:

• Automated discovery and mapping: Tigera’s Dynamic Service and Threat Graph displays a comprehensive pod-to-pod traffic map. Calico Enterprise and Calico Cloud automatically detect IPs for pods and nodes that fall into the standard IETF public and private network designations and then display those as entities in the graph.

• Network-based policy enforcement: For network-based policy enforcement, Calico Cloud filters traffic at Layers 3 to 7. Calico can limit HTTP methods available between microservices through Layer 7 policy and apply restrictions on egress that can be placed on workloads invoking external APIs through DNS or FQDN policy. Administrators can set rules constraining a microservice to call only certain URLs or paths of another service’s API rather than all APIs. 

• Policy definition engine: Calico’s policy engine recommends policies based on traffic flow, and all recommended policies are modifiable before enforcement. Policies can be previewed and staged prior to enforcement to secure workloads and understand a policy’s impact on an application. Calico provides a hierarchical construct called Tiers to group policies and enforce higher-precedence policies that can’t be circumvented by other teams, enforced with organizational RBAC in each tier. Administrators can set top-priority policies as guard rails to avoid interference with the microsegmentation of specific applications and namespaces.

Tigera was classified as an Outperformer due to its consistent year-over-year releases and developments across key and emerging features.

Opportunities
Tigera has room for improvement in a few decision criteria, including:

• Integrations: While Calico has extensive APIs and supports some out-of-the-box integrations with tools like SIEM, it should further develop integrations with other security products. The product is not generally a target for third-party tools to integrate with. For example, cloud detection and response tools don’t usually integrate with CNIs to respond to incidents.

• Risk-based policy enforcement: Even though Tigera can integrate with third-party risk scoring tools, it does not currently support risk-based policy enforcement, meaning it does not define policies based on CVE, risk scores, or vulnerabilities detected in installed software packages. 

• Identity-based policy enforcement: While Tigera can define policies with persistent identity-based constructs rather than ephemeral ones such as IP addresses, the solution does not inherit identities and policies from other IAM and NHI management tools.

Purchase Considerations
Tigera’s microsegmentation solution leverages its widely deployed open source Calico. While organizations can use the Calico CNI free of charge and take advantage of its microsegmentation capabilities, Tigera’s enterprise-grade Calico Cloud solution offers a wide range of features, such as a comprehensive and intuitive GUI and extensive visualization capabilities, to support large and complex deployments.

Use Cases
Tigera’s microsegmentation solution is best deployed in cloud and on-prem data centers where workloads are containerized and their communication patterns can be defined at the CNI level, leveraging Calico. Tigera’s policy definition engine enforces policies across hosts, VMs, containers, Kubernetes, and applications.

VMware (Broadcom): vDefend Distributed Firewall

Solution Overview
The VMware vDefend Distributed Firewall is a software-defined Layer 7 firewall purpose-built to secure private cloud traffic across virtualized workloads. It is a Type 1 hypervisor microsegmentation solution that distributes the firewalling to each host for workload segmentation.

The vDefend manager console is where administrators can define policies and manage all vDefend Distributed Firewall deployments across multiple sites and clouds. The solution scales with workloads automatically to enable high levels of traffic inspection. It can enforce ingress security to protect applications on the internal network against known malicious IP addresses on the internet, such as botnet masters. The list of malicious IP addresses is dynamically updated from the VMware global threat intelligence network. 

The solution is a targeted one based on the widely deployed ESXi virtualization technology. This approach means it supports fewer use cases but also that VMware’s vDefend is a natural choice for customers who already have the virtualization solution deployed.

VMware is positioned as a Challenger and Forward Mover in the Maturity/Feature Play quadrant of the microsegmentation Radar chart.

Strengths
VMware scored well on a number of decision criteria, including:

• Network-based policy enforcement: The vDefend Distributed Firewall can deliver Layer 2 to Layer 7 traffic filtering, application and user identity awareness, flow visualization, and policy recommendation. Users can automatically generate policy recommendations based on an intrinsic understanding of application topology. The solution offers DPI to enable matching packet payloads against signatures. Layer 7 service objects can be used for port-independent enforcement or to create new service objects that leverage a combination of Layer 7 application identity, protocol, and port.

• Policy definition engine: The solution can use grouping mechanisms for object-based policy application with granular application-level controls independent of network constructs. It can use dynamic constructs, including OS type and VM name, or specific static constructs, such as Active Directory groups, logical switches, VMs, and port groups.

• Identity-based policy enforcement: vDefend can help in creating identity-based rules to enforce access control as defined in the enterprise Active Directory. This feature supports the use of virtual applications on a laptop or mobile device on which Active Directory is used for user authentication. Enforcement based on application identity enables users to allow or deny applications to run on any port or to force applications to run on their standard port. 

Opportunities
VMware has room for improvement in a few decision criteria, including:

• Integrations: While VMware has integrations with major security and networking providers and offers service chaining capabilities, the solution could further improve by offering prepackaged policies designed specifically for integration with third-party products.

• Authentication and authorization: VMware supports workload authentication and authorization features such as mutual TLS and x.509-based authentication, but it does not currently support features such as JWT, OAuth Access Tokens, API Request Signing, time-limit credentials, or multifactor authentication.

• Automated discovery and mapping: vDefend Distributed Firewall provides some good visualization features, but the solution is mainly applicable for VMware-based environments.

VMware is a Forward Mover due to its slower release cadence with respect to microsegmentation features since the last iteration of the report.

Purchase Considerations
Organizations leveraging VMware’s microsegmentation capabilities also have access to the VMware Advanced Threat Prevention (ATP) portfolio, which includes IDS/IPS, sandbox, network traffic analysis, network detection and response (NDR), and encrypted traffic monitoring.

