Competitive Landscape: Network Security Microsegmentation

How Akamai Competes

• Artificial intelligence: The Guardicore Segmentation platform includes an AI chatbot that lets users query their environment for vulnerability remediation and streamlines security policy workflows. The GenAI-driven engine, introduced in 2026, automatically generates microsegmentation policies with enforcement readiness scoring and policy suggestions. AI capabilities identify and name applications and assets for clearer visibility and easier policy creation.
• Cloud: Akamai offers agentless microsegmentation in the cloud, deploying a lightweight application within customer environments to orchestrate native security groups and unify policy management across different cloud providers. Akamai also supports microsegmentation for containerized environments by integrating with major Kubernetes platforms like Calico, EKS (Amazon), and AKS (Azure). It uses the native Kubernetes container network interface (CNI) for policy enforcement to minimize latency and streamline workflows.
• Campus/branch: Akamai leverages its ZTNA offering to provide identity-based application access and endpoint segmentation, featuring automated application discovery, privileged access restriction, and unified policy management for distributed workforces.
• CPS: Akamai enforces agentless microsegmentation for cyber-physical systems, by integrating with third-party network switches and using PacketFence and its proprietary Fingerbank technology. Ingesting third-party metadata enriches asset visualization and enables policy enforcement using logical labels, such as identity or risk score, instead of IP addresses.
• Other capabilities: Akamai’s integration of application-layer visibility from its API security offering into Guardicore Segmentation enables organizations to see which assets are communicating over APIs and what types of sensitive data are being transmitted, such as PII or SSNs. Akamai Hunt is a managed service designed to support organizations with limited resources, providing services such as threat hunting and exposure management. A recent addition is shadow AI detection, which alerts to the use of unauthorized AI applications. Akamai’s partnerships with AMD and NVIDIA integrate microsegmentation into network switches using programmable DPUs — Pensando’s and NVIDIA BlueField — enabling agentless policy enforcement at the network edge, ideal for high-throughput data centers and low-latency environments.

How Broadcom Competes

• Artificial intelligence: Intelligent Assist works alongside the DFW, providing plain-language explanations of detected threats, recommending optimized DFW policies, and guiding remediation actions — helping security teams respond to attacks and strengthen microsegmentation defenses. Nevertheless, existing documentation does not cover scenarios involving LLM deployment at customer sites.
• Cloud: Broadcom integrates microsegmentation directly with VMware Cloud Foundation, its overarching software virtualization platform, streamlining consistent deployment of granular security controls across data center and cloud environments. DFW provides differentiation through advanced threat detection and prevention capabilities that are delivered inside the hypervisor, especially for VMs or containers that are deployed on the vSphere hypervisor. DFW offers agentless and agent-based options with the VMware software stack, whether deployed in the cloud or in private data centers. However, for environments that do not run on VMware infrastructure, serverless microsegmentation is not supported.
• Campus/branch: While DFW can apply policies to VMs by corporate location, the product does not support microsegmentation for employee devices.
• CPS: DFW does not provide microsegmentation for CPS assets. It can offer network-based segmentation for traffic to and from these devices, but microsegmentation at the endpoint level is not supported.
• Other capabilities: DFW provides strong performance and scalability, including support of up to 200,000 firewall rules, up to 20 Gbps per host in DFW throughput, and up to 9 Gbps per host in IDPS throughput. Additionally, it includes NDR capabilities, and malware prevention has been extended to cover file-less attacks.

How Cisco Competes

• Artificial intelligence: Cisco’s products offer a range of AI-driven capabilities. Both CSW and Hypershield utilize AI for policy automation, providing recommendations that simplify security management and ensure consistent policy enforcement across diverse environments. Hypershield further harnesses AI to analyze public CVE data, automatically generating extended Berkeley Packet Filter (eBPF) programs that are deployed at the kernel level to mitigate vulnerabilities and prevent exploitation.
• Cloud: Both CSW and Hypershield support security enforcement through agent-based and agentless approaches, enabling protection in private clouds as well as in VMs and Kubernetes clusters in public clouds. With Hypershield, enforcers connect to Cisco’s SaaS cloud management system, which simplifies deployment and firewall setup. For agent-based enforcement, Hypershield uses the Tesseract Security Agent, a kernel-level security enforcer that provides deep visibility inside workloads, leveraging eBPF technology.
• Campus/branch: Cisco delivers microsegmentation for employee devices with ISE and SDA. ISE centrally manages policies by grouping endpoints based on user identity, device type, and location. SDA extends these capabilities in campus environments, utilizing VXLAN-GPO encapsulation and leveraging fabric control planes (LISP or BGP-EVPN) for scalable, unified policy enforcement and endpoint mobility. With advanced analytics and integration with broader Cisco security products (such as SD-WAN, SASE, and firewalls), SDA provides proactive monitoring and policy extension.
• CPS: Through integration with CSW, ISE enables precise control over workload communications with CPS assets. ISE also integrates with Cyber Vision, Cisco’s CPS cybersecurity platform, providing real-time asset visibility and automated identity-based microsegmentation.
• Other capabilities: Hypershield supports a “shadow” data plane, where any policy change or segmentation enhancement can be automatically tested. The ability to simulate what a policy would look like if activated enables organizations to test the impact of policies before enforcing them live, making segmentation more adaptive and resilient.

