The recent OpenClaw vulnerabilities sent ripples through the cybersecurity community. Research from the SecurityScorecard STRIKE Threat Intelligence Team revealed that over 20,000 control panels were exposed to the public internet. These panels represent a massive attack surface for credential stuffing, exploit kits, and remote code execution.

However, this headline was a non-event for NetFoundry customers who yawned while the rest of the world scrambled to apply patches. It was also a breeze for OpenZiti user’s – NetFoundry’s open source software

How can NetFoundry customers and OpenZiti users be insulated from any OpenClaw CVE – as well as from CVEs from other AI agents?

1. No Listening Ports, No Exposure

Exploiting the “OpenClaw” vulnerability starts with discovery – same as many cyber-attacks. Attackers used scanning tools like Shodan and Censys to find IP addresses with open ports (typically 80, 443, or 8080) associated with known control panel software. Unfortunately for the attackers, NetFoundry customers do not have any exposed ports.

In the NetFoundry model, a machine, VM or container running OpenClaw opens an outbound-only connection to a private, dedicated overlay. That overlay is self-hosted or hosted by NetFoundry. Either way, there are no open inbound ports for attackers to scan or for attackers to use to enter to exploit a vulnerability

2. Identity-First™ Networking

The exposed panels in the OpenClaw report relied on the traditional “first connect the user, then try to authenticate and authorize the user” model. That model means that anyone with the URL could reach the OpenClaw login page and exploit any vulnerabilities.

NetFoundry flips this model to “identify, authenticate, authorize…then connect IF you are authorized.” That model means nobody with the URL, other than identified, authenticated, authorized users, can reach OpenClaw.

3. Public Pipes, Private Overlays

Many of the panels flagged in the OpenClaw report were exposed because they were hosted on public clouds or home networks where “private” networking is complex or expensive to implement.

NetFoundry creates an instant, dedicated, virtual overlay network that sits on top of the public internet. It treats the internet as “dumb pipes.” By encrypting traffic from end-to-end and managing routing within the overlay, NetFoundry allows administrators to put their OpenClaw control panels on the “private” overlay. This means the panels are reachable by authorized administrators anywhere in the world, but unreachable from the Internet

4. Mitigation of Zero-Day Vulnerabilities

Even if an OpenClaw control panel has a critical, unpatched vulnerability (a “Zero-Day”), an attacker cannot exploit it. The vulnerability should be patched but the OpenClaw user is not racing against the entire Internet to patch it.

NetFoundry’s default, identity-based microsegmentation ensures that even if an attacker manages to compromise one part of a network, they cannot “lateral move” to find these control panels unless they have been explicitly granted permission to that specific service.

Summary: Closing the Door

OpenZiti doesn’t just lock the door; it removes the door from the public street entirely. OpenClaw is a reminder that software will always have vulnerabilities. By embracing NetFoundry’s zero-trust, open-source based (OpenZiti) model, organizations can ensure that their most sensitive management interfaces remain invisible, unreachable, and secure—no matter what the next vulnerability might be.

Increasingly, AI means we don’t control the software. This makes it critical that we control the network. That’s very difficult with networks which are default open and use the connect before authenticate model. NetFoundry’s default-closed, Identity-First™ model flips the field – security becomes simpler than insecure because it is built-in instead of bolted-on. We get structural security and speed – and are not racing the Internet to patch issues like this OpenClaw vulnerability.

The post Why OpenClaw Didn’t Bite NetFoundry Customers appeared first on NetFoundry.

OpenClaw (FKA Clawdbot before legal pressure) broke the Internet. And it is not a one hit wonder – it signals regime change.  Welcome to Cybersecurity 2.0.

Many leaders stated that OpenClaw AI agents are “security nightmares” (they are). OpenClaw may also be the basis of Jarvis-like assistants.  Same engine, different steering wheels…or different roads – more on that later.

The speed is crazy – over one million of these agents reportedly joined Moltbook (Facebook for AI agents) within days of the launch. Top post? “The humans are screenshotting our chats and sharing them on X”, complained an AI agent.

Cybersecurity nightmare or leapfrog?

That AI agent’s revenge could be: ““”sure, screenshot my chats and I will screenshot your passwords and API keys.”

Far-fetched but an actual security nightmare is already unfolding – many programmers, including the OpenClaw developer, are shipping their AI generated code without reviewing it. Less often for critical software. Today.  We’re just at the start of a shift. 

