Zero Networks warns lateral movement eclipses zero-days
Zero Networks has published research that argues the biggest cyber risks to organisations stem from attackers abusing legitimate internal access, rather than exploiting zero-day vulnerabilities or deploying unusual malware.
The company said the findings point to a shift in security priorities: organisations should focus on limiting what an intruder can reach after gaining initial access, because that reach determines business impact more than the initial point of entry does.
Zero Networks based its assessment on analysis of 3.4 trillion activities across 400 enterprise environments over a year. The company said the data shows lateral movement can compromise more than 60% of an IT environment in under one hour after an attacker gains initial access.
Lateral movement
The company said the most dangerous activity often looks legitimate and blends into routine administration behaviour. It said many threats pass through defences without standing out as suspicious.
Zero Networks said attackers do not need a wide range of techniques to cause harm. It said 71% of observed threat activity uses always-on management protocols such as SMB, RDP, WinRM and RPC. The company described these as standard Microsoft management protocols present in most enterprise environments.
The company also highlighted what it described as low-frequency signals that can indicate high-impact risk. It said some systems appeared less frequently in detections, including Microsoft SQL Server at about 3% of detections, System Center Configuration Manager at 2%, and Active Directory Web Services at 2%. It said access to these systems can signal potential control over databases, endpoint management, or identity infrastructure.
Blast radius
Zero Networks said the research points to structural weaknesses in internal connectivity. It said a single compromised system can reach a median of 85% of internal systems in one hop. It said the figure effectively reaches 100% in a second hop.
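To make the protocol and blast-radius figures above concrete, the following is an added Python example. It is not Zero Networks' code and is not derived from their dataset: the hosts, connection records and the admin allow-list are constructed for illustration, and the port-to-protocol mapping assumes the standard ports for SMB, RDP, WinRM and RPC. It builds a reachability graph from the connections that use those management protocols, computes how many other hosts each machine can reach in one and two hops, reports the median as a blast-radius score, and then re-computes the score after a segmentation policy restricts management-protocol connections to named admin hosts.

```python
from collections import deque
from statistics import median

# Standard ports for the management protocols named in the research (assumed mapping).
MGMT_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM", 135: "RPC"}

# Constructed host inventory and observed/permitted connections: (source, destination, dst_port).
HOSTS = ["ws1", "ws2", "ws3", "srv-file", "srv-sql", "srv-ad", "adm1"]
SAMPLE_FLOWS = [
    ("ws1", "srv-file", 445),
    ("ws1", "ws2", 445),
    ("ws2", "srv-file", 445),
    ("ws2", "srv-sql", 1433),   # application traffic, not a management protocol
    ("ws3", "ws1", 3389),
    ("srv-file", "srv-ad", 135),
    ("srv-file", "srv-sql", 5985),
    ("adm1", "srv-ad", 3389),
    ("adm1", "srv-file", 5985),
    ("adm1", "ws3", 5985),
]


def build_graph(hosts, flows, ports=MGMT_PORTS):
    """Directed graph of hosts; an edge exists only for management-protocol connections."""
    graph = {h: set() for h in hosts}
    for src, dst, port in flows:
        if port in ports and src != dst:
            graph.setdefault(src, set()).add(dst)
            graph.setdefault(dst, set())
    return graph


def reach(graph, start, hops):
    """Hosts reachable from `start` within `hops` edges (breadth-first, start excluded)."""
    seen = {start}
    frontier = deque([(start, 0)])
    while frontier:
        host, depth = frontier.popleft()
        if depth == hops:
            continue
        for nxt in graph.get(host, ()):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, depth + 1))
    return seen - {start}


def reach_fractions(graph, hops):
    """Per-host fraction of the other hosts reachable within `hops`."""
    n = len(graph)
    if n < 2:
        return {h: 0.0 for h in graph}
    return {h: len(reach(graph, h, hops)) / (n - 1) for h in graph}


def blast_radius(graph, hops):
    """Median one-number score: how much of the environment a typical compromised host reaches."""
    return median(reach_fractions(graph, hops).values())


def apply_policy(flows, allowed_sources, ports=MGMT_PORTS):
    """Segmentation policy: only allow-listed admin hosts may initiate management-protocol connections."""
    return [(s, d, p) for s, d, p in flows if p not in ports or s in allowed_sources]


if __name__ == "__main__":
    flat = build_graph(HOSTS, SAMPLE_FLOWS)
    for hops in (1, 2):
        print(f"flat network, {hops} hop(s): median reach {blast_radius(flat, hops):.0%}")
    segmented = build_graph(HOSTS, apply_policy(SAMPLE_FLOWS, allowed_sources={"adm1"}))
    for hops in (1, 2):
        print(f"segmented,    {hops} hop(s): median reach {blast_radius(segmented, hops):.0%}")
```

The per-host output of `reach_fractions` is the more useful view in practice: a host with a small one-hop fraction but a large two-hop fraction sits next to a pivot (here `srv-file`, which can reach both the database and the identity server), which is exactly the kind of path a segmentation policy should cut first. Real inputs would come from firewall or flow logs rather than a hand-written list, and the host inventory should come from an asset source rather than from the flows themselves, so that quiet hosts still count toward the denominator.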
The company said disruption can follow quickly once an attacker enters an environment. It cited an average compromise within 48 minutes. It said this leaves little time for defenders to react with countermeasures.
The research also links the concept of cyber resilience to operational continuity. Zero Networks said organisations should define resilience in terms of whether they can continue operating during an incident. It contrasted that with models that focus on recovery at a later point.
It pointed to recent incidents affecting organisations in the UK as examples of attacks that demonstrate the role of resilience. "What our data analysis confirms in theory - and what recent successful attacks such as those on Jaguar Land Rover, Marks & Spencer and multiple London councils confirm in practice - is that resilience is key," said Albert Estevez Polo, Field CTO, EMEA, Zero Networks. "And AI-enabled attacks are only going to accelerate the scale of the issue.
"Modern cyber resilience depends on limiting lateral movement: containing threats at their point of entry and preventing them from spreading across the environment. By reducing the blast radius of a breach, organizations protect critical assets, maintain operational continuity, and remain resilient even when defenses are bypassed. Simply put, if you don't know your blast radius, you don't have a cyber resilience plan."
Policy scrutiny
A committee of MPs is considering the details of the proposed UK Cyber Security & Resilience Bill. Zero Networks said it submitted key findings from its research to the Public Bill Committee.
"Resilience must be defined as the ability to largely continue operations - not simply to survive and recover at some unknown point in the future. Some may see this as prescriptive, but for critical national infrastructure in particular, this capability must be mandatory," said Estevez Polo.
The company positioned the findings as relevant to organisations facing regulatory pressure on cyber resilience. It referenced regimes such as DORA and NIS2 in the context of organisations assessing how to reduce operational disruption from cyber incidents.
Zero Networks said the data shows business impact depends less on how attackers first gain access, and more on what they can reach once inside. It said this creates a need for measures that restrict internal reach and contain compromise paths across IT environments.
The company said its research covered customer environments and verified penetration testing engagements across the period it studied. It said the analysis mapped activity patterns associated with threats that resemble normal administration traffic, and it said the results underscore the prevalence of common management protocols in attack paths.
Zero Networks said the committee's deliberations on the Cyber Security & Resilience Bill will shape expectations around operational continuity and resilience for organisations, particularly those linked to critical national infrastructure.