Skill Being Reviewed
Skill name: segmentation
Skill path: skills/network/segmentation/
False Positive Analysis
Benign-looking evidence that can be over-scored today:
zone: production-app
inbound_segmentation:
  app_to_data: restricted
  user_to_app: via load_balancer
outbound:
  route: 0.0.0.0/0 via NAT gateway
  ports: [443]
  proxy_required: false
  dns: any resolver
claimed_result: segmented
The current skill is strong on zone maps, trust boundaries, east-west traffic, DMZ design, CDE validation, and segmentation testing. It does not require reviewers to prove that sensitive zones have explicit outbound boundaries. A workload can be well segmented laterally but still reach arbitrary internet destinations, bypass approved proxies or DNS controls, or exfiltrate through a broad NAT route.
Coverage Gaps
- Production, management, CDE, OT/IoT, or crown-jewel zones can have unrestricted 0.0.0.0/0 or ::/0 outbound access without a finding.
- Egress can bypass secure web gateways, DNS firewalls, service mesh egress gateways, DLP, or inspection points through NAT, public IPs, peering, VPN, or transit routes.
- Port-only allowlists such as outbound 443 can be treated as segmentation even when destination, tenant, FQDN, or SaaS constraints are absent.
- Direct external DNS can bypass monitored resolvers and DNS policy.
- Temporary broad egress exceptions can persist without owner, expiry, compensating control, or review evidence.
Recommended Improvement
Add an egress boundary and internet exit evidence gate requiring source zone/workload, approved destinations, enforcement point, DNS path, direct internet route review, inspection/logging evidence, and exception lifecycle fields. Extend the report with an egress boundary matrix and add findings for unrestricted egress, proxy/DNS bypass, weak port-only allowlists, direct external DNS, stale exceptions, missing destination inventory, and untested alternate egress paths.
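As an added illustration of the proposed egress evidence gate (example code written for this review, not part of the skill), the checker below scores the sample evidence above and emits the recommended finding names. The sensitive-zone prefixes, the approved resolver name and the exception entry are assumptions constructed for the example.

```python
from datetime import date
from ipaddress import ip_network

# Constructed evidence mirroring the review's sample; the exception entry is hypothetical.
SAMPLE_EVIDENCE = {
    "zone": "production-app",
    "outbound": {
        "route": "0.0.0.0/0 via NAT gateway",
        "ports": [443],
        "proxy_required": False,
        "dns": "any resolver",
        "exceptions": [{"reason": "vendor update", "owner": None, "expires": None}],
    },
    "claimed_result": "segmented",
}

# Assumed organisational inputs: sensitive zone names and the monitored resolvers.
SENSITIVE_ZONE_PREFIXES = ("production", "management", "cde", "ot", "iot", "crown-jewel")
APPROVED_RESOLVERS = {"dns-firewall.internal"}


def is_default_route(route: str) -> bool:
    """True when the route's destination prefix is 0.0.0.0/0 or ::/0."""
    try:
        return ip_network(route.split()[0], strict=False).prefixlen == 0
    except (ValueError, IndexError):
        return False


def egress_findings(evidence: dict, today: date) -> list[str]:
    """Run the egress evidence gate and return the findings the review recommends."""
    out = evidence.get("outbound", {})
    findings = []
    if evidence.get("zone", "").lower().startswith(SENSITIVE_ZONE_PREFIXES):
        if is_default_route(out.get("route", "")):
            findings.append("unrestricted-egress")
    if not out.get("proxy_required") and not out.get("egress_gateway"):
        findings.append("proxy-bypass")  # traffic never passes an inspection point
    if out.get("ports") and not out.get("destinations"):
        findings.append("port-only-allowlist")  # 443 allowed, no FQDN/tenant constraint
    if out.get("dns") not in APPROVED_RESOLVERS:
        findings.append("direct-external-dns")
    for exc in out.get("exceptions", []):
        expiry = exc.get("expires")
        if not exc.get("owner") or expiry is None or date.fromisoformat(expiry) < today:
            findings.append("stale-exception")
            break
    if findings and evidence.get("claimed_result") == "segmented":
        findings.append("claim-not-supported")
    return findings
```

Running `egress_findings(SAMPLE_EVIDENCE, date(2024, 1, 1))` turns the "segmented" claim into six findings; evidence with a specific route, named destinations, a required proxy and a monitored resolver returns an empty list.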
Bounty Info