Agilicus AnyX Frequently Asked Questions
Cyber security best practices
Outbound-only reverse tunnels improve security by ensuring that no ports are open to the public internet. Instead of a remote user connecting directly into the network, a secure connector inside the environment initiates an outbound connection to a trusted proxy, and the user's authenticated session is joined to that tunnel at the proxy. Because nothing listens for inbound connections, the environment does not show up for internet-wide scanners, the exposure created by inbound port forwarding disappears, and the approach works unchanged behind network address translation and in private (non-routable) address spaces. Learn more about the advantages of an outbound-only network.
For more information, see Industrial Cyber Security Best Practices.
Layer-7 analysis inspects network traffic at the application layer to understand the specific actions being performed, such as which files are being accessed or which commands are being sent to a programmable logic controller. This provides much deeper visibility than traditional firewall logging, which records only source and destination addresses and ports at the network layer and cannot tell a harmless read from a write to a controller. By monitoring these granular details in real time, security teams can detect subtle anomalies that may indicate a sophisticated attack in progress. Our evolution guide explains this shift in visibility.
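To make that difference concrete, here is an added example, written for this page rather than taken from Agilicus, that decodes hand-constructed Modbus/TCP requests and shows what a layer-3 record and a layer-7 record of the same packet look like. The frames, the addresses and the host roles are assumptions made for the demonstration:

```python
"""Layer-7 visibility: decode Modbus/TCP requests and say what they do.

Added example for this FAQ; it is not Agilicus code. The frames, addresses
and host roles below are constructed for the demonstration.
"""
import struct

# Public Modbus application-protocol function codes.
FUNCTION_NAMES = {
    1: "read_coils", 2: "read_discrete_inputs",
    3: "read_holding_registers", 4: "read_input_registers",
    5: "write_single_coil", 6: "write_single_register",
    15: "write_multiple_coils", 16: "write_multiple_registers",
}
WRITE_CODES = {5, 6, 15, 16}

# Assumed asset roles for the demo (in practice: the asset inventory).
ROLES = {"10.1.1.10": "hmi", "10.1.1.20": "engineering_workstation"}


def decode_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and the PDU of one Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tx_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("protocol id %d is not Modbus" % proto_id)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    func, pdu = frame[7], frame[8:]
    if func in FUNCTION_NAMES and len(pdu) < 4:
        raise ValueError("truncated PDU")
    op = {"transaction": tx_id, "unit": unit_id, "function": func,
          "name": FUNCTION_NAMES.get(func, "unknown_%d" % func),
          "is_write": func in WRITE_CODES}
    if func in (1, 2, 3, 4):        # reads: start address, quantity
        op["address"], op["count"] = struct.unpack(">HH", pdu[:4])
    elif func in (5, 6):            # single writes: address, value
        op["address"], op["value"] = struct.unpack(">HH", pdu[:4])
    elif func in (15, 16):          # multiple writes: address, quantity, ...
        op["address"], op["count"] = struct.unpack(">HH", pdu[:4])
    return op


def assess(src_ip: str, frame: bytes) -> dict:
    """Contrast what a layer-3 log and a layer-7 log see, and raise an alert
    when a write command comes from a host that has no engineering role."""
    op = decode_modbus_tcp(frame)
    role = ROLES.get(src_ip, "unknown")
    alert = None
    if op["is_write"] and role != "engineering_workstation":
        alert = "%s from %s host %s (unit %d, address %d)" % (
            op["name"], role, src_ip, op["unit"], op["address"])
    return {
        "layer3": "%s -> tcp/502" % src_ip,            # all a firewall log records
        "layer7": "%s addr=%s" % (op["name"], op.get("address", "?")),
        "alert": alert,
    }


# Constructed captures: (source address, raw Modbus/TCP request).
SAMPLE_CAPTURE = [
    ("10.1.1.10", bytes.fromhex("00010000000601030000000a")),  # HMI reads 10 holding registers
    ("10.1.1.20", bytes.fromhex("000200000006010600100064")),  # EWS writes 100 to register 16
    ("10.1.1.77", bytes.fromhex("000300000006010600100000")),  # unknown host writes 0 to register 16
]

if __name__ == "__main__":
    for src, frame in SAMPLE_CAPTURE:
        print(assess(src, frame))
```

All three sample frames produce the same layer-3 record (a connection to tcp/502); only the decoded function code separates a routine read from the HMI from a register write by an unknown host, which is the kind of anomaly the paragraph describes.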
Administrative tool restriction limits the availability of powerful system utilities, such as PowerShell and command-line interfaces, to the specific administrative or service accounts that need them. Attackers often “live off the land” by using these native tools to perform discovery, escalate privileges, and run malicious payloads without dropping recognisable malware. By restricting these tools and using application allow-listing to block unauthorised executables, organisations significantly reduce the tooling available to an adversary who has gained a foothold. Discover system hardening techniques in our evolution guide.
Application-layer brokering prevents lateral movement by connecting a user only to a specific application or service, rather than dropping them directly onto a network subnet. In traditional architectures, once a user is authenticated, they can often see and attempt to connect to any device on the same local area network. By brokering at the application layer, the user remains isolated from the underlying infrastructure, ensuring that an adversary cannot use a single compromised session to scan the network for other vulnerable targets. Learn about brokering vs. port forwarding.
Machine-to-machine security focuses on securing the communication between devices, such as programmable logic controllers and engineering workstations, without human intervention. Instead of relying on static application programming interface (API) keys that can be stolen and reused indefinitely, modern security frameworks issue short-lived tokens and bind each token to a key held in the device's hardware, so a token copied from one machine cannot be replayed from another. This ensures that only authorised machines can talk to one another, preventing rogue devices from injecting malicious commands. Our blueprint for industrial security details these hardware-bound protections.
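The following added example (written for this page, not Agilicus code) shows the two checks a target device makes on such a token: the issuer's signature and expiry, and then proof that the caller holds the device key the token was bound to. The HMAC keys stand in for the token service's private key and for a device key that would really live in a TPM or secure element; the names and lifetimes are assumptions:

```python
"""Short-lived, device-bound machine-to-machine tokens.

Added example for this FAQ, not Agilicus code. The HMAC keys below stand in
for the token service's signing key and for a device key that would really
live in a TPM or secure element; the names and lifetimes are assumptions.
"""
import base64
import hashlib
import hmac
import json
import os
import time

ISSUER_KEY = b"demo-token-service-key"   # assumption: stand-in for the issuer's private key


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, audience: str, device_key_id: str,
                ttl_seconds: int = 300, now: float = None) -> str:
    """Mint a token for `subject` to talk to `audience`, bound to one device key
    via a confirmation ("cnf") claim and valid for a few minutes only."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "aud": audience, "cnf": {"kid": device_key_id},
              "iat": int(now), "exp": int(now) + ttl_seconds}
    body = _b64u(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64u(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_token(token: str, expected_audience: str, now: float = None) -> dict:
    """Check issuer signature, audience and expiry; return the claims."""
    now = time.time() if now is None else now
    body, _, sig = token.partition(".")
    expected_sig = _b64u(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected_sig, sig):
        raise PermissionError("token signature invalid")
    claims = json.loads(_unb64u(body))
    if claims.get("aud") != expected_audience:
        raise PermissionError("token not issued for this device")
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    return claims


def prove_possession(device_secret: bytes, nonce: bytes) -> str:
    """Caller side: answer the target's nonce with the hardware-held key.
    (A TPM would sign the nonce with a private key instead of computing an HMAC.)"""
    return hmac.new(device_secret, nonce, hashlib.sha256).hexdigest()


def authorize_request(key_registry: dict, token: str, nonce: bytes, proof: str,
                      my_id: str, now: float = None) -> str:
    """Target side (e.g. a PLC): the token must be valid for me AND the caller
    must prove it holds the device key the token is bound to. A stolen token
    presented without that key fails the second check."""
    claims = verify_token(token, my_id, now)
    kid = claims["cnf"]["kid"]
    if kid not in key_registry:
        raise PermissionError("unknown device key %s" % kid)
    if not hmac.compare_digest(prove_possession(key_registry[kid], nonce), proof):
        raise PermissionError("device key proof failed")
    return claims["sub"]


if __name__ == "__main__":
    registry = {"ews-01-key": b"secret-held-in-ews-01-tpm"}     # constructed
    token = issue_token("ews-01", "plc-7", "ews-01-key")
    nonce = os.urandom(16)                                       # the PLC's challenge
    proof = prove_possession(registry["ews-01-key"], nonce)
    print(authorize_request(registry, token, nonce, proof, "plc-7"))
```

The token alone is not enough: it names the key it is bound to, and the PLC challenges the caller to prove possession of that key on every request, so an expired token, a token for a different PLC, or a token replayed by a device without the key are all rejected.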
Vendor federation allows third-party technicians to use their own corporate identities to access specific resources on your network. This eliminates the burden of creating and managing hundreds of guest accounts and ensures that you do not have to store passwords for external users. By trusting the authentication performed by the vendor, you can focus on granular authorisation—deciding exactly what they can do—while maintaining a high degree of security and auditability. See our case study on vendor access for a real-world example.
CIS Benchmarks are a set of globally recognised best practices for securing individual software applications and operating systems. In an industrial security context, applying these benchmarks involves hardening workstations, servers, and network equipment to a verified, secure standard. This includes disabling unnecessary services, closing unused ports, and enforcing strong password policies. By following these vendor-neutral guidelines, organisations can establish a robust security baseline for their entire operational technology estate. Learn about hardening as part of boundary defence.
Process zones are logical groupings of assets that perform a similar function or belong to the same industrial process. Defining these zones allows security teams to apply specific communication policies, ensuring that devices within a zone can interact while traffic between zones passes only through defined conduits that are monitored and controlled. This zones-and-conduits architecture is a core component of the ISA/IEC 62443 standard for protecting industrial automation and control systems. Read more in our pragmatic blueprint for industrial security.
Shadow perimeters refer to undocumented or unauthorised connections that bypass established security boundaries, such as rogue cellular modems or vendor-installed wireless access points. These connections create invisible entry points into the operational technology network, circumventing firewalls and monitoring tools. To maintain a secure posture, organisations must perform physical and logical audits to identify and secure these hidden entry points. Learn more about securing boundaries in our strategic blueprint.
Identity-aware logging captures every user action and ties it directly to a verified identity, providing a complete audit trail of who did what and when. In traditional industrial environments, logs are often device-centric, showing that a connection was made from an internet protocol address but not which specific person was responsible. By integrating identity into the logging process, organisations can quickly identify and respond to suspicious activity and meet stringent regulatory requirements for auditing and compliance. Read about auditing in our configuration guide.
Unified identity centralises user credentials and access permissions into a single corporate directory, such as Microsoft Entra or Google Workspace. This eliminates the need for fragmented, local, or shared accounts across different industrial systems, which are difficult to manage and secure. By using a single sign-on approach, organisations can enforce global security policies and ensure that access is immediately revoked when an employee or contractor leaves the company. Discover the efficiency of unified access in our comparison.
An identity-aware proxy provides a secure gateway that terminates remote sessions at the application layer rather than the network layer. Unlike a traditional virtual private network that often grants broad network access, an identity-aware proxy verifies the user identity and specific permissions before allowing access to a single application or resource. This prevents an infected remote device from moving laterally across the network and ensures that access is strictly controlled and fully audited. See how this evolves industrial remote access.
Configuration drift is the gradual deviation of a system’s settings from its established, secure baseline due to manual changes, software updates, or unauthorised modifications. Monitoring for drift is essential because even small changes—such as an accidentally opened port or a disabled security service—can create new vulnerabilities. By using automated tools to detect and alert on these changes, security teams can ensure that systems remain in a known, secure state. Our documentation on maintaining secure configurations provides further context.
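As an added example of such a check (written for this page, not Agilicus code), the block below compares a current configuration against a secure baseline and rates each deviation. The two configuration texts are constructed to look like an sshd_config-style "Key value" file, and the set of keys treated as security-relevant is an assumption:

```python
"""Configuration-drift detection against a secure baseline.

Added example for this FAQ, not Agilicus code. The two configuration texts
are constructed; the keys treated as security-relevant are an assumption
chosen to suit an sshd_config-style "Key value" file.
"""
import hashlib

# Keys whose drift is a security finding, not just a change.
SECURITY_RELEVANT = {"PasswordAuthentication", "PermitRootLogin", "Port",
                     "ListenAddress", "LogLevel"}


def parse_config(text: str) -> dict:
    """Parse 'Key value' lines, ignoring comments; repeated keys keep all values."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        cfg.setdefault(key, []).append(value.strip())
    return cfg


def fingerprint(text: str) -> str:
    """Stable hash of the parsed, sorted configuration: a quick 'anything changed?' check."""
    cfg = parse_config(text)
    canon = "\n".join("%s=%s" % (k, ",".join(sorted(v))) for k, v in sorted(cfg.items()))
    return hashlib.sha256(canon.encode()).hexdigest()


def detect_drift(baseline_text: str, current_text: str) -> list:
    """Return drift findings as (key, baseline_values, current_values, severity)."""
    base, cur = parse_config(baseline_text), parse_config(current_text)
    findings = []
    for key in sorted(set(base) | set(cur)):
        b, c = sorted(base.get(key, [])), sorted(cur.get(key, []))
        if b != c:
            severity = "high" if key in SECURITY_RELEVANT else "info"
            findings.append((key, b, c, severity))
    return findings


# Constructed sample: the gold-image baseline and what the host looks like today.
BASELINE = """
# gold image, hardened per the site standard
Port 22
ListenAddress 10.1.9.5
PermitRootLogin no
PasswordAuthentication no
LogLevel VERBOSE
Banner /etc/issue.net
"""

CURRENT = """
Port 22
ListenAddress 10.1.9.5
ListenAddress 0.0.0.0        # drift: now listening on every interface
PermitRootLogin no
PasswordAuthentication yes   # drift: password logins re-enabled
LogLevel VERBOSE
Banner /etc/issue.net
X11Forwarding no             # drift: new key, not security relevant here
"""

if __name__ == "__main__":
    print("drifted:", fingerprint(BASELINE) != fingerprint(CURRENT))
    for finding in detect_drift(BASELINE, CURRENT):
        print(finding)
```

Run on a schedule against a baseline pulled from the gold image, the fingerprint comparison is cheap enough to execute often, and the detailed findings say which change matters: the re-enabled password login and the wildcard listen address are rated high, the cosmetic new key is not.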
Immutable infrastructure is a design principle where systems are replaced rather than updated or repaired. In an industrial setting, this involves using read-only file systems for controllers and workstations, ensuring that no permanent changes can be made to the software once it is deployed. If a system is suspected of being compromised or requires an update, it is simply rebuilt from a trusted, gold image. This approach eliminates configuration drift and ensures that the environment always returns to a known, secure state. See our pragmatic blueprint for modern infrastructure.
Least-privilege authorisation is a security principle where users and devices are granted only the minimum level of access necessary to perform their specific functions. In an operational technology environment, this means a technician might have read-only access to telemetry data but no permission to change engineering configurations. By strictly limiting access rights, organisations can prevent accidental changes and ensure that if a set of credentials is compromised, the potential damage is contained. See our comparison of granular access vs. legacy methods.
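The application-layer brokering, vendor federation, identity-aware logging, identity-aware proxy and least-privilege points above come together in one authorisation decision. The added example below (written for this page, not Agilicus code) evaluates a brokered request against an explicit, default-deny policy, accepts identities from trusted issuers only, and returns an audit record that names the verified identity. The issuers, users, groups, resources and rules are constructed for the demonstration:

```python
"""Application-layer brokering with least-privilege, default-deny authorisation.

Added example for this FAQ, not Agilicus code. Issuers, users, groups,
resources and the policy are constructed for the demonstration.
"""
from dataclasses import dataclass

# Identity providers whose authentication we accept (vendor federation):
# we never hold these users' passwords, only trust their issuer's assertion.
TRUSTED_ISSUERS = {
    "https://login.example-utility.test",      # our own directory
    "https://id.example-vendor.test",          # a vendor's corporate directory
}


@dataclass(frozen=True)
class Rule:
    subjects: frozenset   # user ids or "group:<name>"
    resource: str         # one application or service, never a subnet
    actions: frozenset


# Explicit grants; anything not listed is denied.
POLICY = [
    Rule(frozenset({"group:plant-operators"}), "historian-api", frozenset({"read"})),
    Rule(frozenset({"group:vendor-technicians"}), "plc-7-diagnostics", frozenset({"read"})),
    Rule(frozenset({"alice@example-utility.test"}), "plc-7-engineering",
         frozenset({"read", "write"})),
]


def authorize(identity: dict, resource: str, action: str) -> dict:
    """Decide one brokered request and return an identity-aware audit record.

    `identity` is the already-verified token payload: sub, iss and groups.
    """
    record = {"who": identity.get("sub"), "issuer": identity.get("iss"),
              "resource": resource, "action": action}
    if identity.get("iss") not in TRUSTED_ISSUERS:
        return {**record, "allow": False, "reason": "untrusted issuer"}
    principals = {identity["sub"]} | {"group:%s" % g for g in identity.get("groups", [])}
    for rule in POLICY:
        matched = principals & rule.subjects
        if rule.resource == resource and matched and action in rule.actions:
            return {**record, "allow": True,
                    "reason": "granted via %s" % ",".join(sorted(matched))}
    return {**record, "allow": False, "reason": "no rule grants this action"}


if __name__ == "__main__":
    vendor_tech = {"sub": "bob@example-vendor.test", "iss": "https://id.example-vendor.test",
                   "groups": ["vendor-technicians"]}
    print(authorize(vendor_tech, "plc-7-diagnostics", "read"))   # allowed
    print(authorize(vendor_tech, "plc-7-engineering", "write"))  # denied
    print(authorize(vendor_tech, "10.1.1.0/24", "connect"))      # denied: subnets are not resources
```

Two properties of this shape are worth noting. Resources are applications, so there is no rule that could ever grant "the subnet": a user who is allowed to read diagnostics on one controller has nothing to scan with. And every decision, allowed or denied, carries the federated identity and issuer, which is exactly what an identity-aware log needs.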
Phishing-resistant multi-factor authentication uses hardware security keys and public-key protocols such as FIDO2/WebAuthn so that a login cannot be intercepted, replayed or proxied by an attacker. Unlike short message service (SMS) codes or email-based notifications, which a user can be tricked into entering on a look-alike site or approving under pressure, the security key signs a challenge that is bound to the genuine site's origin, so anything captured by a phishing site is useless elsewhere, and the key must be physically present. This is a critical requirement for protecting administrative access to critical infrastructure. You can read about implementing strong authentication in our evolution guide.
The Swiss Cheese Model is a defensive strategy where multiple, distinct layers of security are stacked to ensure that no single point of failure leads to a systemic breach. Each layer, whether it is a network boundary, an identity control, or system hardening, has inherent flaws, much like the holes in Swiss cheese. By ensuring these layers are orthogonal and diverse, an adversary who bypasses one layer is still blocked by the next, significantly reducing the overall risk to operational technology environments. You can learn more about how this applies to modern infrastructure in our pragmatic blueprint for industrial cyber security.
Credential protection involves implementing technical controls to prevent attackers from stealing or using authentication data, such as passwords and tokens. In Windows environments, this includes using features like Credential Guard and disabling outdated protocols like NTLM to prevent “pass-the-hash” attacks. Protecting credentials is vital because once an attacker has administrative access, they can often bypass other security layers to take full control of critical infrastructure. Our best practices guide explains these protection mechanisms.
Firmware integrity ensures that the software running on industrial controllers and devices has not been tampered with or modified by an unauthorised party. Attackers may attempt to inject malicious code into firmware during a supply chain attack or after gaining access to the network. By verifying cryptographic signatures before installation and centrally managing updates, organisations can ensure that their hardware only runs trusted, authorised code. Our blueprint for industrial security covers these supply chain protections.
In a zero trust architecture, identity replaces the traditional, physical air gap as the primary line of defence. As industrial networks become more interconnected, relying on physical isolation is no longer a viable strategy. Instead, robust authentication and authorisation ensure that only verified users and devices can access specific assets, regardless of their location. This shift allows for secure remote access while maintaining the rigorous control once provided by isolation. Our post on modern identity strategies explores this transition.
Internal encryption ensures that all communication within a network, often referred to as east-west traffic, is cryptographically protected from sniffing and interception. In many industrial environments, data is sent in plain text once it passes the perimeter, allowing an attacker who has gained internal access to capture administrative credentials or process data. By running a managed internal certificate authority that issues certificates to internal assets, and requiring TLS between them, you ensure that every session is private and that each endpoint can verify who it is talking to. See our blueprint for encrypting internal traffic.
Network micro-segmentation involves dividing an industrial network into small, isolated zones based on functional requirements. This prevents a breach in one area, such as a building management system, from spreading to more critical assets like a water treatment process. By enforcing security policies at the individual asset level, organisations can create granular boundaries that block lateral movement by attackers. Learn about the technical implementation of logical zones.
Eliminating inbound ports is a critical step in reducing the attack surface of an operational technology network. Traditional remote access often relies on open listeners or legacy virtual private networks, which make internal systems visible to automated scanners and malicious actors on the public internet. By replacing these with outbound-only reverse tunnels, you render the internal environment invisible to external threats while still allowing secure, authenticated access for authorised users. You can find more details on our comparison of identity-aware access and port-forwarding.
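The added example below (written for this page, not Agilicus code) is a minimal working version of the reverse-tunnel arrangement described here and in the first question above. The three roles are a plant-side service that listens on loopback only, a connector that dials out to a relay and bridges the session back to that service, and the relay, which is the only component with inbound listeners. Everything runs on loopback with OS-chosen ports so it is self-contained; in a real deployment only the relay would have a public address:

```python
"""Outbound-only reverse tunnel: the protected service never listens for the outside.

Added example for this FAQ, not Agilicus code. Everything runs on loopback so
it is self-contained; the three roles are marked in comments and the port
numbers are picked by the OS at run time.
"""
import socket
import threading


def _pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then pass the EOF on."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listen(host: str) -> socket.socket:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def start_plant_service() -> int:
    """ROLE: device inside the OT network (stands in for a PLC/HMI). It listens
    on loopback only; it has no port reachable from outside."""
    srv = _listen("127.0.0.1")

    def serve():
        conn, _ = srv.accept()
        with conn:
            request = conn.recv(4096)
            conn.sendall(b"PLC:" + request)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_relay() -> tuple:
    """ROLE: trusted proxy on the public side. The ONLY inbound listeners in
    the design live here; it joins one remote user to one connector."""
    connector_srv, user_srv = _listen("127.0.0.1"), _listen("127.0.0.1")

    def bridge():
        connector, _ = connector_srv.accept()   # arrives from inside, outbound
        user, _ = user_srv.accept()             # the authenticated remote user
        threading.Thread(target=_pipe, args=(user, connector), daemon=True).start()
        _pipe(connector, user)

    threading.Thread(target=bridge, daemon=True).start()
    return connector_srv.getsockname()[1], user_srv.getsockname()[1]


def start_connector(relay_connector_port: int, plant_port: int) -> None:
    """ROLE: connector inside the OT network. It dials OUT to the relay and
    bridges that session to the local service; NAT and private addressing do
    not matter because nothing ever connects in to it."""
    def run():
        outbound = socket.create_connection(("127.0.0.1", relay_connector_port))
        local = socket.create_connection(("127.0.0.1", plant_port))
        threading.Thread(target=_pipe, args=(outbound, local), daemon=True).start()
        _pipe(local, outbound)

    threading.Thread(target=run, daemon=True).start()


def remote_user_request(relay_user_port: int, payload: bytes) -> bytes:
    """A remote user talks only to the relay and gets the plant's reply back."""
    with socket.create_connection(("127.0.0.1", relay_user_port)) as user:
        user.settimeout(10)
        user.sendall(payload)
        user.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = user.recv(4096)
            if not data:
                return b"".join(chunks)
            chunks.append(data)


def demo(payload: bytes = b"read holding registers") -> bytes:
    plant_port = start_plant_service()
    relay_connector_port, relay_user_port = start_relay()
    start_connector(relay_connector_port, plant_port)
    return remote_user_request(relay_user_port, payload)


if __name__ == "__main__":
    print(demo())
```

Note which direction every connection is made in: the connector and the plant service never call accept() on anything an outsider could reach, so a scanner sees nothing at the plant, and the relay is where identity checks and logging would be enforced before a user is joined to a tunnel.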
Legacy protocols such as remote desktop protocol (RDP), server message block (SMB), and Telnet predate modern threats and are frequently abused by ransomware to spread across networks. Telnet carries credentials in plain text, and RDP and SMB as commonly deployed rely on password or NTLM authentication with no multi-factor step, making them prime targets for lateral movement. Eradicating them from internal subnets and replacing them with secure, identity-aware proxies significantly hardens the environment. See how we evolve past legacy protocols.
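The added example below (written for this page, not Agilicus code) turns the process-zone, shadow-perimeter, micro-segmentation and legacy-protocol points above into one per-flow policy check: flows are allowed inside a zone, allowed between zones only over an explicit conduit, denied for any address that belongs to no defined zone, and denied outright on legacy ports. The zone layout, conduit ports and flow records are constructed for the demonstration:

```python
"""Zones, conduits and per-flow policy: default deny, explicit conduits,
no legacy protocols anywhere.

Added example for this FAQ, not Agilicus code. The zone layout, ports and
flow records are constructed for the demonstration.
"""
import ipaddress

ZONES = {                                   # assumed site layout
    "building-management":      ["10.3.0.0/24"],
    "water-treatment-control":  ["10.1.1.0/24"],
    "engineering":              ["10.1.9.0/24"],
    "enterprise-it":            ["10.200.0.0/16"],
}

# Inter-zone conduits (ISA/IEC 62443 terminology): (from, to) -> allowed TCP ports.
CONDUITS = {
    ("engineering", "water-treatment-control"): {502, 44818},   # Modbus/TCP, EtherNet/IP
    ("enterprise-it", "engineering"):           {443},          # identity-aware proxy only
}

# Protocols to eradicate from every subnet, even inside a zone.
LEGACY_PORTS = {23: "telnet", 445: "smb", 3389: "rdp"}


def zone_of(ip: str):
    """Name of the zone containing `ip`, or None if it is in no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in ZONES.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return name
    return None


def evaluate_flow(src: str, dst: str, port: int) -> tuple:
    """Return ('allow' | 'deny', reason) for one TCP flow."""
    if port in LEGACY_PORTS:
        return "deny", "legacy protocol %s; use the identity-aware proxy instead" % LEGACY_PORTS[port]
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny", "address in no defined zone; possible undocumented device or shadow perimeter"
    if src_zone == dst_zone:
        return "allow", "intra-zone %s" % src_zone
    if port in CONDUITS.get((src_zone, dst_zone), set()):
        return "allow", "conduit %s -> %s tcp/%d" % (src_zone, dst_zone, port)
    return "deny", "no conduit %s -> %s for tcp/%d" % (src_zone, dst_zone, port)


SAMPLE_FLOWS = [   # constructed flow records: (src, dst, dst_port)
    ("10.1.9.4",     "10.1.1.20", 502),    # EWS programs a PLC: allowed conduit
    ("10.3.0.5",     "10.1.1.20", 502),    # BMS host reaches into water treatment: denied
    ("10.1.1.20",    "10.1.1.21", 502),    # PLC to PLC inside the zone: allowed
    ("10.1.9.4",     "10.1.9.5",  3389),   # RDP inside engineering: denied as legacy
    ("192.168.77.1", "10.1.1.20", 502),    # unknown address: denied, investigate
]

if __name__ == "__main__":
    for src, dst, port in SAMPLE_FLOWS:
        print(src, dst, port, evaluate_flow(src, dst, port))
```

The ordering matters: the legacy-port check runs before the zone lookup so that RDP, SMB and Telnet are refused even between two hosts in the same zone, and an address outside every zone is denied rather than silently treated as "internal", which is how an undocumented modem or access point first shows up in the logs.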