The Segmentation Problem
Network segmentation remains one of the most consistently prioritized yet consistently underdelivered controls in enterprise security. Security teams understand the value: contain lateral movement, reduce ransomware blast radius, protect critical assets, and enforce least-privilege access across a distributed environment. Yet despite years of investment and intention, most organizations have not achieved segmentation at any meaningful scale.
The reasons are well understood by anyone who has tried to operationalize it. Segmentation projects stall when teams lack a complete, accurate inventory of what is actually on the network. They fail when device rollout outpaces policy design, leading to misconfigurations that cause outages rather than improving security. They get deprioritized when the fear of disrupting production systems, clinical operations, or industrial processes outweighs the perceived security benefit. And they break down entirely because they are built on a flawed assumption: that the connected asset landscape is stable, documented, and IP-addressable.
That flawed assumption directly expands the attack surface, increasing exposure as assets proliferate. According to Forescout’s Vedere Labs research, IoT asset exploits rose to 19% in 2025, tied with network infrastructure as the second largest exploit category, with average device risk per country rising by 33% year-over-year. The enterprise networks that security teams are trying to segment today are hybrid, distributed, and populated by devices that cannot run agents, cannot be patched on a standard cycle, and were not designed with network security controls in mind. IP-based segmentation models were not built for this environment. They were built for a more manageable, homogeneous network that no longer reflects how most organizations operate.
That gap between what segmentation promises and what it delivers in practice is exactly the problem we set out to solve, and where the evolution of eyeSegment begins.
The Hybrid Enterprise Has Outgrown the Tools Built for It
The enterprise network of today looks nothing like the one most segmentation strategies were designed for. A decade ago, segmentation was largely a data center problem: define zones, build ACLs, create security group tags, control north-south traffic. The device population was manageable, mostly known, and mostly IT. That model produced tools optimized for that reality, and many of them work well within it.
But the network has changed faster than the tooling. Today’s environment is complex and divergent. Managed workloads and unmanaged endpoints. IT infrastructure and operational technology. Cloud-native applications and decades-old industrial systems. They are all running simultaneously across multiple locations and ownership models.
The attack surface is no longer a perimeter. It has become a distributed, heterogeneous fabric that grows more complex every year.
Segmentation approaches built for a slice of that environment cannot govern the whole of it. A visibility-first, agentless architecture that spans IT, OT, and IoT was not a nice-to-have design choice. It was the architecture required to meet the hybrid enterprise where it actually is. Every device needs to be seen before it can be secured. Every communication path needs to be understood before it can be controlled.
Policy built on incomplete device knowledge is not segmentation. It is the illusion of segmentation.
Forescout’s position has always been grounded in a different architectural premise: you cannot secure what you cannot see, and seeing everything requires more than a network scan. The Forescout platform continuously discovers and classifies every connected asset across IT, OT, and IoT environments using more than 30 agentless discovery methods with rich device context that includes device type, function, operating system, behavior, risk score, and communication patterns. That depth of device intelligence is what makes segmentation decisions meaningful rather than assumed. The evolution of eyeSegment is built on this foundation, bringing that visibility and classification capability into a cloud-native segmentation modeling layer with enhanced
What We Are Announcing: The Next Evolution of eyeSegment
Today we are announcing the cloud-native release of Forescout’s segmentation solution, delivered natively within the 4D Platform. This represents a meaningful architectural advancement for eyeSegment, shifting the product from IP-centric segmentation monitoring toward a risk- and identity-driven segmentation modeling layer built for the hybrid enterprise.
This release delivers four core advancements.
Identity- and Attribute-Driven Zone Modeling
The most consequential change is the shift from IP-based segmentation to zone modeling built on device identity and attributes. In traditional IP-based approaches, zones are defined by network addresses that change and drift. Frequently, they do not reflect what devices actually are or what they actually do. Now zones are defined by device type, function, operating system, and risk attributes — characteristics that remain accurate even as devices move across the network.
A healthcare organization can visualize a clinical systems zone based on device function rather than subnet, surfacing communication patterns and risk exposure across devices — whether they are on-premises, remote, or newly discovered. For organizations managing VLAN sprawl and flat networks, out-of-box hygiene views, including Function vs Function, VLAN vs Function, and Segment vs Segment matrices, deliver immediate visibility into how the network is actually being used and where communication patterns do not match expectations — without requiring manual configuration to get started.
Risk-Aware Hygiene Views
Knowing what devices are communicating is necessary but not sufficient. Understanding which of those communication paths carry meaningful risk is what allows security teams to prioritize segmentation investment where it matters most.
This release introduces risk-aware heat maps that apply risk overlays directly to the segmentation matrix, color-coding cells based on observed threats, device vulnerabilities, and risk scores. Rather than treating all communication paths as equally important, security teams can:
- Immediately identify which zone-to-zone flows involve high-risk devices.
- Surface critical vulnerabilities within the matrix view itself.
- Prioritize remediation based on actual exposure rather than assumption.
For a manufacturer managing mixed OT and IT environments, this means a remote device communicating with OT controllers will be visually flagged in the matrix the moment that path is detected. This allows the team to investigate and act without waiting for a separate alerting workflow to surface it.
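To make the two ideas above concrete, here is a small added illustration (not Forescout code, and not how eyeSegment is implemented) of attribute-driven zoning and a risk-overlaid Function vs Function matrix: devices are assigned to zones by their function attribute rather than by subnet, observed flows are aggregated into directional zone-to-zone cells, and each cell is colour-coded by the highest device risk score it carries. The inventory, flow records, risk thresholds and the set of expected zone pairs are all constructed for the example.

```python
from collections import defaultdict

# Constructed asset inventory: each device carries the attributes the text names
# (function, OS, risk score). The zone is derived from function, never from the IP.
ASSETS = {
    "10.1.1.10":  {"function": "Imaging",         "os": "Windows 7",  "risk": 9.1},
    "10.1.1.11":  {"function": "Imaging",         "os": "Windows 10", "risk": 4.0},
    "10.2.0.5":   {"function": "Workstation",     "os": "Windows 11", "risk": 2.3},
    "10.3.0.7":   {"function": "OT Controller",   "os": "VxWorks",    "risk": 8.2},
    "172.16.9.4": {"function": "Remote Endpoint", "os": "macOS",      "risk": 6.5},
}

# Constructed flow records (source IP, destination IP) observed on the network.
FLOWS = [
    ("10.2.0.5", "10.1.1.10"),
    ("10.2.0.5", "10.1.1.11"),
    ("172.16.9.4", "10.3.0.7"),   # remote endpoint talking to an OT controller
    ("10.1.1.10", "10.3.0.7"),    # clinical imaging device reaching OT
]

# Zone pairs the architecture expects to see (assumption); anything else is a hygiene finding.
EXPECTED = {("Workstation", "Imaging")}

def zone_of(ip):
    """Attribute-based zone: the device's function, not its subnet."""
    return ASSETS.get(ip, {}).get("function", "Unclassified")

def build_matrix(flows):
    """Directional Function vs Function matrix: (src_zone, dst_zone) -> flow count
    and the highest risk score seen on either end of any flow in that cell."""
    matrix = defaultdict(lambda: {"flows": 0, "max_risk": 0.0})
    for src, dst in flows:
        cell = matrix[(zone_of(src), zone_of(dst))]
        cell["flows"] += 1
        risk = max(ASSETS.get(src, {}).get("risk", 0.0), ASSETS.get(dst, {}).get("risk", 0.0))
        cell["max_risk"] = max(cell["max_risk"], risk)
    return dict(matrix)

def colour(max_risk):
    """Risk overlay for a cell; the thresholds are an assumption for this illustration."""
    if max_risk >= 7.0:
        return "red"
    return "amber" if max_risk >= 4.0 else "green"

def high_risk_cells(matrix, threshold=7.0):
    """Zone pairs whose traffic involves at least one high-risk device."""
    return sorted(k for k, v in matrix.items() if v["max_risk"] >= threshold)

def unexpected_cells(matrix):
    """Zone pairs that communicate but are not in the expected-path set."""
    return sorted(k for k in matrix if k not in EXPECTED)
```

Running `build_matrix(FLOWS)` on the constructed data yields three cells, of which the two paths into the OT Controller zone are both red and unexpected; the Workstation to Imaging cell is expected but still red because one imaging device carries a 9.1 risk score.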
Enhanced Matrix-Driven Visualization and UX
Understanding segmentation posture across a complex hybrid environment requires more than data. It requires a visualization model that makes risk visible at a glance and enables teams to focus on what matters without losing context.
The redesigned eyeSegment matrix interface delivers directional zone-to-zone traffic flows with risk overlays that surface high-risk communication paths across the full device estate. Security architects can scope matrices globally or by site and navigate between views through a unified cloud console. The interface is designed to serve both the security architect mapping segmentation strategy and the SOC analyst investigating a specific communication anomaly, providing the depth each role needs within a single experience.
Native Forescout Cloud Integration
eyeSegment is now native within Forescout Cloud using an API key-based onboarding model that reduces deployment from weeks to hours. This integration makes eyeSegment a core competency within the broader Forescout 4D Platform™, bringing segmentation visibility into the same cloud console as device discovery, risk management, and compliance workflows. For existing eyeSegment customers, current deployments remain fully supported with no required migration.
Segmentation as a Platform Capability, Not a Point Solution
Forescout’s position has always been that segmentation cannot be treated as a standalone network control. It is a foundational enforcement layer within a broader Zero Trust architecture, and its value is directly proportional to the quality of the device intelligence feeding it.
Universal Zero Trust Network Access requires three things to work in practice:
- Comprehensive asset identification across every device type.
- Least-privilege access enforcement based on continuous risk assessment.
- Dynamic access evaluation that adjusts as device posture and threat context change.
Segmentation is where enforcement becomes real on the network. Without accurate, continuously updated asset intelligence that reflects what devices are and what risk they carry, UZTNA remains a framework on paper rather than an operational reality.
The same dependency applies to Continuous Threat Exposure Management. Understanding exposure across the enterprise requires knowing not just where vulnerabilities exist; it requires understanding how devices can reach each other and which communication paths create the highest-risk lateral movement opportunities for attackers. Segmentation provides the structural control plane through which exposure can be systematically reduced and contained.
This is precisely why eyeSegment is built as a native module within the Forescout 4D Platform™ rather than as a separate tool. The platform’s continuous asset discovery, risk assessment, and device classification capabilities feed directly into segmentation, ensuring that zones, policies, and risk views reflect the live state of the environment rather than a snapshot taken at deployment. For organizations in regulated industries managing Critical Infrastructure Protection requirements, this integration between visibility, risk, and segmentation control is not a convenience. It is the difference between compliance on paper and compliance in practice.
Segmentation delivered from a platform that already knows every device on the network is fundamentally more effective than segmentation delivered as a point product trying to build that picture from scratch.
See the Network Segmentation Evolution in Action
Here is what Forescout can now give you: a cloud-native segmentation solution built on agentless device intelligence, designed for the hybrid enterprise, and delivered as an integrated component of the Forescout 4D Platform. Not a point product solving segmentation in isolation, but a capability that amplifies everything Forescout knows about all devices on the network, putting that intelligence to work in service of UZTNA enforcement.
If your organization is evaluating how to close the gap between your segmentation strategy and your operational reality, I encourage you to explore what this release delivers: identity- and attribute-based zone modeling, risk-aware matrix visualization, and a cloud-native experience. Available now. The Forescout team is ready to show you what it looks like in your environment.