A zero-trust segmentation advisor: it takes a network inventory (a live Nmap scan or replayed YAML), classifies every host by role and sensitivity, and produces a least-privilege segmentation plan — security zones, an inter-zone firewall ruleset where every rule cites the NIST SP 800-207 / PCI DSS principle it implements, and a before/after attack-path simulation that shows how much lateral movement the plan removes.
Scanning a network is table stakes — Nmap already does that. The point here is the advisory engine on top: explainable, framework-grounded recommendations plus enforceable config (iptables / pfSense), not prose advice.
```text
ws-01 compromised (phished workstation)
before (flat): owns 11 of 13 other hosts — including both databases and the domain controller
after (segmented): owns 3 (its own VLAN) — 0 critical assets reachable on a pivot port
```
Discovery (Nmap) is the only module that touches the network. Everything downstream — classifier, recommender, attack-path simulator, reporter — runs against a YAML inventory, so the entire advisory engine works offline against a mock network. That is also how it is tested: 30 tests, CI on Python 3.11 and 3.12.
| Output | Principle |
|---|---|
| Default-deny inter-zone baseline | NIST SP 800-207 §3.1.2; PCI DSS v4.0 Req 1.2/1.3 |
| Per-rule justifications | NIST SP 800-207 §2.1 Tenet 3 (least-privilege, per-session access) |
| Quarantine zone for unknown assets | NIST SP 800-207 §2.1 Tenet 4 (no implicit trust from location) |
| Data-tier isolation from user VLAN | PCI DSS v4.0 scoping / segmentation guidance |
| Cleartext-protocol flags | PCI DSS v4.0 Req 2.2.5 (insecure services) |
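
The offline classify → recommend → simulate pipeline described above, together with the principle-to-rule mapping in the table, as an added Python sketch that is not the project's own code: the inventory, host names, zone names and port heuristics are constructed assumptions. It classifies hosts into zones, emits a default-deny inter-zone ruleset where every rule carries its justification, and compares pivot reachability from a compromised workstation before and after segmentation.

```python
# Added illustration (not the project's own code): a minimal classify -> recommend
# -> simulate pipeline. Inventory, zone names and port heuristics are constructed.
INVENTORY = {  # host -> open TCP ports, as a replayed YAML scan might be loaded
    "ws-01": [445, 3389], "ws-02": [445, 3389], "ws-03": [445],
    "dc-01": [53, 88, 389, 445], "db-01": [3306], "db-02": [5432],
    "web-01": [80, 443], "printer-01": [9100], "iot-cam-01": [23, 554],
}
PIVOT_PORTS = {22, 23, 445, 3389, 5985}  # remote-access ports usable to pivot

def classify(ports):
    """Port fingerprint -> (zone, critical). Anything unrecognised lands in
    quarantine (NIST SP 800-207 Tenet 4: no implicit trust from location)."""
    p = set(ports)
    if p & {88, 389}:          return "identity", True
    if p & {1433, 3306, 5432}: return "data", True
    if p & {80, 443}:          return "dmz", False
    if p & {445, 3389}:        return "user", False
    return "quarantine", False

def recommend(zones):
    """Explicit allows (only between zones actually present) + default-deny baseline,
    every rule carrying the principle it implements: (src, dst, ports, why)."""
    t3 = "NIST SP 800-207 Tenet 3: least-privilege, per-session access"
    candidates = [("user", "identity", {53, 88, 389}, t3), ("user", "dmz", {443}, t3),
                  ("dmz", "data", {3306, 5432}, "PCI DSS v4.0 segmentation: data tier isolated from user VLAN")]
    allows = [r for r in candidates if r[0] in zones and r[1] in zones]
    return allows + [("*", "*", set(), "NIST SP 800-207 3.1.2; PCI DSS v4.0 Req 1.2/1.3: default-deny inter-zone")]

def allowed(rules, src, dst, port):
    """First-match evaluation; same-zone traffic is not inter-zone and passes."""
    if src == dst: return True
    for s, d, ports, _ in rules:
        if s in (src, "*") and d in (dst, "*"): return port in ports
    return False

def reachable(inv, zone_of, rules, compromised, segmented):
    """Hosts an attacker on `compromised` can pivot to: any host exposing a pivot
    port on a flat network, or only those the ruleset still permits once segmented."""
    return {h for h, ports in inv.items() if h != compromised and any(
        not segmented or allowed(rules, zone_of[compromised], zone_of[h], p)
        for p in set(ports) & PIVOT_PORTS)}

def simulate(inv=INVENTORY, compromised="ws-01"):
    """Before/after attack-path comparison plus the plan that produced it."""
    classified = {h: classify(p) for h, p in inv.items()}
    zone_of = {h: z for h, (z, _) in classified.items()}
    rules = recommend(set(zone_of.values()))
    before = reachable(inv, zone_of, rules, compromised, segmented=False)
    after = reachable(inv, zone_of, rules, compromised, segmented=True)
    return {"zones": zone_of, "rules": rules, "before": before, "after": after,
            "critical_after": {h for h in after if classified[h][1]}}
```

On this constructed inventory the flat network lets ws-01 pivot to four hosts including the domain controller; under the generated ruleset only its two VLAN neighbours remain and no critical asset is reachable.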
MIT licensed. Built by MetaMaaz.