Welcome to the 6th part of the VMware vDefend SSP series. In the previous post, I discussed the SSP Rule Analysis feature. This post focuses on the SSP Segmentation Report.
If you are not following along with this series, I encourage you to read the earlier parts from the links below:
1: Introduction to VMware vDefend Security Services Platform
2: Deploy & Configure SSP Instance
3: Onboard NSX Manager & Activate Platform Features
4: SSP Integration with Core Infrastructure Services
Traditional security architectures often resemble fortified castles—strong perimeter walls with limited internal protections. Once adversaries breach these external defences, they can navigate through internal networks with minimal resistance. This reality makes network segmentation not just a best practice but a critical security requirement.
Effective segmentation minimizes attack surfaces, protects sensitive data, and helps organizations meet regulatory compliance standards. However, implementing segmentation without proper visibility and measurement can lead to incomplete protection or operational complexity.
The Security Segmentation Report: Your Security Scorecard
The Security Segmentation Report is a vDefend SSP feature that evaluates your organization’s implementation of microsegmentation and security policies. This reporting capability provides several key benefits:
- Visibility and Assessment: The report analyzes network traffic flows to determine how effectively your security policies prevent unauthorized lateral movement. It examines both allowed and blocked traffic patterns to identify potential gaps in your security posture.
- Segmentation Scoring Modes: Organizations can choose between Strict and Relaxed scoring modes depending on their security maturity. The Strict mode applies more rigorous evaluation criteria, ideal for organizations seeking precise measurements of their security implementation. The Relaxed mode offers a less severe assessment, suitable for organizations still developing their segmentation strategies.
- Actionable Intelligence: Rather than simply presenting data, the report delivers specific recommendations for leveraging vDefend Distributed Firewall capabilities. These insights help security teams prioritize improvements and track progress over time.
The Segmentation Report provides a snapshot of your SDDC security posture and offers recommendations for leveraging Distributed Firewall capabilities to establish a robust defence against malicious actors.
To generate a security segmentation report, a minimum of 1,000 unique traffic flows must be present during the selected analysis period. After you deploy the SSP platform and activate Security Intelligence, allow the tool time to capture flows before starting any analysis.
Note: Flows for VMs added to the DFW exclusion list are excluded from the Security Segmentation Report.
After SSP has captured the 1,000 unique flows, click the Calculate Score button to generate an overall score for the SDDC’s current security posture.
Select the mode that suits your environment.
The tool typically takes 5-10 minutes to generate the security score.
Evaluating Your Security Segmentation Report
Scroll to the bottom section to see what factors were considered for score generation.
The report analyzes several key dimensions to measure the effectiveness of your network segmentation strategy.
- Core Security Controls: This assessment examines your Distributed Firewall configuration, focusing on its ability to validate network and transport layer protocols that defend against fundamental IP-based threats. The evaluation also verifies whether malicious IP reputation feeds are enabled along with their associated protective rules.
- Shared Infrastructure Management: This section evaluates how traffic is controlled for critical data center services, including DHCP, DNS, NTP, and LDAP, among others. The platform monitors 14 distinct infrastructure services to ensure appropriate access policies are enforced. A comprehensive list of these monitored services is available in the documentation.
- Environment Separation: The report measures how effectively your development, staging, and production environments are isolated from one another. Proper separation minimizes the potential for cross-contamination between environments and maintains operational stability.
- Application-Level Segmentation: This criterion evaluates controls governing traffic both within individual applications and between different applications. Effective policies in this area prevent unauthorized lateral movement and safeguard sensitive data transmissions.
- Legacy Technology Detection: The assessment combines port analysis with application-layer identification to uncover the use of outdated protocols such as TLS versions prior to 1.2, SMB versions before 2, SSL, Telnet, and similar deprecated technologies. When workloads include the Guest Introspection driver, the system also identifies operating systems that have reached end-of-life status.
The assessment score indicates security level as follows:
- 0-50: Low security
- 51-80: Medium security
- 80+: High security
To understand the score in greater detail, generate the full segmentation report.
Generate a Security Segmentation Report
To generate a new report, navigate to the Monitor & Plan > Security Segmentation Report tab and click Generate Report.
Enter the report name and select the time range of the traffic to be analyzed. Select the Security Segmentation Score mode.
Click Generate to start the report creation.
Depending on the number of flows to be analyzed, the report generation typically takes 5-10 minutes for completion.
Click the three dots and download the report for analysis. The generated PDF is broken down into various sections, as shown below.
The report’s Executive Summary section delivers a top-level overview of your Security Segmentation Score. It provides details of the traffic that must be secured.
The overview of the current segmentation section lists the at-risk workloads and the workloads with a blast radius. The report also shows the unprotected flows (those matching the DFW default allow rule). At-risk workloads are workloads that have:
- Public Traffic: VM connections to an external IP address.
- Obsolete OS: VMs running an OS that is out of support.
- Risky Application Protocols: Protocols such as SMB, RDP, etc.
The report also shows the entry point of the blast radius.
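To make the at-risk criteria, the legacy-technology checks and the 1,000-flow minimum concrete, here is an added Python illustration (my own, not SSP code and not its scoring algorithm) that classifies constructed flow records the way the report describes. The record fields, the internal address ranges, the end-of-life OS list and the protocol labels are assumptions.

```python
import ipaddress
# Constructed sample flow records (not an SSP export); field names are assumptions.
SAMPLE_FLOWS = [
    {"vm": "term-srv-01", "dst": "203.0.113.10", "port": 443, "proto": "TCP",
     "app": "TLS1.0", "os": "Windows Server 2008", "rule": "default-allow"},
    {"vm": "term-srv-01", "dst": "10.0.20.5", "port": 3389, "proto": "TCP",
     "app": "RDP", "os": "Windows Server 2008", "rule": "default-allow"},
    {"vm": "web-01", "dst": "10.0.10.8", "port": 443, "proto": "TCP",
     "app": "TLS1.2", "os": "Ubuntu 22.04", "rule": "web-to-db"},
    {"vm": "file-01", "dst": "10.0.10.9", "port": 445, "proto": "TCP",
     "app": "SMB1", "os": "Windows Server 2019", "rule": "default-allow"},
    {"vm": "mgmt-01", "dst": "203.0.113.53", "port": 53, "proto": "UDP",
     "app": "DNS", "os": "Ubuntu 22.04", "rule": "default-allow"},
]
DFW_EXCLUSION_LIST = {"mgmt-01"}  # constructed; the report ignores these VMs' flows
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumption
EOL_OS = {"Windows Server 2008", "Windows Server 2012"}  # constructed sample list
RISKY_PROTOCOLS = {"SMB", "SMB1", "RDP"}  # risky application protocols per the report
LEGACY_APPS = {"SSL", "TLS1.0", "TLS1.1", "SMB1", "Telnet"}  # TLS < 1.2, SMB < 2, ...
MIN_UNIQUE_FLOWS = 1000  # minimum the report needs in the analysis window
def eligible_flows(flows):
    # Drop flows of VMs on the DFW exclusion list, as the report does.
    return [f for f in flows if f["vm"] not in DFW_EXCLUSION_LIST]

def unique_flow_count(flows):
    # Distinct (source VM, destination, port, protocol) tuples; compare to MIN_UNIQUE_FLOWS.
    return len({(f["vm"], f["dst"], f["port"], f["proto"]) for f in eligible_flows(flows)})

def is_external(ip):
    # Public traffic: destination outside the internal address ranges.
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def at_risk_workloads(flows):
    # Map each VM to the at-risk reasons the report lists; clean VMs are dropped.
    findings = {}
    for f in eligible_flows(flows):
        reasons = findings.setdefault(f["vm"], set())
        if is_external(f["dst"]):
            reasons.add("Public Traffic")
        if f["os"] in EOL_OS:
            reasons.add("Obsolete OS")
        if f["app"] in RISKY_PROTOCOLS:
            reasons.add("Risky Application Protocols")
        if f["app"] in LEGACY_APPS:
            reasons.add("Legacy Technology")
    return {vm: sorted(r) for vm, r in findings.items() if r}

def unprotected_flows(flows):
    # Flows that only matched the DFW default allow rule, i.e. no explicit policy.
    return [f for f in eligible_flows(flows) if f["rule"] == "default-allow"]
```

With the sample above, term-srv-01 is flagged on all four counts, file-01 on SMB1 only, web-01 is clean, and mgmt-01 never appears because it is on the exclusion list.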
In the example below, the terminal servers are talking to a Microsoft public IP address, which is external to the data center. The executive summary explicitly calls out securing external communication, because workloads with inbound or outbound connections to external IP addresses are exposed to attack.
In the security recommendation section, the report provides the security measures that must be taken to strengthen the security posture and achieve true microsegmentation.
There are many more such examples in the report, and it’s not possible to cover them all, as they vary from environment to environment.
Best Practices for Leveraging the Report
To maximize value from the Security Segmentation Report:
- Start with a Baseline Assessment: Generate an initial report in Relaxed mode to understand your current state without overwhelming your team with strict penalties.
- Regular Monitoring: Schedule periodic report generation to track improvement trends and identify emerging security gaps.
- Correlate with Threat Intelligence: Combine segmentation reports with Security Services Platform features like Network Detection and Response to gain comprehensive threat visibility.
- Iterate Policy Development: Use report recommendations to progressively tighten security policies, moving from Relaxed to Strict scoring as your segmentation maturity increases.
Conclusion
The VMware vDefend Security Segmentation Report represents more than a compliance checkbox—it provides a strategic tool for building resilient security architectures. By combining comprehensive visibility with actionable recommendations, the report enables organizations to systematically strengthen their defences against modern cyber threats.
As attack techniques continue evolving, the ability to measure, monitor, and improve network segmentation becomes increasingly critical. Organizations leveraging the Security Segmentation Report gain both the insight and guidance needed to implement effective zero-trust architectures that protect their most valuable digital assets.
The transition from perimeter-based to segmentation-based security requires careful planning and continuous refinement. With tools like the vDefend Security Segmentation Report, organizations can navigate this transformation with confidence, building security postures that adapt to emerging threats while maintaining operational efficiency.
And that’s it for this post.
In the next post of this series, I will discuss the Security Intelligence feature. Stay tuned!!!
I hope you enjoyed reading this post. Feel free to share this post on social media if it’s worth sharing.