Zero Trust Theater: We Put a Fancy Gate on a Cardboard Wall
The image of a gleaming gate standing tall in front of flimsy cardboard walls is more than just a metaphor—it is how many organizations approach Zero Trust today. They pour money into flashy controls at the front door: biometric scanners, MFA prompts, or branded single sign-on portals. To executives, auditors, or employees passing through, it feels like a fortress. But once inside, the reality is starkly different. Internal systems still trust each other by default, legacy applications remain unguarded, and privileged accounts roam free. The house is built to impress visitors, not to withstand pressure. What results is not Zero Trust but Zero Trust theater, where the performance of security overshadows the reality of weak, hollow walls.
This distinction matters deeply because attackers are not fooled by stage props. They push on the walls and quickly discover the weaknesses that executives never see. A persistent identity gap, a forgotten service account, or a legacy protocol still enabled can all serve as doorways past the expensive gate. When that happens, the carefully staged security collapses with alarming speed. The organization believes it has invested in resilience, but what it has really purchased is confidence—confidence that evaporates the moment the illusion is tested. This mismatch between what leaders think exists and what actually protects them is one of the greatest risks in modern enterprise security.
Listeners today are going to hear why the problem of Zero Trust theater is more than a matter of wasted spending. It is a matter of misplaced belief, where illusions become the strategy and optics replace engineering. In this episode, we will explore how the illusion is built, where attackers exploit the cracks, and what true Zero Trust requires to move from stagecraft to steelwork. By the end, you will not only recognize the signs of cardboard walls dressed up as defenses but also learn how to replace them with structures that truly hold. The story begins in the lobby, where the illusion is strongest, and works its way inward to the architectural heart of real security.
The illusion of Zero Trust often begins in the lobby, where security is most visible. Shiny badge readers greet employees, MFA prompts buzz phones, and the single sign-on portal carries the logos of trusted vendors. To the casual observer, this feels like an environment where security has been woven into every corner. Executives walk through the entrance and assume the rest of the house is built just as strong. Auditors see reports that match what they expect and mark their checklists complete. But this is the opening act, carefully staged to inspire confidence. The lobby is polished, the props are expensive, and the sense of safety is palpable. Yet like a theater set, what lies beyond is not nearly as sturdy as the view suggests.
This misalignment between perception and reality is the essence of Zero Trust theater. Organizations spend heavily on the first impression, believing that the most critical risk is at the outer gate. Once a user passes that initial test, however, the internal environment is often flat, with networks that allow free east-west movement and services that trust each other without question. It is a hard shell protecting a soft interior, the very weakness that Zero Trust was meant to eliminate. The lobby looks like a fortress, but every corridor beyond is wide open, waiting for anyone who has already stepped inside. The set design may impress visitors, but attackers see only open paths leading deeper inside.
The reason this illusion persists is that it satisfies powerful psychological and organizational needs. Leaders want visible proof that their investments in security are working, and few things are as visible as an MFA prompt on every login. Compliance officers want evidence they can point to, and the lobby controls provide clean, simple answers. Employees themselves often feel safer when they can see and interact with security, even if that security is skin-deep. The organization convinces itself that the show equals reality, because the show looks good, feels good, and checks the boxes. Yet underneath the surface, the foundation remains fragile. This focus on optics over architecture ensures that the lobby illusion thrives, and that real Zero Trust remains more aspiration than achievement.
Consider the “break-glass” account, a staple in most organizations. It is created for emergencies, a backdoor that administrators can use if systems lock them out. Yet in practice, these accounts are often left enabled indefinitely, their passwords never rotated and their usage never logged. They become ghost keys, waiting for anyone determined enough to find them. Executives create another problem. Frustrated by extra steps at login, they request exemptions from multi-factor authentication. Security teams, unwilling to battle leadership, grant the bypass. Attackers know this dynamic well and deliberately target privileged individuals, confident that convenience has eroded security. These are not theoretical risks—they are recurring realities, demonstrated in countless breach investigations where the attacker’s first foothold was an account created “just in case.”
Legacy systems represent yet another category of exception that weakens Zero Trust. Old ERP platforms, mail servers, and manufacturing controllers often cannot support modern protocols. Rather than replace them, organizations wrap them in carve-outs that allow weaker authentication or even direct trust connections. These systems are usually critical to operations, making them irresistible targets. Attackers exploit them as stepping stones, using the weaker controls to move toward more sensitive areas. What makes this worse is that teams convince themselves these are temporary accommodations, promises that they will migrate “someday.” But “someday” rarely comes. The exception becomes permanent, and over time, dozens of “temporary” carve-outs transform into the silent foundation of the security model.
The most dangerous aspect of exception debt is that it remains largely invisible to those who matter most. Dashboards rarely count exceptions, and executives rarely ask for them to be measured. Security teams, focused on keeping the business running, rationalize the carve-outs as necessary tradeoffs. Meanwhile, attackers only need one of them. A single unmanaged service account, a single legacy protocol, or a single VIP bypass can unravel the entire illusion. Exceptions compound silently until they are the dominant truth, replacing the carefully staged vision of Zero Trust with a brittle framework held together by workarounds. At that point, the walls may look sturdy from the lobby, but the structure is hollow, fragile, and waiting to collapse.
This reliance on polished reporting reflects an uncomfortable truth about organizational psychology. Leaders are rewarded for good optics, not necessarily for deep resilience. Security teams feel pressure to demonstrate measurable progress, so they highlight what is easiest to measure: adoption percentages, compliance checklists, and coverage reports. These metrics are tidy, comparable across time, and comforting in their upward trajectory. What they fail to measure are the subtleties that truly define Zero Trust: how quickly a revoked credential is enforced, how many lateral pathways exist between critical systems, or how long privileged sessions remain active. These questions are harder to quantify and less flattering to present. As a result, dashboards become tools of reassurance rather than tools of discovery, reinforcing the theater rather than exposing the flaws.
Auditors play a role in sustaining this illusion as well. Audits often focus on whether controls exist, not on whether they are effective under stress. An MFA policy is marked as compliant if it applies to the majority of accounts, even if key exceptions remain. A segmentation plan is considered acceptable if rules exist on paper, regardless of whether enforcement actually prevents lateral movement. These surface-level reviews reinforce the green dashboards and give leadership additional confidence. The system is compliant, the metrics are strong, and the illusion of Zero Trust thrives. But attackers do not care about compliance—they care about opportunity. A single overlooked exception, a single trust link between systems, is all they need. No green light will stop them once they find it.
The real cracks in the cardboard set emerge when you look closely at how identity and credentials are managed. Organizations often invest heavily in front-door controls but neglect the endless number of transactions happening behind the scenes. Services talk to other services without mutual authentication, assuming trust simply because they exist inside the same environment. This is a relic of the old perimeter mindset—once you’re inside, you’re trusted. But in the world of Zero Trust, this is poison. Attackers know that if they compromise one node, the lack of mutual checks means they can impersonate services and move laterally with ease. It’s like watching actors walk confidently through doors on stage, unaware the walls are paper. To the audience it looks seamless; to attackers it looks like an invitation. Each unauthenticated service call is an open doorway painted to look like a barrier, providing no resistance when pushed.
The problem deepens with the way organizations handle automation. Long-lived tokens and over-privileged service accounts lurk everywhere—inside CI/CD pipelines, robotic process automation bots, backup agents, and orchestration systems. These accounts are often granted sweeping entitlements to “make things work” and then left unmonitored for years. They rarely rotate keys, rarely face audits, and frequently outnumber the human users in the system. Attackers love this because one compromised build server or script can yield golden credentials with near-limitless reach. Unlike human accounts, these non-human identities exist in the shadows, rarely scrutinized by identity governance programs. They are the stagehands of the enterprise, moving quietly behind the curtain, but when attackers step into their shoes, they gain access to every part of the set. What looked like control from the audience’s perspective is actually uncontrolled sprawl when viewed from backstage.
Even the device layer, often touted as a cornerstone of Zero Trust, can be illusory. Companies claim complete coverage through mobile device management, reporting that every laptop and phone is compliant. In practice, posture checks are often shallow—verifying only that antivirus is installed or that a system enrolled once upon a time. Shared devices, personal laptops used by contractors, and dual-use machines slip through unnoticed. Employees sometimes disable controls to improve performance, leaving their machines effectively unmanaged while still appearing compliant in reports. Attackers exploit these illusions by compromising devices that seem healthy but are under their control. When the posture system cannot tell the difference, Zero Trust becomes nothing more than a box ticked on a dashboard. The organization thinks the wall is reinforced steel; the reality is that it is cardboard painted gray. The illusion persists because it looks convincing, but attackers know exactly where to lean to make it collapse.
Attackers approach Zero Trust theater the way a stage critic approaches a play—they look past the lighting and props to see what the structure is really made of. Consent phishing is one of their favorite tricks. Instead of stealing passwords, attackers present users with legitimate-looking prompts asking for OAuth consent. A single careless click gives the attacker a token that looks valid, behaves normally, and bypasses MFA completely. Once acquired, those tokens can be replayed again and again, granting persistent access with little chance of detection. From the audience’s perspective, MFA worked—the prompt appeared, the box was checked—but from backstage, the attacker is already inside, wearing a costume the system trusts implicitly. The cardboard wall held up for appearances, but it provided no resistance when leaned on.
Conditional access policies are supposed to close these gaps, but in practice they leave exploitable cracks. Legacy authentication paths such as POP, IMAP, and NTLM often remain enabled because disabling them would break old applications or inconvenience users; these protocols carry no MFA challenge, so a password alone opens the door. Attackers deliberately target these weak points, slipping through the unguarded back doors. MFA fatigue attacks exploit human behavior directly, bombarding users with approval requests until one is accepted out of frustration or confusion. Each of these tactics works because Zero Trust enforcement is partial, incomplete, or inconsistently applied. On the stage, the policies look robust. In reality, the walls are stitched together with holes that adversaries can see clearly. Attackers don’t need to defeat the entire system; they only need to find one seam where the set wasn’t reinforced.
The path from stagecraft to steelwork begins by rethinking how identity is enforced. In a true Zero Trust model, every transaction requires proof, not just the first login. Services, workloads, and machines must authenticate each other continuously, using protocols such as mTLS or OIDC, with workload identities issued and verified through a framework such as SPIFFE and its SPIRE implementation. This ensures that even if one node is compromised, it cannot impersonate another without being challenged. Each hop becomes its own checkpoint, replacing default trust with continuous verification. Instead of one grand gate at the entrance, you build smaller gates throughout the entire environment. For an attacker, this turns effortless lateral movement into a gauntlet of locked doors, each demanding valid credentials. What was once cardboard painted to look like steel becomes actual metal framing, capable of holding up under pressure rather than merely performing for an audience.
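As an added illustration that is not part of the episode and is not SPIFFE's or SPIRE's own code, the following Go program shows what "each hop becomes its own checkpoint" means in practice. It mints a throwaway trust-domain CA in place of a SPIRE server, issues short-lived certificates carrying spiffe:// URI SANs to three hypothetical workloads (the example.org trust domain and the workload names are constructed for the example), and builds a TLS configuration that, on both ends of a connection, verifies the peer's certificate chain and then checks the peer's SPIFFE ID against an allow-list. Only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// must keeps the constructed PKI setup short; production issuance code returns errors instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// TrustDomain is a throwaway CA standing in for the signing authority a SPIRE server would run.
type TrustDomain struct{ ca *x509.Certificate; key *ecdsa.PrivateKey; roots *x509.CertPool }

func NewTrustDomain() *TrustDomain {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "example.org CA (constructed)"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &TrustDomain{ca, key, roots}
}

// WorkloadConfig issues a short-lived SVID naming one workload by its spiffe:// URI and returns a
// tls.Config usable on either side of a hop: as a server it demands a client certificate, as a client
// it checks the server. Both sides authorize the peer by SPIFFE ID, never by network position.
func (td *TrustDomain) WorkloadConfig(id string, allowed map[string]bool) *tls.Config {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(15 * time.Minute), // rotated often rather than revoked
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{must(url.Parse(id))},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, td.ca, &key.PublicKey, td.key))
	// The per-hop checkpoint: the chain must verify to the trust-domain roots and the ID must be allowed.
	authorize := func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		leaf, err := x509.ParseCertificate(rawCerts[0]) // non-empty here: TLS already required a certificate
		if err != nil {
			return err
		}
		if _, err := leaf.Verify(x509.VerifyOptions{Roots: td.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
			return err
		}
		if len(leaf.URIs) != 1 || !allowed[leaf.URIs[0].String()] { // an X509-SVID carries exactly one URI SAN
			return fmt.Errorf("peer %v is not authorized to talk to %s", leaf.URIs, id)
		}
		return nil
	}
	return &tls.Config{
		Certificates:          []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		ClientAuth:            tls.RequireAndVerifyClientCert, // server role: no anonymous callers
		ClientCAs:             td.roots,
		InsecureSkipVerify:    true, // client role: hostname matching is replaced by authorize below
		VerifyPeerCertificate: authorize,
	}
}

// TryHop serves one loopback connection with the callee's config and dials it with the caller's.
// It returns the callee's SPIFFE ID as verified by the caller, or an error if either side refused.
// The callee's Write completes the handshake first, so a rejected caller sees a TLS alert on Read.
func TryHop(callee, caller *tls.Config) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", callee)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			conn.Write([]byte("ok")) // fails, and the alert reaches the caller, if the caller was refused
			conn.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), caller)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if _, err := conn.Read(make([]byte, 2)); err != nil {
		return "", err
	}
	return conn.ConnectionState().PeerCertificates[0].URIs[0].String(), nil
}
```

With an allow-listed caller, TryHop returns the callee's identity; a caller whose certificate is perfectly valid but whose identity is not on the callee's list, or a caller with no certificate at all, is refused at that hop. The deliberate InsecureSkipVerify is the part worth understanding: it only switches off hostname matching, and the VerifyPeerCertificate callback supplies chain verification plus the identity check in its place. Leaving the callback out would leave the client trusting anything, which is the cardboard wall in code.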
But identity alone is not enough. Privileges must be constrained so that when an account is compromised, the damage is limited. Traditional models of least privilege are often aspirational—diagrams in policy documents rather than lived practice. In reality, administrators retain standing access to production, engineers carry broad entitlements, and service accounts are rarely scrutinized. Moving from props to steel means operationalizing least privilege with automation. Just-in-time and just-enough-access models replace permanent admin rights with short-lived, task-specific elevation. Credentials expire quickly, secrets are brokered through managed vaults, and access is tightly scoped. This approach minimizes the blast radius of any breach, ensuring attackers cannot move freely even if they succeed in stealing credentials. It is not glamorous work, but it is what transforms flimsy scenery into structural reinforcement.
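The following Go code is an added example written for this page, not the episode's own material and not any vendor's product. It shows the mechanics of just-in-time, just-enough access described above: a broker that issues scoped, time-boxed, ticket-justified grants, and a Verify routine that the protected resource calls on every use, with revocation taking effect on the next check. The shared HMAC key between broker and resource, the grant format, and the scope and ticket names are all constructed assumptions for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Grant is one time-boxed, task-specific elevation: who, for what, until when, and why.
type Grant struct {
	ID        string    `json:"jti"`
	Subject   string    `json:"sub"`
	Scope     string    `json:"scope"`  // one narrow capability, e.g. "prod-db:read-replica"
	Ticket    string    `json:"ticket"` // change or incident reference that justified the elevation
	NotBefore time.Time `json:"nbf"`
	Expires   time.Time `json:"exp"`
}

// Broker mints grants and checks them on behalf of the protected resource. Sharing one HMAC key
// between broker and resource is an assumption made to keep the example self-contained; a real
// deployment would use asymmetric signatures or a vault-backed verifier.
type Broker struct {
	key     []byte
	maxTTL  time.Duration
	revoked map[string]bool
	Now     func() time.Time // injectable clock so expiry can be exercised deterministically
}

func NewBroker(key []byte, maxTTL time.Duration) *Broker {
	return &Broker{key: key, maxTTL: maxTTL, revoked: map[string]bool{}, Now: time.Now}
}

func (b *Broker) sign(payload []byte) string {
	mac := hmac.New(sha256.New, b.key)
	mac.Write(payload)
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Issue mints a grant. It refuses open-ended or unjustified elevation: the TTL is capped and a
// ticket reference is mandatory, so standing admin rights cannot be recreated through this path.
func (b *Broker) Issue(subject, scope, ticket string, ttl time.Duration) (string, error) {
	if ttl <= 0 || ttl > b.maxTTL {
		return "", fmt.Errorf("requested ttl %s is outside (0, %s]", ttl, b.maxTTL)
	}
	if scope == "" || ticket == "" {
		return "", errors.New("elevation needs a scope and a ticket reference")
	}
	id := make([]byte, 8)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	now := b.Now()
	payload, err := json.Marshal(Grant{ID: base64.RawURLEncoding.EncodeToString(id), Subject: subject,
		Scope: scope, Ticket: ticket, NotBefore: now, Expires: now.Add(ttl)})
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(payload) + "." + b.sign(payload), nil
}

// Revoke ends a grant before its natural expiry; Verify enforces that on the very next use.
func (b *Broker) Revoke(id string) { b.revoked[id] = true }

// Verify is what the protected resource calls on every request. A grant is honoured only if the
// signature holds, the clock is inside its window, it has not been revoked, and it names exactly
// the scope this request needs. Any failure is a deny; there is no fallback to standing rights.
func (b *Broker) Verify(token, requiredScope string) (*Grant, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed grant")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("malformed grant")
	}
	if !hmac.Equal([]byte(parts[1]), []byte(b.sign(payload))) {
		return nil, errors.New("grant signature does not verify")
	}
	var g Grant
	if err := json.Unmarshal(payload, &g); err != nil {
		return nil, errors.New("malformed grant")
	}
	if now := b.Now(); now.Before(g.NotBefore) || !now.Before(g.Expires) {
		return nil, fmt.Errorf("grant %s for %s is outside its window (expires %s)", g.ID, g.Subject, g.Expires.Format(time.RFC3339))
	}
	if b.revoked[g.ID] {
		return nil, fmt.Errorf("grant %s was revoked", g.ID)
	}
	if g.Scope != requiredScope {
		return nil, fmt.Errorf("grant %s covers %q, but this request needs %q", g.ID, g.Scope, requiredScope)
	}
	return &g, nil
}
```

The design choice that matters is the order of failure: every check is a hard deny, and the resource never falls back to whatever standing entitlement the subject might also hold. The ticket field is what turns an audit question ("why did alice have production access at 12:04?") into a lookup rather than an investigation.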
Data, too, must be treated as a first-class citizen in Zero Trust. Ultimately, attackers pursue data—intellectual property, customer records, financial information. Protecting it requires more than encryption. Classification must drive access controls, ensuring sensitive information is governed by stricter rules than ordinary files. Attribute-based access controls, informed by classification, can adapt policies in real time, denying downloads to unmanaged devices or blocking risky transfers outside the organization. Choke points where data crosses boundaries—between tenants, regions, or platforms—must be inspected and logged. By focusing on the real target, Zero Trust becomes more than just a set of identity rules; it becomes a data shield. Attackers may find ways to compromise accounts or devices, but when the data itself is guarded by policies that adapt and enforce consistently, their path to actual theft narrows dramatically. That is how theater gives way to engineering—by protecting the crown jewels directly, not just the doorway into the castle.
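As an added example that is not drawn from the episode, the following Go code shows classification-driven, attribute-based access control written as a first-match policy with deny as the default, together with the audit record a boundary choke point would write. The classification levels, rule names, actions and device-posture attributes are constructed for the illustration; in a real system the posture attributes would be fed by an attested device-management signal and the boundary attribute by the data-access gateway.

```go
package main

import "fmt"

// Classification is the label the data owner assigns; it, not the file's location, drives policy.
type Classification int

const (
	Public Classification = iota
	Internal
	Confidential
	Restricted
)

// Request carries the attributes the policy reasons over. Device attributes are assumed to come from
// an attested posture service and the boundary attribute from the data-access choke point.
type Request struct {
	Subject       string
	Action        string // "read", "download", or "share-external"
	Resource      string
	Class         Classification
	ManagedDevice bool // enrolled in device management
	DeviceHealthy bool // recent posture check passed, not merely "enrolled once upon a time"
	CrossesTenant bool // the data would leave this tenant, region, or platform
}

type Decision struct {
	Allow bool
	Rule  string // which rule decided, so every outcome is explainable in the audit log
}

type Rule struct {
	Name  string
	Match func(Request) bool
	Allow bool
}

// Policy is ordered: the first matching rule decides, and a request matching nothing is denied. The
// denies that guard sensitive data on weak posture sit ahead of the allows, so no allow can override them.
func Policy() []Rule {
	sensitive := func(r Request) bool { return r.Class >= Confidential }
	return []Rule{
		{"unhealthy-device", func(r Request) bool { return r.ManagedDevice && !r.DeviceHealthy }, false},
		{"restricted-stays-in-tenant", func(r Request) bool { return r.Class == Restricted && r.CrossesTenant }, false},
		{"sensitive-no-external-share", func(r Request) bool { return sensitive(r) && r.Action == "share-external" }, false},
		{"sensitive-download-needs-managed-device", func(r Request) bool {
			return sensitive(r) && r.Action == "download" && !(r.ManagedDevice && r.DeviceHealthy)
		}, false},
		{"public-data", func(r Request) bool { return r.Class == Public }, true},
		{"authenticated-user", func(r Request) bool { return r.Action == "read" || r.Action == "download" }, true},
	}
}

// Evaluate applies the ordered rules to one request. Deny-by-default is the last line.
func Evaluate(rules []Rule, r Request) Decision {
	for _, rule := range rules {
		if rule.Match(r) {
			return Decision{rule.Allow, rule.Name}
		}
	}
	return Decision{false, "default-deny"}
}

// AuditLine is what the choke point records for every decision, allowed or not: inspection and
// logging happen where data moves, not only at login.
func AuditLine(r Request, d Decision) string {
	verdict := "DENY"
	if d.Allow {
		verdict = "ALLOW"
	}
	return fmt.Sprintf("%s %s %s %s class=%d managed=%t healthy=%t cross_tenant=%t rule=%s",
		verdict, r.Subject, r.Action, r.Resource, r.Class, r.ManagedDevice, r.DeviceHealthy, r.CrossesTenant, d.Rule)
}
```

Two properties of this shape are what make the data shield real rather than decorative: the rule that decided is part of every outcome, so a green dashboard can be checked against concrete reasons, and an unmanaged device is never told "no" outright for reading but is refused the moment it tries to take confidential data with it.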
Zero Trust theater is persuasive because it feels safe. The MFA prompts, the glossy dashboards, the vendor partnerships—they all give the impression of progress. Yet illusions do not stop adversaries, and optics do not prevent breaches. What holds an organization together under pressure is not what can be shown to auditors or executives in a slide deck, but what resists attackers when they lean on it. Real Zero Trust is built on steel: identity enforced at every hop, privileges minimized to the bare minimum, networks segmented into compartments, and data governed by adaptive controls. It is verified through drills and tests, not assumed because the lights are green. When organizations commit to these principles, they trade stage props for real architecture, transforming hollow facades into structures that withstand force. Theatrics may buy confidence, but only engineering buys resilience.
The legacy of Zero Trust will be defined not by who performed the best show but by who built the strongest walls. The organizations that succeed will be those that stopped performing for the audience and started engineering for the adversary. They will remember that a gleaming gate means nothing if the walls behind it are cardboard. Building the wall first, then the gate, ensures that even when attackers slip past the opening act, they face real barriers at every step. The story of Zero Trust is not about optics, but about survival—and survival demands steel, not scenery.