seikaikyo/implementing-microsegmentation-with-guardicore
external/anthropic-cybersecurity-skills/skills/implementing-microsegmentation-with-guardicore/SKILL.md
Implementing microsegmentation using Akamai Guardicore Segmentation to map application dependencies, create granular network policies, visualize east-west traffic flows, and enforce least-privilege communication between workloads across data centers and cloud.
$ install --global
skillsauthnpx skillsauth add seikaikyo/dash-skills implementing-microsegmentation-with-guardicoreInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 8, 2026, 5:06 AM129.9s3 files scanned
SKILL.md
- name:
- implementing-microsegmentation-with-guardicore
- description:
- Implementing microsegmentation using Akamai Guardicore Segmentation
- domain:
- cybersecurity
- subdomain:
- zero-trust-architecture
- version:
- 1.0
- author:
- mahipal
- license:
- Apache-2.0
Implementing Microsegmentation with Guardicore
When to Use
- When implementing east-west traffic controls to prevent lateral movement within data centers
- When needing application-level visibility into network communication patterns before writing segmentation policies
- When segmenting workloads across heterogeneous environments (VMs, containers, bare metal, cloud)
- When compliance frameworks (PCI DSS, HIPAA) require network segmentation validation
- When deploying zero trust at the network layer with process-level granularity
Do not use for perimeter-only security (use traditional firewalls), for environments with fewer than 50 workloads where VLANs/security groups suffice, or when network team lacks capacity for ongoing policy management.
Prerequisites
- Akamai Guardicore Segmentation license (Enterprise or Premium)
- Guardicore Management Server deployed (on-prem or SaaS)
- Agent deployment access to target workloads (Linux, Windows, Kubernetes)
- Network visibility: SPAN/TAP ports or VPC flow logs for agentless collection
- Application owner engagement for dependency validation
Workflow
Step 1: Deploy Guardicore Agents on Workloads
Install agents to collect process-level network communication data.
# Linux agent installation
curl -sSL https://management.guardicore.com/api/v3.0/agents/download/linux \
-H "Authorization: Bearer ${GC_API_TOKEN}" \
-o gc-agent-installer.sh
chmod +x gc-agent-installer.sh
sudo ./gc-agent-installer.sh \
--management-url=https://management.guardicore.com \
--site-id=datacenter-east \
--label="web-tier"
# Windows agent installation (PowerShell)
# Invoke-WebRequest -Uri "https://management.guardicore.com/api/v3.0/agents/download/windows" `
# -Headers @{"Authorization"="Bearer $GC_API_TOKEN"} `
# -OutFile gc-agent-installer.exe
# Start-Process -FilePath .\gc-agent-installer.exe `
# -ArgumentList "--management-url=https://management.guardicore.com","--site-id=datacenter-east" `
# -Wait
# Kubernetes DaemonSet deployment
cat > gc-daemonset.yaml << 'EOF'
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: guardicore-agent
namespace: guardicore
spec:
selector:
matchLabels:
app: gc-agent
template:
metadata:
labels:
app: gc-agent
spec:
hostNetwork: true
hostPID: true
containers:
- name: gc-agent
image: guardicore/agent:latest
securityContext:
privileged: true
env:
- name: GC_MANAGEMENT_URL
value: "https://management.guardicore.com"
- name: GC_API_KEY
valueFrom:
secretKeyRef:
name: gc-credentials
key: api-key
volumeMounts:
- mountPath: /host
name: host-root
volumes:
- name: host-root
hostPath:
path: /
EOF
kubectl apply -f gc-daemonset.yaml
# Verify agent enrollment
curl -s "https://management.guardicore.com/api/v3.0/agents?status=active" \
-H "Authorization: Bearer ${GC_API_TOKEN}" | python3 -m json.tool
Step 2: Map Application Dependencies with Reveal
Use Guardicore Reveal to discover and visualize application communication patterns.
# Query discovered application flows via API
curl -s "https://management.guardicore.com/api/v3.0/connections" \
-H "Authorization: Bearer ${GC_API_TOKEN}" \
-d '{
"time_range": {"from": "2026-02-17T00:00:00Z", "to": "2026-02-24T00:00:00Z"},
"filter": {
"source_label": "web-tier",
"destination_label": "app-tier"
},
"aggregation": "process",
"limit": 1000
}' | python3 -m json.tool
# Export application dependency map
curl -s "https://management.guardicore.com/api/v3.0/maps/export" \
-H "Authorization: Bearer ${GC_API_TOKEN}" \
-d '{
"format": "json",
"labels": ["web-tier", "app-tier", "db-tier"],
"time_range": "7d"
}' -o app-dependency-map.json
# Typical discovery findings:
# web-tier -> app-tier: TCP 8080, 8443 (expected)
# app-tier -> db-tier: TCP 5432, 3306 (expected)
# web-tier -> db-tier: TCP 5432 (UNEXPECTED - should be blocked)
# app-tier -> internet: TCP 443 (verify if needed)
Step 3: Create Segmentation Labels and Policies
Define labels and create ring-fence policies around applications.
