Reducing Network Reachability: A Practical Approach to Zero Trust

In a recent conversation with Snehal Antani, CEO and co-founder of Horizon3.ai, we explored one of the most actionable strategies for improving cybersecurity maturity—reducing network reachability. While #ZeroTrust is often wrapped in buzzwords and vendor promises, Snehal’s practical insights provide a clear roadmap for taking meaningful steps toward reducing risk.

Here are some of the key lessons from our discussion and how they can help you in your #ZeroTrust journey.


Zero Trust Is an Evolution, Not a Product

As Snehal emphasized during our conversation: "Zero Trust isn’t a product; it’s an evolution of your existing security capabilities, processes, and culture."

At its core, Zero Trust is about minimizing risk by reducing reachability—whether it’s network reachability, credential reachability, or device reachability. This shift requires a combination of strong identity management, network segmentation, and continuous validation to make sure your controls are always effective.

Reducing Reachability: Where to Begin

In the conversation, Snehal broke down reachability into three key areas that organizations should focus on:

  1. Network Reachability: This involves reducing unnecessary access to critical systems. As Snehal pointed out, a flat, open network makes lateral movement easy for attackers. The solution? Segment high-risk users and isolate sensitive data.
  2. Credential Reachability: Take a close look at privileged accounts and reused credentials. Ask yourself: Do all users need the access they have? Reducing over-privileged accounts is one of the fastest ways to limit potential damage.
  3. Device Reachability: Personal devices on the corporate network can pose a significant risk. Snehal suggested a simple step—set up a separate guest network for personal devices to prevent unintended exposure.

The goal is clear: reduce how far an attacker can move once they gain access, effectively minimizing the blast radius.


Vulnerable vs. Exploitable: Prioritizing What Matters

Another crucial point Snehal made was the distinction between being vulnerable and being exploitable. Not every vulnerability is an immediate threat. As he explained, context is everything.

For instance, you may have a vulnerable Log4j instance in your environment, but if strong network egress controls prevent external connections, it might not be exploitable. That means you can prioritize fixing truly critical risks and address lower-priority issues during regular maintenance windows.
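The two ideas above, blast radius under a flat versus a segmented network and the difference between vulnerable and exploitable, can be made measurable with a small reachability model. This is an added illustration, not code from the article or from Horizon3.ai; the hosts, segments and allow rules are constructed sample data.

```python
from collections import deque

# Constructed sample inventory (not from the article): host -> network segment.
HOSTS = {
    "laptop-01": "users", "laptop-02": "users", "guest-phone": "guest",
    "web-01": "dmz", "app-01": "app", "db-01": "data", "dc-01": "identity",
}
SEGMENTS = set(HOSTS.values())

# Flat network: every segment may initiate connections to every other segment.
FLAT = {(s, d) for s in SEGMENTS for d in SEGMENTS}

# Segmented network: only business-required flows (src, dst). The guest segment
# for personal devices has no allowed flows into the corporate segments.
SEGMENTED = {
    ("users", "app"), ("dmz", "app"), ("app", "data"),
    ("users", "identity"), ("app", "identity"),
}

def reachable_segments(allow, start):
    """Segments reachable from `start` by chaining allowed flows (BFS over rules)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst in allow:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def blast_radius(allow, foothold):
    """Hosts reachable after `foothold` is compromised (its own segment included)."""
    segs = reachable_segments(allow, HOSTS[foothold])
    return sorted(h for h, s in HOSTS.items() if s in segs)

def exploitable_from(allow, foothold, vuln_host, needs_egress, egress_segments):
    """Vulnerable is not exploitable: the host must be reachable from the foothold,
    and an exploit that needs an outbound callback also needs egress from its segment."""
    if HOSTS[vuln_host] not in reachable_segments(allow, HOSTS[foothold]):
        return False
    return not needs_egress or HOSTS[vuln_host] in egress_segments

if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        for foothold in ("guest-phone", "web-01"):
            print(f"{name:9s} foothold={foothold:11s} reachable={blast_radius(rules, foothold)}")
    # Log4j-style case: a reachable vulnerable app host whose segment has no egress.
    print("exploitable:", exploitable_from(SEGMENTED, "web-01", "app-01", True, {"dmz"}))
```

Re-running the model after each rule change is a cheap way to track whether the reachable set from likely footholds is actually shrinking.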

Continuous Security Validation: An Ongoing Process

Traditional security assessments like annual audits and periodic penetration tests no longer keep pace with today’s dynamic environments. Snehal summed it up perfectly: "For every Patch Tuesday, I want a pen test Wednesday."

Continuous security validation helps verify that your security controls remain effective over time and ensures that your exploitable attack surface keeps shrinking. This approach allows organizations to move beyond simple vulnerability scanning and adopt a more attacker-oriented mindset.


Maximizing Impact with Return on Effort (ROE)

During the discussion, we also tackled one of the most valuable metrics in security—Return on Effort (ROE). Unlike traditional ROI, ROE helps organizations prioritize actions that provide the greatest reduction in risk for the least amount of effort.

As Snehal explained, fixing a single misconfiguration—like enabling SMB signing—can eliminate 80% of exploitable attack paths in some environments. This high-ROE work should be at the top of every security leader’s list.


Final Thoughts: Take a Methodical Approach

Zero Trust isn’t a one-size-fits-all solution, nor is it something you can buy and implement overnight. It’s a continuous journey that evolves as your organization matures.

As Snehal and I discussed, one of the best ways to make progress is to start with high-risk areas, focus on reducing reachability, and continuously measure your improvements. Each step brings you closer to a more resilient security posture.

For more insights like this, check out our full conversation with Snehal Antani at Horizon3.ai.

Listen here: https://ztjourney.com

Martin Rivera Neuhaus

CEO & Founder @ Enstal Technologies, a next-gen reseller

3 weeks

Great post. Surprisingly, so few companies have proper network segmentation from what I see day to day. 8/10 are still on a flat network and there is no NAC in place or firewall segmenting the network.

Great insights on limiting reachability to reduce the blast radius of an attack! Restricting network, credential, and device access is crucial in building a resilient security posture. This breakdown of high-impact fixes provides a practical approach to implementing Zero Trust principles.
