MICROSEGMENTATION

Segmenting is in every report. Almost no one pulls it off without disrupting operations.

Ransomware lives on lateral movement. Segmentation decides whether a breach stays one system or reaches your whole estate.

NIS2, NIST SP 800-207, ISO 27001, IEC 62443

Proven at global scale

Microsoft secures its own environment with the same segmentation technology.


  • Runs on your existing Microsoft stack: Windows Firewall on your hosts and Azure NSGs in the cloud, no new appliance.

  • Aligns with Zero Trust (NIST SP 800-207), the model Microsoft itself runs.

  • Proven at a scale no other approach could handle.

Microsoft
Controls: NIST SP 800-207, ISO 27001 A.13.1, NIS2 art. 21, IEC 62443 (OT)
For whom: CISO, CIO, security operations, network and OT teams
Lead time: First traffic picture 2-4 weeks, first critical environment segmented 6-10 weeks

Key challenges

The problem is not the advice. It is that it will not land.

Your network grew flat without anyone designing it that way. The advice to segment is right; making it work is the problem.

11

days median dwell time

A breach goes unnoticed for days

The time between entry and discovery has fallen, but an attacker still has days to move laterally across a flat network. In an estate without segmentation, that is ample time to reach the critical systems.

Mandiant M-Trends 2025, median dwell time 11 days, ransomware 6.

46%

saw lateral movement last year

The advice is right, and still does not happen

Segmentation is broadly on the agenda, but in an estate of legacy, OT and live production, "segment everything" will not simply land. The adviser who wrote it down rarely takes the step back to make it executable in your context.

Order of magnitude; Omdia 2026 and Akamai 2025, vendor research.

30%

have done fine-grained microsegmentation

Policy on paper is not tested segmentation

Most organisations have some form of segmentation, but only a minority have segmented the critical systems finely. A policy that exists but was never carried through or tested will not stop an attacker at the moment it has to.

Order of magnitude; Cisco/Vanson Bourne and Akamai 2025, vendor research.

The question for the board

Does a breach stay where it starts?

Regulators and leadership do not ask whether a segmentation policy has been signed off. They ask whether a breach stays contained to where it enters, and whether that holds. That is the difference between a control that exists on paper and a control that works in practice.

The difference

Policy on paper, or tested containment.

Not whether you segment, but whether the segmentation sits where your exposure is, and whether it holds once an attacker is inside.

Classic segmentation / With Radian

Segment everything, one uniform policy

A policy across the whole estate that is nowhere fully carried through. An approach that is too broad and too fine-grained at once stalls.

Scope

Critical-first, phased

We segment first where your exposure is greatest, one critical environment at a time. Not a multi-year project that has no owner anywhere.

One method across the whole estate

Agent-based enforcement everywhere does not work on OT, IoT and much legacy, and adds operational load. The method then dictates the environment.

Approach

Executable per environment

Identity-driven where it can be, network-based where legacy and OT require it. The environment sets the approach, not the other way round.

Enforcing rules on assumption

Segmentation goes live on how the traffic should flow. Operations fears downtime, application owners fear compatibility, and the rollout stalls.

Rollout

Map the real traffic first

We observe what systems actually do before we enforce anything, alongside the business and application owners. The disruption is addressed up front, not after the fact.

The policy exists

Success is measured by whether the policy is signed off. Whether the segments stop an attacker under pressure stays unanswered.

Evidence

The segmentation is tested

We test whether lateral movement is actually stopped, and keep that current in an ongoing cadence. Design and existence become operating effectiveness.

How it works

From a flat network to segmentation that holds.

On the left, what gets segmented; in the middle, the order that decides and tests; on the right, what you keep. Your existing network and solutions stay in place.

Your estate
Workstations and server workloads
Cloud and online software
Applications and APIs
Industrial systems and smart devices
Identity and access rights
External exposure
Unmanaged and unknown IT
normalises›››
Five steps, continuous
The frame
Protect surface: what you protect
Where your material exposure sits
01 Define: What must be segmented first: the protect surface, chosen on criticality.
02 Map: The real traffic flows between systems, in a visibility mode that blocks nothing. You see what actually happens before a single rule closes.
03 Segment: Executable through the controls you already run: Windows Firewall on your hosts, Azure NSGs in the cloud. Identity-driven where it can be, network-based where legacy and OT require it.
04 Test: Whether the segments actually stop lateral movement under pressure.
05 Sustain: An ongoing cadence: the estate changes, the segmentation and the test move with it.
Continuous
delivers›››
What you keep
A breach contained to where it begins
Critical systems demonstrably segmented
Segments that are tested, not assumed
An answer for the board that holds up
Visibility into east-west traffic, including AI agents
A demonstrable measure under the duty of care
A rollout that does not bring the business down

The distinction

The standard advice is right on paper.

In a real estate (legacy, OT, live production) it falls over.

The standard approach / With Radian

A central firewall that all your traffic has to pass through.

Works with what you already run

The segmentation runs on the controls you already have: Windows Firewall on your hosts, Azure NSGs in the cloud, not on a central chokepoint. A means is a means, not an end.

Hundreds of IP-bound rules that age the moment workloads move; you lose the thread, with no east-west visibility.

Moves with you, without slowing you down

Policy follows the workload by identity, not by an IP address that changes. You keep a readable policy and your delivery pace does not get stuck on segmentation.

A central firewall in a hub-spoke does not see traffic within a segment; whoever is in moves freely to their neighbours in the spoke. And freely over every open port between segments.

Granular, down to the workload

Protection reaches down to the workload, not to a coarse network zone an attacker still roams. The exact paths ransomware uses to spread laterally, closed.

Know the CVE first and patch in time, and hope you are faster than the attacker.

Holds, known vulnerability or not

The segmentation stops lateral movement regardless of the vulnerability: known, unknown, or just discovered. Now that flaws are exploited faster than they can be patched, that is the difference between a breach and a disaster.

A report saying "segment your network", with the execution left to you.

Our seniors also execute

The same senior who decides what to segment helps land it in practice and tests it. We do not leave the hardest phase with you.

A tool bought, and you left to recruit and retain scarce specialists yourself.

The capability without building a team

Microsegmentation needs scarce expertise and a method you cannot build cost-effectively for a single environment. You get the capability without standing up a team of your own: we run it with you.

A provider runs a black box; you are locked into tool and contract.

The decisions and ownership stay yours

We run the cadence, but the decisions on segmenting, excepting or accepting and the ownership stay with you. Policy, runbooks and content are documented and transferable: no black box, no lock-in.

Get started

Does an attacker who gets in stay where they got in?

Not a hundred-page segmentation plan. One conversation in which we decide what must be segmented first in your estate, and whether an attacker could move laterally right now.

Plan a conversation

30 minutes with a senior, no pitch.

Request a conversation
Call directly: 088 - 163 23 25