Zero Trust Architecture Workflows

Ten agent workflows for the Zero Trust Team — continuous domain verification, microsegmentation intelligence, identity-aware access decisions, trust score computation, never-trust-always-verify policy enforcement, lateral movement prevention, application access governance, dynamic policy adaptation, zero trust maturity assessment, and vendor zero trust posture validation — enabling data-driven zero trust decisions powered by comprehensive domain intelligence.

1. Continuous Domain Trust Verification

AI agent implements continuous trust verification for every external domain accessed by users and systems — computing real-time trust scores based on 20 page types and enrichment data, replacing static allow/deny lists with dynamic trust decisions.

Step 1: Compute Dynamic Trust Scores
/security /compliance /legal /about OpenPageRank Domain Ages Web Filtering Countries

ZERO TRUST DOMAIN SCORING ENGINE
════════════════════════════════════════════════════════
MODEL: Never Trust, Always Verify — Domain Intelligence Edition
DOMAINS SCORED: 14.2M unique daily

TRUST SCORE COMPUTATION:
  Factor                  Weight  Signal
  Domain Age              20%     Older = more trusted
  OpenPageRank            15%     Higher PR = more authoritative
  /security page          15%     Present + certifications = trust
  /compliance page        10%     Present = regulatory awareness
  Web Filtering category  15%     Legitimate categories = trust
  Page completeness       10%     More pages (of 20) = established
  Country risk            10%     Low-risk jurisdiction = trust
  IAB category match      5%      Expected category for claimed purpose

LIVE SCORING EXAMPLES:
  okta.com → Trust: 97/100
    Age: 6,205d | PR: 8.4 | /security: SOC2+ISO | 19/20 pages | US
    POLICY: Full access, no additional inspection
  new-vpn-client-download.com → Trust: 3/100
    Age: 4d | PR: 0.0 | /security: None | 2/20 pages | Moldova
    POLICY: Block entirely, alert SOC
  startup-hr-tool.io → Trust: 41/100
    Age: 189d | PR: 1.9 | /security: Basic | 8/20 pages | US
    POLICY: Allow with SSL inspection + DLP + session recording
Step 2: Enforce Trust-Based Access Policies
Zero Trust Policy Tiers
Dynamic Access Tiers — Trust 80-100: Full access. Trust 50-79: Access with SSL decryption + logging. Trust 25-49: Access with SSL decryption + DLP + sandbox. Trust 1-24: Block with override request option. Trust 0: Hard block, no override. Scores re-evaluated every 6 hours.
5-tier dynamic policy — zero static allow lists
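
The weighted score and the five access tiers can be sketched as follows. This is an added example, not the vendor's engine: the weights and tier boundaries are taken from the text above, while the signal names, the assumption that every sub-score arrives already normalised to 0.0-1.0, and the sample values are constructed for illustration.

```python
from typing import Mapping, Optional

# Weights (percent) from the TRUST SCORE COMPUTATION table.
WEIGHTS = {
    "domain_age": 20, "open_pagerank": 15, "security_page": 15,
    "compliance_page": 10, "web_filtering": 15, "page_completeness": 10,
    "country_risk": 10, "iab_match": 5,
}

# (minimum score, policy) from the Dynamic Access Tiers text.
TIERS = [
    (80, "full access"),
    (50, "allow: SSL decryption + logging"),
    (25, "allow: SSL decryption + DLP + sandbox"),
    (1, "block: override request available"),
    (0, "hard block: no override"),
]

def trust_score(signals: Mapping[str, Optional[float]]) -> int:
    """Weighted sum of sub-scores, each assumed pre-normalised to [0, 1].

    A missing, None or out-of-range signal contributes 0, so absent
    enrichment data can only lower trust (fail closed)."""
    total = 0.0
    for name, weight in WEIGHTS.items():
        value = signals.get(name)
        if isinstance(value, (int, float)) and 0.0 <= value <= 1.0:
            total += weight * value
    return int(total)  # truncate: never round a domain up into a tier

def policy_for(score: int) -> str:
    """Map a 0-100 score to its access tier; below 1 is a hard block."""
    for minimum, policy in TIERS:
        if score >= minimum:
            return policy
    return TIERS[-1][1]

# Constructed sample: a mid-trust domain, then the same domain with its
# country-risk lookup unavailable.
SAMPLE = {"domain_age": 0.5, "open_pagerank": 0.25, "security_page": 0.5,
          "web_filtering": 1.0, "page_completeness": 0.5, "country_risk": 1.0}

if __name__ == "__main__":
    for label, sig in (("complete", SAMPLE),
                       ("no country data", {**SAMPLE, "country_risk": None})):
        s = trust_score(sig)
        print(f"{label}: {s}/100 -> {policy_for(s)}")
```

Losing a single enrichment source moves the sample domain down one tier, which is the behaviour a never-trust model wants when a lookup fails.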

2. Identity-Aware Domain Access Governance

AI agent combines user identity context (role, department, clearance level) with domain trust scores to make granular access decisions — ensuring that sensitive roles only access verified, high-trust domains while allowing broader access for lower-risk roles.

Step 1: Map Identity Context to Domain Access
/login /pricing /products Personas IAB Categories Web Filtering

IDENTITY-AWARE ACCESS MATRIX
════════════════════════════════════════════════════════
ROLE: Executive (C-suite)
  Min domain trust for access: 60/100
  Additional: All traffic SSL-decrypted, DLP on financial data
  Blocked categories: Gambling, Adult, Malware, Hacking Tools
  Domain investor-relations-portal.com (Trust: 72): ALLOW
  Domain quick-file-share.xyz (Trust: 12): BLOCK

ROLE: SOC Analyst
  Min domain trust for access: None (research exemption)
  Additional: All access logged, sandbox for downloads
  Allowed categories: Including Hacking Tools, Malware (for research)
  Domain malware-bazaar.abuse.ch (Trust: 34): ALLOW (research)

ROLE: Finance Team
  Min domain trust for access: 70/100
  Additional: DLP for financial data, PCI domains only for payments
  Blocked: All uncategorized domains, all domains <30 days old
  Domain quickbooks.intuit.com (Trust: 95): ALLOW
  Domain invoice-payment-portal.net (Trust: 18): BLOCK + ALERT

ROLE: Developer
  Min domain trust for access: 20/100
  Additional: Allow package registries, documentation, API endpoints
  Domain npmjs.org (Trust: 93): ALLOW
  Domain github.com (Trust: 98): ALLOW
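
The access matrix above can be expressed as a small policy evaluator. This is an added example, not code from the product: the role thresholds, category rules and domain trust scores come from the matrix, while the class and field names and the categories and ages given to the sample domains are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Domain:
    name: str
    trust: int
    category: Optional[str]      # None = uncategorized
    age_days: int

@dataclass(frozen=True)
class RolePolicy:
    min_trust: Optional[int]     # None = no minimum (research exemption)
    blocked_categories: frozenset = frozenset()
    block_uncategorized: bool = False
    min_age_days: int = 0

# Thresholds and category rules as listed in the access matrix.
POLICIES = {
    "executive": RolePolicy(60, frozenset(
        {"Gambling", "Adult", "Malware", "Hacking Tools"})),
    "soc_analyst": RolePolicy(None),
    "finance": RolePolicy(70, block_uncategorized=True, min_age_days=30),
    "developer": RolePolicy(20),
}

def decide(role: str, d: Domain) -> Tuple[str, str]:
    """Return (decision, reason); a role with no policy is denied."""
    p = POLICIES.get(role)
    if p is None:
        return "BLOCK", "no policy for role"
    if d.category is None and p.block_uncategorized:
        return "BLOCK", "uncategorized domain"
    if d.category in p.blocked_categories:
        return "BLOCK", f"category: {d.category}"
    if d.age_days < p.min_age_days:
        return "BLOCK", f"younger than {p.min_age_days} days"
    if p.min_trust is not None and d.trust < p.min_trust:
        return "BLOCK", f"trust {d.trust} below {p.min_trust}"
    return "ALLOW", "meets role policy"

# Trust scores from the page; categories and ages are constructed.
SAMPLES = [
    ("executive", Domain("investor-relations-portal.com", 72, "Finance", 2100)),
    ("executive", Domain("quick-file-share.xyz", 12, "File Sharing", 300)),
    ("soc_analyst", Domain("malware-bazaar.abuse.ch", 34, "Malware", 2000)),
    ("finance", Domain("invoice-payment-portal.net", 18, None, 12)),
    ("developer", Domain("npmjs.org", 93, "Technology", 5000)),
]

if __name__ == "__main__":
    for role, dom in SAMPLES:
        print(role, dom.name, *decide(role, dom))
```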

3. Microsegmentation Intelligence

AI agent provides domain intelligence to inform microsegmentation policies — determining which external domains each network segment should be allowed to reach, based on the segment's function and the domain's verified purpose and trust level.

Step 1: Define Segment-Specific Domain Policies
/api /products /partners IAB Categories Web Filtering Countries

MICROSEGMENTATION DOMAIN POLICIES
════════════════════════════════════════════════════════
SEGMENT: Production Database Tier
  Allowed external domains: 7 (explicitly verified)
    - Backup service: backups.aws.amazon.com (Trust: 99)
    - Monitoring: api.datadog.com (Trust: 96)
    - Patching: packages.microsoft.com (Trust: 99)
  All other external: DENY
  Verification: All 7 domains have /security, /compliance, PageRank >7

SEGMENT: CI/CD Pipeline
  Allowed external domains: 34 (verified registries + tools)
    - registry.npmjs.org / pypi.org / hub.docker.com
  Domain trust minimum: 50/100
  New dependency domains: Auto-held for 24hr review
  All other external: DENY + alert DevSecOps

SEGMENT: Guest WiFi
  Allowed: All domains with Trust >30 and Web Filtering != Malware
  Blocked: All domains <14 days old | All with PageRank <0.5
  No access to any internal domain segments

4. Trust Score Decay & Re-verification

AI agent implements trust score decay — domains that haven't been re-verified or whose enrichment data has changed must earn trust again, preventing the accumulation of stale trust that could be exploited through domain takeover or compromise.

Step 1: Track Trust Score Changes Over Time
/security /leadership /careers OpenPageRank Domain Ages

TRUST SCORE DECAY MONITORING — 847 PARTNER DOMAINS
════════════════════════════════════════════════════════
DOMAINS WITH SIGNIFICANT TRUST DECAY:

partner-logistics-api.com
  Trust Q3 2025: 84/100 → Q4 2025: 71/100 → Q1 2026: 42/100
  Changes: /security removed, /leadership -3 executives, PageRank -2.1
  ACTION: Downgraded to Tier 3 access (SSL inspect + DLP)
  Re-verification required: Vendor must provide updated SOC2 cert

cloud-integration-hub.io
  Trust Q3 2025: 78/100 → Q4 2025: 76/100 → Q1 2026: 31/100
  Changes: Domain transferred to new owner, /about completely changed
  ACTION: BLOCKED — Possible domain takeover, ownership changed
  All API keys for this domain revoked immediately

vendor-erp-connect.com
  Trust Q3 2025: 91/100 → Q4 2025: 89/100 → Q1 2026: 88/100
  Changes: Minor — /blog update frequency decreased
  ACTION: No change — Trust stable, normal decay within tolerance
Step 2: Automated Re-verification Workflow
Re-verification
Trust Decay Policy — Domains lose 2 trust points per month without re-verification. Any domain dropping below its access tier threshold triggers automatic re-verification: fresh domain intelligence scan, /security page check, compliance cert validation, and PageRank trend analysis. 14 domains re-verified this week, 3 failed and were downgraded.
14 re-verifications this week — 3 failed, downgraded

5. Application Access Governance

AI agent governs which web applications users can access by evaluating each application domain's security posture, compliance status, and trust score — replacing manual application whitelisting with intelligent, data-driven access decisions.

Step 1: Evaluate Application Domain Security
/security /compliance /pricing /login OpenPageRank Web Filtering Personas

APPLICATION ACCESS GOVERNANCE — NEW REQUESTS (THIS WEEK)
════════════════════════════════════════════════════════════
REQUEST: Marketing team wants access to canva.com
  canva.com Trust: 92/100 | Domain Age: 4,380d | PageRank: 8.1
  /security: SOC2 Type II, data encryption details
  /compliance: GDPR, CCPA compliant
  /pricing: Enterprise tier with SSO/SAML
  /login: Supports SAML SSO (can integrate with Okta)
  Web Filtering: Graphic Design / SaaS
  DECISION: APPROVED — Condition: Must use SAML SSO integration

REQUEST: Engineering wants access to pastebin.com
  pastebin.com Trust: 45/100 | Domain Age: 7,300d | PageRank: 6.4
  /security: Not present | /compliance: Not present
  Web Filtering: Paste Sites / Potential Data Leak
  Personas: Developers — but also used by threat actors
  DECISION: CONDITIONAL — Read-only access, block all paste/upload

REQUEST: Sales wants access to competitive-intel-tool.io
  competitive-intel-tool.io Trust: 23/100 | Domain Age: 67d | PageRank: 0.8
  /security: Not present | /compliance: Not present
  /pricing: Free + paid tiers, no enterprise
  /login: Email/password only, no SSO
  DECISION: DENIED — No security posture, no SSO, too new

6. Third-Party Vendor Trust Assessment

AI agent assesses the trustworthiness of third-party vendors that require network access or data integration — using domain intelligence as a comprehensive digital due diligence layer for vendor onboarding and ongoing monitoring.

Step 1: Vendor Digital Due Diligence
/security /compliance /about /leadership /case-studies OpenPageRank Domain Ages Countries

VENDOR TRUST ASSESSMENT — NEW VENDOR ONBOARDING
════════════════════════════════════════════════════════
VENDOR: ThreatGuard Solutions (managed SOC service)
  threatguard-solutions.com Trust Score: 87/100
  /security: Comprehensive trust center — SOC2 Type II, ISO 27001
  /compliance: GDPR, HIPAA, PCI DSS, FedRAMP Moderate
  /about: Founded 2018, 450 employees, 3 offices
  /leadership: CISO with 20yr experience, stable C-suite
  /case-studies: 12 enterprise case studies including Fortune 500
  /careers: 87 active positions — growing company
  /partners: Technology alliances: Palo Alto, CrowdStrike, Splunk
  Domain Age: 2,555 days (7 years) | PageRank: 5.2
  Countries: US, UK, Singapore
  IAB: Technology / Information Security

RECOMMENDATION: APPROVED for Tier 2 vendor access
  Conditions: Annual re-assessment, quarterly trust score review

7. Lateral Movement Prevention Intelligence

AI agent provides domain intelligence to detect and prevent lateral movement — identifying when compromised systems begin communicating with unusual external domains that differ from their normal baseline of trusted services.

Step 1: Detect Anomalous Domain Communication
/api /products Domain Ages Countries Web Filtering

LATERAL MOVEMENT DETECTION — DOMAIN BASELINE DEVIATION
════════════════════════════════════════════════════════════
HOST: FINANCE-SERVER-03
  Baseline domains (normal): 12 domains (all Trust >80)
    erp.sap.com, api.salesforce.com, auth.okta.com...

NEW DOMAINS (last 2 hours — NOT in baseline):
  temp-storage-service.xyz
    Trust: 4/100 | Age: 6 days | Country: Belarus | PR: 0.0
    /api: File upload endpoint active
    ALERT: Data exfiltration staging — finance server uploading data
  remote-admin-toolkit.com
    Trust: 8/100 | Age: 21 days | Country: Russia | PR: 0.0
    /products: Remote access tool (likely RAT download)
    Web Filtering: Hacking Tools
    ALERT: Attacker establishing persistence via remote access tool

AUTOMATED RESPONSE:
  → FINANCE-SERVER-03 isolated from network
  → All connections to flagged domains terminated
  → IR team alerted with full domain intelligence context
  → Memory forensics initiated on isolated host
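
The baseline-deviation check in the panel above can be run over connection logs as follows. This is an added example, not the product's detection logic: the host name, the three baseline domains and the two flagged domains with their trust scores and ages come from the panel, while the log format, timestamps, the `.example` domains and the function name are constructed.

```python
from datetime import datetime, timedelta

# Per-host baseline of expected external domains (three named on the page).
BASELINE = {"FINANCE-SERVER-03":
            {"erp.sap.com", "api.salesforce.com", "auth.okta.com"}}

# domain -> (trust score, age in days); last entry is constructed.
INTEL = {
    "temp-storage-service.xyz": (4, 6),
    "remote-admin-toolkit.com": (8, 21),
    "docs.vendor.example": (90, 3000),
}

# Constructed proxy log: ISO timestamp, source host, destination domain.
LOG = """\
2026-02-10T07:00:00 FINANCE-SERVER-03 old-event.example
2026-02-10T09:02:11 FINANCE-SERVER-03 erp.sap.com
2026-02-10T10:15:40 FINANCE-SERVER-03 temp-storage-service.xyz
2026-02-10T10:47:03 FINANCE-SERVER-03 remote-admin-toolkit.com
2026-02-10T10:50:00 FINANCE-SERVER-03 unknown-cdn.example
2026-02-10T10:55:00 FINANCE-SERVER-03 docs.vendor.example
truncated line
"""
NOW = datetime(2026, 2, 10, 11, 0, 0)

def deviations(log, now, window=timedelta(hours=2), min_trust=80):
    """Return {host: {domain: (severity, trust, age_days)}} for domains
    contacted inside the window that are not in the host's baseline."""
    findings = {}
    for line in log.splitlines():
        try:
            ts, host, domain = line.split()
            seen = datetime.fromisoformat(ts)
        except ValueError:
            continue                          # skip malformed lines
        if not (now - window <= seen <= now):
            continue
        if domain in BASELINE.get(host, set()):
            continue
        # No intelligence for a domain is treated as zero trust.
        trust, age = INTEL.get(domain, (0, 0))
        severity = "high" if trust < min_trust else "review"
        findings.setdefault(host, {})[domain] = (severity, trust, age)
    return findings

if __name__ == "__main__":
    for host, doms in deviations(LOG, NOW).items():
        for name, (sev, trust, age) in doms.items():
            print(f"{host} {name} severity={sev} trust={trust} age={age}d")
```

A domain that is new to the host but scores above the baseline's trust floor is still reported, at "review" severity, so a trusted-looking destination does not bypass the baseline.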

8. Dynamic Policy Adaptation

AI agent dynamically adapts zero trust policies based on changing domain intelligence — automatically tightening or loosening access controls as domain trust scores change, threat landscapes shift, or new intelligence becomes available.

Step 1: Auto-Adapt Policies to Threat Changes
/security /press Web Filtering OpenPageRank Domain Ages

DYNAMIC POLICY ADAPTATIONS — THIS WEEK
════════════════════════════════════════════════════════
TIGHTENED (3 policy changes):

1. CVE-2026-1847 Response
   Trigger: Mass exploitation of VPN gateway vulnerability
   Action: All domains <14 days old with /products containing "VPN" → BLOCK
   Affected: 147 exploit domains pre-emptively blocked
   Duration: Until patch deployment confirmed enterprise-wide

2. Vendor Compromise Alert
   Trigger: secure-msg-platform.com trust dropped to 22/100
   Action: All traffic to this vendor sandboxed + DLP enforced
   Affected: 340 users who access this messaging platform
   Duration: Until vendor re-verified or replacement deployed

3. Geopolitical Escalation
   Trigger: East Asia semiconductor targeting campaign detected
   Action: Enhanced screening for all domains hosted in high-risk regions
   Affected: Minimum trust threshold increased from 30 to 50 for APAC domains
   Duration: 30 days, then re-evaluate based on threat landscape

LOOSENED (1 policy change):

4. New Partner Onboarded
   Trigger: ThreatGuard Solutions passed trust assessment (87/100)
   Action: Added to Tier 2 vendor access with monitoring
   Affected: SOC team can now integrate with ThreatGuard APIs

9. Zero Trust Maturity Assessment

AI agent assesses the organization's zero trust maturity by analyzing how domain intelligence is integrated across identity, device, network, application, and data pillars — benchmarking against CISA Zero Trust Maturity Model standards.

Step 1: Assess Zero Trust Maturity Across Pillars
/security /compliance /products OpenPageRank IAB Categories

ZERO TRUST MATURITY ASSESSMENT — CISA MODEL
════════════════════════════════════════════════════════
  Pillar       Level     Domain Intel Integration
  Identity     Advanced  Trust scores inform identity-based access
  Devices      Advanced  Device domain baselines enforce policy
  Network      Initial   Microsegmentation uses domain intelligence
  Application  Advanced  App governance uses domain trust scores
  Data         Initial   DLP policies reference domain reputation

OVERALL MATURITY: INTERMEDIATE (3.2/5.0)

IMPROVEMENT ROADMAP:
  Q1 2026: Network pillar — Implement domain-based microsegmentation
  Q2 2026: Data pillar — DLP policies use domain trust for data classification
  Q3 2026: Automation — Fully automated trust re-verification pipeline
  Q4 2026: Target maturity: Advanced (4.2/5.0)

10. Supply Chain Zero Trust Verification

AI agent extends zero trust principles to the entire supply chain — continuously verifying the trust level of every vendor, partner, and supplier domain that connects to enterprise systems, ensuring no implicit trust is granted to any external entity.

Step 1: Verify Supply Chain Domain Trust
/security /compliance /partners /leadership OpenPageRank Domain Ages Countries

SUPPLY CHAIN ZERO TRUST — 412 VENDOR DOMAINS
════════════════════════════════════════════════════════
TIER 1 VENDORS (Critical — 34 domains):
  All require Trust >85 + quarterly re-verification
  Current status: 32 compliant | 2 below threshold
  BELOW THRESHOLD:
    data-processing-vendor.com — Trust: 67/100 (was 89)
      /compliance: ISO 27001 expired | /leadership: CPO departed
      ACTION: 30-day remediation window, access restricted to read-only
    infrastructure-monitoring.io — Trust: 71/100 (was 85)
      /security: Pen test date removed | /careers: -60% postings
      ACTION: Enhanced monitoring, backup vendor evaluation started

TIER 2 VENDORS (Important — 128 domains):
  All require Trust >60 + semi-annual re-verification
  Current status: 119 compliant | 9 near threshold

TIER 3 VENDORS (Standard — 250 domains):
  All require Trust >40 + annual re-verification
  Current status: 241 compliant | 9 non-compliant
Step 2: Generate Supply Chain Trust Report

Supply Chain Zero Trust Report — February 2026

EXECUTIVE SUMMARY
────────────────────────────────────────
  Total vendor domains monitored: 412
  Compliant with trust thresholds: 392 (95.1%)
  Below threshold: 20 (4.9%)
  Actions taken this month: 8 access restrictions, 4 vendor transitions

ZERO TRUST VALUE
  Domain intelligence enables continuous vendor verification that manual questionnaires cannot match. Average time to detect vendor security degradation: 14 days (vs 6-12 months with annual audits). Supply chain attacks prevented this quarter: 2 confirmed (vendor domain takeover + compromised SDK detected via trust decay).