In a cloud-native environment, Kubernetes-based containerized orchestration has brought developer agility – but it has also fundamentally changed the security paradigm. Traditional “castle-and-moat” security designs that rely on a perimeter firewall are no longer enough to protect modern workloads. Once an attacker breaches that outer shell, the flat network architecture common in many Kubernetes environments allows them to move laterally with ease, potentially compromising many applications in their hunt for high-value assets to ransom. The cyber landscape is further exacerbated by recent cyberattacks that have halted business operations for weeks and months, causing massive financial losses (hundreds of millions of dollars or more) and the emergence of AI-driven autonomous attacks.

Bridging this lateral security gap with VMware vDefend is crucial for organizations leveraging vSphere Kubernetes Service (VKS) within VMware Cloud Foundation (VCF). The fact that vDefend is fully integrated with VKS and completely plug-and-play with VCF makes a comprehensive rollout of Zero Trust lateral protection across all VKS clusters operationally simple and fast. Businesses can finally implement a true Zero Trust security model consistently across Virtual Machines and Containers – the same policy model, the same management console and APIs, the same troubleshooting tools. The powerful combination of vDefend with VKS Clusters decouples security policy from static, ephemeral IP addresses and instead uses workload-based identity to enforce granular protection.

In a typical Kubernetes cluster, network identity is fleeting. Containers are designed to be short-lived; when a pod is terminated, and a new one is created, a completely different IP address is assigned. This “ephemeral” nature makes traditional IP-based firewall rules obsolete almost instantly, leading to administrative overhead or, worse, massive security holes.

The integration of VMware vDefend and vSphere Kubernetes Service (VKS) solves this by decoupling security from the networking layer. Instead of relying on static IPs, vDefend uses Antrea CNI, the default CNI with VKS, to enforce context-aware policies based on logical metadata – such as labels applied to namespaces, services, and pods. Because the security policy is tied to the workload’s identity rather than its IP address, the protection follows the Pod automatically, even as it scales or is recreated on a different node. Furthermore, this enforcement occurs at the immediate point of origin—the Pod interface for containerized workloads and the vNIC for Virtual Machines within the Hypervisor. This ensures that security is applied at the ‘first hop,’ neutralizing threats before they ever traverse the physical or virtual network. 

Unified Management: One Policy to Rule Them All

Operational silos, where separate security stacks have to be implemented for virtual machines and Kubernetes clusters, are a major hurdle in modern infrastructure, often leading to inconsistent protection and blind spots. vDefend addresses this by providing a unified security management solution for VMs and Kubernetes (VKS) workloads through a single pane of glass within VCF. This enables security administrators to define a global security posture that is consistently applied across the entire Supervisor cluster and all guest VKS clusters, without treating the VKS clusters as opaque entities.

Bridging the Gap: Securing the “In-Between”

The most critical vulnerability in modern architecture often lies at the intersection of different workload types. A typical application might host its frontend in a containerized VKS pod while keeping its mission-critical database on a traditional virtual machine. Traditionally, these two worlds lived in separate security boundaries, making inter-workload traffic difficult to monitor and secure. VMware vDefend bridges this critical gap. Because it is natively integrated into the ESXi hypervisor, vDefend can inspect traffic closest to the source, as it moves between a container and a VM – even if they are on the same host. This cross-workload security ensures that the “mixed-mode” applications are protected by a continuous zero-trust boundary, stopping lateral movements regardless of whether the threat is hopping from a pod to a VM or vice versa.

Control for Security Admins and Freedom for App Developers

In modern enterprises with Kubernetes workloads, security often becomes a shared responsibility between centralized security teams and application owners. While security teams typically define the organization’s overarching security model, application owners frequently control the security policies for their specific applications. While this ops model offers flexibility, it could create security gaps. vDefend addresses this by enabling security administrators and application owners to co-own container security policies through a central management view. Security administrators can control cluster-level firewall policies (ingress and egress traffic for a VKS cluster) to focus on environmental and infrastructure security. By utilizing vDefend’s distinct firewall categories, they can ensure these essential policies are always enforced first. Meanwhile, application owners retain complete autonomy to define application-tier Kubernetes networkPolicies without requiring explicit approval from security administrators. This collaborative approach ensures comprehensive protection across the board.

To truly understand the power of a unified security stack, it helps to look at how it handles real-world threats. By applying vDefend to VKS, administrators can move beyond broad “allow-all” rules and implement surgical precision in the security posture.

• Quarantining a Compromised Workload

One of the most important scenarios for a DevSecOps team is a “malicious-pod” – a container that has been compromised and is now attempting to scan the network for vulnerabilities and exfiltrate data. In a standard Kubernetes setup, this pod might have a “flat” path to every other service in the cluster. With vDefend firewall policies, you can execute a “Quarantine” strategy. By applying specific tags (e.g., quarantine = malicious) to the suspected pod, a high-precedence Emergency Category policy is instantly triggered. This policy overrides all other existing rules, immediately dropping all inbound and outbound traffic to the pod except for a secured connection to a “forensic pod” or a “jump host” for investigation. This drastically reduces the blast radius of the breach, stopping lateral movement before it starts.

• Hardening External Egress Traffic

In a Zero Trust environment, what goes out of your VKS cluster is just as important as what comes in. Many modern attacks, such as the Log4Shell exploit, rely on compromised workloads contacting malicious command-and-control systems. Protecting egress traffic in VKS is uniquely challenging because IPs are typically lost behind a generic Source Network Address Translation (SNAT) at the node. The solution is to leverage Antrea Egress to provide a stable, predictable identity for outbound traffic. By associating specific pods with an Egress IP, you can create granular vDefend firewall rules that allow only a specific production application to talk to an external database while blocking the rest of the cluster. This ensures that even if a workload is compromised, it cannot reach unauthorized external endpoints.

Future-Proofing with VCF and vDefend

By deeply integrating vDefend with VKS, the platform eliminates the traditional trade-off between developer agility and enterprise security.

Key Benefits for VCF Customers:

• Zero-Trust by Default: Organizations can now enforce a granular, Zero Trust model that covers the entire stack – from legacy virtual machines to ephemeral Kubernetes pods. This intrinsic security model stops ransomware and other sophisticated threats from moving laterally across your environment.
• Operational Simplicity: VCF and vDefend introduce a “single pane of glass” for policy management. Instead of juggling fragmented tools for container and VM security, administrators use a unified operational model that reduces the learning curve and eliminates manual configuration drift.
• Accelerated Time-to-Market: With self-service capabilities and automated policy orchestration, developers can spin up secured applications in minutes rather than months. Security is applied as soon as a workload is provisioned – security at the speed of apps, ensuring compliance from the very first packet without requiring tickets to multiple infrastructure teams.
• Deep Insights and Troubleshooting: The vDefend integration with VCF and VKS provides unparalleled insights into VM and container traffic flows. Features like Antrea Traceflow allow teams to synthetic-test their network paths, ensuring that every firewall rule functions as intended before an issue escalates.

Making VKS clusters vDefend Ready – video demo

Safeguarding your containerized workloads on VKS with vDefend shouldn’t be a complex hurdle. This video demonstrates just how simple it is to make the VKS cluster vDefend ready. By following the streamlined process, you can make your clusters vDefend-ready in minutes, unlocking powerful macro and microsegmentation capabilities. Whether you are managing existing deployments or spinning up new environments, this tutorial shows how remarkably easy it is to have your VKS cluster ready for vDefend.

Core insights from the video:

• Seamless Integration: Learn how the registration process acts as the “handshake” between your VKS cluster and vDefend
• Operational Simplicity: See firsthand that making a VKS cluster vDefend ready doesn’t require complex coding; it’s a straightforward workflow within the management console
• Automated Discovery: Discover how VKS namespaces, pods, and services are automatically recognized, enabling set-and-forget policies that scale as your cluster grows

Securing Modern Applications with VMware vDefend – video demo

Here is a video walkthrough of the simple steps for protecting modern applications deployed across a virtual machine environment and a VKS cluster. It showcases how robust security policies can be implemented in vDefend to prevent lateral movement between services in VKS clusters and also easily block unauthorized access to external systems from the VKS cluster.

Core insights from the video:

• Simplified Management: See how a single pane of glass with VKS and vDefend allows administrators to quickly and efficiently manage policies for both containerized workloads and virtual machine workloads
• Unified Security Policy: Understand how registering a VKS cluster allows you to apply consistent firewall rules across both traditional virtual machines and modern containerized workloads
• Egress Security: As mentioned above, Antrea Egress provides a stable, predictable identity for outbound traffic. This can be used to create granular vDefend firewall rules to allow only a specific service to communicate with an external database

vDefend is Key to a Secure and Agile Private Cloud

By adopting the models described above, VCF operators who deploy vDefend are building resilient, scalable, and automated security foundations. As applications continue to evolve into complex webs of containers and VMs, having a unified security layer is no longer just a “best practice” – it is the key to maintaining a secure and agile private cloud.

Further Reading:

Check out the detailed Securing vSphere Supervisor and VKS with vDefend reference design, which serves as both an architectural blueprint and a practical implementation handbook for using VMware vDefend security solutions. It offers essential design insights and security recommendations to enhance the protection of vSphere Supervisor and the mixed-form-factor workloads running on it: Virtual Machines, vSphere Pods, and VKS.

The post VMware vDefend: Zero Trust Lateral Security for Kubernetes Workloads on VCF appeared first on VMware Security Blog.

In September 2025, the cybercriminal group Storm-1175 exploited a zero-day vulnerability in GoAnywhere Managed File Transfer to deploy Medusa ransomware across multiple organizations. The attack succeeded despite perimeter defenses because no signature existed to detect it, and by the time one did, attackers had already established persistence and were moving freely through victim networks.

