Micro-Segmentation Pilot (App Pair)

Summary. Pilot identity‑/label‑based segmentation for one application pair (e.g., web ➜ DB) to reduce lateral movement risk without major network changes.

Who it's for. Teams concerned with ransomware spread or compliance who need demonstrable east‑west controls before expanding to more apps.

Business Outcomes

Application dependency map built for the pilot pair.
Allowlist policy deployed with monitored block events.
Reduced lateral movement paths confirmed in tests.
Operational procedure for change control established.

What’s Included

Scope	Description
Core Inclusions	Discover flows between pilot app pair; build dependency map. Label assets and define least‑privilege allowlist policy. Enforce policy in monitor‑then‑block mode with rollback.
Optional Add‑Ons	EDR signal fusion for process‑level policy. vCenter/K8s integration for dynamic labels. SIEM export and dashboards.

Timeline & Deliverables

Note: estimates may vary depending on the level, tier and tenant complexity.

Phase	Deliverables
01 — Discover	Extended Discovery (client‑signed), environment read‑in, inventory & stakeholders.
02 — Identify & Mitigate RDC/L	Initial RDC/L register; mitigations, dependencies & constraints agreed.
03 — Plan	Label model, success criteria, test plan, change & rollback plan, schedule.
04 — Implement	Visibility → draft policy; ring‑0 controls; HA & logging verified.
05 — Test	Execute UAT; fix exceptions; ring‑1/2 as per tier; evidence captured.
06 — Close‑out	Close‑out report, scale‑out proposal, next steps.

Service Levels (Summary)

Plan	Coverage	Response / Restore	Governance
Bronze	Business hours (Mon–Fri 08:30–17:30 NZT)	P1: 2h / NBD • P2: 4h / 2BD	Email support • Change log • Close‑out report
Silver	Extended hours (Mon–Fri 08:00–20:00 NZT)	P1: 1h / Same day • P2: 2h / NBD	Weekly check‑in (Std/Plus) • Findings register • Acceptance criteria
Gold	Business + after‑hours (24×7 P1 only)	P1: 30m / ASAP • P2: 1h / Same day	Executive summary • CAB‑ready rollback • Handover pack

Success criteria (from our perspective)

Dependency map for the selected app pair (e.g., web ↔ DB) validated with stakeholders.
Allowlist policy enforced in monitor→block with no critical outage; exceptions documented.
Reduction in east-west paths demonstrated (before/after evidence).
Runbook for change control and rollback accepted.

Prerequisites

Access to endpoints/VMs/agents (per chosen tech), and change window.
Visibility tooling enabled (flow logs/agents) for the pilot pair.
Contact for app owner(s); test cases available.

Assumptions

Single app pair in scope; production impact must be near-zero.
Labeling source (tags/EDR/group) is stable for the pilot duration.
SIEM export optional; basic log access is available.

Risks & mitigations (examples)

Hidden dependencies causing blocks: start in visibility/staged mode; pre-populate known flows; rapid exception path.
Change collisions: book CAB window; freeze unrelated changes during cutover.
Tooling limits on legacy OS: ring-fence with compensating controls.

Next steps (after-pilot)

Expand policy to additional app pairs; integrate with CMDB/labels.
Wire dashboards to SIEM; define SLOs for change cadence.
Consider managed service: Network Security Management (Managed).

Start the pilot

Start intake — Lite Start intake — Standard Start intake — Plus Extended Discovery

Early Adopter Program (limited): 10% off the pilot package for customers who start by 31-Dec-25. Not combinable with other offers. May be applied as a credit on close‑out.

For pricing, terms and conditions see the Pricing Annex .

Micro-Segmentation Pilot (App Pair)

Business Outcomes

What’s Included

Timeline & Deliverables

Service Levels (Summary)

Success criteria (from our perspective)

Prerequisites

Assumptions

Out of scope

Risks & mitigations (examples)

Next steps (after-pilot)

Start the pilot

Happy with the outcome?

Related Resources