TL;DR: Project Glasswing argues that federal and OT environments cannot rely on patching as the primary defence because adversaries weaponise vulnerabilities in hours while patch cycles often take weeks or months, according to ColorTokens. The security shift is toward containment, not hope that remediation will always arrive first.
At a glance
What this is: This is a ColorTokens analysis arguing that patch-based security cannot keep pace with modern exploitation timelines in federal and OT environments, and that microsegmentation is the better resilience control.
Why it matters: It matters to IAM and security teams because once compromise is assumed, the decisive question becomes whether a foothold can escalate through identity, privilege, and east-west movement.
👉 Read ColorTokens's analysis of patch-based security limits in federal environments
Context
Patch management reduces exposure, but it does not stop initial compromise or the lateral movement that follows. In large federal and OT environments, the operational problem is not whether a vulnerability exists. It is whether a compromised system can be contained before it becomes a wider access path. That is where identity, privilege, and segmentation intersect.
Microsegmentation changes the control objective from perfect prevention to bounded impact. For IAM and PAM teams, that means the real value is not just network containment but restricting how stolen credentials, service accounts, or elevated access can be used after the first foothold. The article’s starting position is typical for resilience discussions in critical infrastructure, where patching alone is rarely a viable control strategy.
Key questions
Q: How should security teams reduce breach impact when patching is slow?
A: Security teams should assume some systems will remain vulnerable and design for containment first. The practical response is to reduce reachable services, isolate high-value systems, and ensure privileged access cannot spread freely after compromise. When patch cycles are longer than exploit cycles, resilience depends on limiting what the attacker can do next, not only on closing the original flaw.
Q: Why do legacy and OT environments make lateral movement harder to stop?
A: Legacy and OT environments often preserve broad connectivity, long-lived access, and operational exceptions that were acceptable before threat actors weaponised fast exploitation. That combination gives an intruder more ways to pivot after the first foothold. Security teams need to treat those trust relationships as attack paths, especially where segmentation and privileged access rules are inconsistent.
Q: What do teams get wrong about patching and resilience?
A: Teams often mistake patch completion for risk reduction after compromise, but patching only addresses known vulnerabilities. Resilience is about whether an attacker can move, escalate, or disrupt beyond the original asset. If a single compromised system can still reach critical services, the environment is exposed even when remediation metrics look healthy.
Q: Who is accountable when a contained vulnerability still leads to operational disruption?
A: Accountability usually sits across infrastructure, identity, and security governance, because disruption occurs when access paths, privilege, and segmentation are not managed as one control system. NIST CSF and NIST SP 800-53 both reinforce that containment, access control, and monitoring are shared responsibilities, not separate technical chores.
Technical breakdown
Why patching fails as a primary defence in federal and OT environments
Patch-based defence assumes remediation can outrun exploitation. In practice, federal environments are heterogeneous, interconnected, and often constrained by uptime, legacy dependencies, and safety requirements. That creates long remediation windows, especially in OT where outages can be unacceptable. Adversaries do not need to defeat every control. They need one exploitable weakness and a short path to expand from it. Once the initial foothold exists, the security question is no longer whether a flaw is present, but whether the environment is structured to stop the attacker from using it operationally.
Practical implication: teams should treat patching as one control in a resilience stack, not the containment mechanism that determines breach scope.
Microsegmentation as blast-radius control
Microsegmentation creates policy-defined barriers between assets, workloads, and network zones. Instead of trusting flat or broadly reachable environments, it allows only explicitly required communication paths. This matters because many intrusions become damaging only after the attacker can move laterally, reach sensitive services, or reuse access in adjacent systems. In identity terms, segmentation limits what compromised credentials or over-privileged service accounts can reach after authentication succeeds. The control does not prevent exploitation, but it can prevent a small compromise from becoming a larger operational incident.
Practical implication: map east-west traffic and identity dependencies first, then enforce per-asset communication policies around the highest-value systems.
Resilience metrics should measure containment, not just remediation speed
A security programme that only measures patch latency misses the operational question that matters most after compromise. Resilience depends on whether an attacker can pivot, whether critical systems can be isolated without breaking operations, and whether privilege paths collapse after initial access. This reframes governance from vulnerability closure to blast-radius reduction. For IAM, PAM, and network security teams, that means success is shown by limiting reachable services, reducing standing privilege exposure, and preventing a single credential or host from becoming a launch point.
Practical implication: build metrics around lateral movement resistance, privileged path reduction, and isolation readiness rather than patch completion alone.
Threat narrative
Attacker objective: The attacker aims to turn one vulnerable foothold into broader operational disruption by moving beyond the first compromised asset.
- Entry occurs when an attacker exploits one unpatched vulnerability in a federal or OT environment and gains an initial foothold.
- Escalation follows as the attacker uses reachable systems, credentials, or trust relationships to move laterally and expand control.
- Impact occurs when the compromised system becomes a launch point for disruption instead of being contained at the original boundary.
NHI Mgmt Group analysis
Patch lag is now a governance problem, not just a remediation problem. The article correctly describes a structural asymmetry between exploit speed and enterprise remediation speed. That asymmetry means control assurance cannot rest on the expectation that every vulnerability will be patched before weaponisation. Practitioners should read this as a failure of time-to-fix assumptions, not a failure of effort.