This incident illustrates a fundamental truth: perimeter firewalls alone cannot protect modern enterprises. Organizations must adopt a defense-in-depth strategy that provides visibility across every phase of an attack.

The Anatomy of a Zero-Day Attack

What Is a Zero-Day?

A zero-day vulnerability is a security flaw unknown to the vendor and the security community. Because no one knows it exists, no signature can detect its exploitation. These vulnerabilities are prized by threat actors precisely because they bypass traditional perimeter defenses.

According to CISA guidance, the most dangerous vulnerabilities, particularly those affecting widely-deployed shared services, are often kept secret by threat actors for extended periods. They remain “zero-day” until discovered by researchers or defenders, sometimes only after significant damage has occurred.

The GoAnywhere MFT Incident

On September 11, 2025, Microsoft Threat Intelligence observed Storm-1175 exploiting CVE-2025-10035, a critical deserialization vulnerability in GoAnywhere MFT’s License Servlet with a CVSS score of 10.0.

The timeline reveals the problem:

• September 11, 2025: Storm-1175 begins exploiting the vulnerability
• September 18, 2025: Fortra publishes security advisory
• September 18+, 2025: IDS signatures become available

For seven days, every organization running GoAnywhere MFT was vulnerable. No perimeter firewall could help, as there was nothing to detect.

Why Perimeter Defenses Failed

The Signature Problem

Perimeter firewalls rely on Intrusion Detection System (IDS) signatures to identify malicious traffic. These signatures are pattern-matching rules created by security researchers after a vulnerability becomes known.

This model has an unavoidable weakness: signatures are reactive. They cannot detect attacks using unknown vulnerabilities. When Storm-1175 exploited GoAnywhere MFT on September 11, there was no signature because no one outside the attacker group knew about the vulnerability.

Signatures Cannot Undo a Breach

Newly released detection signatures address future exploitation attempts; they do not remediate existing intrusions.

This limitation proved critical in the Storm-1175 intrusion. Microsoft’s analysis indicates that the threat actors established persistence mechanisms immediately following initial access, deploying:

• SimpleHelp and MeshAgent (legitimate remote monitoring tools)
• .jsp web shell files within the GoAnywhere MFT directories

Once these backdoors were in place, the attackers no longer needed the vulnerability. A signature detecting CVE-2025-10035 exploitation would catch future attacks, but the attackers were already inside, communicating through legitimate-looking channels.

Inside the Attack: What Happened After Initial Access

The Storm-1175 intrusion demonstrates how attackers operate once past the perimeter. Each phase was designed to evade detection by traditional security tools.

Phase 1: Persistence

The attackers dropped remote monitoring and management (RMM) tools directly under the GoAnywhere MFT process. SimpleHelp and MeshAgent are legitimate software used by IT departments worldwide. To a perimeter firewall, or even many endpoint tools, this looks like normal administrative activity.

Web shells (.jsp files) provided an additional backdoor, giving attackers persistent access to the compromised server even if the RMM tools were discovered.

Phase 2: Discovery

With persistence established, Storm-1175 began mapping the victim environment:

• User and system discovery commands identified accounts and system configurations
• Netscan deployment revealed the internal network topology

This reconnaissance happened entirely within the network perimeter. No external traffic to analyze. No signatures to trigger.

Phase 3: Command and Control

The attackers established a command-and-control infrastructure using two techniques specifically chosen to evade detection:

• RMM tools: SimpleHelp and MeshAgent traffic looks identical to legitimate IT administration
• Cloudflare tunnel: C2 communications were encrypted and routed through Cloudflare’s trusted content-delivery network

A perimeter firewall sees encrypted traffic to a reputable CDN provider. There is nothing inherently malicious about this pattern; hundreds of legitimate applications use Cloudflare daily.

Phase 4: Lateral Movement

This is where the attack becomes entirely invisible to perimeter defenses.

Storm-1175 used mstsc.exe, the built-in Windows Remote Desktop client, to move across systems within the compromised network. This east-west traffic never touches the perimeter. The firewall has no visibility into:

• A Confluence server connecting to the backup server via RDP
• That same server pivoting to the file server
• Subsequent connections to the domain controller and exchange server

The attackers moved freely through the network using a legitimate Windows tool over legitimate protocols.

Phase 5: Exfiltration

Before deploying ransomware, Storm-1175 exfiltrated data using Rclone, a command-line tool designed for syncing files to cloud storage. Rclone supports dozens of cloud providers and encrypts data in transit.

To a perimeter firewall, this looks like an employee backing up files to cloud storage, a routine, sanctioned activity in most organizations.

Phase 6: Ransomware Deployment

The attack culminated with the deployment of the Medusa ransomware across victim environments. By this point, the attackers had:

• Maintained access for days or weeks
• Mapped the entire network
• Compromised critical systems, including domain controllers
• Exfiltrated valuable data for double extortion

The ransomware deployment was the final, visible symptom of an infection that had spread silently through the organization.

The Need for Defense-in-Depth

The GoAnywhere MFT incident proves that perimeter-centric security creates a brittle defense. Once breached, whether through a zero-day vulnerability, stolen credentials, or a social engineering attack, threat actors operate with impunity if internal visibility is lacking.

Defense-in-depth addresses this by providing multiple detection opportunities across the attack lifecycle:

Lateral Movement: The Critical Detection Point

Of all post-exploitation activities, lateral movement represents the most reliable detection opportunity. Here’s why:

1. It must happen: Attackers rarely achieve their objectives from a single compromised host. They need to reach domain controllers, file servers, and backup systems.
2. It creates observable patterns: Even when using legitimate tools like RDP, lateral movement generates anomalous traffic patterns. A web server initiating RDP connections to a backup server is unusual.
3. It happens inside the network: Unlike C2 traffic, which can be tunneled through CDNs or encrypted channels, lateral movement occurs on the internal network, where organizations have full visibility.

The following is a breakdown of how each technology can help detect and prevent lateral movement attempts.

Distributed Firewall (DFW)

The VMware Distributed Firewall (DFW) can block lateral movement entirely by enforcing microsegmentation policies at the workload level. With DFW, even if an attacker compromises an application server, they cannot establish RDP, SMB, or other connections to systems outside their authorized communication scope. In the scenarios illustrated in Figures 2 and 3, a properly configured DFW policy would have blocked both the RDP connections, stopping the attack chain before lateral movement could occur.

Distributed IDPS

While NTA/NDR focuses on behavioral anomalies, a Distributed IDPS provides signature-based detection at every workload. Unlike traditional perimeter IDPS that only inspects north-south traffic, a distributed architecture applies intrusion detection to east-west traffic as well.

During lateral movement, attackers frequently use protocols and techniques with known signatures, such as exploitation of remote services, pass-the-hash attacks, or specific tool fingerprints. A Distributed IDPS can identify these patterns regardless of where they occur in the network.

Network Traffic Analysis / Network Detection and Response (NTA/NDR)

NTA/NDR solutions monitor east-west traffic precisely for lateral movement patterns. They establish behavioral baselines and identify anomalies that signature-based tools cannot detect. Key detection capabilities include:

• Unusual authentication patterns between systems (lateral movement): For example, in vDefend ATP, the Intelligence component raises an alert when it detects  MS-SCMR (Microsoft Service Control Manager Remote Protocol). Figure 2 shows an example of this detection when confluence_server-59tt tries to login into the domain_controller-59tt

Lateral Movement between Confluence Server and Domain Controller

• Protocol anomalies (RDP from a server that has never initiated RDP): In vDefend ATP, the Intelligence component raises an alert when it detects an RDP connection within internal hosts. Figure 3 shows an alert raised when an RDP connection between confluence_server-59tt and backup_server-59tt was detected.

RDP connection from Confluence Server to Backup Server

• Credential abuse across multiple systems
• First-time connections between hosts

These behavioral indicators are invisible to perimeter firewalls but clearly visible to NTA/NDR solutions monitoring internal traffic flows.

The true value of NTA/NDR resides in improved triage capabilities that correlate individual events together into campaigns, enabling security teams to understand the full scope of an attack rather than investigating isolated alerts.

Sandbox Analysis

Furthermore, sandbox analysis provides visibility into attacker tooling and behavior. The ability to detonate suspicious samples in an isolated environment (see Figure 4) allows defenders to understand which tools the attacker executed and dropped in the environment.

Sandbox analysis for the SimpleHelp tool used by Storm-1175 for persistence

Without this layered internal visibility and enforcement capability, attackers like Storm-1175 move undetected from their initial foothold to complete network compromise.

Recommendations

Based on the GoAnywhere MFT incident and the broader threat landscape, organizations should:

Accept That Perimeter Breaches Will Occur

Zero-day vulnerabilities, stolen credentials, and sophisticated phishing will periodically succeed: Design your security architecture assuming the perimeter will be bypassed.

Segment Your Network

A compromised web server should never have direct RDP access to a domain controller. Implement network segmentation to restrict lateral movement opportunities and contain potential breaches. 

Where possible, deploy macro- and microsegmentation using distributed firewalls to enforce least-privilege network access between workloads. Unlike traditional network segmentation that operates at the VLAN or subnet level, microsegmentation applies granular policies at the individual workload level, blocking unauthorized east-west traffic regardless of network topology.

In the Storm-1175 intrusion, attackers moved laterally via RDP from the initial compromised host to various workloads within the network. With microsegmentation policies in place, each of these connections would have been denied and logged. 

Deploy Distributed Intrusion Detection and Prevention (DIDPS)

Unlike perimeter-based IDPS that only inspects north-south traffic, distributed IDPS operates at every workload, providing signature-based detection for lateral movement techniques such as MS-SCMR, PsExec, and exploitation attempts between internal hosts. 

