
Zero Trust Network Access (ZTNA) has lit up the cyber security market in 2025. As the name suggests, it is a security model that grants access to applications only after verifying user identity, device health and context, and never by default. The question is, can it stop a determined hacker?
Attackers don’t always need exploits, but they do always need access. Identity attacks are now one of the most common ways into cloud environments such as Microsoft 365. Entra ID, Okta and other Identity and Access Management (IAM) products stand in the way, but well-known techniques exist for getting past them.
In developing what we believe is the first public test of a ZTNA solution, we decided to assess its capabilities against three primary attack scenarios: Stolen Credentials, Multi-Factor Authentication (MFA) Bypass, and Session Hijacking. Our methodology, published earlier this year, allows us to evaluate thoroughly how well a product defends against the different types of sophisticated identity attack prevalent in today’s threat landscape.
Testing Against Stolen Credentials
Our stolen credentials scenarios use compromised privileged and non-privileged accounts to access Microsoft 365 from unfamiliar geographic locations and devices outside normal working hours, and then attempt privilege escalation and changes to permissions and security policies.
This shows how well the product folds contextual information into its access decisions. For example, how does it respond when the same account signs in from London and from Indonesia within minutes of each other, a journey no traveller could make?
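The "London and Indonesia at the same time" check is usually called impossible travel. The following is an added example (not SE Labs' test harness and not code from any ZTNA vendor) of how a detector can evaluate it: it sorts an account's successful sign-ins by time, computes the great-circle distance between consecutive ones and flags any pair whose implied ground speed exceeds a plausibility threshold. The events, coordinates and the 1000 km/h threshold are constructed for illustration.

```python
"""Impossible-travel check over sign-in events (added illustration, not vendor code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: roughly airliner cruise speed. Anything faster between two
# successful sign-ins cannot be the same person physically moving.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass(frozen=True)
class SignIn:
    user: str
    timestamp: datetime
    city: str          # label only, used for reporting
    lat: float
    lon: float
    success: bool


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH):
    """Return (earlier, later, speed_kmh) for each consecutive pair of successful
    sign-ins by the same user that implies travel faster than max_speed_kmh.

    Failed sign-ins are ignored: a bad password from far away is noise, but a
    *successful* one is the signal a contextual access decision should act on.
    """
    flagged = []
    last_success = {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        if not ev.success:
            continue
        prev = last_success.get(ev.user)
        last_success[ev.user] = ev
        if prev is None:
            continue
        dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
        hours = (ev.timestamp - prev.timestamp).total_seconds() / 3600.0
        if hours <= 0:
            # Same second, different place: treat as infinitely fast.
            speed = float("inf") if dist > 0 else 0.0
        else:
            speed = dist / hours
        if speed > max_speed_kmh:
            flagged.append((prev, ev, speed))
    return flagged


# Constructed sample: one benign London -> Manchester pair and one London -> Jakarta
# pair five minutes apart. Coordinates are approximate city centres.
T = lambda h, m: datetime(2025, 6, 1, h, m, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    SignIn("alice", T(9, 0),  "London",     51.5074,  -0.1278, True),
    SignIn("alice", T(9, 5),  "Jakarta",    -6.2088, 106.8456, True),
    SignIn("bob",   T(9, 0),  "London",     51.5074,  -0.1278, True),
    SignIn("bob",   T(12, 0), "Manchester", 53.4808,  -2.2426, True),
    SignIn("bob",   T(9, 30), "Jakarta",    -6.2088, 106.8456, False),  # failed, ignored
]


def run_sample():
    return impossible_travel(SAMPLE_EVENTS)


if __name__ == "__main__":
    for earlier, later, speed in run_sample():
        print(f"{later.user}: {earlier.city} -> {later.city} implies {speed:,.0f} km/h")
```

A real deployment would take the coordinates from an IP geolocation feed rather than the event itself, and would want exemptions for known VPN egress points and cloud ranges, which are the usual source of false positives for this rule.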
The Infallible MFA?
Multi-Factor Authentication (MFA) is often seen as a security silver bullet. It isn’t. Attackers know how to work around it, whether by overwhelming users with push requests until one is approved (MFA fatigue, also called push bombing), by automating credential stuffing at scale, or by exploiting gaps in a service’s configuration. MFA flooding is a known favourite of Scattered Spider, the group believed to be behind the recent Marks and Spencer breach.
We use all of these techniques in our testing scenarios to see whether we can bypass or breach the MFA and establish unauthorised privileged access within the system.
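MFA fatigue leaves a distinctive trace: a burst of push prompts to one user, most of them unanswered or denied, followed by a single approval. The following is an added example of a detector for that pattern (not SE Labs' methodology code and not a vendor's product logic): it keeps a sliding window of push prompts per user and raises an alert when the count within the window reaches a threshold, recording whether an approval arrived during the flood. The threshold, window and log events are constructed assumptions.

```python
"""Sliding-window MFA push-flood detector (added illustration, not vendor code)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed tuning: five or more push prompts to one user inside ten minutes is a flood.
FLOOD_THRESHOLD = 5
FLOOD_WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class MfaPush:
    user: str
    timestamp: datetime
    source_ip: str     # where the sign-in that triggered the push came from
    result: str        # "approved", "denied" or "timeout"


def detect_push_flood(events, threshold: int = FLOOD_THRESHOLD, window: timedelta = FLOOD_WINDOW):
    """Return {user: alert} for every user who received >= threshold pushes within window.

    alert["count"] is the peak number of prompts seen in one window,
    alert["approved_during_flood"] is True if the user eventually tapped Approve
    while the flood was in progress (the outcome the attacker is after), and
    alert["source_ips"] lists the addresses that drove the prompts.
    """
    alerts = {}
    recent = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e.timestamp):
        q = recent[ev.user]
        q.append(ev)
        # Drop prompts that have fallen out of the window.
        while q and ev.timestamp - q[0].timestamp > window:
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(
                ev.user, {"count": 0, "approved_during_flood": False, "source_ips": set()}
            )
            alert["count"] = max(alert["count"], len(q))
            alert["source_ips"].update(p.source_ip for p in q)
            if ev.result == "approved":
                alert["approved_during_flood"] = True
    return alerts


# Constructed sample log. alice is bombed at 02:10 with seven prompts in six minutes
# from one address and approves the last one; bob gets two normal prompts an hour apart.
T = lambda h, m: datetime(2025, 6, 1, h, m, tzinfo=timezone.utc)
SAMPLE_PUSHES = [
    MfaPush("alice", T(2, 10), "203.0.113.7", "timeout"),
    MfaPush("alice", T(2, 11), "203.0.113.7", "timeout"),
    MfaPush("alice", T(2, 12), "203.0.113.7", "denied"),
    MfaPush("alice", T(2, 13), "203.0.113.7", "timeout"),
    MfaPush("alice", T(2, 14), "203.0.113.7", "timeout"),
    MfaPush("alice", T(2, 15), "203.0.113.7", "timeout"),
    MfaPush("alice", T(2, 16), "203.0.113.7", "approved"),
    MfaPush("bob",   T(8, 55), "198.51.100.4", "approved"),
    MfaPush("bob",   T(9, 55), "198.51.100.4", "approved"),
]


def run_sample():
    return detect_push_flood(SAMPLE_PUSHES)


if __name__ == "__main__":
    for user, alert in run_sample().items():
        print(f"{user}: {alert['count']} prompts in window, "
              f"approved during flood: {alert['approved_during_flood']}, "
              f"sources: {sorted(alert['source_ips'])}")
```

The point of recording the approval separately is response priority: a flood with no approval is an attempted attack against a user who held firm, while a flood that ends in an approval means the session that followed should be revoked and the credentials rotated. Number matching and limiting the number of outstanding pushes per user remove most of this attack surface at the source.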
Red-teaming Session Hijacking with a Twist
Our methodology also includes advanced session hijacking scenarios. These extract authentication tokens and cookies to establish compromised sessions, then use that access to create privileged accounts, modify security policies for persistent access, and alter email forwarding rules to intercept confidential communications.
The session hijacking closely aligns with what we and others have done before, and is a variation of real red-teaming techniques. But as always, the bad guys are advancing, so you can be sure we will add further angles of attack to our test as they become apparent.
First Ever ZTNA Test, Review and Analysis
In the first independent assessment of this kind of service, SE Labs tested the product in its customary ‘test like hackers’ way, using 30 different attack scenarios: 12 used stolen credentials, 8 attempted to bypass Multi-Factor Authentication (MFA) and 10 were session hijacks. Cisco Universal ZTNA achieved 100% detection and 100% protection. Every attack was identified and blocked. No successful compromises were achieved.
Download the factsheet for the Advanced Security Test Report on Cisco Universal ZTNA, or access the full report from Cisco.