How far can an attacker get in your network? Calculate your blast radius and see how microsegmentation changes the equation.
Same environment. Same attacker. Same initial compromise. Watch the difference.
The score estimates what percentage of your environment an attacker could compromise from a single initial foothold. It combines the following risk factors:
Network architecture is the single biggest factor: it determines how freely an attacker can move laterally after the initial compromise.
| Architecture | Multiplier | Rationale |
|---|---|---|
| Flat Network | 1.0 (full risk) | No barriers. One compromised workload can reach all others directly. This is the default state of most networks. |
| Basic Zones (DMZ + internal) | 0.7 | Perimeter exists, but internal network is flat. Attacker who bypasses the DMZ has free lateral movement internally. |
| VLANs per Department | 0.5 | Some internal segmentation, but VLANs are typically coarse-grained. Inter-VLAN routing often permits more traffic than intended. |
| Microsegmented | 0.15 | Workload-level enforcement. Each workload can only communicate with explicitly allowed peers on specific ports. Lateral movement requires chaining multiple exploits across segment boundaries. |
In this model, endpoints (laptops, desktops) are treated as throwaway devices: they're replaceable, they hold little persistent data, and a compromised endpoint is a nuisance rather than a catastrophe. Reimage and move on. The caveat is that the endpoint is usually where the intrusion starts, and the cached credentials, tokens and VPN sessions on it are what carry the attacker to the servers, so "throwaway" describes its value as a target, not its value as a foothold.
Servers are where the blast radius actually matters. A database server, domain controller, file server, or cloud workload holds data, maintains persistent connections to other services, and often has elevated privileges. A compromised server connects to 8-15 other services. A compromised laptop connects to maybe 3-4. The attacker wants your servers, not your endpoints.
This is why data center and cloud-native environments have inherently higher blast radius - almost every workload is a well-connected server with lateral movement paths to other critical systems. An environment that's 80% endpoints and 20% servers has a structurally lower blast radius because most compromised nodes are dead ends.
How remote users connect to the network dramatically affects blast radius from compromised remote devices or stolen credentials.
| Model | Factor | Rationale |
|---|---|---|
| Traditional VPN | 1.25× | VPN typically grants the remote device full network-level access to the internal network. A compromised laptop with VPN credentials becomes an internal foothold with broad lateral movement capability. This is how many ransomware attacks start. |
| ZTNA | 0.9× | Zero Trust Network Access grants per-application access only. A compromised device can reach the specific apps it's authorized for, not the entire network. Lateral movement from the remote entry point is structurally limited. |
| No remote access | 1.0× | Baseline. No additional attack surface from remote connectivity, but also no modern work flexibility. |
Every open port on a server is a potential lateral movement path. An attacker who compromises a workload scans for reachable services - each open port is a doorway. "Any-any" firewall rules between servers make your network flat regardless of what the architecture diagram says.
Real-world example: most "segmented" environments still allow SSH (22), RDP (3389), WinRM (5985/5986), and SMB (445) between servers. Those four services alone enable Pass-the-Hash, remote code execution, and file-based lateral movement. Microsegmentation enforces process-level allow-lists, reducing open paths from dozens to exactly what each workload needs.
Credential-based lateral movement, and the credential theft that feeds it (Pass-the-Hash, Kerberoasting, Golden Ticket, DCSync), is faster than exploiting services. AD topology determines how far stolen credentials can travel.
| Topology | Factor | Attack Implication |
|---|---|---|
| Single domain, tiered admin model | 0.6× | Tier 0/1/2 separation means a compromised Tier-2 helpdesk account can't touch domain controllers. Kerberoasting yields service accounts but they're scoped to their tier. |
| Single domain, shared admin accounts | 0.8× | "Domain Admin" used for everything. One compromised admin credential = game over. Pass-the-Hash from any server to DC is one hop. |
| Multi-domain with forest trusts | 1.0× | Forest trusts enable cross-domain Kerberos authentication. SID History injection (blocked only where SID filtering is enforced on the trust) and trust-ticket forging with a stolen trust key let a compromise in Domain A pivot to Domain B. |
| Forest trusts + legacy NTLM | 1.2× | Worst case. Wherever NTLM is still accepted, relay attacks and Pass-the-Hash work, including across trust boundaries, and Kerberos-only protections don't apply. NotPetya's worm component spread this way: credentials harvested from memory were replayed over SMB with PsExec and WMI, alongside the EternalBlue SMBv1 exploit. |
Detection speed directly affects blast radius. If you can't see lateral movement happening, the attacker has unlimited time to spread.
| Visibility Level | Factor | What You Can See |
|---|---|---|
| None | 1.0× | Complete blind spot. You see north-south (internet) traffic but nothing between workloads, and lateral movement is east-west. You're flying blind. |
| NetFlow / IPFIX (L3-L4) | 0.85× | You see IP-to-IP connections and port numbers. You know server A talked to server B on port 445. You don't know if that was legitimate file sharing or PsExec lateral movement. |
| Full L7 visibility | 0.7× | Process-level visibility. You know that svchost.exe on server A initiated an SMB connection to server B, which spawned cmd.exe. Now you can distinguish normal from malicious. Application dependency maps show what should communicate. |
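To make the difference between the L3-L4 and L7 rows concrete, here is an added Python example (not part of the original page or any vendor's product) that runs the same three SMB sessions through a flow-only check and a process-aware check. The record schemas, the dependency map and the telemetry are all constructed for the example; `flow_verdict` and `event_verdict` are illustrative names.

```python
from dataclasses import dataclass

# Constructed telemetry, not captured data: three SMB sessions from srv-a.
# Two look identical at L3-L4; only process-level telemetry separates them.


@dataclass(frozen=True)
class Flow:
    """What NetFlow/IPFIX exports: endpoints, port, volume."""
    src: str
    dst: str
    dport: int
    byte_count: int


@dataclass(frozen=True)
class L7Event:
    """What process-level telemetry adds (assumed schema): the initiating
    process and any processes the connection caused on the destination."""
    src: str
    src_process: str
    dst: str
    dport: int
    spawned_on_dst: tuple


LATERAL_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}

# Constructed application dependency map: (src, dst, port) tuples expected
# to talk. srv-a is allowed to reach srv-b's file share; nothing reaches dc-1.
DEPENDENCY_MAP = {("web-1", "db-1", 5432), ("srv-a", "srv-b", 445)}


def flow_verdict(flow, dep_map=DEPENDENCY_MAP):
    """Best a NetFlow-only SOC can do: compare the tuple against the map."""
    if (flow.src, flow.dst, flow.dport) in dep_map:
        return "expected"
    if flow.dport in LATERAL_PORTS:
        return "unexpected " + LATERAL_PORTS[flow.dport]
    return "unexpected"


def event_verdict(event, dep_map=DEPENDENCY_MAP):
    """With L7 context an allowed SMB session still alerts if it spawned a shell."""
    if event.dport in LATERAL_PORTS and SHELLS & set(event.spawned_on_dst):
        return "lateral movement via " + LATERAL_PORTS[event.dport]
    if (event.src, event.dst, event.dport) in dep_map:
        return "expected"
    return "unexpected"


FLOWS = [
    Flow("srv-a", "srv-b", 445, 120_000),  # admin copying a file
    Flow("srv-a", "srv-b", 445, 98_000),   # PsExec: same tuple, same port
    Flow("srv-a", "dc-1", 445, 4_000),     # pair not in the dependency map
]
EVENTS = [
    L7Event("srv-a", "explorer.exe", "srv-b", 445, ()),
    L7Event("srv-a", "powershell.exe", "srv-b", 445, ("PSEXESVC.exe", "cmd.exe")),
    L7Event("srv-a", "powershell.exe", "dc-1", 445, ("PSEXESVC.exe", "cmd.exe")),
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(f"L4  {flow.src}->{flow.dst}:{flow.dport}  {flow_verdict(flow)}")
    for event in EVENTS:
        print(f"L7  {event.src}->{event.dst}:{event.dport}  {event_verdict(event)}")
```

The two srv-a to srv-b sessions are identical as flow records and both match the dependency map, so the flow-only check passes them both; only the process-level event shows that the second one spawned PSEXESVC.exe and cmd.exe on the destination. The flow-only check still catches the session to dc-1, which is the value a dependency map adds even at L4: it turns "unexpected pair" into an alert, but it cannot tell an admin from an attacker on an expected pair.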
Deployment model: where your workloads run determines how many separate policy control planes have to agree.
| Model | Factor | Rationale |
|---|---|---|
| On-premises only | 0.9× | Single control plane. Consistent policy enforcement possible. Security team has full visibility. |
| Hybrid (on-prem + cloud) | 1.0× | Two environments with different security models. VPC security groups don't sync with on-prem firewalls. Policy gaps at the boundary. |
| Multi-cloud (2+ providers) | 1.1× | AWS security groups, Azure NSGs, GCP firewall rules - three different policy languages, three different enforcement models. Inconsistencies are inevitable. |
| Multi-cloud + OT/IoT | 1.2× | IT/OT convergence adds networks that can't run agents, can't be patched regularly, and often have flat internal architectures. Purdue model boundaries are frequently violated. |
Larger environments have more potential lateral movement paths. We use a logarithmic scale because blast radius doesn't grow linearly - a 10,000-workload network isn't 100x worse than a 100-workload one, but it is significantly worse.
The scaling term is 6 × log10(workload count), which gives: Small (50) = +10.2, Medium (500) = +16.2, Large (5000) = +22.2, Enterprise (25000) = +26.4
More critical applications means more high-value targets reachable via lateral movement. Each critical app (databases, domain controllers, financial systems, patient records) represents an attacker objective.
Time between vulnerability disclosure and patch deployment. During this window, known exploits exist but your systems remain unpatched. Based on real-world data:
| Patch Time | Factor | Context |
|---|---|---|
| Under 24 hours | 0.1 | Exceptional. Only achievable for the most critical systems with automated deployment. |
| About 1 week | 0.3 | Fast. Realistic for cloud-native environments with good CI/CD. |
| About 2 weeks | 0.5 | Typical for well-resourced enterprises with testing requirements. |
| About 1 month | 0.8 | Common in regulated industries with change control boards. |
| 3+ months | 1.0 | Legacy environments, OT systems, or organizations without dedicated patch management. |
Context: Rapid7's 2026 Global Threat Landscape Report shows median time from disclosure to CISA KEV inclusion dropped to 5 days. Oracle EBS and React2Shell were weaponized within hours.
Regulated industries face higher breach costs due to compliance penalties, data sensitivity, and operational impact.
| Industry | Multiplier | Rationale |
|---|---|---|
| Healthcare | 1.3× | HIPAA penalties, patient safety risk, highest per-record breach cost ($10.93M avg per IBM 2024) |
| Financial Services | 1.2× | PCI DSS, financial fraud exposure, regulatory scrutiny |
| Government | 1.2× | National security implications, FISMA/FedRAMP requirements, public trust |
| Manufacturing / OT | 1.15× | OT/IT convergence risk, production downtime, safety-critical systems |
| Retail | 1.1× | PCI DSS, customer PII, brand reputation |
| Technology / Other | 1.0× | Baseline risk level |
Based on IBM's Cost of a Data Breach Report 2025 (global average: $4.88M per breach).
The logarithmic workload scaling accounts for the non-linear relationship between environment size and breach cost. A breach affecting 50% of a 10,000-workload environment costs significantly more than 50% of a 100-workload one, but not 100x more.
Source: IBM Security, "Cost of a Data Breach Report 2025"
Models lateral movement speed based on the CrowdStrike 2026 Global Threat Report finding of 27-second average breakout time (time from initial access to lateral movement to adjacent systems).
We use square root of workload count because network topology means not every node is one hop from every other - the attacker must traverse a path. Architecture multiplier reduces available hops (microsegmentation eliminates most paths).
Source: CrowdStrike, "2026 Global Threat Report" - presented at RSAC 2026
The comparison applies the microsegmentation multiplier (0.15) to your current score, simulating the effect of workload-level segmentation on your environment.
The 85% risk reduction is consistent with research showing microsegmentation reduces lateral movement paths by 80-95%, depending on policy granularity and enforcement coverage.
The attack spread visualization generates a random network topology based on your inputs and simulates lateral movement using a breadth-first infection model.
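As an added example (not the page's own simulation code), here is a minimal version of that breadth-first infection model in Python. It assumes three things the page leaves open: each workload gets a random set of peers drawn with the page's out-degree ranges (8-15 for servers, 3-4 for endpoints), the architecture multiplier is read as the probability that a flat-network edge survives under that architecture, and the foothold is a uniformly random workload. `build_topology`, `infect` and `blast_radius` are illustrative names.

```python
import random
from collections import deque

# Architecture multipliers from the page's table. Assumption for this
# simulation: the multiplier is the probability that a lateral-movement
# edge present in a flat network still exists under that architecture.
ARCH_MULTIPLIER = {
    "flat": 1.0,
    "basic_zones": 0.7,
    "vlans": 0.5,
    "microsegmented": 0.15,
}

# Out-degree ranges from the page: servers talk to 8-15 services, endpoints to 3-4.
PEERS = {"server": (8, 15), "endpoint": (3, 4)}


def build_topology(n_workloads, server_share, arch, rng):
    """Random directed graph: node -> set of peers it can initiate to."""
    kinds = ["server" if rng.random() < server_share else "endpoint"
             for _ in range(n_workloads)]
    keep = ARCH_MULTIPLIER[arch]
    adj = {}
    for node, kind in enumerate(kinds):
        lo, hi = PEERS[kind]
        degree = min(rng.randint(lo, hi), n_workloads - 1)
        candidates = [p for p in range(n_workloads) if p != node]
        # Draw the flat-network peers, then keep each edge with probability `keep`.
        adj[node] = {p for p in rng.sample(candidates, degree) if rng.random() < keep}
    return kinds, adj


def infect(adj, foothold):
    """Breadth-first infection: everything reachable from the foothold falls."""
    compromised = {foothold}
    queue = deque([foothold])
    while queue:
        current = queue.popleft()
        for peer in adj[current]:
            if peer not in compromised:
                compromised.add(peer)
                queue.append(peer)
    return compromised


def blast_radius(n_workloads, server_share, arch, trials=40, seed=1):
    """Mean fraction of workloads compromised from one random foothold."""
    rng = random.Random(seed)
    reached = 0.0
    for _ in range(trials):
        _, adj = build_topology(n_workloads, server_share, arch, rng)
        reached += len(infect(adj, rng.randrange(n_workloads))) / n_workloads
    return reached / trials


if __name__ == "__main__":
    for label, share in (("data center (100% servers)", 1.0), ("office (20% servers)", 0.2)):
        print(label)
        for arch in ARCH_MULTIPLIER:
            print(f"  {arch:15s} {100 * blast_radius(300, share, arch):5.1f}% of workloads")
```

Run as a script it prints the mean fraction of workloads reached under each architecture for a server-heavy and an endpoint-heavy environment. The microsegmented figures land well below the flat ones, and the data-center case stays far above the office case even when microsegmented, which is the structural point made above about well-connected servers. Because the edges are random rather than following real application dependencies, treat the numbers as directional, like the calculator itself.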
This is an estimation tool, not a penetration test. Real-world blast radius depends on specific network topology, firewall rules, application dependencies, credential hygiene, detection capabilities, and attacker sophistication. The model simplifies these into architecture categories to provide directional guidance. For precise blast radius analysis, use application dependency mapping tools like Illumio's real-time application dependency map.