White Paper: Mitigating Lateral Movement and Securing the Blast Radius with XypherSecurity and Zero Networks – The CISO’s Best Friend
- harryafzal
- Mar 29
Author: John Fay MBE, March 2025
Introduction
The cybersecurity landscape in 2025 is more volatile than ever, with lateral movement emerging as a key tactic in sophisticated cyberattacks. Once inside a network—often through phishing, malware, or stolen credentials—attackers navigate laterally, escalate privileges, and access high-value assets. This, combined with the reality that absolute security is unattainable, presents serious challenges for organisations across sectors, from healthcare and banking to defence and national infrastructure.
For CISOs, the stakes are immense, both professionally and emotionally. A single breach can disrupt operations, compromise sensitive data, or even endanger lives. XypherSecurity, based in Manchester, provides the expertise and tools to help CISOs manage this risk. We are a reseller of the Zero Networks SaaS platform, which uses Microsegmentation to restrict lateral movement and contain the blast radius to a single entity during an attack. This paper examines the growing threat of lateral movement, the importance of blast radius containment, and how XypherSecurity and Zero Networks provide an industry-leading solution.
The escalating threat of lateral movement in 2025
Lateral movement is a defining characteristic of advanced persistent threats (APTs), distinguishing them from less sophisticated attacks. Once an attacker gains access, they impersonate legitimate users, moving through systems undetected. According to CrowdStrike’s 2024 Global Threat Report, the average breakout time—the window before lateral movement begins—is just 1 hour and 58 minutes, leaving organisations with little time to respond.
The threat is intensifying. The Identity Theft Resource Centre reported a 72% rise in data compromises in 2023, a trend that has only accelerated. Meanwhile, a 2024 IBM Security study found that 60% of data breaches involved lateral movement, with an average cost of £3.5 million.
Cloud environments add to the risk. Research from Orca Security in 2024 found that 58% of cloud environments contain at least one publicly exposed workload with a cleartext long-term key—prime targets for lateral movement. In healthcare, attackers pivot from administrative systems to patient data, potentially disrupting critical care. In manufacturing, they may move from IT networks to operational technology (OT), risking production shutdowns or safety failures. The rise of hybrid work has further compounded these vulnerabilities, with a 2024 Cisco report revealing that 45% of organisations experienced increased lateral movement attempts due to remote access misconfigurations.
For CISOs, this is not just a technical challenge but a constant source of anxiety. The prospect of a breach, operational paralysis, or regulatory fallout weighs heavily. At XypherSecurity, our core values of courage, compassion, earn the right & Ask Why Not drive us to provide real solutions that alleviate these concerns.
Securing the blast radius to a single entity
The blast radius of an attack refers to the potential spread of damage once a system is compromised. In large-scale breaches, unchecked lateral movement allows attackers to infiltrate interconnected systems, amplifying the impact. A 2023 ransomware attack on a UK hospital demonstrated this vividly—lateral movement enabled the encryption of patient records across multiple systems, delaying life-saving treatments.
Containing the blast radius is essential. The most effective method is Microsegmentation: dividing a network into isolated segments with strict access controls. This approach:
• Prevents an attacker from moving laterally: if one system is breached, others remain secure
• Aligns with zero trust principles, ensuring “never trust, always verify” access policies
• Safeguards critical infrastructure, whether isolating patient data in healthcare, segmenting OT in energy grids, or restricting access between IT and financial transactions in banking
A well-implemented Microsegmentation strategy effectively limits the blast radius to a single entity, dramatically reducing the potential impact of an attack.
XypherSecurity and Zero Networks: A superior solution
XypherSecurity, led by John Fay MBE (CEO) and Harry Afzal (Chief Revenue Officer), is built on decades of cybersecurity expertise. Our purpose is clear: to help our world become less vulnerable.
Zero Networks is a market-leading Microsegmentation solution that delivers:
• Automated network security: every connection is authenticated and authorised, preventing unauthorised lateral movement
• Rapid, scalable deployment: unlike traditional, manual-intensive Microsegmentation solutions, Zero Networks can be fully implemented in 2 to 3 weeks, making it ideal for complex environments
• Least-privilege access control: restricting user access to only the resources they need, reducing breach potential
• Intelligent traffic visibility: providing real-time insights into network flows and automatically enforcing security policies
• Seamless integration: working alongside existing security infrastructure without the need for complex reconfiguration
By securing the blast radius to a single entity, XypherSecurity and Zero Networks offer CISOs both technical resilience and peace of mind.
Predictions: The role of Microsegmentation in 2025
1. Widespread adoption in critical sectors
Microsegmentation will become standard across industries, particularly in defence, healthcare, and financial services. As attacks on critical infrastructure intensify, Zero Networks will play a central role in limiting lateral movement.
2. AI-enhanced Microsegmentation
AI-driven threat detection will become integral to Microsegmentation. Zero Networks will leverage AI to dynamically adjust policies, isolating anomalies in real time while ensuring robust protection against AI-driven attacks.
3. Regulatory drivers
Regulations such as the Digital Operational Resilience Act (DORA) will require enhanced segmentation for third-party risk management. Zero Networks enables compliance by isolating vendor access and securing sensitive systems.
4. Supply chain protection
With supply chain attacks on the rise, Microsegmentation will be key to reducing risk. Zero Networks will restrict third-party access, ensuring that vulnerabilities in one supplier do not compromise an entire network.
5. Proactive deterrence
Cybersecurity strategies will shift from reactive defence to proactive deterrence. By making networks too complex for attackers to navigate, XypherSecurity and Zero Networks will help organisations stay ahead of emerging threats.
Recommendations: Mitigating lateral movement with XypherSecurity and Zero Networks
1. Prioritise essential systems
Identify the most critical assets—such as patient data in healthcare or grid controls in utilities—and use Zero Networks to isolate them with least-privilege policies.
2. Integrate AI securely
Leverage Zero Networks’ AI capabilities to monitor traffic and adjust policies dynamically, reducing breakout times while ensuring AI systems themselves are protected against exploitation.
3. Foster a security-first culture
Train teams on Zero Networks’ role in network security. Reducing human error, often the entry point for lateral movement, is just as crucial as technical controls. We have a unique partnership here, bringing in a culture change specialist firm with whom we share ownership.
4. Ensure regulatory compliance
Use Zero Networks to document vendor access restrictions, aligning with regulations such as DORA and ensuring that compliance efforts address modern threats.
5. Continuously test and refine
Simulate and/or run red team attacks to evaluate Zero Networks’ policies, ensuring they contain lateral movement within the critical two-hour window. Regular testing keeps defences effective and up to date.
Conclusion
XypherSecurity and Zero Networks provide the tools and expertise CISOs need to mitigate lateral movement and secure the blast radius to a single entity. With lateral movement implicated in 60% of data breaches and breakout times averaging under two hours, Microsegmentation is no longer optional; it is essential. Our solutions offer not only technical protection but also reassurance in an increasingly complex threat landscape.
As cyber threats evolve, XypherSecurity remains committed to supporting organisations in the UK’s most critical sectors, ensuring their essential systems are safeguarded against the inevitable.
References
1. CrowdStrike (2024). 2024 Global Threat Report.
2. Identity Theft Resource Centre (2023). 2023 Data Breach Report.
3. Orca Security (2024). State of Public Cloud Security Report.
4. IBM Security (2024). Cost of a Data Breach Report 2024.
5. Cisco (2024). 2024 Cybersecurity Threat Trends Report.
6. Zero Networks (2025). Product Documentation and User Reviews.
7. European Union (2025). Digital Operational Resilience Act (DORA). Official Journal of the European Union.