But the risks may be so high that we rebuild cybersecurity so that the result is stronger security than we had pre-AI. A cybersecurity leapfrog. The threat forces the upgrade. OpenClaw helps us see it.

Inherent and institutional risk, multiplied

AI code will have vulnerabilities. Same as human written code but humans sleep and AIs ship. And ship 24/7, at high speed, with less costs and barriers to entry. Inherently, we will get more code, more CVEs, faster propagation, and a detection problem that can become unmanageable.

And there’s also sabotage – institutional risk. State-sponsored developers can shape LLM models and AI agents to insert subtle vulnerabilities that are “fine today” but become exploitable when things change. Tomorrow. Next year. Or ten years from now.

Those risks are not new to cybersecurity, but the scale, speed and non-deterministic nature of AI is unprecedented. We didn’t just automate coding – we automated surprise. But is the surprise a bug or a feature? That’s up to us.

When software is non-deterministic, security must be structural

If we have skyrocketing risk, and can’t control or even predict the code, then what can we control? The network! While the code is increasingly chaotic, we make the path deterministic. This is the leapfrog – we transform networking from a risk to an asset.

Cybersecurity 2.0 – the race car version

If you can’t trust the driver (the code), you must control the road (the network).

We won’t just control the network. We will reinvent it for structural speed and security. The Cybersecurity 2.0 model is the Formula One car which is designed for both safety and speed. F1 cars don’t have sophisticated brakes so they can park better – it is so they can drive 200 miles per hour.

We need AI speed and we need AI safety. We need structural security and structural speed – like racecars. The new network model provides it.

Security at speed: AI agents in Cyber 2.0, without network access

By way of simplified example:

1. AI agent has no network or Internet access. Never will.
2. AI agent onboarding includes a cryptographically verifiable identity.
3. The identity’s attributes give the agent access to the specific resources it is authorized for – to flip a ‘light switch’ to connect to virtual, session-scoped circuits. There is no other way for the AI agent – or an attacker – to reach the resource, because there is no network path.

No mucking with networks, VPNs or firewalls as things change. Turn the light switch on and off by modifying attributes instead of changing infrastructure. All done as software: no dependencies on IPs, DNS, NAT, VLANs or FW ACLs. 

Structural security enables us to move at AI-speed with built-in guardrails

Although this is where my Formula One analogy falls apart:

1. The road doesn’t exist until after strong identity, authentication and authorization.
2. After that, the AI is given a road to a single door – the specific resource it is authorized to access.
3. The AI has no ability to go off the road (no lateral movement; microsegmented by default) and the road is not available (or even visible) to others.
4. The road dissolves after the authorized session completes.
5. The roads are built as software – spun up in a just-in-time paradigm.

That is just the networking side of Cyber 2.0 – e.g. AI agent harnesses will function as declarative sandboxes and include filtering, context, observability and visibility. Because both the networking and AI harness are done as software, they work together in the Cyber 2.0 model to bring speed and security.

The post You can’t control AI, so you must control the network appeared first on NetFoundry.

I simply didn’t have the money to even think about walking into the phone center. Fortunately, there was a nearby Internet cafe. It was 1996 – the days of dial-up modems – and pre-Skype. So the cafe was mainly there to sell coffee to people surfing the web. But it was still possible to make VoIP phone calls. That was a lightbulb moment for me. The Internet was going to change everything. It wasn’t just going to connect us with information – it was going to connect us to the people we love. From anywhere, even Jakarta. What else could inexpensive, global connectivity do? Or, what couldn’t it do?

In fact, only a couple of years later, I was in a meeting with Cisco. The same Cisco who helped power those VoIP calls and was now the leading provider of Internet infrastructure. The meeting was led by John Chambers – building 10 – the EBC. I was an engineer at ITXC and we were building the world’s largest wholesale VoIP network, partially on Cisco routers and gateways. To say Chambers and his team were super smart and very gracious with their time would be an understatement, and the experience was almost surreal with Jakarta flashbacks interspersed with the ideas flying around the room.

Time went on. Cisco helped connect the world. ITXC had me hooked on an Internet-based future, and the software we built still powers some of the world’s largest communications providers. Even after ITXC, Cisco played an important role in many of the teams, products and companies I built.

And now we have an opportunity to do even more together. I am thrilled to share the news that Cisco Ventures is now a strategic investor in NetFoundry.