Deploy distributed IDPS to detect malicious activity that occurs entirely within the network perimeter.

Implement Network Traffic Analysis / Network Detection and Response (NTA/NDR)

NTA/NDR solutions monitor east-west traffic for behavioral anomalies that signature-based detection may miss. These include RDP connections from servers that have never initiated RDP, unusual authentication patterns, beaconing behavior indicative of C2 tunnels, and anomalous data transfers suggesting exfiltration. 

Deploy NTA/NDR capabilities to identify attacker activity that leverages legitimate tools and encrypted channels.

Monitor for Legitimate Tool Abuse

Attackers increasingly use built-in operating system tools (mstsc.exe, PowerShell) and legitimate software (RMM tools, Rclone) to avoid detection. 

Configure security tools to baseline normal behavior and generate alerts when anomalies occur.

Conclusion

The Storm-1175 intrusion against GoAnywhere MFT demonstrates why defense-in-depth is not optional. A sophisticated threat actor exploited a zero-day vulnerability, established persistence using legitimate tools, communicated through trusted infrastructure, and moved laterally using built-in Windows capabilities.

At every phase after initial access, the perimeter firewall was irrelevant. The attack unfolded entirely within networks that had no visibility into their own internal traffic and lacked the controls to prevent unauthorized lateral movement.

Organizations that rely solely on perimeter defenses are not asking if they will be breached, but when, and whether they will detect or prevent the attack before ransomware encrypts their systems.

The solution is defense-in-depth: layered security controls that provide detection opportunities at every phase of the attack lifecycle. 

Distributed IDPS identifies malicious patterns at the workload level. Network Traffic Analysis detects anomalous lateral movement and command-and-control activity. The Distributed Firewall enforces microsegmentation policies that block unauthorized connections before they occur.

When the perimeter fails, internal visibility becomes the difference between a contained incident and a catastrophic breach.

To learn more about vDefend and its closed-loop security capabilities, read this blog.

The post Why Perimeter Firewall is Not Enough: Lessons from the GoAnywhere MFT Zero-Day appeared first on VMware Security Blog.

The “Invisible Corridor”

Security doesn’t break all at once; it erodes in the shadows. The alert didn’t appear to be a crisis because, to your perimeter, everything looked normal. An authorized user, a permitted port, and a standard protocol—on paper was a valid connection. In reality, it was the “keys to the kingdom” being handed over. This is the new reality of East-West traffic: the most dangerous threats aren’t trying to break in; they are already inside, moving through the invisible corridors of your network.

This is the new reality of the modern datacenter. It isn’t just about the “front door” anymore; it’s about the invisible corridors an attacker creates once they are already in. According to the Verizon 2025 Data Breach Investigations Report, ransomware was involved in 44% of all confirmed breaches last year. We have entered an era where attacks occur at machine speed; with some ransomware campaigns now completing in as little as 25 minutes, the traditional “human-in-the-loop” response is no longer fast enough. As documented in The Dawn of AI-Orchestrated Cyberattacks, when AI can autonomously execute 90% of an attack chain, defenders can no longer rely on manual triage. The consequences of this speed are devastating across every industry. From healthcare, where a single ransom payout can be dwarfed by a total operational impact exceeding $2 billion, to manufacturing, where a single breach can trigger billions in economic losses, the pattern is the same. Even iconic public institutions have been taken down for months, forced back to pen and paper. The message is clear: when attackers use AI and automation to move laterally, “good enough” security becomes an invitation for disaster.

The Gap: Why Traditional Security Fails

Traditional security models fail in the modern data center because they are architecturally blind to “East-West” traffic—the communication flowing between application workloads. To provide security, legacy models force this internal traffic out of the virtual layer and onto legacy hardware appliances, a process known as “hairpinning.” This inefficient routing creates massive network complexity by forcing convoluted VLAN management and halving link capacity, while these centralized security stacks become performance bottlenecks that introduce latency and application timeouts. Ultimately, these fragmented tool silos leave security teams with a patchwork of data, creating invisible corridors that allow attackers to move laterally and unchallenged across the private cloud.

The VMware vDefend Advantage

VMware vDefend eliminates the “blind spots” and performance penalties of traditional security by fundamentally changing the architecture of the defense. Rather than trying to pull traffic out of the virtual layer for inspection, vDefend embeds security directly into the hypervisor.

vDefend delivers integrated security by operating natively within the VCF private cloud. Every hypervisor acts as a built-in sensor, providing continuous visibility and protection where application workloads actually communicate. This architecture provides security teams with essential capabilities that external tools lack, including 360-degree visibility into both east-west and north-south traffic and consistent protection that moves dynamically with application workloads.

The Foundation: vDefend Distributed Firewall 

Before addressing advanced threats, security starts with a hardened environment. The VMware vDefend Distributed Firewall (DFW) provides the essential structural foundation for Zero Trust. By moving security directly to the workload, the DFW enables precise microsegmentation that “shrinks” the attack surface, ensuring that if one VM is compromised, the threat is isolated.

To accelerate this journey, vDefend introduces the DFW 1-2-3-4 automated workflow built into the product. It is a prescriptive journey that moves you from initial visibility and “quick wins” (like securing DNS and NTP services) to full application-level microsegmentation in just a few weeks. Learn more about the DFW 1-2-3-4 approach here.

The Power of Closed-loop Security

However, walls alone—even virtual ones—are only half the story. While DFW answers, “Is this connection allowed?”, advanced threat prevention (ATP) answers the harder question: “Is this activity malicious?”

If DFW represents the structural strength of your vault—the steel doors and locked compartments—then ATP is the behavioral intelligence monitoring everything inside. Together, they create a closed-loop security that doesn’t just block known bad actors—it senses anomalies, isolates compromised assets, and neutralizes threats in one unified, automated motion.

vDefend: Hypervisor-Embedded Security

vDefend isn’t a bolt-on appliance; it is built directly into the ESXi hypervisor to disrupt the kill chain at every stage: Initial Access, Lateral Movement, and Encryption/Exfiltration.  This approach allows us to disrupt the kill chain through four unified pillars aligned with the NIST cybersecurity framework:

1. Visibility: The All-Seeing Eye

Before you can defend, you must see. vDefend turns every hypervisor into a built-in sensor, providing ubiquitous visibility into the East-West corridor.

• Security Intelligence: Integrated directly with the DFW, Security Intelligence provides a real-time, interactive “flow-map” of your entire network. It automates application flow discovery and analyzes ingested data to provide ML-based firewall rule recommendations aligned with design best practices. This streamlines lateral security and accelerates the journey to a Zero Trust private cloud.

2. Prevention: Policy-Based Hardening

Prevention is about stopping the threat before it can take root in your environment.

• Microsegmentation (DFW Policies): The Distributed Firewall (DFW) acts as the first line of defense by enforcing a “Least Privilege” model. By dividing the network into granular, isolated segments, DFW ensures that only authorized traffic can flow between specific workloads.
• Distributed intrusion detection and prevention system (IDS/IPS): By inspecting every packet at the vNIC, we can “virtually patch” workloads. By blocking an exploit attempt for a known vulnerability at the network layer, the attack is neutralized at Stage 1.
• Malware Prevention (MPS): When an attacker attempts to download a malicious payload, MPS intervenes at the hypervisor I/O layer. We inspect the file before it is fully written to disk, preventing the infection from ever reaching the guest OS.

3. Detection: Behavioral Intelligence

When adversaries use zero-day exploits or stolen credentials, detection becomes the “behavioral brain” of your defense.

• Network Traffic Analysis (NTA): vDefend ATP monitors for the subtle “tells” of lateral movement—such as DNS Tunneling, DGA, or unusual protocol misuse. By establishing a baseline of normal network behavior, NTA identifies anomalies that signatures alone would miss.
• MPS/IDS Detection Mode: Even when active blocking is not yet enabled, running IDS and MPS in “Detect-Only” mode serves as a vital control. It provides the high-fidelity early warning needed to trigger a response before an attacker can escalate.
• Network Detection and Response (NDR): NDR acts as the centralized intelligence engine, automatically mapping detections from across the VCF network to the MITRE ATT&CK framework. It “stitches” together hundreds of isolated events into a Campaign—a single, navigable narrative that shows the entire attack chain from initial exploit to final exfiltration

4. Mitigation: Limiting the Damage

Mitigation is vDefend’s strategy for containing a breach and minimizing the “blast radius” once a threat is identified.

• Containment via Segmentation: While the firewall acts as a preventive gatekeeper, proper Microsegmentation is a powerful mitigation tool. If a VM is compromised, pre-defined segmentation rules contain the spread, preventing the attacker from reaching your “crown jewels.”
• Rapid Response Playbooks: Using the insights from NDR, a breach can be neutralized in seconds. For example, a suspicious endpoint can be automatically quarantined using security tags, instantly severing its ability to move laterally or communicate with external Command & Control (C2) servers.

This closed-loop security, from visibility, prevention, detection, to mitigation, is implemented through vDefend’s VCF integration in a unique way, as depicted in the diagram below.

vDefend: Why it Matters

In the traditional data center, security has often been a trade-off. Legacy security models force you to choose between deep protection and high performance. By embedding intelligence directly into VMware Cloud Foundation, vDefend eliminates that compromise.

• Operational Simplicity: No separate agents to manage. Security policies and firewall “states” move dynamically with your workloads.
• Reduced TCO: A software-defined, closed-loop security architecture significantly reduces CAPEX by eliminating the need for expensive hardware appliances.
• Integrated Solution: Distributed Firewall, IDS, MPS, NTA, and NDR all reside “under the same roof” within a single VCF management plane, eliminating the “swivel chair” effect between tools.
• Faster MTTD/MTTR: By correlating 1,000 noisy alerts into a single MITRE-aligned Campaign, we turn a mountain of data into an actionable story.