# Create labels for application tiers
curl -X POST "https://management.guardicore.com/api/v3.0/labels" \
-H "Authorization: Bearer ${GC_API_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"name": "PCI-CDE",
"description": "Cardholder Data Environment workloads",
"criteria": {"ip_ranges": ["10.10.0.0/16"]},
"color": "#FF0000"
}'
# Create segmentation policy: Allow web-to-app communication
curl -X POST "https://management.guardicore.com/api/v3.0/policies" \
-H "Authorization: Bearer ${GC_API_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"name": "Web-to-App Allowed",
"action": "ALLOW",
"priority": 100,
"source": {"labels": ["web-tier"]},
"destination": {"labels": ["app-tier"]},
"services": [
{"protocol": "TCP", "port": 8080},
{"protocol": "TCP", "port": 8443}
],
"log": true,
"enabled": true,
"section": "application-segmentation"
}'
# Create deny policy: Block web-to-database direct access
curl -X POST "https://management.guardicore.com/api/v3.0/policies" \
-H "Authorization: Bearer ${GC_API_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"name": "Block Web-to-DB Direct",
"action": "DENY",
"priority": 200,
"source": {"labels": ["web-tier"]},
"destination": {"labels": ["db-tier"]},
"services": [{"protocol": "TCP", "port_range": "1-65535"}],
"log": true,
"alert": true,
"enabled": true
}'
# Create ring-fence policy for PCI CDE
curl -X POST "https://management.guardicore.com/api/v3.0/policies" \
-H "Authorization: Bearer ${GC_API_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"name": "PCI CDE Ring Fence",
"action": "DENY",
"priority": 50,
"source": {"labels": ["!PCI-CDE"]},
"destination": {"labels": ["PCI-CDE"]},
"services": [{"protocol": "TCP", "port_range": "1-65535"}],
"log": true,
"alert": true,
"enabled": true
}'
Step 4: Test Policies in Reveal Mode Before Enforcement
Simulate policy enforcement without blocking traffic.
# Enable reveal mode (log-only) for new policies
curl -X PATCH "https://management.guardicore.com/api/v3.0/policies/POLICY_ID" \
-H "Authorization: Bearer ${GC_API_TOKEN}" \
-d '{"enforcement_mode": "REVEAL"}'
# Check what would be blocked in reveal mode
curl -s "https://management.guardicore.com/api/v3.0/violations" \
-H "Authorization: Bearer ${GC_API_TOKEN}" \
-d '{
"time_range": "24h",
"policy_id": "POLICY_ID",
"limit": 100
}' | python3 -c "
import json, sys
data = json.load(sys.stdin)
for v in data.get('violations', []):
print(f\"{v['source_ip']}:{v['source_process']} -> {v['dest_ip']}:{v['dest_port']} [{v['action']}]\")
"
# After validation, switch to enforcement
curl -X PATCH "https://management.guardicore.com/api/v3.0/policies/POLICY_ID" \
-H "Authorization: Bearer ${GC_API_TOKEN}" \
-d '{"enforcement_mode": "ENFORCE"}'
Step 5: Monitor and Respond to Policy Violations
Set up alerting and continuous monitoring for segmentation violations.
