2025-10-24, Talk 1
Zero Trust is everywhere: on vendor datasheets, compliance frameworks, and executive roadmaps. But how do you separate real enforcement from marketing noise?
In this talk, I present a practical, adversary-informed evaluation of several leading ZTNA solutions tested across the five core pillars of Zero Trust: Identity, Device, Network, Application, and Data. Using a controlled lab environment, I simulated trusted and untrusted scenarios, configured granular access policies, and executed known attack patterns to test each vendor’s actual enforcement capabilities.
Some solutions successfully blocked unauthorized access, enforced policy based on device posture, and prevented common web exploits and data loss. Others fell short: failing to detect endpoint misconfigurations, allowing service cloaking to be bypassed, or letting malware and sensitive data flow freely. In multiple cases, achieving basic Zero Trust behavior required purchasing additional modules outside the core ZTNA platform.
This session delivers clear results, testing methodology, and takeaways any security team can apply when evaluating ZTNA vendors. If you're tired of buzzwords and want to see how “Zero Trust” actually performs under pressure, this talk is for you.
This presentation is designed for security architects, blue teamers, and red teamers alike—anyone involved in selecting, testing, or bypassing Zero Trust Network Access (ZTNA) solutions. It provides value to defenders who want to validate vendor claims under real-world conditions, and to offensive security professionals interested in understanding how ZTNA solutions can be fingerprinted, evaded, or misconfigured in ways that expose internal assets.
A foundational understanding of Zero Trust architecture is helpful, as is familiarity with common security controls like MFA, endpoint posture checks, and DLP. Attendees with experience in adversary simulation, web exploitation (e.g., OWASP Top 10), and network enumeration (e.g., Nmap) will find deeper value in the testing methodology presented. However, the session is structured to benefit both technically savvy practitioners and strategic stakeholders looking to cut through the noise and assess ZTNA solutions based on evidence—not just promises.
Derron Carstensen is a cybersecurity architect with over 20 years of hands-on experience across network security, cloud security, offensive security, and Zero Trust architecture. His career spans roles in security engineering, penetration testing, and most recently, leading secure access and Zero Trust initiatives for complex enterprise environments. Derron specializes in Secure Access Service Edge (SASE) deployments, ZTNA validation, and building adversary-informed testing frameworks that bridge the gap between marketing promises and real-world security enforcement. He’s passionate about helping both defenders and assessors make evidence-based decisions in the face of growing vendor noise.