For more information on vDefend, watch the vDefend webinar series on demand here.

The post Advancing Zero Trust Private Cloud with vDefend Lateral Security appeared first on VMware Security Blog.

This article was originally published May 2025 in:

AI can transform Zero Trust security implementation and management from a complex manual and multi-year task into an highly-automated, rapidly-deployable solution for modern enterprises.

As enterprises increasingly move workloads to private cloud for reasons such as performance, compliance and to leverage AI on-premise, security leaders face a critical challenge: implementing Zero Trust architecture at scale.

While Zero Trust has become the gold standard for enterprise security, operationalizing it manually presents significant obstacles that AI can help overcome.

Unlike perimeter-focused security models, Zero Trust for private cloud assumes no implicit trust and requires continuous verification of every transaction.

A practical deployment of Zero Trust for applications requires a comprehensive understanding of the complex connections and dependencies between each asset in a constantly changing environment — and that’s just the starting point. Traditional tools have been engineered for perimeter security and have significant gaps in procuring data to understand these complex interactions of private cloud applications. Simply engaging in this first step with traditional tools is extremely cumbersome and costly.

But does that mean the solution is to focus on protecting critical apps with Zero Trust?

Actually, no, according to Ranga Rajagopalan, CTO of the Application Networking and Security Division at Broadcom.

“You may think, oh that’s good enough,” Rajagopalan said. “I’ll protect my critical apps through Zero Trust and not worry about non-critical apps. But that ‘partial Zero Trust’ approach won’t work. Modern attackers identify less-secure environments and systems, enter through them and then move laterally toward high value assets. True Zero Trust demands that every application, every asset has the same level of cyber defense.”

Zero Trust implementation in private cloud faces three primary challenges that often derail enterprise initiatives.

Vendor complexity: Organizations typically require multiple specialized tools—firewalls, microsegmentation solutions, network detection and response systems—from different vendors. This fragmented approach creates operational complexity with multiple APIs, operating systems, and management consoles that must be integrated and maintained.

High costs: The high-volume app-to-app traffic in private cloud environments demands significant processing power from security tools. Traditional solutions become prohibitively expensive when scaled to handle comprehensive application-level traffic analysis.

Data quality: Effective Zero Trust requires comprehensive, contextual data for high-fidelity threat detection. Operating in silos without integrated visibility across networking, computing, and storage systems severely limits detection capabilities.

AI addresses these challenges by automating the complex, manual processes that make Zero Trust implementation daunting. AI can discover applications automatically, map communication patterns, detect anomalies, and generate security policies. AI is more effective when it has access to comprehensive data sets with contexts.

Understanding ‘tribal’ knowledge

The technology excels at understanding unique application behaviors that typically exist as undocumented tribal knowledge within organizations. By ingesting information about applications and performing automated forensics, AI can create appropriate security rules that are always validated and approved by humans prior to activation and enforcement.

This automation reduces the inter-team dependencies that often create deployment bottlenecks. Instead of requiring extensive coordination between security, networking, and application teams, AI handles the bulk of the heavy lifting of assessing the environment, creating policies and verifying their behavior for correctness.

VMware vDefend exemplifies how AI can transform Zero Trust implementation in private cloud environments. The platform unifies multiple security functions into a single, integrated stack that’s natively integrated with private cloud infrastructure.

vDefend’s AI capabilities enable rapid deployment and operationalization of Zero Trust for applications, reducing implementation timelines from months to days or weeks.

The solution can scale to multi-terabit environments through software upgrades without additional licensing costs, addressing the economic barriers that often limit Zero Trust scope in private cloud.

Additionally, the platform’s integration with private cloud infrastructure enables organizations to protect their entire application environment rather than just critical systems, closing the security gaps that attackers exploit.

Finally, by combining AI automation with self-service capabilities, vDefend allows development and operations teams to deploy new applications with security policies already in place, eliminating the traditional gap between compute deployment and security implementation that creates vulnerability windows.

As enterprises continue their digital transformation journey, AI-powered Zero Trust solutions represent the most practical path to comprehensive security. AI transforms an otherwise complex, resource-intensive, multi-year initiative into a rapidly deployable and operationally scalable security strategy that can keep pace with an ever-evolving threat landscape.

Learn more about how VMware vDefend can simplify and accelerate affordable Zero Trust implementation and management in private cloud.

The post Game changer: How AI simplifies implementation of Zero Trust security objectives appeared first on VMware Security Blog.

When deploying Zero Trust to quickly address security gaps and improve segmentation posture in a brownfield or greenfield environment, customers need a prescriptive, multi-stage segmentation workflow designed to progressively secure east-west traffic in the VMware Cloud Foundation (VCF) private cloud. vDefend delivers Distributed Firewall (DFW) 1-2-3-4* — an automated workflow that helps security administrators systematically strengthen their private cloud security posture. Customers can now simplify and fast-track the path to Zero Trust with a structured sequence of segmentation phases — from protecting critical infrastructure services to securing traffic between zones, and ultimately achieving application-level microsegmentation. Additionally, over time, security policies can become bloated and inefficient. The new Firewall Rule Analysis feature efficiently manages this by analyzing DFW rules, so organizations can ensure their security policies are lean and effective.

Why Comprehensive Segmentation is the Need of the Hour

In today’s ransomware threat landscape, protecting only the perimeter has proven to be insufficient. Traditional security solutions, such as perimeter firewalls, protect only north-south traffic. Given that east-west (lateral) application traffic is approximately four times the volume of north-south traffic, it is critical and urgent to deploy lateral security to extend defenses beyond the perimeter. 

As a result, large portions of the private cloud workloads remain vulnerable, enabling attackers to compromise underprotected workloads and laterally move to compromise high-value assets—the “crown jewels”. In 2025, cyber attacks caused substantial business downtime in days and weeks across various industries (including automobile, retail, and manufacturing), leading to financial losses in hundreds of millions.

Additionally, attackers are adopting AI/GenAI technologies to identify weaknesses in enterprise environments. These AI-driven attacks are not only faster, but in many cases, autonomous. Now more than ever, organizations need segmentation to get deployed faster. However, many organizations jump to app-level microsegmentation and then face deployment challenges due to the lack of visibility into application communications and time-consuming coordination between infrastructure and app team silos. What they need is a guided zero-trust journey to quickly deploy comprehensive segmentation for all their workloads. 

vDefend is purpose-built to auto-discover application communications, provide guidance on security rules, and verify policy correctness in a non-disruptive manner. The result: 360-degree segmentation with built-in automated workflows that include both macro- and microsegmentation and continuous monitoring, all in a prescriptive manner.

vDefend DFW 1-2-3-4

A practical Zero Trust deployment in a datacenter requires detailed visibility into workload communication, accurate zone and application mapping, and coordination across multiple IT teams. vDefend makes this process intuitive and data-driven, with real-time segmentation assessment of an organization’s security posture. DFW 1-2-3-4 provides a single, unified workflow guide through segmentation planning, auto-tagging and grouping, continuous monitoring pre- and post-deployment of DFW rules, and alerting on changes to enforcement. This new capability leverages an analytics engine that discovers communication patterns, identifies unprotected traffic, and recommends segmentation rules. 

Customers can:

• Speed up microsegmentation deployment without guesswork
• Improve efficiency through automated multi-stage segmentation workflow
• Secure VCF workloads quickly and easily 

4 Stage Prescriptive Segmentation Deployment Journey

DFW provides a 4 stage prescriptive deployment process that follows lateral traffic patterns to quickly secure each of them, with guidance built-in that mirrors lateral traffic components and policy categories inside the vDefend DFW table.

Stage 1: Security Segmentation Assessment & Report

Administrators can activate DFW 1-2-3-4, visualize host clusters, and generate a Security Segmentation Report that highlights their current security posture and identifies opportunities for improvement. Learn more about this assessment in this blog. 

As each phase is completed, customers can generate a Security Segmentation Report to assess their current segmentation score. The score recalibrates automatically whenever your environment changes, providing continuous feedback and helping customers track progress over time. This visibility helps teams demonstrate measurable progress toward Zero Trust objectives – and communicate outcomes clearly to executives and auditors.

Stage 2: Infrastructure (Shared) Services Segmentation

Start with the foundational layer of your datacenter – shared services such as DNS, NTP, Syslog, SNMP, DHCP, and LDAP/LDAPs. DFW 1-2-3-4 automatically discovers infrastructure services to identify service endpoints and allows the user to validate and automatically create protection rules to these services. Alternatively, users can feed their known infrastructure service endpoints via CSV file for the system to add infrastructure services. This step delivers quick security gains with minimal disruption—the ideal “low-hanging fruit” for teams beginning their Zero Trust journey. Locking down these services, especially DNS servers, allows the user to remove the most common Command & Control (C&C) and exfiltration paths for malicious actors.

Stage 3: Environment (Zone) Segmentation

Once infrastructure (shared) services are protected, users can proceed to defining environment (zone) boundaries – for example, Development and Production. Users can import this metadata using a CSV file. The system supports CSV files that are exported from a CMDB system (such as from ServiceNow) or even from vCenter, or users can create a CSV file from a simple spreadsheet template provided by DFW 1-2-3-4. The platform assigns security tags for these workloads, validates relationships, and provides default environment-level rules through the DFW, while Zone Segmentation for existing workloads using traditional firewalls requires complicated Network and IP Address.

Users can monitor traffic leakage between zones and ask the system for either the list of traffic or a set of recommended rules that can then be granted exceptions. DFW 1-2-3-4 continuously monitors for these leakages and alerts the users to take action on newly discovered leakages. This phase ensures that environments remain isolated, minimizing cross-environment exposure and tightening your organization’s overall security posture.

