TL;DR: 80% of servers are reachable from anywhere inside the network, 87% accept broad inbound RDP or SSH, and 43.2% of internal authentication still runs on NTLM, according to Zero Networks research analyzing 54 trillion activities across 312 enterprise environments. The exposure is not theoretical: internal trust is still giving attackers fast paths to move laterally once they land.
At a glance
What this is: This report shows that enterprise internal trust remains highly permissive, with broad server reachability, exposed remote access paths, and legacy authentication still common.
Why it matters: For IAM, PAM, NHI, and broader security teams, the finding matters because lateral movement often depends on identity and access design, not just perimeter defence.
By the numbers:
- Zero Networks analyzed 54 trillion activities across 312 live enterprise environments.
- 80% of enterprise servers are reachable from anywhere inside the network.
- 87% accept inbound RDP or SSH from broad internal sources.
- 43.2% of internal authentication still runs on NTLM.
👉 Read Zero Networks' report on lateral movement exposure and internal trust
Context
Internal lateral movement is the stage where a breach turns from access into business disruption. Once an attacker lands on one host, broad internal trust, legacy authentication, and over-permissive remote access determine how quickly they can expand their reach. That is why lateral movement exposure is as much an identity and access problem as it is a network segmentation problem.
For IAM and PAM teams, the key issue is not whether credentials exist, but whether internal paths let those credentials work far beyond their intended scope. For NHI governance, the same pattern applies to service accounts, automation tokens, and privileged workflows that can be reused across systems with too little friction.
Key questions
Q: What breaks when internal trust is too broad in enterprise networks?
A: When internal trust is too broad, a single compromise can become a lateral movement platform. Attackers do not need to defeat each system individually if network reachability, remote access protocols, and reused identities let them move laterally with minimal friction. The result is larger blast radius, faster escalation, and much harder containment.
Q: Why do broad internal access paths increase breach severity so much?
A: Broad internal access paths increase breach severity because they let attackers convert one foothold into many reachable targets. Once a compromised host can talk to most of the environment, the attacker’s next step is usually privilege reuse or service abuse, not more initial compromise. That compresses response time and expands impact.
Q: How do security teams know whether lateral movement exposure is actually improving?
A: Teams should measure how many systems remain reachable from a single internal foothold, how many critical hosts accept broad RDP or SSH, and how much authentication still depends on legacy protocols. If those numbers are not falling, the environment is still highly reusable for attackers.
Q: Who is accountable when internal trust turns into a business outage?
A: Accountability sits across IAM, PAM, network engineering, and resilience leadership. Identity teams own privilege scope and authentication strength, infrastructure teams own segmentation and protocol exposure, and security leadership must treat lateral movement reduction as a measurable control objective, not an isolated tuning exercise.
Technical breakdown
Why internal trust makes lateral movement so easy
Internal trust usually assumes that traffic originating inside the network is safer than traffic from outside it. In practice, that assumption collapses after initial compromise. If servers accept broad internal connections, attackers can probe more systems without needing new credentials at every step. Remote access protocols such as RDP and SSH often become the fastest route from foothold to expansion when they are allowed across wide internal ranges. The problem is not just connectivity. It is the combination of discoverability, weak segmentation, and over-broad trust paths that turns one compromised host into a launch point for more access.
Practical implication: restrict east-west reachability before attackers can reuse a single foothold across large internal segments.
How legacy authentication expands identity risk
Legacy authentication protocols such as NTLM can preserve compatibility, but they also preserve older trust assumptions. When a large share of internal authentication still depends on NTLM, defenders inherit weaker controls around modern verification, session assurance, and constrained delegation patterns. That matters because lateral movement often depends on the attacker reusing a harvested token, password hash, or delegated session to impersonate trusted activity. Identity governance becomes harder when the authentication layer cannot express tighter policy boundaries. This is why authentication modernisation is not just a hygiene exercise. It is a direct limiter on the attacker’s ability to move with stolen trust.
Practical implication: prioritise NTLM reduction and stronger authentication paths where internal reuse would otherwise enable rapid spread.
Why one compromised host can become a network-wide problem
A single host becomes dangerous when it can reach most of the estate and when local privileges can be translated into broader access. Attackers often start with one endpoint or server, enumerate reachable targets, and then use remote management, password reuse, or over-privileged service accounts to expand. In environments with weak segmentation, one initial compromise can produce outsized blast radius. For identity teams, that means standing privilege, shared credentials, and unconstrained administrative paths are part of the same lateral movement equation. The technical issue is not merely that access exists. It is that access is reusable across too many systems.
Practical implication: pair segmentation with tighter privilege scoping so one compromised system cannot enumerate and access most of the environment.
Threat narrative
Attacker objective: The attacker’s objective is to turn one compromised internal foothold into broad reach across the enterprise so disruption, theft, or ransomware can be executed at scale.
- Entry begins when an attacker compromises a single internal host or credential-bearing endpoint and uses that foothold to start exploring reachable systems.
- Escalation happens when broad internal trust, remote access paths, or legacy authentication let the attacker reuse access and obtain more privileges without fresh verification.
- Impact follows when the attacker reaches enough internal systems to disrupt business operations, expand control, or prepare data theft and ransomware deployment.
NHI Mgmt Group analysis
Internal trust exposure is now a governance issue, not just a network design issue. When 80% of servers are reachable from anywhere inside the network, defenders are effectively relying on internal trust as a control. That is fragile because it assumes compromise stays local. In reality, attackers look for the easiest reuse path, and broad reachability gives them one. Practitioner conclusion: treat internal reachability as an access governance problem with board-level resilience implications.
