CryptoniteNXT is a next generation, zero trust-based technology that prevents and contains a cyber-attack from within your enterprise network.

Zero Trust

A smarter way to defend your network

What is CryptoniteNXT?

CryptoniteNXT is a next-generation, zero trust-based technology that prevents and contains cyber-attacks from within an enterprise network.

The CryptoniteNXT network appliance works in concert with your corporate firewall to inoculate your network against cyber-attacks that may have penetrated the firewall (e.g. malware, zero-day attacks, and insider threats). Above all, CryptoniteNXT is built on the principles of zero trust: never trust, always verify, and only provide need-to-know access. Once installed, CryptoniteNXT removes an adversary’s ability to execute entire categories of in-network attacks that are used to target high-vulnerability environments.

Why CryptoniteNXT?

Firewalls and intrusion detection systems are only one half of the cyber-security solution. Networks will eventually get penetrated, and when that happens, containment is critical.

In today’s porous networks, many attacks reach the network and are not contained, or even detected, for months. Installing CryptoniteNXT provides peace of mind that the network will remain inoculated against threats that may have slipped past the firewall. A CryptoniteNXT-protected network also reduces an organization’s risk from vulnerabilities in legacy software, overdue software updates and patches, and the new threats posed by the proliferation of IoT and mobile devices. In addition to network protection, CryptoniteNXT’s analytics, derived from packet-level data, give IT administrators new, actionable insight into network vulnerabilities and threats.

How It Works

CryptoniteNXT prevents reconnaissance, stops lateral movement, and contains cyberattacks and threats.

A CryptoniteNXT-protected network uses the tactics of Deceive, Deny, and Defeat to implement a zero trust environment. CryptoniteNXT uses intelligent, packet-level, credentials-based algorithms to dynamically morph the network mapping and eliminate an adversary’s visibility into the network, which prevents the reconnaissance needed for lateral movement. CryptoniteNXT also uses software-defined segmentation to decide whether a packet is permitted through that mapping, further containing movement within the network. All of this happens at the network layer, at line speed, with no performance impact on a trusted and verified user or application.

Explore the Videos to Learn More about CryptoniteNXT

  • Prevent Reconnaissance
  • Stop Lateral Movement
  • Contain Cyberattackers & Insider Threats

Partnerships and Interoperability

CryptoniteNXT allows out-of-the-box integration with leading industry products and vendors.

Why CryptoniteNXT?

No more chewy centers.

CryptoniteNXT’s software-defined segmentation significantly reduces the attack surface available to malicious actors, eliminating network visibility as a viable attack vector. Delivering Moving Target Cyber Defense (MTD) software as an appliance, CryptoniteNXT dynamically secures any network infrastructure by actively shielding it. MTD transforms a network into one that is undetectable to hackers, protecting entry points exposed through both published and undiscovered vulnerabilities.

CryptoniteNXT proactively shields a network from an attack.

Scanning and other forms of network discovery are ineffective.

Frustrate attacks and render the tools attackers developed or purchased useless, keeping the enterprise secure.

Network resources are protected from illegitimate access.

Attempts to misuse credentials, escalate privileges, and bypass network controls are ineffective against CryptoniteNXT.

Network topology is unusable in the planning of an attack.

Discovered network topology before or after the installation of CryptoniteNXT is not actionable information for purposes of planning an attack.

CryptoniteNXT masks the visibility of vulnerabilities.

CryptoniteNXT reduces the need to frantically identify and patch system vulnerabilities.

Attackers can’t use spoofing to collect network information and credentials.

CryptoniteNXT defends the network from attackers impersonating the identity of legitimate endpoints.

Software-defined segmentation prevents an attack from laterally moving through networks.

Malicious activity cannot leave the compromised endpoint. This shields the network from the spread of an attack and allows detection systems to remove the malware.

CryptoniteNXT stops attacks automatically and in real-time.

Stop attacks without human intervention. CryptoniteNXT also captures detailed information about the failed attempts and forwards it to the security team for further investigation.

CryptoniteNXT dramatically reduces the time to contain malware on a network.

Deny unauthorized actions immediately.

Deny unauthorized actions automatically and immediately. Each denied action is logged as a potential threat and attributed to a specific user and device, which efficiently identifies the source of the attack.

Software-defined segmentation limits the lateral movement of an attack.

Software-defined segmentation limits the lateral movement of an attack through specific policies set up for each user, device, or process in the system. Threats are contained immediately and automatically at the point of attack.

CryptoniteNXT stops a hacker’s primary tactics at the point of attack and integrates into the existing security framework—reducing data flows and focusing resources on high priority alerts.

  • Works with standard network protocols
  • The appliance resides between a core switch and an access switch
  • Supports IP-enabled devices and protects traditionally unprotected devices, including printers and legacy devices
  • Aids in IPv6 migration by simultaneously supporting both IPv4 and IPv6 address spaces
  • Transparent to the user
  • Low performance degradation, similar to a hop through a switch
  • Integrates with other network and security-monitoring products, such as Palo Alto Networks Next Generation Firewall products
  • Provides logs in Common Event Format (CEF) that can be forwarded to security information and event management systems such as Splunk

CryptoniteNXT is NIST- and NCCIC-compliant

CryptoniteNXT aligns with the NIST Cyber Security Framework in three key areas.

  • Moving Target Cyber Defense provides a new type of protection that stops lateral movement and reconnaissance.
  • If an endpoint is compromised, CryptoniteNXT detects attempts to bypass the configured segmentation policy and unauthorized IP access attempts. These blocked attempts are high-quality alerts that can be processed by a SIEM or orchestration tool.
  • During a response operation, CryptoniteNXT’s user-tagged activity logs enable rapid analysis of an attacker’s actions without relying on endpoint logs, NetFlow, or packet captures, which often lack visibility into east-west network traffic.

National Institute of Standards and Technology

The National Cybersecurity and Communications Integration Center

Palo Alto Networks® is a registered trademark of Palo Alto Networks, Inc. Splunk is a trademark or registered trademark of Splunk, Inc. in the United States and other jurisdictions.

A Zero Trust Approach

Using a Moving Target Cyber Defense (MTD) and network micro-segmentation, CryptoniteNXT builds a true Zero Trust environment by stopping network reconnaissance and restricting lateral movement within networks. A Zero Trust environment adds important layers of cyber defense technologies that address and defeat the activities of malicious actors already within a network. This automatically stops attackers, ransomware, and insider threats within an internal network.

CryptoniteNXT uses two technologies which work together to amplify network defense:

Moving Target Defense (MTD)

Rather than allowing a protected endpoint or a malicious device to see the real network, CryptoniteNXT transforms the endpoint’s view of the network into a dynamic, abstract structure. In effect, the once-static network becomes a dynamic moving target. Normal legitimate traffic is unaffected by MTD, but MTD severely restricts an attacker’s ability to collect actionable information about the network or masquerade as another legitimate endpoint.

MTD substantially increases the time, effort, and risk necessary to establish or maintain a presence in a network. It also restricts the validity of any information gathered to a limited period of time, forcing the attacker to repeatedly and aggressively perform reconnaissance. The attacker is unable to act decisively on network information and cannot spoof legitimate information. As a result, the attacker becomes prone to mistakes and thus more easily detectable by monitoring tools.

Software-defined Segmentation

MTD maps the obfuscated network to the real network; that mapping is known only to CryptoniteNXT, and it is what lets traffic flow across the traditional network infrastructure. Software-defined segmentation adds a decision point at which CryptoniteNXT determines whether a packet should be permitted through that mapping. This decision minimizes exposure and contains attacks while allowing legitimate communications to take place.

At a per-user and per-service level, CryptoniteNXT decides at line speed whether a packet is permitted through the network. Unless delivery is absolutely necessary, CryptoniteNXT halts the packet before it reaches the endpoint, so malicious packets never arrive at a protected endpoint. As with MTD, this protection is always on at every endpoint, protecting all traffic.
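As an added illustration, not CryptoniteNXT code (the page does not describe the product's internals), the following Python toy models the two mechanisms described in the MTD and segmentation sections above together with the user-tagged CEF logging mentioned in the feature list: each endpoint sees its peers under per-viewer addresses that change at every epoch, the appliance alone holds the mapping back to real addresses, a per-role/per-service allowlist decides whether a packet passes through that mapping (default deny), and every denied packet is recorded as a Common Event Format line tagged with user and device. All addresses, users, roles, the policy, the secret and the vendor strings are constructed for the example; the address scheme (epoch in the second octet, HMAC-seeded distinct offsets) is a toy choice made so that stale addresses are guaranteed not to resolve.

```python
"""Toy model of moving-target addressing plus per-role segmentation (constructed example)."""
import hashlib
import hmac
import ipaddress
import random

# Constructed inventory: real address -> identity the appliance has bound to it.
ENDPOINTS = {
    "10.0.1.10": {"user": "alice", "device": "alice-laptop", "role": "finance"},
    "10.0.1.20": {"user": "bob", "device": "bob-laptop", "role": "engineering"},
    "10.0.2.50": {"user": "svc", "device": "fileserver", "role": "server"},
    "10.0.2.60": {"user": "svc", "device": "printer", "role": "server"},
}

# Constructed allowlist of (source role, real destination, destination port).
# Anything not listed is denied: the default-deny decision point of segmentation.
POLICY = {
    ("finance", "10.0.2.50", 445),      # finance may use the SMB share
    ("engineering", "10.0.2.50", 22),   # engineering may SSH to the file server
    ("finance", "10.0.2.60", 9100),     # both roles may print
    ("engineering", "10.0.2.60", 9100),
}


class Appliance:
    """Holds the only copy of the obfuscated-to-real mapping and enforces policy."""

    def __init__(self, secret: bytes):
        self.secret = secret   # keys the per-viewer, per-epoch address permutation
        self.epoch = 0         # advancing it changes every endpoint's view of the network
        self.log = []          # CEF records for denied packets

    def rotate(self) -> None:
        """Start a new epoch: addresses learned during the previous one stop resolving."""
        self.epoch += 1

    def view_of(self, viewer: str) -> dict:
        """Obfuscated address -> real address, as `viewer` sees the network right now.

        Toy scheme: 100.<epoch % 256>.x.y, with the 16 low bits drawn without
        replacement from a PRNG seeded by HMAC(secret, viewer|epoch), so the
        table is distinct per viewer and per epoch and has no internal collisions.
        """
        peers = sorted(ip for ip in ENDPOINTS if ip != viewer)
        seed = hmac.new(self.secret, f"{viewer}|{self.epoch}".encode(), hashlib.sha256).digest()
        rng = random.Random(int.from_bytes(seed, "big"))
        offsets = rng.sample(range(1, 65535), len(peers))
        base = (100 << 24) | ((self.epoch % 256) << 16)
        return {str(ipaddress.IPv4Address(base + off)): real for off, real in zip(offsets, peers)}

    def obfuscate(self, viewer: str, real_dst: str) -> str:
        """The address under which `viewer` currently sees `real_dst`."""
        return {real: obf for obf, real in self.view_of(viewer).items()}[real_dst]

    def forward(self, src: str, obf_dst: str, port: int):
        """Decide one packet: resolve the moving-target address, then apply policy."""
        ident = ENDPOINTS[src]
        real_dst = self.view_of(src).get(obf_dst)
        if real_dst is None:  # stale (earlier epoch) or fabricated destination
            return self._deny(ident, src, obf_dst, port, "unresolvable destination")
        if (ident["role"], real_dst, port) not in POLICY:
            return self._deny(ident, src, real_dst, port, "segmentation policy")
        return ("ALLOW", real_dst)

    def _deny(self, ident, src, dst, port, reason):
        # CEF header: Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension.
        # Vendor/product strings and signature id are constructed placeholders.
        cef = ("CEF:0|ExampleVendor|ToySegmentation|0.1|100|Denied packet|7|"
               f"src={src} dst={dst} dpt={port} suser={ident['user']} "
               f"dvchost={ident['device']} msg={reason}")
        self.log.append(cef)
        return ("DENY", cef)


def demo():
    """Run the scenarios from the text; returns (decisions, CEF log)."""
    appliance = Appliance(secret=b"constructed-demo-secret")
    alice, bob, fileserver = "10.0.1.10", "10.0.1.20", "10.0.2.50"
    decisions = {}
    # Legitimate: each user reaches the service their role is allowed, via the address they see now.
    decisions["alice_smb"] = appliance.forward(alice, appliance.obfuscate(alice, fileserver), 445)[0]
    decisions["bob_ssh"] = appliance.forward(bob, appliance.obfuscate(bob, fileserver), 22)[0]
    # Valid address, wrong service for the role: stopped at the segmentation decision point.
    decisions["alice_ssh"] = appliance.forward(alice, appliance.obfuscate(alice, fileserver), 22)[0]
    # Reconnaissance result remembered across a rotation no longer resolves to anything.
    remembered = appliance.obfuscate(alice, fileserver)
    appliance.rotate()
    decisions["alice_stale"] = appliance.forward(alice, remembered, 445)[0]
    return decisions, appliance.log


if __name__ == "__main__":
    outcome, cef_log = demo()
    print(outcome)
    print("\n".join(cef_log))
```

Two things the toy makes concrete that the prose leaves implicit: the mapping table is never shared with endpoints, so a peer's address is only meaningful to the viewer it was issued to and only for the current epoch, and the denial log carries the bound user and device rather than just an address, which is what lets a SIEM attribute a blocked attempt directly to an identity.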

Features & Benefits

CryptoniteNXT is a network appliance that supplements existing network infrastructure to improve security. A unique combination of technologies alters network behavior in real time with no human intervention, blocking malicious activities while preserving performance and usability for legitimate purposes.


CryptoniteNXT provides control and insight into a network. For example, onboarding devices, controlling network access, viewing network activity, observing network performance, and checking for unusual activity all work together to simplify network management and improve security posture.


Define policies for activities within the network and perimeter via role-based access controls that follow users and devices throughout the protected network. Low-impact deployment is possible through controls that set the level of policy enforcement and of prevention of potentially malicious activities, so enforcement can be increased gradually without disrupting legitimate activity.


CryptoniteNXT provides an endpoint-centric view of network status and configuration. In addition, administrators can easily view detailed information about each endpoint, define group membership, and change configuration to handle a variety of use cases.