How ColorTokens Competes

• Artificial intelligence: Xshield’s AI leverages real-time telemetry, asset data, and daily updated MITRE and CISA threat intelligence to enhance policy updates. Administrators can query a private-instance LLM for insights, with options for SaaS-based or private/on-premises LLMs. AI-driven recommendations streamline policy configuration, while the platform suggests templates to mitigate specific attack techniques and procedures, and maps threat intelligence to assets. AI assistance is integrated into a single console for all asset types, including servers, workstations, cloud, containers, IoT, and CPS.
• Cloud: ColorTokens’ Xshield works alongside Azure NSGs and AWS SGs to deliver agent-based microsegmentation with adaptive security policies that respond to changes in workloads, roles, and networks. The platform provides near-real-time visibility using notifications, flow logs, and advanced tracing. Unified coverage for cloud, containers, and Kubernetes lets administrators visualize all assets in a single console, and test policy changes with simulations.

• Campus/branch: ColorTokens secures employee devices by tagging and segmenting them based on location and environment, enabling policy enforcement and mapping of interactions. High-risk ports are prioritized, and policies can be simulated. However, the platform currently lacks integration with third-party NAC products, which limits its ability to leverage NAC features such as device onboarding, real-time posture checks, and automated network access restrictions.

• CPS: ColorTokens provides microsegmentation through two methods: (1) its Gatekeeper appliance, which acts as a controller for CPS and legacy devices that cannot support an agent, and (2) integration with network firewalls and switch access control lists (ACLs) to enforce segmentation policies, for environments where deploying agents or additional devices is operationally impractical. ColorTokens also integrates with Nozomi Networks, leveraging Nozomi’s CPS threat monitoring. Integrations with Armis and Claroty are also supported.
• Other capabilities: Organizations with CrowdStrike, SentinelOne and Microsoft Defender agents for server and user workstations can deploy ColorTokens without the need to install Xshield agents, providing investment protection and reducing operational overhead.

How Elisity Competes

• Artificial intelligence: Elisity’s platform analyzes a data lake of customer assets, using AI to enhance device identification and categorization while leveraging private LLMs to enable unified policy enforcement across switches, firewalls, and cloud or SASE environments. The AI-driven insights are integrated with Elisity’s IdentityGraph, a scalable graph database that aggregates metadata from networks, devices, workloads, users, and behavioral data. Guided workflows assist administrators in navigating complex environments. AI recommendations are staged for human review and, once approved, activated into enforcement. Elisity allows administrators to simulate policy changes, enabling them to review the impact of recommended policies on existing network traffic before enforcement.
• Cloud: Elisity enables north-south segmentation to resources in the public cloud, but does not provide east-west microsegmentation, including within Kubernetes containers.
• Campus/branch: Elisity provides visibility and least-privilege policy for managed and unmanaged devices, users, and workloads. The IdentityGraph discovers, consolidates, and enriches identity data from multiple sources, such as Active Directory, CrowdStrike, ServiceNow, and Armis, to create a unified and accurate profile for each device. For remote workers, Elisity leverages pilot/POC-level third-party ZTNA integrations, as its agentless approach does not natively extend microsegmentation to remote endpoints.
• CPS: Elisity excels in environments with a high density of CPS assets. The platform enables granular segmentation and control based on device type, user role, or function. Onboarding is simplified by eliminating the need for network reconfiguration, such as VLAN changes or IP address management. Elisity Virtual Edge, a lightweight and containerized application, can be deployed as a virtual machine or within compatible switching infrastructure. Onboarding is further streamlined through zero-touch provisioning, requiring only basic network information and a one-time token, after which the application auto-configures. The platform also supports mapping devices into zones and conduits in alignment with CPS segmentation standards like IEC 62443, enabling granular and context-aware policy enforcement for critical industrial assets.
• Other capabilities: For sites that might be compromised by ransomware and that need to be isolated, Elisity supports the activation of a set of policies, defined in the event of that scenario, to stop lateral movements.