NTLM persistence is a control debt signal, not just a compatibility concern. A large residual NTLM footprint means the environment still depends on older authentication expectations that are harder to constrain and monitor. That weakens the boundary between identity proof and access reuse, especially when an attacker has already harvested a valid trust artifact. Practitioner conclusion: modernise authentication where legacy protocols still preserve lateral movement options.
Standing internal privilege creates a blast-radius problem that traditional perimeter models miss. If one compromised host can reach 85% of internal systems on the first hop, then access policy is already shaping breach severity. This is where IAM, PAM, and segmentation converge. Identity governance must account for where privilege can be reused, not just who owns it. Practitioner conclusion: reduce standing internal paths before assuming detection can catch up.
Lateral movement exposure is a named concept this report sharpens: trust reuse density. That is the density of systems, protocols, and privileges an attacker can reuse after the first compromise. The higher the density, the faster an intrusion becomes a business outage. Practitioner conclusion: measure how much of the environment can be reached with one internal foothold and treat that metric as a resilience indicator.
Machine and service identities are part of the same internal exposure equation. Service accounts, automation tokens, and remote administration paths often inherit the same broad trust that human accounts do. That means NHI governance cannot stop at secret storage or rotation. Practitioner conclusion: extend internal trust reviews to non-human identities and privileged automation paths.
What this signals
Trust density will become a board-level resilience metric. The report’s numbers point to a simple problem. If too many servers remain reachable from too many internal locations, the organisation is carrying a hidden outage multiplier that adversaries can exploit before detection even starts. Teams should expect more pressure to prove that internal trust paths have been reduced, not just monitored.
Legacy authentication will be treated as an availability and identity issue at the same time. NTLM persistence shows that protocol modernisation is no longer just an architectural preference. It affects how quickly attackers can reuse internal access, how far they can travel, and how confidently defenders can contain them. That makes authentication debt visible to both IAM and resilience programmes.
Machine identity reviews will need to include movement potential, not only secret custody. Service accounts and automation credentials matter because they can inherit broad internal paths just as human accounts do. A practical next step is to connect NHI governance to reachability analysis, so secret exposure and lateral movement risk are reviewed together instead of in separate silos.
For practitioners
- Map internal reachability by privilege tier Inventory which servers, admin interfaces, and service paths are reachable from broad internal segments, then reduce exposure around high-value systems first. Use segmentation tests to identify where a single compromise can still touch most of the estate.
- Eliminate legacy authentication where lateral reuse is possible Prioritise NTLM reduction on systems that can authenticate to critical infrastructure or privileged services, and replace it with stronger, modern authentication flows wherever compatibility allows.
- Constrain internal remote access protocols Restrict RDP and SSH to tightly scoped admin paths, remove broad internal source ranges, and require step-up controls for access to servers that can trigger downstream movement.
- Tie PAM controls to network exposure Do not treat privileged access as separate from lateral movement risk. Limit standing administrative access on hosts that can reach large portions of the environment and review those paths on the same cycle as PAM entitlements.
- Include non-human identities in movement reviews Check service accounts, automation tokens, and workload credentials for the same broad reachability problems that affect human admin accounts, especially where internal trust lets them authenticate widely.
Key takeaways
- Internal trust remains a major exposure multiplier because attackers can move laterally once they obtain a single foothold.
- The reported levels of server reachability, remote access exposure, and NTLM use show that many enterprises still preserve broad attacker reuse paths.
- Reducing lateral movement now requires tighter segmentation, stronger authentication, and explicit governance over machine and privileged identities.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Broad internal reachability reflects weak access enforcement across enterprise systems. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is central when internal trust lets one host reach most systems. |
| MITRE ATT&CK | TA0008 , Lateral Movement; TA0006 , Credential Access | The report focuses on how attackers expand after the initial compromise. |
| CIS Controls v8 | CIS-5 , Account Management | Account scope and reuse directly affect how far compromised identities can move. |
| NIST Zero Trust (SP 800-207) | Zero Trust principles apply when internal trust is no longer a safe boundary. |
Map movement paths to ATT&CK and prioritise controls that block credential reuse and remote hop expansion.
Key terms
- Lateral Movement: Lateral movement is the stage of an attack where an intruder expands from one compromised system to other systems inside the environment. It usually relies on reusable credentials, over-broad internal connectivity, or weak segmentation that lets the attacker turn one foothold into wider access.
- Internal Trust: Internal trust is the assumption that activity originating inside a network or environment is inherently safer than external activity. In modern enterprises, that assumption often creates hidden risk because it allows attackers or abused identities to reuse access across many systems once they get in.
- Trust Reuse Density: Trust reuse density is the concentration of systems, protocols, and privileges an attacker can repurpose after the first compromise. Higher density means fewer barriers between an initial foothold and broad enterprise impact, which is why it is a useful resilience metric for identity and network governance.
- Standing Privilege: Standing privilege is persistent elevated access that remains available unless someone removes it. It increases breach severity because attackers who capture the account or its credentials can use the privilege immediately, without waiting for a just-in-time approval flow or a temporary grant.
What's in the full report
Zero Networks' full report covers the operational detail this post intentionally leaves for the source:
- Benchmark breakdowns of server reachability and remote access exposure across live enterprise environments
- The 10-risk framework for lateral movement exposure and how each risk changes containment priorities
- Real-world attack scenarios that show how internal trust becomes business outage
- A first look at AI-Driven Lateral Movement and why it compresses breach timelines
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners connect identity controls to the lateral movement risks that shape enterprise resilience.
Published by the NHIMG editorial team on 2026-06-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org