As the network security landscape matures, a consensus has emerged among CISOs and security architects that preventing lateral movement attacks through microsegmentation is a critical part of their overall cybersecurity strategy.
Controlling east-west traffic to prevent lateral attacks has become increasingly important, especially as hackers now leverage AI-driven automation to multiply the volume of attacks against your perimeter defenses. Once one of those thousands of automated attacks succeeds and gives them an initial foothold, they use lateral movement to degrade operations, steal sensitive data, or encrypt critical systems for ransom.
If we agree that enforcing microsegmentation controls to stop unauthorized lateral traffic is critical to preventing an initial breach from becoming a business crisis, the question becomes: which microsegmentation enforcement approach will work best in your enterprise?
Constellation Research has recently released its new report, the 2026 Constellation ShortList™: Microsegmentation. This document highlights seven leading microsegmentation solutions that they believe should be on the security team’s shortlist for evaluation: Akamai-Guardicore, Cisco, ColorTokens, Elisity, Illumio, Zero Networks, and Zscaler.
Using the Shortlist is a great way to focus your evaluation efforts on the leaders, but it still leaves you with the work of evaluating which of those seven are the best fit for your organization’s specific technical landscape and use cases.
Here’s a way to think about that question that you might find useful. It is based on the two components NIST Special Publication 800-207 and the CISA Zero Trust Maturity Model use to frame zero trust architecture, and microsegmentation within it: policy decision points (PDPs) and policy enforcement points (PEPs).
The microsegmentation vendors listed in the report use different approaches to delivering policy enforcement points, each with strengths and limitations that may make them more or less applicable to your enterprise.
There are, broadly speaking, three categories of policy enforcement points used by the solutions on the Shortlist: agent-based, agentless, and native controls.
Just Talk to My Agent
The first policy enforcement method is agent-based. In this approach, the policy enforcement point is a lightweight software agent installed on every server and endpoint. The agent communicates with the microsegmentation solution’s management plane, typically deployed as Software-as-a-Service, and either configures rules on the native OS firewall or uses proprietary firewall software to enforce lateral movement controls.
ColorTokens, Illumio, Cisco CSW, and Akamai-Guardicore all use agents for policy enforcement. ColorTokens, Illumio, and Cisco CSW use their agents to configure rules on the existing OS firewalls, such as the Windows Filtering Platform, Linux nftables, and the built-in macOS firewall. (Elisity optionally offers an agent but primarily emphasizes its Virtual Edge appliance – see the next section on agentless enforcement.)
Akamai-Guardicore differs in that it installs a heavier, proprietary firewall of its own. Some may see a downside in the proprietary firewall approach, because the Zero Trust architecture described in NIST SP 800-207 encourages the use of standard architecture components and discourages overly proprietary solutions. A proprietary firewall installed on every host also complicates the normal operating system upgrade cycle, since it may need to be patched or reinstalled when the OS is upgraded. The OS firewall APIs used by the agent-with-native-firewall approach are designed for stability and typically do not change across OS upgrades.
The agent-based approach works well because it can enforce very granular microsegmentation, adhering to the principle of enforcing policies closest to the workload. The agent-based method is appropriate for data center servers and user endpoints running Windows, Linux, and macOS.
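As an added illustration of the PDP/PEP split behind the agent-with-native-firewall approach (example code written for this article, not ColorTokens’ or any listed vendor’s implementation): a toy policy decision point compiles label-based allow rules into a default-deny nftables ruleset that an agent on each host could load. The hostnames, labels, addresses, and ports are constructed sample data.

```python
"""Toy policy decision point (PDP) that compiles label-based segmentation
policy into an nftables ruleset a host agent (the PEP) could load with
`nft -f`. Illustrative example, not any vendor's product; data is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed asset inventory: hostname -> (label, IPv4 address)
INVENTORY: Dict[str, Tuple[str, str]] = {
    "web-01": ("web", "10.0.1.10"),
    "web-02": ("web", "10.0.1.11"),
    "app-01": ("app", "10.0.2.10"),
    "db-01": ("db", "10.0.3.10"),
    "jump-01": ("admin", "10.0.9.5"),
}

@dataclass(frozen=True)
class Rule:
    src_label: str  # label of peers allowed to initiate the connection
    dst_label: str  # label of the workload being protected
    proto: str      # "tcp" or "udp"
    port: int

# Constructed allow-list; anything not listed is dropped on every host.
POLICY: List[Rule] = [
    Rule("web", "app", "tcp", 8443),
    Rule("app", "db", "tcp", 5432),
    Rule("admin", "web", "tcp", 22),
    Rule("admin", "app", "tcp", 22),
    Rule("admin", "db", "tcp", 22),
]

def peers_with_label(label: str) -> List[str]:
    # Resolve a label to the sorted IPs of every asset carrying it.
    return sorted(ip for lbl, ip in INVENTORY.values() if lbl == label)

def compile_host_ruleset(hostname: str) -> str:
    """Render the inbound ruleset for one host: default drop, keep
    established flows and loopback, then one accept per applicable rule."""
    my_label, _ = INVENTORY[hostname]
    lines = [
        "table inet microseg {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iifname lo accept",
    ]
    for rule in POLICY:
        peers = peers_with_label(rule.src_label)
        if rule.dst_label != my_label or not peers:
            continue  # rule does not apply here, or the label has no members
        lines.append(f"    ip saddr {{ {', '.join(peers)} }} {rule.proto} "
                     f"dport {rule.port} accept  # {rule.src_label} -> {my_label}")
    return "\n".join(lines + ["  }", "}"])
```

Because each host receives only the rules whose destination label matches its own, the database host never learns that web servers exist, and the web tier accepts nothing east-west except administrative SSH.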
It cannot be used to enforce microsegmentation for Internet-of-Things devices such as security cameras, automated HVAC controls, and medical devices, because they do not run these operating systems. Operational Technology devices, such as Programmable Logic Controllers (PLCs) and Human-Machine Interfaces (HMIs), likewise cannot use this method. Unfortunately, these IoT and OT devices are increasingly used as attack vectors by hackers. Legacy OS devices, such as out-of-support Windows versions, HP-UX, AIX, and mainframes, cannot be segmented using the agent-based approach either, because agents are typically not available for them.
A downside of the agent-based approach is the effort required to install and maintain the agent in the environment. While some organizations find it easy and manageable to deploy a new agent, others have a standard operating procedure that mandates time-consuming testing, certification, and a lengthy change management cycle before deploying any new agent to their endpoints. This can greatly delay the deployment timeline for achieving zero-trust microsegmentation enforcement across the enterprise.
To address this challenge, ColorTokens offers an option unique among microsegmentation solutions: with Xshield, you can use your existing EDR agents as sensors for asset and traffic data, eliminating the need to install a new agent in your environment. Supported EDR systems include CrowdStrike Falcon, SentinelOne Singularity, and Microsoft Defender for Endpoint.
Agents? We Don’t Need No Stinkin’ Agents!
The second policy enforcement approach used by microsegmentation solutions is agentless. It differs from the agent-based approach in that lateral movement controls are enforced not on the host endpoints but on another device along the network communication path. ColorTokens, Elisity, Zero Networks, and Zscaler offer agentless solutions.
ColorTokens offers the agentless Xshield Gatekeeper Appliance, which can be deployed as a virtual machine in the data center or as a standalone hardware device on the shop floor for OT networks. It serves as the default gateway for all device communications, thereby protecting IoT, OT, and legacy devices. The Xshield Gatekeeper can also configure traffic controls in the form of ACLs for Cisco switches and Palo Alto Firewall rules.
Elisity offers its Virtual Edge appliance, which configures access control lists on switches and wireless LAN controllers. The Zero Networks Segment Server configures rules on Windows, Mac, and Linux host firewalls (not on OT or IoT devices). Zscaler, primarily a ZTNA solution, uses its SaaS Zero Trust Exchange as a broker to control traffic between branches or campuses.
The agentless approach eliminates the need to install agents on every endpoint, though it does require installing a smaller number of virtual appliances or gateway servers, which must be sized for scalability.
When in Rome, Do as the Natives Do
The third method of lateral movement policy enforcement is leveraging native environment controls. For cloud and container environments, this is the most flexible and powerful way to enforce policy.
For cloud workloads, ColorTokens leverages native cloud controls such as Azure Network Security Groups (NSGs), AWS Security Groups (SGs), and Google Virtual Private Cloud firewall rules. For serverless compute such as AWS Lambda and Fargate, ColorTokens enforces policies using native identity controls such as Azure Managed Identities and Microsoft Entra ID, AWS IAM, and GCP IAM. Akamai-Guardicore, Illumio, and Cisco also leverage NSGs and SGs.
Elisity, Zscaler and Zero Networks don’t support the native cloud controls of the hyperscalers; they use a version of their agentless appliances to assert lateral movement traffic controls for cloud deployments. Zscaler uses their Zero Trust Exchange server. Zero Networks puts a virtual version of their ZN Segment Server in the cloud, and Elisity uses their Virtual Edge appliance.
For microsegmentation of Kubernetes containers, ColorTokens enforces zero trust controls natively by leveraging the Open Policy Agent (OPA) in service mesh architectures, such as Istio Envoy, Ambient Mesh, and OpenShift, which are already oriented toward a zero trust strategy: they provide encryption, mutual authentication between services, and least privilege access. To these capabilities, ColorTokens seamlessly adds fine-grained zero-trust controls at the API layer (L7).
Akamai-Guardicore, Illumio, and Zero Networks use the Container Network Interface (CNI), which can be effective but does not offer the other zero-trust benefits, such as encryption and mutual authentication, that service meshes provide.
Elisity and Zscaler do not support container microsegmentation natively using the service mesh approach or CNI; Elisity suggests using their Virtual Edge device in a container, and Zscaler uses their Zero Trust Exchange server to segment Kubernetes, Docker, and AWS Elastic Container Service (ECS).
To Thine Own Self Be True
You may have noticed that the ColorTokens Xshield solution uniquely supports all three policy enforcement categories: agent-based, agentless, and native controls. ColorTokens does not advocate for either an agentless or an agent-based approach. We say: “You do you.” Use the method that best fits your use cases, technical landscape, and organizational cultural considerations.
Crucially, all the policy enforcement methods offered by ColorTokens, for IT, OT, IoT, and Cloud, are visualized and controlled in the Xshield Console, in a single policy decision point with a unified user interface. Others have separate tools for native cloud segmentation, the IT environment, and for OT/IoT. That leads to technical complexity, expanded training needs, and the possibility of policy errors.
The reality is that modern enterprises operate across hybrid environments that include managed endpoints, legacy systems, cloud workloads, and operational technology. No single enforcement model can effectively protect all of them.
Organizations that succeed in implementing microsegmentation focus not on choosing between agent-based or agentless approaches, but on selecting solutions that provide flexible enforcement aligned to their operational realities.
This flexibility ensures consistent protection, faster deployment, and, most importantly, the ability to contain attackers before they can disrupt business operations.
ColorTokens Xshield was designed with this flexibility in mind.
For more information on how ColorTokens can help you implement powerful microsegmentation protection that best fits your organization’s technical landscape and use cases, you can schedule a discussion with one of our solution experts.
Note: This blog was compiled from publicly available information on a best-efforts basis.