How Illumio Competes

• Artificial intelligence: The Insights dashboard provides differentiation by its granular visibility and control. Leveraging AI, the system identifies unexpected communication paths and connectivity among workloads, while also assessing confidence levels and highlighting areas of uncertainty. It offers detailed dashboards breaking down risky protocols, destination roles, cross-regional and country-level traffic flows, communications with unsanctioned LLM services, and compliance metrics. Additionally, workflows can be automated through SIEM and SOAR integrations.
• Cloud: Illumio enables microsegmentation policies for workloads running across multiple public clouds using a centralized policy model. AWS, Azure, OCI, and GCP environments are supported, with Terraform integration to streamline large-scale deployments. For containers and Kubernetes, Illumio offers an agentless solution that provides visibility and topology mapping for containerized workloads. The integration of Azure Firewall as an enforcement point further strengthens security in Azure by providing unified rule management and enhanced visibility. This allows organizations to manage Illumio and Azure native firewall rules together, simplifying ongoing operations.
• Campus/branch: Illumio delivers endpoint visibility and enforces security policies directly on devices, whether users are at home or in the office. Policies can leverage Active Directory groups and device identities to control access, and integration with third-party ZTNA products enables consistent policy enforcement across network access and microsegmentation.
• CPS: Illumio integrates with Armis to leverage device identification, bringing CPS asset visibility into Illumio’s platform and enhancing threat containment and device intelligence.
• Other capabilities: Illumio’s integration with NVIDIA BlueField DPUs delivers breach containment and policy enforcement at the hardware level, offloading segmentation to the DPU for efficient, high-performance security. Integrations with Qualys, Rapid7, and FireMon provide vulnerability insights, risk prioritization, and unified policy compliance reporting.

How Zero Networks Competes

• Artificial intelligence: Zero Networks’ deterministic enforcement engine forms the foundation of the platform, while AI is strategically used in supporting roles to enhance usability and knowledge sharing. This approach seeks to enhance customer experience and operational efficiency, while critical security functions stay rooted in factual data. AI enables natural language queries, helping internal support teams improve customer service and streamline onboarding and support processes. The breach readiness report, assisted by AI, provides customers with actionable insights into security gaps before deployment, serving as both a sales enabler and a practical tool for risk assessment.
• Cloud: Zero Networks employs a segmentation server that integrates with asset repositories like Azure AD and various SaaS/cloud platforms, automatically discovering and profiling assets via lightweight API calls. For Kubernetes, its access matrix provides granular visibility with visual indicators for connection status, enabling policy enforcement even for teams without deep Kubernetes expertise. These capabilities are natively integrated with Kubernetes constructs such as CNI, allowing for automated policy management without the need for external tools.
• Campus/branch: Zero Networks’ automation engine observes user and device behavior during a learning phase, and maps legitimate access patterns. Based on this information, it automatically generates granular firewall rules that restrict assets to only designated resources, accelerating and simplifying microsegmentation. Access to critical ports can be controlled with MFA, triggered when privileged access is requested, through integration with identity providers.
• CPS: Zero Networks captures network-level information of CPS assets through integration with network switches, also leveraging its automation engine for policy creation and applying MFA.
• Other capabilities: Zero Networks promotes its “low-touch” platform as an alternative to managed microsegmentation services, emphasizing decreased maintenance and staffing needs.

How Zscaler Competes

• Artificial intelligence: While Zscaler’s microsegmentation solution is primarily centered on analytics and fingerprinting techniques, it now includes an AI engine, which provides policy recommendations.
• Cloud: Zero Trust Cloud supports microsegmentation in AWS, Azure, and GCP environments, enforcing least-privileged access policies based on application identity, context, and user posture. Host-based agents are deployed on workloads, including Kubernetes containers (Amazon EKS). The platform uses ML to automate resource grouping and policy recommendations.
• Campus/branch: While Zscaler provides the ability to group and segregate user devices, its Zero Trust Device Segmentation offering predominantly targets CPS assets. For employee devices, Zscaler positions its Zscaler Private Access (ZPA) offering for microsegmentation, which provides fine-grained access to individual assets and applications, and workload isolation. However, ZPA is a ZTNA product, requiring an agent and subscription per user.
• CPS: Zscaler supports granular device fingerprinting and policy enforcement, leveraging both proprietary and commercial databases to accurately identify and manage CPS assets, though it does not cover all levels of the Purdue model. Zscaler facilitates the management of static IP address schemes common in CPS environments by providing customers with automation scripts (e.g., Active Directory Group Policy Objects [AD GPOs], Python, and PowerShell). The change in netmask of /32 does not require reboot, nor does it drop active sessions. Zscaler’s /32 subnet approach places each device on its own isolated network, reducing attack surfaces, supporting thousands of endpoints per cluster, and enabling high-availability redundancy.
• Other capabilities: By combining network-based microsegmentation and existing ZTNA capabilities, Zscaler can replace the need for some security appliances, such as firewalls and NAC, with its zero-trust SD-WAN, primarily in branch locations. Another value proposition is the ability to remove costly switches, because Zero Trust Device Segmentation eliminates the need for inter-VLAN routing.