Stage 4: Application Microsegmentation

Zero Trust for datacenter traffic requires defining controls for each application. In this stage, there are three steps: a. defining application boundaries used to convert them into tags and groups; b. defining application ring-fencing controls that control over which ports and protocols communication is allowed; c. defining microsegmentation by defining controls within each application across tiers (web front end, application server and database). This fine-grained segmentation not only enforces least privilege but also strengthens resilience against east-west threats.

Stage 4a: Workload to Application Mapping 

Users can upload into the system via a CSV file, VM-to-application mapping. DFW 1-2-3-4 will then auto-tag and create these application groups. These application groups can then be subsequently used for monitoring and defining DFW rules.

Stage 4b: Defining Application Ring-fencing Controls

DFW 1-2-3-4 can now monitor these tagged applications, and the system recommends application-specific firewall controls that allow communications only between permitted entities while locking down the applications.

Stage 4c: Continuous Monitoring of Application Traffic and Fine-Tuning Microsegmentation Controls for Application Tiers

DFW 1-2-3-4 continues to monitor each application, both before and after rule publishing. The system continues to track application flow metrics and security posture for rules in real-time. Users can fine-tune rules for application tiers to progressively harden their microsegmentation posture.

Mission Accomplished – Macro/Microsegmentation in Record Time

With DFW 1-2-3-4 multi-stage security journey, a typical Zero Trust deployment can be rolled out in as little as a few weeks – comprehensively, systematically, and most of all, with confidence. Starting with an initial low-scoring assessment, the post-deployment high score validates the improvement to the organization’s security posture. 

Optimizing Firewall Rules with Rule Impact Analysis 

With a large number of apps being segmented, this can result in a significant number of security policies that are difficult to manage. Unlike traditional IP-address-centric firewall rules, vDefend simplifies and scales security policies with tag-based groups and policies, rather than IP-based rules. Still, over time, security policies can become suboptimal. That’s where Firewall Rule Analysis comes in. This powerful feature analyzes DFW rules, ensuring security policies are efficient.

vDefend’s Firewall Rule Analysis identifies and flags seven critical rule optimization opportunities: duplicate rules, redundant rules, rule consolidation opportunities, rule contradictions, shadow rules, overly permissive rules, and ineffective rules. This calibrated analysis helps eliminate rule bloating and fix potential security misconfigurations. Forget laborious manual scripts or the need for separate, third-party tools for DFW rule analysis within your VCF private cloud. vDefend offers faster, far more comprehensive detection for both firewall misconfigurations and firewall rule optimization opportunities at no additional cost. 

*DFW 1-2-3-4 and Firewall Rule Analysis are features of Security Intelligence, available through Security Services Platform (SSP) release 5.1. 

Additional Resources:

• SSP capabilities: Read this blog. 
• vDefend DFW 1-2-3-4 overview: Watch this video.   
• Read the vDefend DFW 1-2-3-4 Security Journey Deployment Guide.
• vDefend Firewall Rule Analysis overview: Watch this video. 
• View the on-demand vDefend’s Edge Webinar Series for a deeper understanding of vDefend capabilities.

The post vDefend DFW 1-2-3-4: Deploy Zero Trust Microsegmentation in a Few Weeks to Rapidly Secure VCF Workloads appeared first on VMware Security Blog.

In today’s rapidly evolving threat landscape, effective security operations hinge on two critical pillars: automation and context aggregation. As organizations grapple with increasingly sophisticated attacks, the ability to seamlessly integrate diverse security solutions becomes paramount. This challenge is easily resolved through the successful integration of VMware vDefend Advanced Threat Prevention (ATP) with Security Information and Event Management (SIEM) systems.

ATP and SIEM – Better Together

ATP natively supports exporting security-related event logs via the SIEM’s REST API. While syslog is often chosen as the protocol to transmit events due to its nearly universal support, REST API logging allows far more comprehensive data formats, i.e., JSON, enabling ATP to send complex, structured security events with full context. This allows ATP to send the entire spectrum of security events, including both detection (IDS events, network anomalies, file and process analyses) as well as campaigns, which are higher-level detection objects correlated by vDefend Network Detection and Response.

Since each exported detection event is also paired with a link pointing back to ATP, the following showcases how to effectively respond and remediate using Intelligent Assist for VMware vDefend, an interactive chatbot powered by a Large Language Model (LLM) deeply integrated into vDefend user interface. This co-pilot explains detection events in plain English, helping security teams comprehend the full impact of threats while accelerating the remediation process.

As a result, this integration allows ATP data to be seamlessly incorporated into current Security Operations Center (SOC) operations, providing customers with enhanced visibility into East-West network traffic. 

Next, let’s explore the configuration steps, the types of security events exported by ATP, and ultimately, how this combined approach provides security specialists, CISOs, and CTOs with a unified, comprehensive view for enhanced threat detection and response.

Configuration

As detailed in the technical documentation available here, configuring the SIEM integration is a straightforward process that involves adding a new “SIEM Configuration” (located in the “Server Configuration” administration section), which requires specifying the endpoint URL and type (see Figure 1). In some cases, for example, when integrating with the Splunk HTTP Event Collector, it might also be necessary to specify the authorization token, which can be done by adding an Authorization header in the related field.

Figure 1: Configuration dialog to configure SIEM integration

Note that the integration natively supports ARIA Operations for Log as a SIEM server; in that case, the endpoint type should be left to “Default” and the endpoint URL set to the vRLI IP address suffixed with the pathname “/api/v2/event”. In this case, no additional headers are required. However, it is important to notice that the proxy configuration (available in the same “Server Configurations” section) does not apply to the SIEM configuration, meaning that any usage of cloud-based connectors like Exabeam would require Internet connectivity.

In general, ATP supports custom endpoint configurations, making it easy to connect with other leading SIEM solutions such as Microsoft SIEM, ELK stack, SIEMplicity, Splunk, and Google Chronicle. By leveraging custom endpoints and configurable headers, organizations can tailor the integration to their specific SIEM environment, ensuring compatibility and efficient data flow. This flexibility empowers security specialists, CISOs, and CTOs to consolidate security data into a single pane of glass, streamlining operations and improving overall threat detection and response capabilities.

The next section will showcase what security events are exported, and how SOC analysts can best leverage the provided value.

Security Events

ATP exports two primary types of security events to provide comprehensive visibility into your threat landscape: detection events and campaign events. 

Detection Events

Detection events include alerts generated by several vDefend components: Security Intelligence for network anomalies, Malware Prevention System for file and process detections, and IDS/IPS for IDS signature hits. When aggregated by vDefend Network Detection and Response, all these detection events share the same underlying alert schema, and as such, some properties can easily be leveraged to further sift through the logs, pivot through the data, or just build dashboards as well as custom alerting logic.

Table 1 details all the fields included in the JSON document exported via the REST API each time a detection event is generated by ATP.

Table 1: Fields used by a security event representing a detection event (note: examples of opaque types such as hashes or UUIDs are omitted for the sake of clarity).

Besides the usual time attributes (“start_time” and “end_time”), it is possible to filter detection events by “impact”, for instance, by considering only those detection events with HIGH or CRITICAL impact, i.e., with impact values greater than 70. If the integration aims to populate a custom dashboard, a SOC analyst might be designed to group events by MITRE tactic and technique. The fields “mitre_tactic_id” and “mitre_technique_id” can be used to quickly highlight the detection events related to a specific attack phase of the ATT&CK framework.

The field “is_src_target” is something unique to vDefend Network Detection and Response, and it highlights the workload that was affected by a given detection. Consider for example, the case of an attempted CVE exploit: the workload of interest is the destination of the network connection, meaning that in this instance the field “is_src_target” would be set to false. 

The report describes this scenario: an attacker exploited a critical remote code execution vulnerability in Confluence installed on a Windows server. The workload of interest in this case is the Windows server, and the field “is_src_target” would be set to false. A different case is the detection of a workload compromised by malware, which is attempting to establish a C2 channel to an external and malicious server; in this case, the field “is_src_target” is set to true to reflect that the workload “of concern” is the source of the network connection. This scenario can be seen in the report where a Cobalt Strike beacon was executed on a breached workstation. The beacon then connected to IP addresses managed by CloudFlare, which acted as a proxy server between the victim network and the C2 server. In this case, the field “is_src_target” would be set to true. The fields “threat_name” and “url” provide instead a quick and effective ways to extract details about the actual threat; while the former is self-explanatory, the latter allows the SOC analyst to directly open ATP user interface loaded with the details of the detection event.

The field “detection_type” is used to discriminate between all types of detection events. The possible values are:

• IDS for IDS signature hits as detected by the IDS/IPS.
• NETWORK_ANOMALY for NTA anomalies identified by Security Intelligence.
• FILE and FILE_TRANSFER for analyzed files detected either on a workload or on the wire by the Malware Prevention System.
• PROCESS for (potentially file-less) process executions detected on a workload by the Malware Prevention System. 

Detection events of type “IDS” will store inside “ids_signature_id” the signature identifier responsible for the alert. In case of a signature designed to detect a specific CVE exploitation, the CVE ID will also be stored inside the “cve” field. The field “signature_name” will detail the name of the IDS signature, and in case of a custom IDS signature, the field “original_signature_id” provides the identifier of the IDS signature from which the custom IDS signature is derived.

Network anomalies can be found by looking for detection events of type “NETWORK_ANOMALY”. In this context, the field “threat_name” represents the name of the NTA detector responsible for the alert. Given the behavioral nature of the detection, focusing on a specific MITRE tactic and technique is an effective way to quickly identify alerts of interest; for example, to identify attempted data exfiltrations, it is possible to filter network anomalies where the “mitre_tactic_name” is “Exfiltration”. For example, the threat actor in the report described here, used Restic to exfiltrate data from a file server. “mitre_tactic_name” would be set to “Exfiltration” for this step of the campaign.

