Create your first policy
Define and enforce a Zero Trust policy in the Threatmatic Console
Threatmatic policies define what traffic is allowed, blocked, or audited — across users, groups, devices, and applications. Every network flow is verified against policy on both the user and application axes before it is permitted.
Policy anatomy
A policy consists of one or more rules. Each rule defines:
| Component | Description |
|---|---|
| Scope | Who or what the rule applies to (user, group, device tag) |
| Match | What traffic to match (destination, application, port, protocol) |
| Action | Allow, Block, or Audit |
| Priority | Order in which rules are evaluated (lower number = higher priority) |
Steps
Navigate to Policies
- Sign in to the Console
- Go to Policies → New Policy
Name and describe the policy
Give your policy a clear, descriptive name — e.g. Block outbound P2P - contractors.
Add a description so other admins understand its intent.
Set the scope
Choose who this policy applies to:
- A specific user
- A group (e.g. contractors, us-remote-team)
- A device tag (e.g. unmanaged, iot)
- All devices (use with care)
Add rules
Click Add Rule and configure each rule:
Example — block social media for contractor group:
| Field | Value |
|---|---|
| Scope | Group: contractors |
| Match | Domain category: Social Media |
| Action | Block |
| Priority | 10 |
Example — allow Slack for all users:
| Field | Value |
|---|---|
| Scope | All users |
| Match | Application label: slack |
| Action | Allow |
| Priority | 5 |
Because the Allow rule has priority 5 and the Block rule priority 10, the Allow rule is evaluated first: contractors keep Slack even if Slack is classified under the Social Media category. Check rule ordering whenever an Allow and a Block can match the same traffic.
Set enforcement mode
| Mode | Behavior |
|---|---|
| Enforce | Rules are applied immediately |
| Observe | Traffic is logged but not blocked — use for baselining |
Start in Observe mode for new policies. Review the activity logs after 24–48 hours, confirm that the logged would-be blocks are the ones you intended and nothing business-critical appears among them, then switch to Enforce.
Save and apply
Click Save and Apply. Policy changes are pushed to all affected endpoints in under 50ms.
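The following is an added illustration of how the rule components above (scope, match, action, priority) and the two enforcement modes combine when a flow is evaluated. It is not Threatmatic's engine or API; it is a small stand-alone model written for this guide. It assumes first-match-wins evaluation in priority order, a default-deny outcome when no rule matches, and that Audit permits the flow but logs it. The rule names, users, groups and the classification of Slack under "Social Media" are constructed sample data chosen so that the Allow and Block rules overlap.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, NamedTuple, Optional

# Added model of policy evaluation; not Threatmatic product code.


@dataclass(frozen=True)
class Flow:
    """One network flow as seen by the policy check (constructed sample data)."""
    user: str
    groups: FrozenSet[str]
    device_tags: FrozenSet[str]
    domain_category: str
    app_label: str


@dataclass(frozen=True)
class Rule:
    name: str
    scope: Dict[str, object]   # {"user": ...}, {"group": ...}, {"device_tag": ...} or {"all": True}
    match: Dict[str, str]      # {"domain_category": ...} and/or {"app_label": ...}; empty = any traffic
    action: str                # "Allow", "Block" or "Audit"
    priority: int              # lower number = evaluated first


class Verdict(NamedTuple):
    permitted: bool          # was the flow let through?
    action: str              # action of the matching rule, or the default
    rule: Optional[str]      # name of the matching rule; None when the default applied


def scope_applies(scope: Dict[str, object], flow: Flow) -> bool:
    """Scope answers 'who': a single user, a group, a device tag, or everyone."""
    if scope.get("all"):
        return True
    if scope.get("user") == flow.user:
        return True
    if scope.get("group") in flow.groups:
        return True
    if scope.get("device_tag") in flow.device_tags:
        return True
    return False


def match_applies(match: Dict[str, str], flow: Flow) -> bool:
    """Match answers 'what': every listed attribute must equal the flow's value."""
    return all(getattr(flow, attr) == value for attr, value in match.items())


def evaluate(rules: List[Rule], flow: Flow, mode: str = "Enforce",
             default_action: str = "Block", log: Optional[List[str]] = None) -> Verdict:
    """First rule (lowest priority number) whose scope and match both apply wins.

    Assumptions: no matching rule -> default_action (default-deny here);
    Observe mode never blocks but records what Enforce would have done;
    Audit permits the flow and writes a log entry.
    """
    action, rule_name = default_action, None
    for rule in sorted(rules, key=lambda r: r.priority):
        if scope_applies(rule.scope, flow) and match_applies(rule.match, flow):
            action, rule_name = rule.action, rule.name
            break
    permitted = action != "Block" or mode == "Observe"
    if log is not None and (mode == "Observe" or action in ("Block", "Audit")):
        log.append(f"{mode}: user={flow.user} app={flow.app_label} "
                   f"category={flow.domain_category} action={action} rule={rule_name}")
    return Verdict(permitted, action, rule_name)


# The two rules from this guide plus an Audit rule for IoT devices (constructed).
POLICY = [
    Rule("allow-slack-all-users", {"all": True}, {"app_label": "slack"}, "Allow", 5),
    Rule("block-social-media-contractors", {"group": "contractors"},
         {"domain_category": "Social Media"}, "Block", 10),
    Rule("audit-iot-egress", {"device_tag": "iot"}, {}, "Audit", 20),
]

CONTRACTOR = dict(user="alice", groups=frozenset({"contractors"}),
                  device_tags=frozenset({"unmanaged"}))
FLOWS = {
    "contractor_to_facebook": Flow(**CONTRACTOR, domain_category="Social Media", app_label="facebook"),
    # Slack deliberately classified as Social Media so both rules can match.
    "contractor_to_slack": Flow(**CONTRACTOR, domain_category="Social Media", app_label="slack"),
    "employee_to_facebook": Flow("bob", frozenset({"us-remote-team"}), frozenset(),
                                 "Social Media", "facebook"),
    "iot_camera_update": Flow("cam-01", frozenset(), frozenset({"iot"}),
                              "Technology", "vendor-updates"),
}


if __name__ == "__main__":
    for mode in ("Observe", "Enforce"):
        entries: List[str] = []
        for name, flow in FLOWS.items():
            print(mode, name, evaluate(POLICY, flow, mode=mode, log=entries))
        print("\n".join(entries))
```

Run it once in Observe and once in Enforce to see the difference the mode makes: the contractor's Facebook flow is permitted in Observe but appears in the log as a would-be Block, which is exactly the entry you are looking for during the 24–48 hour baselining window before switching to Enforce.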