Blast-radius control is the right organising concept for resilient environments. Microsegmentation works because it limits what a compromised asset can touch, which is especially important where identity controls still permit broad east-west reach. The article’s key insight is that prevention does not have to be perfect if lateral movement is materially constrained. Practitioners should align segmentation with least privilege across both network paths and identity paths.
Standing reachability is the hidden risk in many legacy environments. OT and federal systems often preserve access paths for operational convenience, then inherit the security cost later. That creates a governance model where the presence of a valid credential or routable service is enough to expand an incident. Practitioners should treat persistent reachability as an exposure class, not a neutral architectural choice.
Microsegmentation only delivers value when identity policy and network policy are aligned. A segmented network that still grants broad administrative access leaves an attacker room to pivot through privileged accounts or unmanaged service identities. The practical lesson is that segmentation, PAM, and workload identity need to be governed together. Practitioners should evaluate them as one control plane, not separate teams.
Resilience programmes are moving from patch velocity to containment fidelity. That shift will continue as critical infrastructure teams accept that some systems cannot be quickly remediated. The stronger governance question is whether compromise can be isolated before it becomes an outage or mission failure. Practitioners should benchmark the environment by containment outcomes, not only vulnerability counts.
What this signals
Containment fidelity: the next maturity test for critical infrastructure teams is whether a compromised asset can be isolated without breaking operations. That shifts the programme from patch speed to exposure boundary design, with identity and network policy working together to shrink the blast radius.
The strongest signal in this article is that resilience is becoming an access-governance problem as much as a network design problem. If privileged paths, service accounts, and routable systems remain broadly reusable, the environment will keep converting small defects into larger incidents.
For practitioners
- Map the east-west trust graph Inventory which workloads, subnets, and administrative identities can reach critical systems, then remove communication paths that are not operationally required. The goal is to expose standing reachability before it becomes an incident path.
- Align PAM with segmentation policy Ensure privileged accounts can only administer the systems they genuinely need, and make those paths consistent with segmentation rules so that a stolen admin credential cannot bypass micro-perimeters.
- Isolate OT and legacy assets by blast radius Place fragile or unpatchable systems behind narrowly scoped access boundaries and test whether they can be contained without disrupting essential operations. This is especially important where patch windows are long.
- Measure containment, not just remediation Track how quickly a compromised host can be quarantined, how many systems remain reachable from it, and how much privileged access collapses after isolation begins. Those metrics show whether resilience is real.
Key takeaways
- Patch cycles that take weeks cannot reliably defend environments where adversaries weaponise vulnerabilities in hours.
- Microsegmentation matters because it limits what a compromised host can reach after the first foothold, especially in legacy and OT settings.
- For IAM and PAM teams, the operational goal is no longer only faster remediation, but lower blast radius and fewer reusable access paths.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0008 , Lateral Movement; TA0040 , Impact | The article centers on blocking attacker movement after initial compromise. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access path control are central to the article's containment argument. |
| NIST SP 800-53 Rev 5 | AC-4 | Information flow enforcement aligns directly with microsegmentation policy boundaries. |
| CIS Controls v8 | CIS-12 , Network Infrastructure Management | The article focuses on network boundary design and segmented connectivity. |
| ISO/IEC 27001:2022 | A.8.20 | Network security controls are relevant where segmentation protects critical systems. |
Map containment gaps to lateral movement and impact tactics, then close east-west paths around critical assets.
Key terms
- Microsegmentation: Microsegmentation is the practice of dividing an environment into small, policy-controlled zones so only explicitly approved communication is allowed. It reduces the chance that one compromised host or identity can reach everything else, which makes it a containment control as much as a network design choice.
- Blast Radius: Blast radius is the amount of damage an attacker can cause after the first compromise. In security operations, it measures how far an intrusion can spread across systems, identities, or workloads before it is contained, and it is one of the clearest indicators of resilience.
- East-West Traffic: East-west traffic is communication between internal systems, workloads, or services rather than between the network edge and the internet. It becomes a major risk when internal paths are broad, because lateral movement often depends on trusted internal connectivity rather than obvious perimeter access.
- Standing Reachability: Standing reachability is the condition where systems, services, or identities remain continuously accessible without tight policy limits. It creates hidden exposure because an attacker who gains one foothold may be able to reuse persistent internal paths long before defenders can intervene.
What's in the full article
ColorTokens's full article covers the operational detail this post intentionally leaves for the source:
- The article expands on how microsegmentation changes the security model for federal and OT networks that cannot rely on rapid patching.
- It explains why resilience should be measured by containment and continuity outcomes rather than remediation speed alone.
- It outlines the specific operational logic behind policy-driven asset-level perimeters and restricted east-west communication.
- It connects the control model to critical infrastructure environments where downtime, legacy constraints, and patch risk shape security decisions.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It gives security and identity practitioners a common foundation for reducing exposure across access, privilege, and lifecycle controls.
Published by the NHIMG editorial team on 2026-04-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org