File detections (detection event type “FILE” and “FILE_TRANSFER”) can either originate from a given workload (because of a new file being created, see “file_action”) or from a given file transfer as intercepted by the Gateway Firewall. In either case, “file_sha1_hash” and “file_sha256_hash” can be quickly used to search for the file artifacts on other external services such as VirusTotal, while “file_magic” and “file_mime_type” allow for filtering by the type of file (“file_mime_type” being much more fine-grained than “file_magic”). This report describes a lateral movement technique with the help of RDP, where a threat actor dropped on disk and executed malware samples, executable network tools, and scripts to steal credentials. In all the cases, hashes of the dropped files will be stored in “file_sha1_hash” and “file_sha256_hash”.

The last type of detection events is the “PROCESS” type. In this context, the aggregated information comprises the execution path of the process (“process_executable_path”) and the command line (“​​process_command_line”); this is essential to focus on specific executables only when used for non standard purposes; for example an analyst might want to filter on those events where the process is PowerShell, i.e., the executable path is “C:\Windows\System32\WindowsPowerShell\v1. 0\powershell.exe” but only when it is used to execute obfuscated commands (the string ‘-EncodedCommand’ is part of the “process_command_line” field). In the attack described here, where Brute Ratel was used for remote access, the threat actor used Brute Ratel to retrieve credentials to access Veeam Backup & Replication (a backup application) via a PowerShell command “powershell -nop -exec bypass -EncodedCommand <base64>” where the Base64-encoded string contained code to download and execute Veeam-Get-Creds.ps1.

In conclusion, regardless of the task at hand, a SOC analyst can effectively surface the desired security events by leveraging the right attributes.

Campaign Events

Campaigns are higher-level detection objects that correlate different detection events together to represent the different steps undertaken by a potential attacker. Each time a new campaign is created (by correlating existing detection events) or updated (by adding new detection events to an existing campaign), ATP emits a new security event of type “CAMPAIGN”. Table 2 lists all the fields that are part of the security event. 

Since campaigns may evolve over time as new detection events are correlated, each security event has a ‘detections_added’ field containing the UUIDs of the detection events newly correlated to the campaign, as identified by the ‘uuid’ field. There is also a possibility that two groups of detection events belonging to two different campaigns might eventually be merged. Consider for example a set of detection events detailing a workload reaching out to an external C2 server, and another set of data exfiltration anomaly events referencing apparently unrelated workloads: these two different activities might be merged by vDefend Network Detection and Response component after Security Intelligence identifies an intermediate lateral propagation event between the two workloads; the field ‘campaigns_merged’ will contain the UUIDs of the campaigns being merged.

Table 2 contains all the fields used by a “CAMPAIGN” security event.

Table 2: Fields used by a security event representing a campaign event (note: examples of opaque types such as hashes or UUIDs are omitted for the sake of clarity).

Response and Remediation

Both campaign and detection events enable SOC analysts to gather more contextual details by opening the link contained in the ‘url’ field, which points back to the ATP user interface. This allows leveraging the whole extent of functionalities provided by ATP, especially for remediating a security incident using bespoke network policies. In particular, Intelligent Assist for VMware vDefend is an interactive chatbot powered by a Large Language Model (LLM) that enables the automatic generation of security policies.

Figure 2 shows a possible conversation between a SOC analyst and Intelligent Assist. Based on the details of the security event (threat type, affected workloads, etc), Intelligent Assist first explains the security event, and then assembles a potential remediation plan. Since any remediation can potentially impact legitimate traffic, Intelligent Assist further asks the risk tolerance for the response, and presents a choice between a targeted or a more comprehensive response. Once a selection is made, based on the type of detection event, Intelligent Assist will propose a selection of Intrusion Detection and Prevention System (IDS) or Distributed Firewall (DFW) policies; the affected workloads will only comprise those detailed in the security event; one last click creates (in disabled state) the proposed policies.

Figure 2: Intelligent Assist for vDefend proposing a security policy to drop (prevent) further detection events matching a specific IDS signature.

Conclusion

The integration of ATP with SIEM solutions provides a unified and comprehensive view of the threat landscape, significantly enhancing an organization’s ability to detect and respond to sophisticated attacks. By leveraging ATP’s rich, contextualized security events, including IDS, network anomalies, file and process analyses, and correlated campaigns, security specialists, CISOs, and CTOs gain unparalleled visibility into both North-South and East-West network traffic.

This is possible through the unique traffic interception capabilities offered by ATP, which can collect traffic from the edge, virtualized workloads, and bare metal endpoints via the NDR sensor. This detailed insight, combined with the power of SIEM for centralized logging and analysis, streamlines security operations and empowers proactive threat hunting.

Ultimately, the seamless integration of ATP with existing SIEM platforms is not merely a technical advantage but a strategic imperative. It addresses the critical need for automation and context aggregation in modern security operations, enabling organizations to move beyond reactive incident response to a more resilient and anticipatory security posture. This combined approach ensures that security teams are equipped with the necessary tools and information to effectively combat the evolving threat landscape, thereby protecting critical assets and maintaining operational continuity.

For more information about ATP and SIEM integration, go here.

The post Stacking Your Defenses: Integrating Advanced Threat Prevention and SIEM appeared first on VMware Security Blog.

Announcing Microsegmentation Quick Start Wizard, NDR Sensor for datacenter-wide threat visibility, Fileless Malware Defense, and a tech preview of Lateral Security for Agentic AI

In a world where cyber threats evolve by the nanosecond and AI/GenAI is reshaping every industry, security can feel like a game of endless catch-up. But what if you could not only keep pace but truly get ahead? At VMware Explore 2025, we’re unveiling innovations in VMware vDefend – an advanced service for VMware Cloud Foundation (VCF) – that don’t just react to threats but fundamentally change how you build, operate, and secure your enterprise private cloud, including your most critical AI workloads.

Key highlights from VMware Explore 2025 showcase our latest vDefend Innovations for protecting workloads on the VCF private cloud.

• Accelerate Zero Trust: New built-in automation-driven workflows for multi-stage segmentation and firewall rule analysis features streamline lateral security, making your journey to Zero Trust private cloud faster and more efficient than ever.
• Extended Threat Detection: Introducing a standalone NDR sensor to provide comprehensive datacenter-wide threat visibility across all types of network traffic  – workloads (virtual, container, and bare-metal) and network devices.
• Fileless Malware Defense: vDefend introduces advanced capabilities for fileless malware detection, directly targeting stealthy in-memory attacks, including PowerShell, VBScript, and JScript-based attacks.
• vDefend and AI: 
  • GenAI Assistant for Firewall Operations – Introducing the tech preview of the Gen AI assistant for vDefend Firewall operations to simplify operations and speed up issue resolution by providing insights into dynamic security events like real-time policy violations or blocked applications
  • Lateral Security for AI Workloads: Introducing tech preview of zero-trust lateral security for Agentic AI workloads running on VMware Cloud Foundation (VCF) Private AI Foundation (PAIF) 

Accelerate the Zero Trust Journey with VMware vDefend

In this section, we are describing vDefend enhancements that streamline and speed up the zero-trust journey for VCF private cloud workloads.

Fast-track Segmentation of Private Cloud Workloads

Customers face two key challenges during zero trust roll-out in brownfield environments: (1) assess current segmentation posture and identify gaps, and (2) quickly address security gaps to improve segmentation posture.

We addressed the first challenge earlier this year with Security Segmentation Score and Assessment Report, which provided a real-time assessment of private cloud segmentation posture and lists recommendations to significantly improve the posture. With today’s announcement, we are addressing the 2nd challenge through a prescriptive, multi-stage segmentation workflow designed to progressively secure private cloud (east-west) traffic. This includes: shared services (infrastructure) protection in Stage-1, and granular, application-level protection in Stage-2. This structured and automation-driven approach removes the guesswork and speeds up microsegmentation across all VMware Cloud Foundation (VCF) private cloud workloads (critical and non-critical).

The workflows guide you through securing workloads in progressive layers. 

Stage-1 Protection: It begins with fortifying foundational services and shared infrastructure, such as DNS, DHCP, Active Directory, etc., which form the backbone of your private cloud. 

Stage-2 Protection: Then, it guides you through reducing your attack surface layer by layer, establishing robust zone-level protection and intelligent segmentation between zones. 

Stage-3 Protection: Finally, it helps you automate sophisticated application-level protection, securing traffic within and between your applications. 

The cornerstone of this approach is a tag-based declarative policy model and an AI/ML-driven rule recommendation engine. Alongside this, continuous monitoring detects changes and recommends updated rules to maintain a strong security posture over time. To simplify implementation, the platform also supports importing your data center hierarchy, tagging, and automatically creating and assigning groups for policy enforcement. 

Net-net, customers can significantly improve their segmentation posture in a few weeks.*

Simplify and Optimize with Firewall Rule Analysis

With a large number of apps being segmented, this can result in a significant number of security policies that are difficult to manage. Unlike traditional IP-address-centric firewall rules, vDefend already simplifies and scales security policies with: 

• Tag-based declarative policy model
• Recently enhanced policy scale (firewall rules: 120K → 200K, Tag groups: 10K → 115K)

Still, over time, security policies can become suboptimal and bloated. That’s where Firewall Rule Analysis comes in. This powerful feature analyzes Distributed Firewall (DFW) rules, ensuring security policies are lean and efficient.

vDefend’s Firewall Rule Analysis identifies and flags seven critical rule optimization opportunities: duplicate rules, redundant rules, rule consolidation opportunities, rule contradictions, shadow rules, overly permissive rules, and ineffective rules. This calibrated analysis helps eliminate rule bloating and fix potential security misconfigurations. Forget laborious manual scripts or the need for separate, third-party tools for DFW rule analysis within your VCF private cloud; vDefend offers faster and far more comprehensive detections for both firewall misconfigurations and firewall rule optimization opportunities at no additional cost. Unlike general-purpose third-party tools that may require complex integrations and lack the deep context of your VCF environment (e.g., identify rules based on VM tags), vDefend’s firewall rule optimization is purpose-built to analyze published DFW rules directly, ensuring unparalleled accuracy and efficiency. Plus, with the ability to schedule automated reporting or perform on-demand analysis via UI, API, and downloadable CSV reports, firewall admins have full visibility and control over their rule sets.

