Build fluency in the vocabulary of verifying every request regardless of its network origin.
0 / 5 completed
1 / 5
At standup, a dev mentions a network design where every request is authenticated and authorized individually, regardless of whether it originates inside or outside the corporate network perimeter. What is this model called?
Zero-trust networking authenticates and authorizes every request individually, regardless of whether it originates from inside or outside the corporate network perimeter, rather than trusting a request simply because it came from an internal network location. A perimeter-based model assumes anything inside the network boundary is inherently trustworthy, which breaks down once an attacker gains any internal foothold at all. Zero trust removes that implicit trust, requiring continuous verification for every request regardless of its origin.
2 / 5
During a design review, the team wants to verify not just a user's identity but also the requesting device's security posture, like whether it's running an approved, up-to-date configuration, before granting access. Which capability supports this?
Device posture verification checks the requesting device's security state, like whether it's running an approved, up-to-date configuration, as part of the overall access decision rather than granting access based solely on a valid username and password. Relying only on credentials ignores that a compromised or non-compliant device can still present valid credentials while posing a real risk. This device-level check is a key layer that distinguishes zero-trust networking from a simpler identity-only authentication model.
3 / 5
In a code review, a dev notices an internal service-to-service call is now required to present a valid short-lived credential and pass an authorization check, the same as an external request would. What does this represent?
Applying zero-trust verification uniformly to internal service-to-service traffic requires a short-lived credential and an authorization check for that call, the same as an external request would face, rather than exempting internal traffic from verification entirely. Exempting internal traffic assumes it's inherently trustworthy, which is exactly the assumption zero trust rejects. This uniform verification limits how far an attacker can move laterally even after compromising one internal service.
4 / 5
An incident report shows an attacker who compromised one internal service was able to freely call several other internal services with no additional verification, since internal traffic was implicitly trusted. What practice would prevent this?
Requiring authenticated, authorized verification on every internal service-to-service call, not only requests crossing the external perimeter, prevents a compromised internal service from freely calling other services with no additional check. Implicitly trusting internal traffic by default is precisely the gap that let the attacker move laterally after the initial compromise. This uniform internal verification is a core reason zero trust significantly limits the blast radius of a single compromised component.
5 / 5
During a PR review, a teammate asks why the team verifies every request individually under a zero-trust model instead of relying on the corporate network perimeter to keep internal traffic trustworthy. What is the reasoning?
A perimeter-based model implicitly trusts a request once it's inside the network boundary, so a single compromised internal foothold can let an attacker move around with little additional resistance. Zero trust keeps verifying every request's identity, authorization, and often device posture regardless of where it originates, limiting that lateral movement. The tradeoff is the added infrastructure and operational complexity of verifying every single request rather than relying on one perimeter checkpoint.