Insights from Fal.Con 2025 Interview: How to Achieve Frictionless Microsegmentation with CrowdStrike and ColorTokens

I had the opportunity to join my colleague Mac Grant on theCUBE during Fal.Con 2025 in Las Vegas, where ColorTokens was a Gold Sponsor. We spoke with Rebecca Knight and Dave Vellante about a challenge nearly every CISO faces today: lateral movement, and how our integration with CrowdStrike is helping organizations contain breaches, fast and friction-free.

Let me start with what we see in the field. Adversaries are not waiting around. CrowdStrike has been tracking breakout time (the time it takes for an attacker to move beyond the first compromised device), and it has nosedived. We’re talking minutes. That means the attacker gets out of the initial laptop or entry point almost immediately. This puts tremendous pressure on SOC teams to detect and contain the threat with equal speed.

That’s where microsegmentation makes a difference. By design, it limits the attacker’s ability to move across the environment. It creates friction for the adversary. That friction buys your SOC team time to respond before the threat spreads.

But CISOs often ask us: does this really work in practice, or is this just another theoretical solution?

We hear that concern. What makes all the difference is when CISOs hear it directly from other customers. One CISO told us, in their words: “We would’ve been toast if not for you guys.” That’s what drives us. These are organizations that saw real attacks play out. Because they had microsegmentation in place, the blast radius was contained. Whether it’s a sugar producer or a nuclear energy company, we’ve seen this happen live.

What customers care about most during an attack is not just what was hit but what wasn’t. They talk about the “minimal viable business.” They want to know the rest of the organization can keep operating. Microsegmentation helps protect those parts. It keeps critical systems untouched while response teams go to work.


Now, some might say this all sounds good, but isn’t microsegmentation too complicated to implement?

Historically, yes. In many organizations, efforts to adopt microsegmentation are slowed by conventional microsegmentation solutions. Too often, these tools offer limited enforcement methods, leave parts of the network unsecured, or simply take too long to deliver value.

Take solutions that offer only agent-based microsegmentation as an example. In large enterprises, deploying new agents across thousands of endpoints, servers, and assets can take weeks or even months. Every rollout comes with approval cycles, qualification reviews, and endless coordination across teams. It delays time-to-value just when speed matters most. And many walk away before adoption even begins.

That’s why we built Xshield Enterprise Microsegmentation Platform™ to put flexibility at the center, giving you the freedom to choose the approach that works best for you. If deploying new agents slows you down, Xshield gives you another option: microsegmentation without installing any new agents.

Rather than adding complexity, Xshield integrates seamlessly with leading EDR platforms—bypassing deployment delays.

What once took months can now be achieved in a fraction of the time. Within minutes, you can visualize assets and traffic. Within hours, begin segmenting. And within days, enforce policies that block lateral movement and reduce the attack surface. All while maximizing the value of your EDR investment.

And because every organization is different, resilience often requires more than one approach. That’s why Xshield also lets you combine multiple deployment methods—and manage them all seamlessly from a single console.

With our integration with the CrowdStrike Falcon® platform, we don’t need to deploy a new agent. We talk directly to the CrowdStrike platform, gather telemetry from what’s already there, use that insight in our Xshield policy engine, and push segmentation policies right back.

This is how we make time-to-value fast, practical, and achievable in 90 days or less.

Let’s take a step back to what this looks like for Security Operations Center (SOC) analysts.

SOC teams today are dealing with a relentless flood of alerts. And buried somewhere in that flood are the ones that really matter: the high-risk, high-impact signals that require urgent investigation. But when everything’s noisy, it’s hard to focus.

The CrowdStrike Falcon® platform is a powerful engine. It’s a Ferrari. But you can’t drive a Ferrari at full speed if the road is full of potholes and roadblocks. We help clear that road.

We reduce the noise by removing unnecessary alerts—low-level ones that shouldn’t exist in the first place if communication paths were restricted appropriately.

Microsegmentation does this by proactively shutting down communication paths that don’t need to exist. If a workload never needs to talk to another system, we cut off that path. If a port is known to be abused by attackers for lateral movement and isn’t needed by applications, we restrict it early.

We know that attackers operate on standards. They rely on common protocols and open ports to move laterally. The first thing we do is identify the riskiest, most abused ports and lock them down immediately. That action alone blocks the most common lateral pathways—even before any fine-grained segmentation begins. Because the majority of legitimate applications don’t use these risky ports, there’s no disruption—allowing organizations to realize early value quickly and safely.

So when something suspicious does happen, it’s not just another blip in a sea of noise. It stands out. We boost the signal. Now Falcon® can operate at full speed. The SOC team isn’t distracted by low-value alerts, and the real adversaries are easier to detect and respond to.
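As an added illustration (not ColorTokens’ or CrowdStrike’s code), here is a toy two-phase policy builder that follows the sequence described above: lock down a short list of abused ports first, unless an application is approved to use them, then allowlist only the flows seen in telemetry and treat alerts on closed paths as noise. The port list, hostnames, flows and alerts are all constructed assumptions for this example.

```python
# Constructed example of the two-phase approach described in the post:
# phase 1 blocks a small set of ports commonly abused for lateral movement,
# phase 2 allowlists only observed flows (default deny for everything else).
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")

# Assumed "risky port" list; the real set would come from the policy engine.
RISKY_PORTS = {445, 3389, 5985}

# Constructed telemetry: flows seen during the visualization phase.
OBSERVED_FLOWS = [
    Flow("web-01", "db-01", 5432),
    Flow("web-01", "db-01", 5432),      # duplicate observation
    Flow("app-01", "db-01", 5432),
    Flow("jump-01", "app-01", 3389),    # admin RDP from a jump host
    Flow("laptop-17", "app-01", 445),   # SMB from a laptop: not needed
]

# Assumed application dependencies that legitimately need a risky port.
APPROVED_RISKY = {Flow("jump-01", "app-01", 3389)}


def build_policy(flows, risky_ports=RISKY_PORTS, approved_risky=APPROVED_RISKY):
    """Return (allowlist, denied_risky): phase 1 drops risky-port flows that are
    not explicitly approved; phase 2 allowlists every remaining observed flow."""
    allow, denied = set(), set()
    for f in flows:
        if f.port in risky_ports and f not in approved_risky:
            denied.add(f)
        else:
            allow.add(f)
    return allow, denied


def is_allowed(allowlist, flow):
    """Default deny: a flow is permitted only if it is on the allowlist."""
    return flow in allowlist


def remaining_alerts(allowlist, alerts):
    """Alerts on paths the policy already closes are noise for the SOC queue;
    only alerts on still-allowed flows need analyst attention."""
    return [a for a in alerts if is_allowed(allowlist, a)]


if __name__ == "__main__":
    allowlist, denied = build_policy(OBSERVED_FLOWS)
    print("allowed:", sorted(allowlist))
    print("denied by risky-port phase:", sorted(denied))
```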

This is how proactive microsegmentation, combined with a responsive EDR, drives exponential gains. We’re talking 10x improvement in focus and clarity.


And if you’re a CrowdStrike customer, there’s an even faster path. You can get a Zero Trust Assessment done in just five days. We’ll give you a clear, visual report that shows your vulnerabilities, our recommendations, and what to do next. And because of our integration with Falcon®, it requires no effort from your side: everything is pulled directly from your existing deployment.

That’s how we work. Fast, focused, and built to protect what matters.

If you want to see what frictionless containment looks like in your environment, start your Zero Trust Assessment today, or connect with one of our top advisors.