u/ballkali

VPN misconfigs are an AD problem

The Zscaler ThreatLabz VPN Risk Report made me pause this week. The part that stuck with me wasn't the VPN stats themselves, it was the note that AI is collapsing the response window for security teams to hours, not days anymore, and that it's accelerating VPN exploitation in ways that are hard to keep up with.

Our environment is hybrid, about 4,000 users, mix of on-prem AD and Entra ID. We've patched the obvious VPN CVEs and we do periodic AD health checks using built-in tools plus some PowerShell scripts we've accumulated over the years. The problem is those checks are point-in-time. Something drifts, a service account gets over-permissioned, a GPO gets modified, and we don't know until the next scheduled review or until something breaks.

I've been looking at tooling that can give continuous visibility into AD posture specifically, not just event log aggregation. Tried Netwrix's AD security posture tools for a few weeks and they do surface misconfiguration severity in a way that's easier to prioritize than raw audit logs, though I'm still evaluating whether it fits our workflow long-term.

My actual question: for teams that have mapped out the VPN-to-AD lateral movement path in their own environments, what specific AD misconfigurations are you treating as highest priority to close first? Kerberoastable accounts, unconstrained delegation, something else? And are you validating that posture continuously or still doing it on a schedule?

reddit.com
u/ballkali — 1 day ago
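An added example (not from the post or any vendor tool) of turning the point-in-time checks the post describes into a scheduled drift check: it snapshots the two items named in the post (Kerberoastable accounts and unconstrained delegation) plus Domain Admins membership, and reports what changed since the last run. It assumes the RSAT ActiveDirectory module, read access to the domain, and the baseline path shown.

```powershell
# Drift check for a few AD posture items; first run writes the baseline only.
Import-Module ActiveDirectory

$SnapshotPath = 'C:\ADPosture\baseline.json'   # assumed location, adjust as needed

function Get-AdPostureSnapshot {
    # Kerberoastable: enabled user accounts that carry a ServicePrincipalName
    $spnUsers = Get-ADUser -Filter { Enabled -eq $true -and ServicePrincipalName -like "*" } `
                           -Properties ServicePrincipalName |
                Select-Object -ExpandProperty SamAccountName

    # Unconstrained delegation on users, and on computers other than DCs
    # (domain controllers legitimately have the flag set)
    $delegUsers = Get-ADUser -Filter { TrustedForDelegation -eq $true } |
                  Select-Object -ExpandProperty SamAccountName
    $dcs = (Get-ADDomainController -Filter *).Name
    $delegComputers = Get-ADComputer -Filter { TrustedForDelegation -eq $true } |
                      Where-Object { $dcs -notcontains $_.Name } |
                      Select-Object -ExpandProperty SamAccountName

    # Privileged membership, the "service account gets over-permissioned" case
    $admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
              Select-Object -ExpandProperty SamAccountName

    return [ordered]@{
        Kerberoastable          = @($spnUsers | Sort-Object)
        UnconstrainedDelegation = @(($delegUsers + $delegComputers) | Sort-Object)
        DomainAdmins            = @($admins | Sort-Object)
    }
}

function Compare-AdPosture($Old, $New) {
    foreach ($key in $New.Keys) {
        $before = @($Old.$key | Where-Object { $_ })
        $after  = @($New.$key | Where-Object { $_ })
        $diff = Compare-Object -ReferenceObject $before -DifferenceObject $after
        foreach ($d in $diff) {
            # '=>' means present only in the new snapshot
            $verb = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
            Write-Output ("{0} {1}: {2}" -f $verb, $key, $d.InputObject)
        }
    }
}

$current = Get-AdPostureSnapshot
if (Test-Path $SnapshotPath) {
    $previous = Get-Content $SnapshotPath -Raw | ConvertFrom-Json
    Compare-AdPosture -Old $previous -New $current
} else {
    Write-Output "No baseline found at $SnapshotPath; writing one."
}
$current | ConvertTo-Json -Depth 3 | Set-Content $SnapshotPath
```

Run it from a scheduled task and forward the ADDED/REMOVED lines to whatever already pages the team; an unexpected new SPN on a user or a new Domain Admins member then shows up within the schedule interval rather than at the next review.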

Securing dependencies in a modern pipeline - what's actually working for you

Been thinking about this a lot lately, mostly because my team's been pushing to tighten up our CI/CD posture beyond just the identity and AD stuff I usually focus on. We've got Dependabot running and SBOMs generating in CycloneDX format, and version pinning with hash validation has honestly saved us a few times. The dependency confusion angle is what keeps me up at night though - we had a close call with a scoped package name collision a while back and it made me way more paranoid about trusted feed configuration than I used to be.

One thing I'm still not fully sold on is how people are balancing auto-updates against reproducibility. Auto-PRs from Dependabot are great until one drops on a Friday and breaks something in prod because nobody reviewed it properly. SLSA Level 3 looks interesting for tamper-proof builds but I haven't seen many teams actually get there in practice.

Curious what others are doing around policy-as-code for package allowlisting - is anyone using something like a package firewall in their pipelines, and has the false positive rate from SCA tools been manageable or a constant headache?

reddit.com
u/ballkali — 6 days ago