Use Cases
The use cases supported by the VMware Distributed Firewall are agent-based and enforced at the hypervisor level. The solution is best deployed in virtualized data centers to protect east-west traffic or in other instances where VMware virtualization solutions are deployed. This is a narrower set of use cases compared to other microsegmentation tools featured in the report, but it addresses one of the most important scenarios: data center protection.

Zero Networks: Segment

Solution Overview
Zero Networks’ microsegmentation solution, Segment, automatically analyzes network behavior and tags and groups assets. It then generates recommended rules that customers can review and apply manually or automatically based on their preferences, giving them full control to segment when ready and at their own pace. This creates access rules and provides patented just-in-time MFA applied at the network layer (specifically for privileged protocols such as RDP and SSH to secure lateral movement paths). The solution can segment entities residing on-prem, in the cloud, and in OT and IoT environments. 

Segment can be purchased as a standalone solution and is part of Zero Networks’ unified platform for identity and network security, which also includes identity segmentation and secure remote access.

A distinguishing feature of Zero Networks is the solution’s MFA service, which applies MFA at the protocol, port, and app level, enabling just-in-time and time-limited MFA to protect sensitive resources, including privileged protocols such as RDP and SSH.

Zero Networks is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the microsegmentation Radar chart.

Strengths
Zero Networks scored well on a number of decision criteria, including:

• Policy definition engine: The solution leverages a patented deterministic automation engine that analyzes observed traffic and asset metadata to recommend firewall rules, which customers can apply manually or automatically as they prefer. The solution adapts policies, constantly learns the customer environment, and will suggest both new policies and changes to existing ones. For each entity, the solution knows the name, IP address, port, process, and user name and then enforces a host-based firewall.

• Network-based policy enforcement: The solution can define network-based policies using a wide range of constructs, including 5-tuple rules, Layer 7 rules for apps and processes, URL-level restrictions, HTTP method control, rate limits, regex filtering, and domain-based rules.

• Identity-based policy enforcement: Zero Networks' solution enforces microsegmentation based on identities by leveraging attributes such as operating system type, patch status, VM name, Active Directory groups, and cloud-native identities like labels, tags, and namespaces. This approach allows for granular access controls that are independent of network constructs, providing a more flexible and adaptable security posture.

Zero Networks was classified as an Outperformer thanks to its strong development pipeline and consistent feature releases since the last iteration of the report.

Opportunities
Zero Networks has room for improvement in a few decision criteria, including:

• Process-based policy enforcement: The solution can define policies based on services, paths, and process names, and it supports process-based policy enforcement for Windows services. However, it could further expand these advanced features for non-Windows environments such as Linux. 

• Integrations: While the solution offers APIs, SDKs, integrations with SIEM systems, EDRs, and third-party vendors to enrich the data, it could further improve by offering out-of-the-box integrations with more IT and security products.

• Traffic and behavior analysis: Zero Networks analyzes historical traffic to establish normal communication baselines, but it could improve by employing deep packet inspection and decrypting traffic.

Purchase Considerations
Zero Networks suggests policies based on traffic patterns but does not autonomously enforce them. Administrators retain full control to review and apply rules manually or automate enforcement if desired. This flexible approach helps organizations maintain operational control while benefiting from automation. This is an opinionated approach that has been validated with Zero Networks’ existing customer deployments. Organizations must take into consideration some prerequisites, such as ensuring traffic flows are production-ready and operating as intended. When the solution is executed successfully, organizations will benefit from the low overhead associated with defining and enforcing policies and overall ease of use.

Use Cases
Zero Networks Segment can define microsegmentation policies for entities running on-prem and in the cloud, for virtual and physical appliances, and in OT and IoT environments. The solution’s ability to enforce MFA for end users that access IT resources is unique and secures one of the biggest avenues that malicious actors use to infiltrate networks.

The demand for microsegmentation will continue to increase as organizations look to improve their security posture, making the microsegmentation use cases that a solution supports one of the most important factors in purchase decisions. Organizations that need to segment entities such as VMs and containers may well first consider the solutions offered by their providers, such as Nutanix and VMware for VMs, and Calico and Cilium for containers. Though these solutions can enforce segmentation policies beyond VMs and containers, respectively, they also offer other benefits, such as incumbency and lower-level awareness of virtualization and containerization technologies. If the scope of an organization’s security needs is wider, such as including end user and IoT microsegmentation, vendors on the Platform Play half can offer more extensive solutions.

Another aspect to consider is segmentation using process and identity rather than networking constructs. While the process of isolating an entity must be done at the network level, solutions can monitor processes that run on a machine to determine whether they are malicious or anomalous. Similarly, identity-based segmentation can make segments easier to manage compared to those based on IP addresses or other networking constructs.

The evolution of the microsegmentation market is likely to be driven by the leading vendors in the Innovation/Platform Play quadrant. These can provide an as-a-service delivery of the microsegmentation solution, through which the vendor hosts the security modules (firewalls) using existing third-party EDRs to enforce microsegmentation policies or provides medium-term analysis of traffic patterns to enforce segmentation policies without having to define rules.

*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.

For more information about our research process for Radar reports, please visit our Methodology.

Andrew Green is an enterprise IT writer and practitioner with an engineering and product management background at a tier 1 telco. He is the co-founder of Precism.co, where he produces technical content for enterprise IT and has worked with numerous reputable brands in the technology space. Andrew enjoys analyzing and synthesizing information to make sense of today's technology landscape, and his research covers networking and security.

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

© Knowingly, Inc. 2026 "GigaOm Radar for Microsegmentation" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.