In summary, vDefend’s built-in tools to fast-track segmentation and to optimize firewall rules are designed to empower firewall teams to confidently accelerate the Zero Trust journey, making robust lateral security a reality in a short period of time rather than a multi-year aspirational goal.

Enhancements in vDefend’s Advanced Threat Prevention (ATP)

This section highlights vDefend ATP enhancements for threat detection and prevention.

Introducing NDR Sensor for Extended Threat Visibility and Detection

vDefend’s Network Detection and Response (NDR) has enabled the detection of sophisticated threat campaigns for VCF workloads. Because of vDefend’s integration with VCF, the NDR operates on multiple sources of alerts (from IDS/IPS, Malware prevention, and Network Traffic Analysis), delivering very high-fidelity threat detection. The vDefend NDR also curates events and only sends high-severity threats and correlated campaigns to the corporate SIEM, hence reducing SIEM cost and alert fatigue.

Many customers would like to extend this advanced NDR’s scope to datacenter-wide traffic. Hence,  we are introducing the NDR Sensor for VMware vDefend. It can be deployed into existing monitoring (Tap/SPAN) fabrics to collect traffic from other network & client devices, for analyzing datacenter-wide threat campaigns.

Detect Stealthy In-memory Attacks with Fileless Malware Detection

One of the most insidious and challenging threats today is fileless malware, which operates entirely in memory, leaving no traditional footprint on the disk. It often exploits legitimate tools like PowerShell, VBScript, and JScript to evade traditional security controls. Real-world attacks have seen PowerShell abused for credential dumping, VBScript leveraged for malicious downloaders, and JScript used in sophisticated phishing campaigns—all without dropping a single file to disk. 

By integrating directly with the Antimalware Scan Interface (AMSI) for Windows workloads, vDefend ATP now inspects and intercepts these malicious scripts before execution, stopping Living-off-the-Land (LotL) tactics in their tracks. This in-memory detection capability not only detects attacks that bypass conventional file-based defenses but also delivers rich telemetry, execution context, and forensic artifacts to security operations teams, enabling faster investigation and response. With this enhancement, vDefend helps customers close a major blind spot exploited by today’s cyber adversaries and protect critical workloads. 

AI/GenAI and VMware vDefend

AI is critical in security, and hence it has always been an integral component of vDefend. 

• AI/ML has been extensively leveraged in vDefend. This includes application visibility, segmentation scoring, and rule recommendations.
• GenAI-based Intelligent Assist (IA) for Threat Defense was recently introduced to help security analysts simplify and speed up threat investigation. It can explain threats and threat campaigns as well as suggest mitigation options.

vDefend’s AI/ML and IA get the complete data, rich context, and the broadest scope for private cloud due to (1) vDefend’s integration with VCF and (2) vDefend’s multi-function code base (involving visibility, comprehensive segmentation with distributed firewall, IDS/IPS, NDR/NTA, and Malware Prevention). This enables IA chatbot to deliver highly calibrated insights.

We are furthering vDefend’s AI journey with the following tech previews:

• GenAI assistant for firewall to simplify vDefend Firewall operations and speed up issue resolution. Customers will be able to derive valuable insights from the security infrastructure’s dynamic operational state.
• Zero-trust lateral security for AI and Agentic AI workloads. AI workloads are creating a new attack surface, and hence protecting them day-1 is becoming a necessity. vDefend Firewall’s 20 Tbps performance and built-in integration with VKS & Kubernetes are critical capabilities for security AI and agentic AI workloads.

Attackers are heavily utilizing AI/GenAI technologies to infiltrate IT environments. VMware vDefend’s focus is to leverage AI/GenAI to deliver better security and empower security professionals to effectively combat the evolving cyber landscape.

For a deeper dive on the above tech previews, please check out our dedicated blog Security and Load Balancing Innovations in the Age of GenAI and Agentic AI. 

vDefend at VMware Explore 2025

We invite you to experience vDefend’s latest advancements firsthand by joining our breakout sessions at VMware Explore and discover how vDefend is redefining what’s possible in enterprise private cloud security. Your journey to a more secure, resilient, and AI-ready future starts now.

Editorial Note: The information included in this blog is for informational purposes only and may not be incorporated into any contract. There is no commitment or obligation to deliver any items presented herein.

The post Unleash Zero Trust: Secure Private Cloud and Agentic AI Workloads with VMware vDefend Innovations appeared first on VMware Security Blog.

VMware Explore 2025 is right around the corner! The agenda is bursting at the seams, and the catalog’s session scheduler is now available.

Taking place in Las Vegas again this year from August 25 to 28, 2025, Explore 2025 will provide attendees with insights into cutting-edge technology purpose-built for private cloud environments. This year throws a spotlight on new VMware Cloud Foundation (VCF) 9.0 innovations, including integrated advanced security capabilities from VMware vDefend.  vDefend is a leading software-defined, hypervisor-integrated, lateral security solution purpose-built to comprehensively protect every VCF workload.

Join the excitement and learn new techniques for building robust digital defenses against advanced threats, such as ransomware. Discover how vDefend accelerates security deployment, delivers multi-layered lateral security to support an organization’s zero-trust strategy, boosts operational efficiency through AI-assisted technology, and more.

Check out these vDefend sessions below, and mark your calendars!

Featured Executive Session

Ransomware Protection and App Delivery for the Cloud and AI Era [NSLB1756LV]

Organizations are increasingly demanding a cloud operating model enhanced with AI/GenAI for the rapid operationalization of lateral security and application delivery. VMware vDefend and VMware Avi Load Balancer offer plug-and-play integrations with VCF, providing comprehensive application and threat visibility, zero-trust security, and web application security to combat ransomware. These solutions leverage AI/GenAI to boost operational efficiency and productivity. Join us to hear about our latest innovations and strategic direction in multi-terabit performance and scale, extending “as code” and “as self-service” to VCF virtual private cloud (VPC), as well as use cases for Private AI and agentic workloads.

Speaker:

Umesh Mahajan, VP & GM, Application Networking and Security, Broadcom

Breakout Sessions

Accelerating Firewall and Load Balancer Operations and Troubleshooting with GenAI innovations [INVB1864LV]

In this session, we will provide a tech preview of how new innovations in GenAI can help accelerate the day-to-day operations and troubleshooting of firewalls and load balancers in the data center. By utilizing a chat-style interface with natural language queries, security and load balancing administrators can get immediate answers to AI-generated explanations of firewall and load balancer alerts, AI-generated operational insights based on current firewall and load balancer configurations, and AI-generated code samples for automating firewall and load balancer configurations.

Speaker:

Ranga Rajagopalan, CTO – ANS Division, Broadcom

Catherine Fan, Technology Product Manager, Broadcom

Building Secure Private AI Deep Dive [INVB1432LV]

Discover how to securely build and scale private AI infrastructure using vDefend and VMware® Private AI with NVIDIA. This session will guide you through designing a robust private AI architecture with built-in data protection, workload isolation, and automated policy enforcement. Learn how vDefend enhances AI model security with segmentation and real-time threat detection, while Private AI with NVIDIA provides the platform to deploy and manage AI workloads with full control. Ideal for architects and security teams, this session delivers practical insights to operationalize AI securely in a private cloud environment.

Speaker:

Chris McCain, Director, Broadcom

Alex Fanous, Staff Cloud Architect, Broadcom

Demystifying VMware vDefend Distributed Security Within VMware Cloud Foundation [NSLB1076LV] People’s Choice Award Winner

Join this award-winning session to learn how vDefend Distributed Firewall, Distributed Intrusion Detection System, and Distributed Intrusion Protection System provide security services in the kernel through the processing of rules and signatures intrinsically within the virtual networking infrastructure. We will show the inner workings of the distributed services from an architectural standpoint, the best implementation techniques, and troubleshooting tools for examining the effectiveness of the strategy deployed. We will also cover the use of AI to simplify the configuration of the centrally managed protection mechanisms and greatly reduce the time and effort needed to put a tight security policy in place.

Speakers:

Chris McCain, Director, Broadcom

Tim Burkard, Staff Technical Learning Engineer, Broadcom

Elevate Threat Investigation Workflows with the GenAI Intelligent Assist [NSLB1596LV]

Security operators are tasked with investigating and responding to security incidents. With limited information and assistance, key tasks such as triaging, contextualizing, and responding to incidents in a timely manner can place a burden on resources and result in suboptimal outcomes. The Intelligent Assist for vDefend is designed to address these challenges by leveraging GenAI. This demo-based session will cover how Intelligent Assist for vDefend enables explainability and remediation of threat detection events.

Speaker:

Bopaiah Puliyanda, Senior Manager, Product Management, Broadcom

From Zero to Hero: VMware vDefend Advanced Threat Prevention Deployment Best Practices [NSLB1869LV]

Recovering from ransomware or just getting started to build your defenses? In this session, we will share battle-tested best practices on how to successfully deploy VMware® vDefend Advanced Threat Prevention to buydown risk and defend your applications and data against attacks.