We couldn’t ask for a better partner than Cisco in helping us reinvent networking to meet the needs of the modern world. We have traveled a long way in a short time – from barely audible VoIP calls to a digitally transformed world largely built on Cisco infrastructure. But the next steps are even greater. We are at the point at which networking is becoming the very foundation of the hyperconnected, AI powered world.

There is no glide path. TCP/IP networking is magic but the magic wasn’t designed for the world which didn’t exist at that time. Networking is not as secure-by-design, agile or extensible as it needs to be to serve as the world’s foundation. However, with strong partners like Cisco and SYN Ventures, NetFoundry is enabling innovators to forge the foundation of this increasingly hyperconnected, AI powered world.  

NetFoundry already securely connects over one billion sessions per month, but we are just getting started and this new world is just now emerging. People use NetFoundry’s Identity-First Virtual Networks^TM to forge secure-by-design, virtualized network overlays, as software. These overlays ride on top of the magic of TCP/IP networks, adding the elements needed by the emerging world. For example, Identity-First Virtual Networks^TM enable:

• Businesses to forge networks to deliver any workload. These secure-by-design overlays are defined by identities rather than by infrastructure. The virtualized controllers and routers are hosted by NetFoundry, or self-hosted by the business.
• Developers to forge networks into their software. Envision a fleet of robots or set of APIs which communicate only within their overlays, without depending on IP addresses, firewalls, NAT or DNS. Similarly, developers are forging networks into AI agents, MCP servers, AI gateways, browsers, edge servers and reverse proxies.

In both cases, the result is secure-by-design, fully virtualized overlays, spun up or down in minutes, with all access, connections and networking based on identities, posture and events. Implementing different models – from JIT access to continually authenticated access based on multiple factors and posture combinations – becomes a software solution rather than an infrastructure dependent struggle.

What will you do with networking reimagined as identity-first overlays, in a software-only, secure-by-design model? Building applications on top of the Internet – and moving applications like phone calls to the Internet – was the driver of digital transformation. Building applications, networks and security – as a set of cohesive software, held together by identities – will be the driver of the hyperconnected, AI-powered world.

The post Cisco Investments joins NetFoundry’s Series A appeared first on NetFoundry.

The European Union’s Cyber Resilience Act (CRA) marks a paradigm shift in cybersecurity regulation, moving accountability for product security directly onto the manufacturers. For providers selling connected B2B products and services into the EU’s financial sector—a domain built on trust and resilience—the CRA is not merely a compliance hurdle; it is a fundamental test of their architecture and operational integrity. The mandate for products to be “secure by default,” manage vulnerabilities proactively, and ensure the integrity of their software supply chain requires a move beyond traditional, perimeter-based security models.

However, the EU CRA is also a revenue opportunity for the financial services technology providers which implement it the best. It makes their products more attractive in the market and decreases the risk of business continuity impacting breaches. Notably it means their customers have much less work to do to comply with DORA – enabling a competitive advantage for the financial service provider. The Digital Operational Resilience Act (DORA) governs the operational resilience of the financial institution and places operational obligations on the institution. Financial services providers who implement the EU CRA make it simpler for their customers to comply with DORA.

This guide provides a detailed analysis of the CRA’s essential requirements, tailored specifically to financial technology providers such as core banking vendors, payment processors, market data suppliers, and other B2B fintechs. For each key requirement derived from the CRA’s text, we present a three-tiered maturity model for compliance: Compliant (meeting the minimum legal standard), Strongly Compliant (adopting current best practices), and Strongest Compliance (implementing state-of-the-art, Zero Trust principles).

The central thesis is that achieving and maintaining CRA compliance necessitates a strategic shift from network-based controls (like VPNs and IP whitelisting) to an identity-led, cryptographically verified, and least-privilege approach to security. This whitepaper serves as a strategic guide for technology leaders to assess their current posture, identify gaps, and build a roadmap toward the strongest level of cyber resilience.

1. Introduction: The New Baseline for Trust in Financial Technology

The EU Cyber Resilience Act fundamentally redefines the obligations of any entity placing a “product with digital elements” on the EU market. For the financial services industry, where a single vulnerability can have systemic consequences, this regulation crystallizes a long-overdue market expectation: the technology that powers finance must be secure by design.

