The microsegment.io ATT&CK Navigator layer for Network Segmentation is now refreshed to MITRE ATT&CK v19.1.
This is not a dramatic update in the sense of new colors, new scoring, or a long list of new techniques. The useful part is more boring, and probably more important: the mapping stayed stable. MITRE’s current Enterprise ATT&CK data still maps M1030 Network Segmentation to 44 technique and tactic entries across 37 unique technique IDs.
That stability is worth paying attention to. It means the original point from the 2019 ATT&CK segmentation article still holds in 2026: segmentation keeps appearing across the attack lifecycle because attackers need reachability. They need paths to remote services, identity infrastructure, management systems, deployment tooling, configuration stores, command-and-control channels, and exfiltration routes. If those paths are broad, implicit, or poorly governed, the attacker gets options. If those paths are narrow, explicit, and enforced close to the systems that matter, the attacker has fewer moves available.
You can load the refreshed layer directly in ATT&CK Navigator here:
Open the v19.1 segmentation layer
What Changed
The layer had still been labeled against ATT&CK 18. MITRE lists ATT&CK v19.1 as the current version, effective April 28, 2026, so I rebuilt the layer from the current Enterprise ATT&CK data and the M1030 relationships.
The technique set did not change. The layer still contains 44 technique/tactic entries and 37 unique technique IDs. What changed is the surrounding context: the JSON now identifies ATT&CK v19.1 as the source, records the update date, includes the current count metadata, links to MITRE’s version history, and uses clearer comments for the mapped techniques.
That last piece matters because a Navigator layer can become a flat picture very quickly. A colored cell says “this control is relevant here,” but it does not explain why. The updated comments now make the reachability angle explicit. For example, remote administration techniques, software deployment tooling, service discovery, domain trust discovery, configuration repository access, container API access, command-and-control protocols, and exfiltration methods are different techniques, but they all become more useful when the environment offers unnecessary paths.
What The Matrix Is Really Saying
The wrong way to read the layer is: segmentation prevents 37 techniques.
That is not how ATT&CK mitigations should be interpreted, and it is not how real environments behave. A network policy does not decide whether a valid HTTPS request is malicious. It does not fix overprivileged identities. It does not patch vulnerable services. It does not replace endpoint telemetry, application controls, secrets hygiene, or incident response.
The better reading is narrower and more useful: MITRE maps M1030 to these techniques because they often involve service exposure, traffic flow, reachable infrastructure, or access to sensitive systems. Network segmentation is relevant because it changes what a compromised system can see, reach, and use next.
That is also the right way to talk about modern microsegmentation. The value is not “more firewall rules.” The value is taking actual workload communication and turning it into enforceable policy: which application tier should talk to which database, which systems should reach domain controllers, which endpoints should reach administrative ports, which workloads need outbound access, which management services should be isolated, and which systems should be contained quickly during an incident.
In other words, microsegmentation is the operational version of the segmentation idea. It moves the control closer to the workload and makes policy follow application reality rather than just network topology. The enforcement may still be L3/L4 for many flows, and that is fine. The important question is whether the allowed communication is actually required, reviewed, and narrow enough to reduce blast radius.
Why The Stable Count Is Useful
It would have been easy to treat the v19.1 refresh as a simple maintenance chore. Update the version, rebuild the JSON, move on. But the stable count is a useful signal by itself.
ATT&CK has evolved a lot since the original 2019 post. Cloud techniques are more visible. Containers are better represented. Identity and SaaS are more central to many attack paths. Yet M1030 still lands on a familiar set of practical problems: remote services, management paths, discovery, trusted relationships, exfiltration, command-and-control, and impact.
That tells us something about the durability of the control. Security architecture changes. Infrastructure moves. Attackers adapt. But unnecessary reachability remains one of the most reliable ways to turn a foothold into a broader compromise.
This is also why the recent reassessment, What Good L3/L4 Policy Can Actually Do, still feels relevant. Good L3/L4 policy is not outdated just because it is not application-aware in every possible sense. It is outdated when it is broad, static, topology-driven, and disconnected from workload reality. When it is based on actual dependencies and enforced close to the asset, it still changes real attack paths.
The practical test is simple: if a compromised workload can reach systems it has no business talking to, the environment is giving the attacker free choices. If those choices are removed before the incident, the defender has already shaped the fight.
The Bottom Line
The v19.1 refresh did not make the segmentation layer bigger. It made it current, better documented, and easier to interpret.
The important takeaway is not the number 37. The important takeaway is that ATT&CK continues to map Network Segmentation to techniques where reachability, exposure, and movement matter. That is where segmentation earns its keep: not by promising prevention everywhere, but by reducing unnecessary paths and making compromise harder to expand.
That is still a very current security architecture conversation.