# Configure SIEM integration for policy violations
curl -X POST "https://management.guardicore.com/api/v3.0/integrations/syslog" \
-H "Authorization: Bearer ${GC_API_TOKEN}" \
-d '{
"name": "Splunk SIEM",
"host": "splunk-syslog.company.com",
"port": 514,
"protocol": "TCP",
"format": "CEF",
"events": ["policy_violation", "agent_status", "deception_alert"]
}'
# Splunk query for microsegmentation violations
# index=guardicore sourcetype=guardicore:policy
# | where action="DENY" AND enforcement_mode="ENFORCE"
# | stats count by src_ip, dst_ip, dst_port, policy_name
# | sort -count
Key Concepts
| Term | Definition | |------|------------| | Microsegmentation | Network security technique creating granular security zones around individual workloads or applications to control east-west traffic | | Reveal Mode | Guardicore's simulation mode that logs policy decisions without enforcing them, allowing validation before blocking | | Ring-Fence Policy | Isolation policy that restricts all traffic into or out of a defined group of assets (e.g., PCI CDE) | | Application Dependency Map | Visual representation of discovered network communication patterns between workloads showing processes, ports, and protocols | | East-West Traffic | Network traffic flowing laterally between workloads within a data center, as opposed to north-south traffic crossing the perimeter | | Process-Level Visibility | Guardicore's ability to identify which process on a workload initiated or received a network connection |
Tools & Systems
- Akamai Guardicore Segmentation: Agent-based microsegmentation platform with application visualization and policy enforcement
- Guardicore Reveal: Network visualization engine mapping application dependencies across hybrid environments
- Guardicore Centra: Management console for policy creation, monitoring, and incident investigation
- Guardicore Agents: Lightweight agents deployed on workloads collecting process-level network telemetry
- Guardicore Insight: Analytics engine for compliance reporting and segmentation effectiveness measurement
Common Scenarios
Scenario: PCI DSS Microsegmentation for E-Commerce Platform
Context: An e-commerce company must isolate its Cardholder Data Environment (CDE) from the rest of the corporate network for PCI DSS compliance. The CDE spans 200 servers across on-prem and AWS.
Approach:
- Deploy Guardicore agents on all 200 CDE servers and 300 non-CDE servers
- Run Reveal for 2 weeks to map all communication patterns into and out of the CDE
- Identify and remediate unexpected flows (e.g., dev servers connecting to production CDE)
- Create ring-fence policy blocking all non-CDE to CDE traffic by default
- Create explicit allow policies for validated CDE communication paths
- Test in Reveal mode for 1 week, validate no legitimate traffic blocked
- Switch to enforcement mode and monitor for violations
- Generate PCI DSS segmentation validation report showing enforced controls
Pitfalls: Agent deployment on legacy systems (Windows Server 2012) may require manual installation. Ring-fence policies must account for management traffic (monitoring, patching, backup). Start with broad allow rules and progressively tighten. Application owners must validate dependency maps before enforcement.
Output Format
Microsegmentation Deployment Report
==================================================
Organization: E-Commerce Corp
Report Date: 2026-02-23
AGENT DEPLOYMENT:
Total workloads: 500
Agents installed: 487 (97.4%)
Agents active: 482 (98.9%)
Agentless (flow logs): 13
POLICY COVERAGE:
Total policies: 45
Allow rules: 38
Deny rules: 7
Reveal mode: 3
Enforced: 42
TRAFFIC ANALYSIS (7 days):
Total flows observed: 2,456,789
Flows matching allow: 2,441,234 (99.4%)
Flows matching deny: 15,555 (0.6%)
Unclassified flows: 0
PCI CDE ISOLATION:
CDE workloads: 200
Ring-fence violations: 0 (last 30 days)
Authorized CDE entry points: 4
Lateral movement paths blocked: 95%
Related Skills
seikaikyo/performing-soc2-type2-audit-preparation
development
VerifiedTrustedCommunity
Automates SOC 2 Type II audit preparation including gap assessment against AICPA Trust Services Criteria (CC1-CC9), evidence collection from cloud providers and identity systems, control testing validation, remediation tracking, and continuous compliance monitoring. Covers all five TSC categories (Security, Availability, Processing Integrity, Confidentiality, Privacy) with automated evidence gathering from AWS, Azure, GCP, Okta, GitHub, and Jira. Use when preparing for or maintaining SOC 2 Type II certification.
1SKILL.mdUpdated Jun 13, 2026
seikaikyo/performing-soc-tabletop-exercise
testing
VerifiedTrustedCommunity
Performs tabletop exercises for SOC teams simulating security incidents through discussion-based scenarios to test incident response procedures, communication workflows, and decision-making under pressure without impacting production systems. Use when organizations need to validate IR playbooks, train analysts, or meet compliance requirements for incident response testing.
1SKILL.mdUpdated Jun 13, 2026
seikaikyo/performing-soap-web-service-security-testing
development
VerifiedTrustedCommunity
Perform security testing of SOAP web services by analyzing WSDL definitions and testing for XML injection, XXE, WS-Security bypass, and SOAPAction spoofing.
1SKILL.mdUpdated Jun 13, 2026
seikaikyo/performing-service-account-credential-rotation
devops
VerifiedTrustedCommunity
Automate credential rotation for service accounts across Active Directory, cloud platforms, and application databases to eliminate stale secrets and reduce compromise risk.
1SKILL.mdUpdated Jun 13, 2026