Apply microsegmentation
Isolate workloads and control host-to-host traffic with quantum-safe microsegmentation
Threatmatic's quantum-safe microsegmentation lets you divide your network into isolated segments — controlling which hosts can talk to which, and blocking lateral movement from malware or compromised endpoints.
Unlike traditional VLANs or firewall rules, Threatmatic microsegmentation is identity-aware, policy-driven, and enforced at the endpoint level — meaning it works regardless of where hosts are located.
When to use microsegmentation
- Isolate a compromised or suspected endpoint immediately
- Separate sensitive workloads (e.g. finance, HR) from general traffic
- Enforce host-to-host allow-lists in high-security environments
- Comply with regulations that require network segmentation (PCI-DSS, HIPAA, NIS2)
Steps
Define your segments
Segments are defined by device tags. Plan your segmentation before configuring policies:
| Segment | Tag | Allowed to communicate with |
|---|---|---|
| Production servers | env=prod | env=prod, role=devops |
| Finance workstations | dept=finance | dept=finance, env=prod |
| Contractor devices | role=contractor | Internet only |
| IoT devices | type=iot | env=prod (specific ports only) |
Tag your devices
Apply the relevant tags to all enrolled devices. See Use tags and annotations for how to apply tags in bulk.
Create a default-deny policy
Start with a base policy that blocks all host-to-host traffic:
- Go to Policies → New Policy
- Name it Default Deny - East-West
- Scope: All devices
- Add rule:
  - Match: All traffic
  - Action: Block
  - Priority: 1000 (lowest priority — evaluated last)
- Set mode to Observe initially
- Click Save and Apply
Add allow rules for each segment
For each permitted communication path, add a higher-priority Allow rule:
Example — production servers can communicate with each other:
- Add a new rule to the policy (or a new policy with higher priority)
- Scope: tag: env=prod
- Match destination: tag: env=prod
- Action: Allow
- Priority: 100
Repeat for each permitted path in your segment plan.
Isolate a compromised endpoint
To immediately isolate a device:
- Go to Devices and click the device
- Click Isolate
- The device will be moved to a quarantine segment with no east-west or outbound access (except to the Threatmatic control plane)
Isolation is immediate and takes effect in under 50ms. Confirm you have selected the correct device before proceeding.
Verify segmentation
- Go to Policies → Simulation
- Enter a source device and destination device
- Click Simulate — Threatmatic will show which rules would apply and whether traffic would be allowed or blocked
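The priority-ordered, first-match semantics behind the allow rules and the Simulation view can be checked offline before a policy leaves Observe mode. This is an added example and not Threatmatic's own policy engine: it encodes the segment plan from the table above as rules (lower priority number evaluated first, default deny at 1000) and evaluates a source/destination pair. The isolation tag `state=isolated` and the IoT port 8883 are assumptions, not values from this page.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "Allow" or "Block"
    priority: int                   # lower number = higher priority, evaluated first
    scope: Optional[str] = None     # source tag "key=value"; None = all devices
    dest: Optional[str] = None      # destination tag; None = all traffic
    ports: frozenset = frozenset()  # empty = any port

# Rules transcribed from the segment plan. The two isolation rules and the
# IoT port (8883, MQTT over TLS) are assumptions, not values from the page.
POLICY = [
    Rule("isolate", "Block", 0, scope="state=isolated"),
    Rule("isolate-inbound", "Block", 0, dest="state=isolated"),
    Rule("prod-to-prod", "Allow", 100, scope="env=prod", dest="env=prod"),
    Rule("devops-to-prod", "Allow", 100, scope="role=devops", dest="env=prod"),
    Rule("finance-to-finance", "Allow", 100, scope="dept=finance", dest="dept=finance"),
    Rule("finance-to-prod", "Allow", 100, scope="dept=finance", dest="env=prod"),
    Rule("iot-to-prod-mqtt", "Allow", 100, scope="type=iot", dest="env=prod",
         ports=frozenset({8883})),
    Rule("default-deny-east-west", "Block", 1000),
]

def matches(rule, src_tags, dst_tags, port):
    """A rule applies when its scope, destination and port constraints all hold."""
    if rule.scope and rule.scope not in src_tags:
        return False
    if rule.dest and rule.dest not in dst_tags:
        return False
    if rule.ports and port not in rule.ports:
        return False
    return True

def simulate(src_tags, dst_tags, port, policy=POLICY):
    """First matching rule in priority order decides; returns (action, rule name)."""
    for rule in sorted(policy, key=lambda r: r.priority):
        if matches(rule, src_tags, dst_tags, port):
            return rule.action, rule.name
    return "Block", "no-rule-matched"  # only reached if the default-deny rule is missing

if __name__ == "__main__":
    print(simulate({"env=prod"}, {"env=prod"}, 22))             # Allow via prod-to-prod
    print(simulate({"role=contractor"}, {"env=prod"}, 443))     # Block via default deny
    print(simulate({"type=iot"}, {"env=prod"}, 22))             # Block: port not in IoT allow-list
```

Running each path from your own segment plan through `simulate` is a quick way to catch a missing allow rule, or a rule whose priority number puts it behind the default deny, before switching the policy from Observe to enforce.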
Quantum-safe encryption
All microsegmented traffic between Threatmatic endpoints is encrypted using quantum-safe algorithms, ensuring that segments remain secure against future cryptographic threats.
No additional configuration is required — quantum-safe encryption is on by default.