We spent eighteen months and seven figures buying the architecture. The thing that actually moved our blast radius was three habits nobody sold us.
The pitch deck arrived on a Tuesday. Forty-seven slides. Three vendors in the room. By slide nine I knew we were going to sign something, and by slide twenty I knew the something would not, on its own, make us safer. That was eighteen months ago. The contracts are signed, the agents are deployed, the dashboards are green, and our actual blast radius — the part the auditor never asks about — only started shrinking when we stopped treating Zero Trust as a procurement project.
I want to write down what changed, because I keep having the same conversation with peers who are six months into the same journey, asking the same question: why doesn’t it feel different yet?
The first mistake was buying the architecture before the habit.
Zero Trust, as a phrase, is a marketing accident. The principle underneath it — never trust, always verify, assume breach — is a posture. Postures are not delivered by a vendor. They show up in how engineers behave when they’re tired, on call, and trying to ship.
Our first six months were spent rolling out an identity-aware proxy, a SASE tier, microsegmentation in two of our four clusters, and a privileged-access broker. All of it real, all of it useful, none of it changing what an engineer did at 2 a.m. when production was on fire. They opened a long-lived bastion, sudo’d to root, and fixed the thing. The proxy was just another login screen on the way to the same all-powerful shell.
If your incident playbook still ends in a root shell on a long-lived host, you don’t have Zero Trust. You have an expensive front door.
What actually moved the needle
Three habits, in the order we adopted them. None of them required a new SKU.
1. Default to ephemeral
No persistent SSH keys. No long-lived service accounts. Every human session, every CI worker, every cron job authenticates fresh and dies. The credential cannot outlive the task. This is boring to implement and existentially uncomfortable to operate — for the first month, every on-call engineer hated me personally — but it removes an entire class of breach. There is nothing to steal that is still valid by the time it is stolen.
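As an added illustration of this habit (not code from the original post or from any vendor named in it), the broker-issued credential below carries an expiry and a single scope, and the verifier rejects anything that has outlived its task or is presented for a different operation. The HMAC key, the token layout, and the subject and scope strings are all assumptions made for the example; a real broker would hold the key and hand these out from the identity-aware path.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption for the example: the broker's signing key. Generated at import so the
# block runs stand-alone; in practice only the credential broker ever holds it.
BROKER_KEY = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(subject: str, scope: str, ttl_seconds: int, now=None, key: bytes = BROKER_KEY) -> str:
    """Issue a credential that dies with the task: one scope, short expiry, unique id."""
    now = time.time() if now is None else now
    claims = {
        "sub": subject,
        "scope": scope,                   # e.g. "read:tier0/customers"; a write needs a new token
        "iat": int(now),
        "exp": int(now) + ttl_seconds,    # nothing lives past the task window
        "jti": secrets.token_hex(8),      # unique id so the audit log can tie each use to its issuance
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(sig)}"


def verify(token: str, required_scope: str, now=None, key: bytes = BROKER_KEY):
    """Return (claims, "ok") or (None, reason). Signature first, then expiry, then scope,
    so a stolen token is reported as stale before anyone looks at what it was for."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):    # constant-time compare
        return None, "bad-signature"
    claims = json.loads(body)
    if now >= claims["exp"]:
        return None, "expired"
    if claims["scope"] != required_scope:
        return None, "scope-mismatch"
    return claims, "ok"


if __name__ == "__main__":
    issued_at = 1_700_000_000
    tok = mint("ci-worker-42", "read:tier0/customers", ttl_seconds=900, now=issued_at)
    print(verify(tok, "read:tier0/customers", now=issued_at + 60)[1])        # fresh, right scope
    print(verify(tok, "write:tier0/customers", now=issued_at + 60)[1])       # fresh, wrong scope
    print(verify(tok, "read:tier0/customers", now=issued_at + 4 * 3600)[1])  # the four-hour-old leak
```

The point of the fixed `now` parameter is that the check is pure: an incident reviewer can replay a recovered token against the time it was scraped and see that it was already dead, which is exactly the argument made at the end of this post.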
2. Make the audit trail the source of truth
Logs are not for forensics; they are the system of record. If a change was made and the audit log doesn’t show who, what, when, and why, the change did not happen and must be reverted. We pushed this all the way to read operations on tier-zero data. It is annoying. It has saved us at least one incident I can point to and probably two I cannot.
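To make that rule concrete, here is an added reconciliation check (not code from the original post): it takes changes a drift detector observed in production, looks for a complete who/what/when/why entry for each in the audit log, and emits a revert for anything the log does not account for. The event shapes, resource names, email addresses and the fifteen-minute window are constructed for the example, and the log lines are made up.

```python
import json
from datetime import datetime, timedelta

# Constructed sample input: changes a drift detector saw land in production.
OBSERVED_CHANGES = [
    {"resource": "iam-policy/tier0-readers", "observed_at": "2024-05-02T02:14:00Z"},
    {"resource": "fw-rule/prod-db-ingress", "observed_at": "2024-05-02T02:20:00Z"},
    {"resource": "db-param/prod-primary", "observed_at": "2024-05-02T02:31:00Z"},
]

# Constructed sample audit log, one JSON object per line. The second entry has an empty
# "why"; the third names the right resource but is hours older than the observed change.
AUDIT_LOG = """
{"who":"alice@example.com","what":"iam-policy/tier0-readers","when":"2024-05-02T02:10:12Z","why":"INC-4417 grant read for incident triage"}
{"who":"bob@example.com","what":"fw-rule/prod-db-ingress","when":"2024-05-02T02:18:40Z","why":""}
{"who":"carol@example.com","what":"db-param/prod-primary","when":"2024-05-01T23:05:00Z","why":"CHG-2201 tune max_connections"}
"""

REQUIRED_FIELDS = ("who", "what", "when", "why")


def parse_ts(text: str) -> datetime:
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def missing_fields(entry: dict) -> list:
    """Fields that are absent or empty. An entry only counts as a record if all four are there."""
    return [f for f in REQUIRED_FIELDS if not entry.get(f)]


def in_window(entry: dict, seen: datetime, window: timedelta) -> bool:
    """True if the entry was written in the `window` leading up to the observation."""
    if not entry.get("when"):
        return False
    return seen - window <= parse_ts(entry["when"]) <= seen


def reconcile(observed, audit_log: str, window=timedelta(minutes=15)):
    """One decision per observed change: keep it if a complete audit entry for that resource
    precedes the observation within `window`; otherwise revert, saying why the log fails."""
    entries = [json.loads(line) for line in audit_log.splitlines() if line.strip()]
    decisions = []
    for change in observed:
        seen = parse_ts(change["observed_at"])
        candidates = [e for e in entries
                      if e.get("what") == change["resource"] and in_window(e, seen, window)]
        complete = [e for e in candidates if not missing_fields(e)]
        if complete:
            latest = max(complete, key=lambda e: e["when"])
            decisions.append({"resource": change["resource"], "action": "keep",
                              "by": latest["who"], "why": latest["why"]})
        elif candidates:
            # Someone logged the change but left the record incomplete: still a revert.
            missing = sorted({f for e in candidates for f in missing_fields(e)})
            decisions.append({"resource": change["resource"], "action": "revert",
                              "reason": "audit entry incomplete, missing: " + ", ".join(missing)})
        else:
            minutes = int(window.total_seconds() // 60)
            decisions.append({"resource": change["resource"], "action": "revert",
                              "reason": f"no audit entry within {minutes} min of observation"})
    return decisions


if __name__ == "__main__":
    for decision in reconcile(OBSERVED_CHANGES, AUDIT_LOG):
        print(json.dumps(decision))
```

Two design choices carry the habit: an entry with an empty "why" is treated as no entry at all, and the window is measured backwards from when the change was seen, so a record written after the fact to cover a change does not rescue it.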
3. Treat the network as hostile, including the office one
The VPN died on a Friday and was not mourned. Our office wifi has the same trust posture as a hotel lobby. Every connection to every internal service goes through the same identity-aware path whether you are sitting at headquarters or at a kitchen table in Lisbon. This is the only one of the three that required actual product spend — but the spend was a tenth of what we’d already committed, and the operational simplification paid for it in a quarter.
What I’d do differently
I’d sequence the habits before the architecture. Spend the first quarter on credential lifecycle and audit-log discipline. Force every team to feel the friction of doing the right thing manually. Then — and only then — buy the tooling that smooths the friction, because by that point your engineers will know exactly which friction to smooth and which to keep.
The vendors will tell you their platform is Zero Trust. It is not. It is a substrate on which Zero Trust can be practiced by people who already wanted to practice it. The platform without the practice is a CAPEX line item with a dashboard. The practice without the platform is exhausting but real. With both, you have something worth the budget.
The auditor still doesn’t ask about blast radius. But the last time we had a credential exposed in a public repo, the credential was four hours old, scoped to one read, and had been rotated out before the bot that scraped GitHub finished indexing the commit. That’s the posture. The architecture just helped us scale it.