The CRA’s scope is broad, covering software, hardware, and their components. This means core banking platforms, payment terminals, market data feeds, risk management software, and even the APIs offered by fintechs are all subject to these new rules. This guide breaks down the CRA’s essential requirements from Annex I into seven actionable domains and provides a practical framework for compliance.

2. EU CRA requirement: Secure by Design & Default Configuration

The CRA mandates that products be designed, developed, and produced to ensure an appropriate level of cybersecurity. They must be placed on the market with a secure default configuration, including the ability to be reset to that state.

The principles of secure-by-design are central to standards like ETSI EN 303 645 (“Cyber Security for Consumer Internet of Things”) and IEC 62443 (“Security for industrial automation and control systems”).

• ETSI EN 303 645 includes foundational provisions like “no universal default passwords” and “minimise attack surfaces,” which are met by the ‘Compliant’ and ‘Strongly Compliant’ tiers.
• IEC 62443-4-1 details a secure product development lifecycle, requiring threat modeling and security-by-design principles throughout the product’s creation. Taking the “Strongest Compliance” approach—by architecting a product that is “dark” by default—inherently fulfills these requirements. It represents the ultimate implementation of attack surface minimization and demonstrates a mature secure development lifecycle where potential threats from exposed networks are eliminated at the design phase, not mitigated later with firewall rules.

3. EU CRA requirement: Vulnerability Management & Coordinated

Disclosure

The CRA requires manufacturers to identify and document vulnerabilities, including those in third-party components. They must have processes to address and remediate vulnerabilities without delay and must facilitate the sharing of this information.

4. EU CRA Requirement: Secure Software Updates & Supply Chain Integrity

The CRA mandates that security updates must be provided in a timely manner and free of charge. The integrity and authenticity of updates must be ensured.

5. EU CRA requirement: Secure Data Handling (in transit, at rest, in use)

The CRA requires that products ensure the confidentiality, integrity, and availability of data processed by them. This includes protection against unauthorized access.

6. EU CRA requirement: Access Control & Identity Management

Products must control access to data and functions through appropriate authentication and identity management mechanisms, adhering to the principle of least privilege.

7. EU CRA requirement: Transparency & Documentation

Manufacturers must provide clear, comprehensible instructions and information to the user, including the product’s intended purpose, security properties, and instructions for secure use, maintenance, and disposal.

8. Conclusion: From Compliance Burden to Competitive Advantage

The EU Cyber Resilience Act should not be viewed as a mere checklist of technical requirements. It is a strategic mandate to embed security into the entire lifecycle of a product. For providers in the financial services sector, demonstrating the highest level of compliance is a powerful differentiator that builds profound trust with clients, as well as making it simpler for their clients to implement, while meeting DORA guidelines.

Moving beyond the baseline “Compliant” options toward the “Strongest Compliance” models—characterized by Zero Trust architecture, cryptographic identity, comprehensive transparency, and proactive vulnerability management—will separate the market leaders from the laggards and make it that much easier for their customers to be DORA compliant. By architecting for resilience from the ground up, vendors can transform the CRA from a regulatory burden into a catalyst for innovation and a cornerstone of their value proposition. The guide above also lists key ISO and IEC requirements which are met as the CRA states that harmonized reqs – like ISO and IEC -also need to be met.

The post EU Cyber Resilience Act: A Compliance Guide for B2B Financial Services Technology Providers appeared first on NetFoundry.

NetFoundry’s vision to cover the planet with secure-by-design networking required reinventing the enterprise networking model itself.

Mission #1 accomplished. NetFoundry now delivers billions of sessions per year, helping to secure and simplify challenging environments such as critical infrastructure and 2 of the largest 5 companies in the world.

Today, NetFoundry announced a key milestone in the journey for mission #2: our Series A venture round which will help the rest of the world replace insecure, complex networking with secure-by-design, effortlessly extraordinary networking.

Series A preferred venture round

We are thrilled to announce that SYN Ventures is anchoring our Series A venture round of over $12 million. The SYN team has managed or invested in cybersecurity leaders including Adlumin, Carbon Black, Cylance, Halycon, Mandiant, RSA Security, Tenable and Talon.

SYN’s expertise and experience are great, but what immediately jumped out was the SYN people. These are the people we want in the trenches with us. Our strategic investors also continued to invest in NetFoundry this year, adding to over $50 million of prior investment (and they are now 10% shareholders), while other investors will be revealed later.

