This domain focuses on securing network architecture design and on implementing network components, communication channels, and controls.
Agentic Browsers
- Scoping of the Definition: AI-enhanced web browsers or highly sophisticated browser extensions that can autonomously perform complex, multi-step tasks online directly on behalf of a human user. They interact directly with the Document Object Model (DOM) of web platforms, log into enterprise applications, and autonomously execute transactions.
- Definitional Technology, Feature, and Service Lines: Involves enforcing stringent browser isolation techniques, deploying advanced session monitoring, and establishing strict data governance policies.
Secure Access Service Edge (SASE) (Evolution)
- Scoping of the Definition: A cloud-delivered software as a service (SaaS) architectural evolution for network security, marking the transition from legacy on-premises network appliances.
- Definitional Technology, Feature, and Service Lines: Consolidates network access (firewall), Data Loss Prevention (DLP), threat prevention, and advanced AI security features into a single, cohesive cloud fabric and endpoint software with Zero Trust-focused virtual private networking (VPN).
Cloud-Native Application Firewall (CNAF) / Distributed Cloud Firewall
- Scoping of the Definition: A modernized firewall model implemented directly within the cloud environment (e.g., as service mesh controls, VPC security groups, or vendor-managed services) rather than a centralized network appliance. It focuses on application-layer security, providing granular, identity-aware micro-segmentation and control over East-West traffic between cloud workloads and services. This is a critical component of Zero Trust in the cloud.
- Definitional Technology, Feature, and Service Lines: Micro-segmentation policies, identity-aware access control, API security gateway functionality, layer 7 inspection, and integration with Kubernetes and CI/CD pipelines for policy enforcement.
Intrusion Detection and Prevention Systems (IDS/IPS)
- Scoping of the Definition: Network-based security tools that continuously monitor network traffic for malicious activity or policy violations. An Intrusion Detection System (IDS) passively logs and alerts on suspicious behavior, while an Intrusion Prevention System (IPS) actively prevents threats by blocking malicious packets or terminating sessions in real time. They operate at the network perimeter or within internal segments.
- Definitional Technology, Feature, and Service Lines: Signature-based detection (matching known threats), anomaly-based detection (identifying deviations from baseline traffic), deep network traffic analysis (NTA), and active inline blocking and session termination capabilities.
Perimeter Security
- Scoping of the Definition: Establishing hard boundaries around corporate networks.
- Definitional Technology, Feature, and Service Lines: Traditional firewalls, secure web gateways, and demilitarized zones (DMZs).
Email Security
- Scoping of the Definition: Filtering malicious payloads, spam, and early-stage phishing attempts directly at the corporate communication gateway.
- Definitional Technology, Feature, and Service Lines: Filtering technologies (malicious payload, spam, phishing).
Network Security
- Scoping of the Definition: Monitoring and protection across internal corporate subnets.
- Definitional Technology, Feature, and Service Lines: Deep packet inspection, Intrusion Detection and Prevention Systems (IDS/IPS), and lateral movement monitoring.
Network Security Posture Management (NSPM)
- Scoping of the Definition: A discipline focused on continuously monitoring, analyzing, and ensuring the security policy compliance of network infrastructure devices, including routers, switches, traditional firewalls, and network access control (NAC) systems. NSPM provides a centralized, automated method for managing the vast complexity of network security rules, change control, and compliance across hybrid and multi-cloud network environments.
- Definitional Technology, Feature, and Service Lines: Automated network topology mapping, continuous policy change auditing and validation, firewall rule optimization (identifying and removing redundant/shadow rules), security policy simulation for proposed changes, and compliance reporting against standards like PCI DSS or internal security benchmarks.
Web Application and API Protection (WAAP)
- Scoping of the Definition: A converged platform protecting web applications and APIs from a wide array of attacks, including the OWASP Top 10, advanced botnets, and application-layer distributed denial-of-service (DDoS) attacks. WAAP provides continuous, application-layer inspection and policy enforcement, operating as the critical security control for external-facing digital experiences.
- Definitional Technology, Feature, and Service Lines: Includes traditional Web Application Firewall (WAF) functionality, API security discovery and enforcement, bot management, and L7 DDoS mitigation. Solutions are predominantly delivered as cloud-based services integrated with Content Delivery Networks (CDNs) or edge security platforms.
Virtual Private Network (VPN) and Remote Access
- Scoping of the Definition: Technologies used to create a secure, encrypted connection over a less secure network (like the internet), allowing remote users or branch offices to securely access internal corporate resources. This is the traditional model that predates Zero Trust Network Access (ZTNA) and SASE architectures.
- Definitional Technology, Feature, and Service Lines: IPsec and SSL/TLS tunnel creation, encryption protocols (e.g., IKEv2, OpenVPN), centralized access gateways, and multi-factor authentication (MFA) enforcement for remote users.
Zero Trust Network Access (ZTNA)
- Scoping of the Definition: A network security paradigm that replaces perimeter-based security with an identity-centric approach to resource access. ZTNA operates on the principle that no user, device, or application, inside or outside the network, should be trusted by default. Access is granted dynamically and minimally, based on the principle of least privilege, after continuous verification of identity and context.
- Definitional Technology, Feature, and Service Lines: Micro-segmentation, identity-aware proxies/gateways, continuous context-based access evaluation (device posture, user location, role), and integration with IAM/MFA systems to enforce strict access criteria.