Application-layer brokering limits lateral movement by connecting an authenticated user to one specific application or service rather than placing that user's device on a network segment. In traditional remote-access designs, such as a VPN that assigns the client an address on the internal network, an authenticated user can typically see, and attempt to connect to, any host reachable on that segment, so a single compromised account or endpoint becomes a foothold for scanning and pivoting. A broker instead terminates the user's session itself and opens a second connection only to the application that the user is authorized for, so the user's device is never routable to the underlying infrastructure: a compromised session yields access to that one application, not to the subnet behind it. Brokering restricts where a session can reach, not what it can do once connected, so the brokered application still needs its own authentication, authorization and patching. See also: brokering vs. port forwarding.
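The difference in reach described above, as an added example that is not the page's own code: two loopback TCP listeners stand in for applications on an internal segment, and the same probe is run through a gateway that forwards to any address in the routable subnet (the VPN-style model) and through a broker whose session is bound to a single application. The tiny CONNECT-line protocol, the 127.0.0.0/8 "internal subnet", and the application names are assumptions made for the illustration.

```python
import socket
import threading
from ipaddress import ip_address, ip_network


def start_echo_app(name):
    """Loopback listener standing in for an internal application; answers with its name.
    Returns the port it listens on (assumed stand-in, not a real application)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.recv(1024)
                conn.sendall(name.encode())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def network_access_policy(subnet):
    """VPN-style reachability: any host inside the routed subnet may be connected to."""
    net = ip_network(subnet)

    def allowed(host, port):
        try:
            return ip_address(host) in net
        except ValueError:
            return False

    return allowed


def broker_policy(app_host, app_port):
    """Application-layer brokering: the session may reach exactly one (host, port)."""
    return lambda host, port: (host, port) == (app_host, app_port)


def start_gateway(policy):
    """Gateway speaking an assumed protocol: client sends 'CONNECT host:port\\n', gets
    'OK\\n' or 'DENIED\\n', and on OK one request/response is relayed to the destination.
    The only difference between the VPN-style gateway and the broker is the policy."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            conn.settimeout(2)
            header = b""
            while b"\n" not in header:
                chunk = conn.recv(1024)
                if not chunk:
                    return
                header += chunk
            line = header.partition(b"\n")[0].decode()
            host, _, port = line.partition(" ")[2].rpartition(":")
            if not policy(host, int(port)):
                conn.sendall(b"DENIED\n")
                return
            try:
                upstream = socket.create_connection((host, int(port)), timeout=1)
            except OSError:
                conn.sendall(b"DENIED\n")
                return
            with upstream:
                conn.sendall(b"OK\n")
                data = conn.recv(1024)
                if data:
                    upstream.sendall(data)
                    conn.sendall(upstream.recv(1024))

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def request_via(gateway_port, host, port, payload=b"hello"):
    """Ask the gateway for host:port; return the application's reply or None if refused."""
    with socket.create_connection(("127.0.0.1", gateway_port), timeout=2) as s:
        s.sendall(f"CONNECT {host}:{port}\n".encode())
        if not s.recv(64).startswith(b"OK"):
            return None
        s.sendall(payload)
        return s.recv(1024)


def scan(gateway_port, candidates):
    """What an adversary holding one session discovers: every candidate that answers."""
    found = {}
    for host, port in candidates:
        reply = request_via(gateway_port, host, port)
        if reply is not None:
            found[(host, port)] = reply.decode()
    return found


def demo():
    """Same internal hosts, same probe; only the access model differs."""
    crm = start_echo_app("crm")
    hmi = start_echo_app("plc-hmi")
    apps = [("127.0.0.1", crm), ("127.0.0.1", hmi)]
    vpn = start_gateway(network_access_policy("127.0.0.0/8"))
    broker = start_gateway(broker_policy("127.0.0.1", crm))
    return scan(vpn, apps), scan(broker, apps), crm, hmi


if __name__ == "__main__":
    via_vpn, via_broker, _, _ = demo()
    print("reachable through VPN-style gateway:", via_vpn)
    print("reachable through broker:", via_broker)
```

Through the subnet-level gateway the probe enumerates both applications; through the broker it reaches only the one the session was issued for, and the policy is enforced by the gateway, not by anything the client controls. Note that the brokered application (here "crm") still answers fully, which is why it needs its own controls.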
For more information, see Industrial Cyber Security Best Practices.