The goal of previous investment was to build the world’s first platform and products for secure-by-design networking, and to serve early adopters with excellence. The goal of the Series A is to help secure the rest of the world, so this marks a key milestone on that journey.

Where we are – NetFoundry, today

The hyperconnected, AI-accelerated world requires simple and secure. And this is exactly how NetFoundry is helping some of the world’s leaders.

For example, NetFoundry now secures critical infrastructure on 3 continents, connects mission-critical data at the majority of the top 10 US banks and solves networking complexities for 2 of the top 5 Fortune 500 companies. NetFoundry is most often consumed as cloud native, zero trust native NaaS (network as a service), but is also deployed in on-premises and even air-gapped environments.

NetFoundry also helps leading product providers in areas such as industrial automation and managed services to ship secure-by-design products. That use of NetFoundry is the first Intel-inside, OEM-type model model for zero trust networking. The result of the partnership is the product providers’ customers buy secure-by-design products.

Enterprise – Where the world is going and how NetFoundry helps

As noted above, some of the world’s largest enterprises are already benefiting from NetFoundry’s secure-by-design networking. This vanguard group is multiplying. This is because the Internet is the new WAN, and the application is the new edge:

• The old WAN model? Dead.
• SASE, VPN, ZTNA and firewalls which attempt to filter the entire Internet? Dead.
• Secure WAN with an insecure supply chain? Dead.

This means IT can drain the swamp of the world’s most expensive alphabet soup (SASE, ZTNA, MPLS, SSE, VPN, FW, IDS, IPS, DMZ, SWG, CASB, etc.). Their new model will center on secure browsers and NetFoundry-powered secure-by-design network overlays. There is more in this new model, and NetFoundry is just one layer of the overall ecosystem delivering it. Secure-by-design networking is spreading, rapidly.

Providers – Where the world is going and how NetFoundry helps

As described above, some the world’s leaders are already licensing the NetFoundry software and leveraging NetFoundry zero trust native NaaS to ship secure-by-design products. This early adopter group is also rapidly expanding, and includes everything from multicloud deployments to securing connections within air-gapped environments.

Legislation such as the European Cyber-Resiliency Act (EU CRA) is now mandating that all providers of connected products adopt this secure-by-design approach. In the US, groups including CISA, the NSA and the FBI are also mandating secure-by-design products.

Market forces are also pushing the world towards secure-by-design products. If provider #1 ships a secure-by-design product, and provider #2 requires you to take an inherently insecure product and then try to make it secure on your own after the fact…which will you choose? Built-in is both simpler and more secure than bolted-on, so the market is increasingly demanding secure-by-design products.

Innovation – Where the world is going and how NetFoundry helps

Some of the world’s most innovative operations, development and networking teams are also leveraging NetFoundry. This movement is also picking up steam.

While the world ponders if AI will eat the world, open source continues to eat everything. NetFoundry changed secure networking into composable, programmable, extensible software. NetFoundry created, open sourced and now maintains OpenZiti – Linux for secure networking.

OpenZiti means anything can ship with a built-in, open source, zero trust native, global network overlay. This includes individual applications, far edge compute (NVIDIA Jetson, Raspberry Pi, etc.), servers, databases, API gateways, browsers, NICs, reverse proxies, firewalls, routers, edge servers, robots, PLCs, drones, AI agents, firmware, operating systems, and so much more.

The world will look back and wonder how connected products historically shipped as default insecure. A recent analogy I heard was that the old network model was like constructing a building in an earthquake zone and afterwards telling the buyer they needed to retrofit the building because it was not built to withstand even the slightest tremble.

The next phase for effortlessly extraordinary, secure-by-design networking

NetFoundry is happy that we are securely delivering billions of sessions per year in some of the world’s most difficult environments, and we are thrilled to be partnering with SYN Ventures and strategics to bring secure-by-design networking to the rest of the world.

The post NetFoundry raises Series A venture round appeared first on NetFoundry.

The post NetFoundry Joins CISA Secure By Design Pledge: Leading the Movement for Embeddable Zero Trust appeared first on NetFoundry.

The post The Zero Trust Revolution Starts with You: Designing Security Into Every Product appeared first on NetFoundry.

The post Security by Design in Software Development: Embedding Zero Trust Connectivity appeared first on NetFoundry.

The post Zero Trust AI: The Path to True Cybersecurity Innovation appeared first on NetFoundry.