Speaker:

Stijn Vanveerdeghem, Senior Manager, Technology Product Management, Broadcom

Ready to See What Happens When Zero Trust Just Clicks? [NSLB1193LV]

Supercharge your Zero Trust VCF strategy by combining vDefend with Symantec® Zero Trust Network Access protection—designed to deliver seamless, powerful network security with the most user-friendly experience possible, even on personal and unmanaged devices. With more than 80% of organizations embracing bring-your-own-device policies and 68% reporting productivity gains, security cannot afford to slow anyone down. Don’t miss this high-energy walkthrough, real-world examples, and a live demo showing how vDefend and Symantec software solutions are transforming secure access for today’s hybrid enterprise, making it ideal for VCF private cloud environments.

Speakers:

Stanislav Elenkrich, Lead Product Manager SSE, Broadcom

Srini Nimmagadda, Director, Technology Product Manager, Broadcom

Safeguard Your Containers and VMs with VMware vDefend in VMware Cloud Foundation [NSLB1552LV]

VCF is the ultimate platform for containers and virtual machines, incorporating an upstream-conformant Kubernetes runtime: VMware vSphere Kubernetes Service (VKS). Organizations can operate modern applications alongside traditional virtual machines on the same infrastructure. Seamlessly securing such non-homogeneous workloads should not become a challenge that requires different solutions and expertise. This session will showcase how vDefend and Antrea work together to streamline the security delivery and protect containers and VMs.

Speaker:

Madhukar Krishnarao, Sr. Product Manager, Broadcom

Security Reference Design for VMware Cloud Foundation [NSLB1836LV]

Join this session to learn how to design security for VMware Cloud Foundation® (VCF) management and workload domains. This session will include best practices for securing VCF management domain, as well as the workloads running in the VCF workload domain. We will cover Infrastructure segmentation, app-level ring-fencing/micro-segmentation, and ransomware prevention and threat visibility design.

Speaker:

Pooja Patel, Director, Broadcom

Unified Security Policy Orchestrator for Self-Service with Governance [INVB1440LV]

Application operations teams know what network connectivity they need for their application services, and prefer a self-service model. However, the information risk assessment and network security teams need compliance and governance. How can this policy be updated with compliance checks? Introducing SPaC (Security Posture and Compliance) —a unified security orchestrator—that addresses all these requirements and turns an application service owner’s policy into a security-compliant policy model that can be programmed in not just vDefend firewalls, but also can be extended to other firewall vendors and network security devices.

Speakers:

Kausum Kumar, Senior Manager, Technical Product Management, Broadcom

Ranga Rajagopalan, CTO – ANS Division, Broadcom

VMware vDefend Distributed Firewall Operational Overview [NSLB1623LV]

This session is intended for all practitioners who want to delve into the details of vDefend Distributed Firewall from Day 0 to Day 365. Learn how operators can rapidly adopt and secure their networks and applications via macro- and microsegmentation. We will cover how to quickly tag and group workloads, add new rules, or continuously update existing rule sets, and how vDefend functionalities provide continuous assessment of segmentation posture along with blast radius analysis.

Speakers:

Kausum Kumar, Senior Manager, Technical Product Management, Broadcom

Catherine Fan, Technology Product Manager, Broadcom

Explore 2025 – A Can’t Miss Event

Whether you’re pursuing certifications, digging into VCF and Private AI, or participating in hackathons or Hands on Labs, you’ll find resources to drive meaningful progress within your organization. And if you still need to register, start here!

All the sessions above, plus Meet the Expert Roundtables and Tutorials, can be found in the vDefend curated agenda here. You will find all the Application Networking and Security sessions here. The catalog scheduler is now open for registered attendees, so mark your schedules today!

See you in Las Vegas!

The post VMware vDefend Sessions at Explore 2025 appeared first on VMware Security Blog.

Dubai Airports, responsible for managing both Dubai International (DXB) and Dubai World Central – Al Maktoum International (DWC), stands as a testament to the United Arab Emirates’ remarkable progress in establishing itself as a major international travel destination. DXB, a global aviation hub, retained its position as the world’s busiest international airport for the 11^th consecutive year, serving 92.3 million passengers annually in 2024.

With such immense passenger volumes, as well as 2.2 million tons of cargo annually, a plane landing or taking off every 71 seconds and a 100,000-strong workforce, the operational demands at DXB necessitate a robust and resilient digital infrastructure.

To maintain uptime, reliability, operational efficiency and most importantly guest safety, Dubai Airports relies on VMware Cloud Foundation as the bedrock of its private cloud, with VMware vDefend providing integrated advanced security.

“It’s a huge responsibility to make sure everything is running securely. It’s not just about ensuring the comfort and well-being of guests and employees, we need to make sure our systems are protected from cyber threats too,” said Biju Hameed Kayal, head of infrastructure operations, Dubai Airports.

Changing cybersecurity landscape requires a Zero Trust approach

Given the ever-increasing volume of cyberattacks – 764 were recorded in the aviation sector in 2023 – coupled with the constant evolution of threats, ensuring the security of Dubai Airports requires a proactive and vigilant approach. Dubai Airports has adopted a Zero Trust model, which assumes that nothing inside or outside the organization’s network is inherently trustworthy.

“The cybersecurity landscape has changed recently, driven by geopolitical situations and the evolution of threats. Critical infrastructure is now a prime target. Given our scale of operations, staying ahead of these threats is crucial. Increased technology adoption within the airports also introduces new security risks that we must proactively address,” he said.

Private cloud secured with VMware vDefend

Dubai Airports embarked on its virtualization journey in 2009, progressively virtualizing compute, storage and then network functions. This culminated in an advanced software-defined data center. However, Dubai Airports’ stringent security demands needed a further layer of security enhancements.

“We quickly recognized we needed to enhance our microsegmentation strategy: it primarily focused on north-south traffic and needed additional visibility into east-west traffic. VMware vDefend proved to be the right solution. It not only enhances our east-west visibility but also offers the capabilities to regulate and enforce security policies governing the interactions between our internal assets and services,” he said.

More recently, the team at Dubai Airports have taken advantage of VMware vDefend Firewall with Advanced Threat Prevention, using features such as the Distributed Intrusion Detection/Prevention System (IDS/IPS), which detects malicious traffic patterns in the distributed east-west traffic.

“With IDS/IPS, we’ve got a high level of intelligence for both threat detection and control. We want to ensure robust prevention and protection while maintaining comprehensive visibility into our network traffic,” he added.

Accelerated time to value

Given their prior experience with VMware Cloud Foundation, the team at Dubai Airports was already familiar with the capabilities of the VMware solution stack, which meant the training requirements to use VMware vDefend were minimal and hence time-to-value accelerated.

“We were already comfortable with the VMware Cloud Foundation toolsets and architecture when we adopted VMware vDefend, so it’s simply been a matter of layering existing skills and adding new ones. Our organic approach to integrating virtualization and security has fostered a deeper understanding of how the entire stack contributes to achieving our security goals. It also eliminates the challenges associated with managing disparate point solutions and ensuring their interoperability,” Biju said

Dubai Airports is committed to increasing the maturity of their security strategy as they strive to maintain uptime, reliability, operational efficiency, and passenger safety across the airports.

“We are eager to explore the broader capabilities of vDefend to further enhance our security posture and cement our position as the busiest and safest airports in the world,” Biju said.

Learn more about Dubai Airports’ story here.

The post Dubai Airports Secures Critical Infrastructure with VMware vDefend appeared first on VMware Security Blog.

A home lab is an engineer’s paradise – offering a safe space to experiment, troubleshoot, and master new technologies at their own pace. VMware by Broadcom supports this method of hands-on learning, and now, with VMUG Advantage, membership benefits now include access to the VMware vDefend license.

This new benefit allows Advantage members who pass the Broadcom Education – VCP-VCF Administrator certification exam to receive free personal-use vDefend licenses for up to three years*—no prior vDefend experience required. Whether you’re just starting out or looking to expand your skills, this is a great opportunity to explore application security right in your own home lab.

*Upon completing the certification exam, VMUG Advantage members receive a one-year license. For the second and third years, they must complete a brief refresher VCF-VCP exam each year to earn additional one-year licenses, totaling three one-year licenses. 

Once you’re armed with the VMUG Advantage license, you can get hands-on with vDefend capabilities in your home lab.  The license is good for 128 Core Units, in addition to VCF licenses.  This is more than enough to build out your home lab scenario.

Step 1:  To learn more about becoming a VMUG Advantage member, get started at:

• VMUG Advantage Membership

Step 2:  Sign up for and pass the VCF-VCP exam.

• VMware Certification

Step 3:  Armed with your VCF and vDefend licenses, you can get your lab up and running. Check out these resources:

• vDefend Tech Docs
• Secure VCF Management Workload Domain with VMware vDefend – White Paper
• VMware Validated Solution – Lateral Security for VMware Cloud Foundation with VMware vDefend
• Beginner’s Guide to Automation with vDefend Firewall
• SE Labs – Breach Response Detection Test of VMware vDefend ATP

Step 4:  Watch these webinars for some additional insights.

• vDefend Webinar Series

Step 5: Now that you’re an expert, consider obtaining your VMware Certified Professional: VMware Private Cloud Security certification to complement your VCF certification.

• VMware Certified Professional:  Private Cloud Security Administrator

Now, deploy vDefend to protect your VCF workloads! Check out more cool stuff.

• vDefend How-to Videos

Join us at VMware Explore 2025 in Las Vegas

VMUG Advantage membership offers many perks, including discounts to events such as VMware Explore 2025! With your VMUG Advantage membership, you’ll receive $100 discount off VMware Explore registration.

The post vDefend is now a part of VMUG Advantage appeared first on VMware Security Blog.