Audits Istio service meshes for evidence-backed Zero Trust maturity, attack paths, and remediation priorities.
90
90%
Does it follow best practices?
Impact
93%
1.19xAverage score across 4 eval scenarios
Advisory
Suggest reviewing before use
Audit actual enforcement, not configuration intent. Never invent cluster state or treat a resource's existence as proof that it applies to traffic.
Accept live-cluster access, command output, manifests, architecture diagrams, traffic requirements, or any combination. Establish:
If live access is available, read
references/EVIDENCE_COLLECTION.md and collect the
minimum required evidence. If only supplied artifacts are available, inventory what is present
and mark missing evidence as UNKNOWN.
VERIFIED, INFERRED, or UNKNOWN.targetRefs scope before judging coverage.REGISTRY_ONLY an egress firewall; it only controls unknown destinations known
to the proxy and can be bypassed by traffic outside mesh capture.Map control-plane revisions, injection or ambient enrollment, gateways, waypoint coverage, proxy health, trust domains, and mesh-wide settings. Run static analysis before interpreting individual policies.
Checkpoint: Stop and report UNKNOWN coverage if the workload inventory cannot be mapped
to a data plane. Do not score unenrolled workloads as protected.
Map workloads to ServiceAccounts and SPIFFE identities. Flag unrelated workloads sharing an identity, production use of default identities when permissions are broad, trust-domain alias expansion, certificate errors, and unexpected plaintext paths.
Resolve effective PeerAuthentication from mesh to namespace to workload and port. In ambient
mode, account for ztunnel mTLS and use STRICT to identify bypass paths; DISABLE is not
supported for ambient workloads.
Checkpoint: Before authorization analysis, document effective mTLS for every assessed source/destination pair. Principal- and namespace-based authorization conclusions are unreliable where peer identity is unavailable.
Map RequestAuthentication and AuthorizationPolicy to workloads. Check:
CUSTOM providers that are absent, fail open, or are not applied as intendedtargetRefs mistakes, revision skew, and policies with no matching workloadUse references/POLICY_EXAMPLES.md for complete vulnerable
and hardened examples. Recommend dry-run and traffic tests before enforcing disruptive policy.
Checkpoint: Compare intended communication with effective ALLOW, DENY, CUSTOM, and AUDIT behavior. If policy intent is unavailable, classify excess access as probable rather than verified.
Build a source-to-destination matrix for production, development, platform, monitoring, and administrative workloads. Verify representative allowed and denied flows.
Construct plausible lateral-movement paths from exposed or lower-trust workloads to sensitive assets. For each hop, record required identity, protocol, policy decision, and uncertainty. Revisit identity or authorization findings when a path contradicts earlier assumptions.
For ingress, review gateway listeners, TLS modes, credential references, wildcard hosts, routing reachability, client authentication, and gateway authorization.
For egress, review mesh and Sidecar outbound modes, ServiceEntry scope, egress gateways,
DNS behavior, network policies, and direct-IP or host-network bypasses. Verify whether external
destinations are merely registered, routed through a gateway, or actually restricted by an
independent network control.
When ambient is present, map namespace enrollment, ztunnel health, waypoint attachment, and which policies require L7 enforcement. Identify traffic that receives only L4 enforcement.
For multi-cluster meshes, verify trust anchors, trust-domain aliases, east-west gateway exposure, remote-cluster secrets, identity uniqueness, and cross-cluster policy assumptions.
Run static analysis, inspect effective proxy configuration, and execute representative positive and negative traffic tests where permitted. A negative test must show that forbidden traffic fails; a positive test must ensure remediation does not break required traffic.
When evidence conflicts:
Read references/SCORING_AND_MATURITY.md before assigning
severity, Zero Trust score, maturity level, or confidence. Severity depends on reachability,
asset sensitivity, exploit prerequisites, blast radius, and compensating controls.
Do not award maturity credit for controls that are configured but not verified on in-scope workloads.
Use references/OUTPUT_TEMPLATE.md. Every finding must include:
Prioritize immediate containment, then 30-day and 90-day work. State assumptions, evidence gaps, residual risk, and the tests required to close each unknown.