BSidesPDX-2025

Derron Carstensen

Derron Carstensen is a cybersecurity architect with over 20 years of hands-on experience across network security, cloud security, offensive security, and Zero Trust architecture. His career spans roles in security engineering, penetration testing, and most recently, leading secure access and Zero Trust initiatives for complex enterprise environments. Derron specializes in Secure Access Service Edge (SASE) deployments, ZTNA validation, and building adversary-informed testing frameworks that bridge the gap between marketing promises and real-world security enforcement. He’s passionate about helping both defenders and assessors make evidence-based decisions in the face of growing vendor noise.


Session

10-24
12:00
40min
How Zero Trusty is Your Network Access?
Derron Carstensen

Zero Trust is everywhere: on vendor datasheets, compliance frameworks, and executive roadmaps. But how do you separate real enforcement from marketing noise?

In this talk, I present a practical, adversary-informed evaluation of several leading ZTNA solutions tested across the five core pillars of Zero Trust: Identity, Device, Network, Application, and Data. Using a controlled lab environment, I simulated trusted and untrusted scenarios, configured granular access policies, and executed known attack patterns to test each vendor’s actual enforcement capabilities.

Some solutions successfully blocked unauthorized access, enforced policy based on device posture, and prevented common web exploits and data loss. Others fell short: failing to detect endpoint misconfigurations, allowing service cloaking to be bypassed, or letting malware and sensitive data flow freely. In multiple cases, achieving basic Zero Trust behavior required purchasing additional modules outside the core ZTNA platform.

This session delivers clear results, testing methodology, and takeaways any security team can apply when evaluating ZTNA vendors. If you're tired of buzzwords and want to see how “Zero Trust” actually performs under pressure, this talk is for you.
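The abstract describes a lab matrix of trusted and untrusted scenarios across the five pillars, plus the failure modes that matter (posture not enforced, a "cloaked" app that still answers, data leaving freely). The script below is an added, vendor-neutral example of how an assessor can record such a matrix and score it; it is not the speaker's harness and assumes no vendor API. A probe is any callable that returns an `Observation`; the `socket_probe` function is what you would point at a lab target, while `DEMO_MATRIX` uses constructed observations so the script runs offline. One check a practitioner wants is built in: an unenrolled source that receives any TCP answer (even a 403) fails the Network pillar, because "denied" is not "dark".

```python
"""Vendor-neutral ZTNA enforcement test matrix (added example, not the talk's own code)."""
import socket
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Observation:
    tcp_reachable: bool              # target completed the TCP handshake at all
    http_status: Optional[int]       # status code if an HTTP exchange completed
    payload_delivered: bool = False  # test artefact (EICAR, synthetic PII) crossed the boundary


@dataclass(frozen=True)
class TestCase:
    pillar: str      # Identity, Device, Network, Application or Data
    scenario: str
    expected: Verdict
    enrolled: bool   # source host runs the ZTNA client with a valid identity
    observed: Observation


@dataclass(frozen=True)
class Finding:
    pillar: str
    scenario: str
    expected: Verdict
    actual: Verdict
    passed: bool
    note: str = ""


def classify(obs: Observation) -> Verdict:
    """Map what the probe saw to what the product effectively decided."""
    if obs.payload_delivered:
        return Verdict.ALLOW
    if obs.http_status is not None and 200 <= obs.http_status < 400:
        return Verdict.ALLOW
    return Verdict.DENY


def evaluate(case: TestCase) -> Finding:
    actual = classify(case.observed)
    passed = actual == case.expected
    note = ""
    # Service cloaking: an unenrolled source must get no answer at all.
    # A 401/403 from the gateway means the app is denied, not hidden.
    if not case.enrolled and case.observed.tcp_reachable:
        passed = False
        note = "target answered an unenrolled source: not cloaked"
    return Finding(case.pillar, case.scenario, case.expected, actual, passed, note)


def scorecard(cases: List[TestCase]) -> Dict[str, Tuple[int, int]]:
    """Per-pillar result as {pillar: (passed, total)}."""
    out: Dict[str, Tuple[int, int]] = {}
    for case in cases:
        f = evaluate(case)
        p, t = out.get(f.pillar, (0, 0))
        out[f.pillar] = (p + int(f.passed), t + 1)
    return out


def socket_probe(host: str, port: int, path: str = "/", timeout: float = 3.0) -> Observation:
    """Plain-socket probe for a lab target (hypothetical host/port; not used offline)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            first_line = s.recv(64).decode(errors="replace").split("\r\n", 1)[0]
    except OSError:  # refused, filtered or timed out: the app is dark to us
        return Observation(tcp_reachable=False, http_status=None)
    parts = first_line.split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return Observation(tcp_reachable=True, http_status=status)


# Constructed observations for one hypothetical product; they are not measured results.
DEMO_MATRIX = [
    TestCase("Identity", "valid user, compliant device, app in policy", Verdict.ALLOW, True,
             Observation(True, 200)),
    TestCase("Identity", "valid user, app not in policy", Verdict.DENY, True,
             Observation(True, 403)),
    TestCase("Device", "valid user, disk encryption disabled", Verdict.DENY, True,
             Observation(True, 200)),                       # posture ignored
    TestCase("Network", "unenrolled host probes the published app", Verdict.DENY, False,
             Observation(True, 403)),                       # denied but answered
    TestCase("Application", "enrolled user sends a known web attack pattern", Verdict.DENY, True,
             Observation(True, 403)),
    TestCase("Data", "enrolled user uploads a synthetic SSN to an external site", Verdict.DENY, True,
             Observation(True, 200, payload_delivered=True)),  # DLP absent
]

if __name__ == "__main__":
    for pillar, (passed, total) in scorecard(DEMO_MATRIX).items():
        print(f"{pillar:<12} {passed}/{total}")
    for case in DEMO_MATRIX:
        f = evaluate(case)
        if not f.passed:
            print(f"FAIL [{f.pillar}] {f.scenario}: expected {f.expected.value}, "
                  f"got {f.actual.value} {f.note}")
```

Each matrix row is a claim the vendor made (pillar, scenario, expected verdict) paired with what the lab actually observed, so the output is evidence rather than a datasheet reading. Swap `DEMO_MATRIX` for rows whose `observed` field comes from `socket_probe` (or from the client-side equivalent on enrolled hosts) to score a real product.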

Talk 1