Zero Trust Security
High scrutiny and high blast radius; proof and governance matter.
Inside this journey
-
Pre-Discovery
Align the room on outcomes, decision process, and constraints before deeper discovery.
-
Stakeholder Alignment
Confirm decision roles (CISO, VP Security, IT ops), timeline, and measurable pilot success signals (connection reliability, access latency, helpdesk ticket delta).
Alignment Questions
Start Here: The Trigger That Changed Things
- What single event or concern made you decide to explore replacing or augmenting your VPN today?
- Who in your organization is sponsoring this effort at the executive level, and who will be the day-to-day project lead?
- Which team currently owns the VPN and remote access operations today?
- Roughly how many users and which user cohorts are you thinking about for the initial pilot?
- Which three applications or classes of applications are highest priority to include in the pilot (name or describe them)?
Who's Really Steering the Ship?
- If we replaced the VPN tomorrow, who holds final authority to say 'go' or 'stop' for the pilot?
- Which individuals or roles must be at the evaluation table for a vendor to be seriously considered?
- Who will be the day-to-day administrator for the zero trust platform during the pilot, and do they have capacity for this project?
- Has there been internal resistance historically when platform or network architecture changes were proposed? Tell us about one memorable pushback and why it mattered.
- Are there non-negotiable stakeholders who must approve network-level visibility, logging, or policy changes before we proceed?
If This Breaks, Who Will Notice—and How Bad Will It Hurt?
- When you imagine the worst-case during a migration, who in the business feels the impact first and most painfully?
- Tell us about the outage, red-team finding, or audit that made this project urgent—what actually happened and what was the fallout?
- Which internal applications or services would be most damaging if they became inaccessible during a pilot cutover?
- How many helpdesk tickets per day/week are typical for remote access issues today (baseline)?
- Are there known undocumented dependencies or 'shadow apps' that typically appear during migrations? If so, how do you currently discover them?
What Would Actually Convince the Skeptics?
- What one measurable outcome would make this project an undeniable win for the CISO and for IT operations respectively?
- Which of the following metrics will you use to compare vendors during the pilot?
- For the top three metrics you selected, what are your current baselines and what improvement would be considered acceptable?
- If two vendors meet most metrics but one handles thick-client apps and RDP flawlessly while the other does not, how would that weigh in your decision?
- Who gets the final say if security and IT operations disagree on which vendor to advance?
Can We Finish This Pilot on Your Timeline—or Will Hidden Gates Stop Us?
- If you had to pick a pilot length today, what would you propose?
- What hard dates, blackout windows, or business cycles must we avoid when scheduling a pilot?
- Are there procurement or legal timelines (RFP, SOW reviews, security questionnaires) that typically add weeks to this kind of project?
- What are your non-negotiable gating criteria for pausing or rolling back a pilot (examples: >X% user impact, critical app down, spike in tickets)?
- What internal approvals are required to start the pilot (list roles and expected sign-off timeframes)?
What Would Make Your Operations Team Sleep Better?
- If your ops team could remove one fear about replacing the VPN, what would it be?
- Which operational capabilities are mandatory in the admin console for you to accept the new platform?
- How important is having a vendor engineer onsite or available in real time during initial cutover/testing?
- Who will be responsible for connector placement, patching, and day-to-day maintenance during the pilot?
- What device posture checks or endpoint controls must be enforced before granting access (select all that apply)?
Will We Be Able to See the Same Truth—Telemetry & Evaluation
- Are you willing to share pilot telemetry (connection logs, latency, helpdesk tickets) with vendors for side-by-side evaluation?
- Which telemetry types are you comfortable sharing for evaluation?
- Do you have data retention or privacy policies that limit how long or where pilot telemetry can be stored?
- How often would you like vendor evaluation meetings during the pilot to review telemetry and decide next steps?
- Who on your team will be accountable for collecting and normalizing telemetry across vendors?
Decision Mechanics: From Pilot Results to Contract
- What criteria will move this project from pilot to full deployment—who signs off and which documents do we need?
- Who holds the budget for this initiative and what internal approval thresholds should we be aware of?
- Which contractual or commercial terms are likely to be decisive (e.g., trial credits, liability limits, SLAs, support SLAs)?
- What would be an acceptable path to full production—big-bang cutover, phased rollout by app, or phased by user cohort?
- What is the single next step you want from us after this discovery conversation?
-
Current Access & Risk Mapping
Document VPN topology, blast-radius scenarios, application inventory, and undocumented dependencies that must be discovered before migration.
Current State
Starting Point: What's On Your Plate Today
- Quick snapshot—how many remote users rely on your VPN today?
- Which VPN or remote-access technologies are currently in production?
- Who owns day-to-day operations and policy changes for that VPN (team/title)?
- When was the last meaningful outage or performance incident tied to the VPN, and what was the immediate business impact?
- Do you maintain a living inventory of apps behind the VPN today (percentage complete)?
If One Compromised Session Could Tell a Story, What Would It Say?
- Imagine an attacker gained one VPN credential—how easily could they move laterally across your environment?
- Have red team or penetration tests flagged lateral movement originating from the VPN in the last 24 months? Describe the most concerning finding.
- What mechanisms currently prevent a VPN session from accessing unrelated business-critical systems?
- How do you quantify the blast radius today—what data or scenarios do you use?
- How would a high-impact lateral movement event affect revenue, compliance, or customer trust in your view?
Where Are The Invisible Dependencies Hiding?
- How confident are you that your current app inventory captures every service the VPN exposes (including scripts, scheduled jobs, and CI systems)?
- List the categories of legacy or undocumented apps that you suspect are still reachable only via VPN (e.g., internal build servers, printer services, license servers).
- Which discovery methods have you used to uncover hidden dependencies?
- How long does it typically take your team to validate whether an application can function without VPN access?
- Can you share one example of an undocumented dependency that caused a disruptively unexpected outage or rollback?
How Much Latency Is Too Much? (And Who Notices First)
- When users complain about remote access performance, which symptoms appear first—slowness logging in, app timeouts, RDP lag, or something else?
- What are your current SLA or target goals for connection latency and session reliability for remote engineers?
- Which tools or telemetry sources do you use to measure access latency and connection reliability?
- How many helpdesk tickets per 1,000 remote users per month relate to connectivity or application access problems?
- Tell us about one performance problem that had measurable business cost (time, lost revenue, missed deadlines).
Do Your Admins Feel Empowered or Handcuffed?
- If you asked your network team whether current firewall/VPN policy granularity matches business intent, what would they say?
- How many distinct firewall/VPN rulesets or security groups do you maintain for remote access (approximate count)?
- Which policy controls are non-negotiable for replacement (for example: per-app allowlists, time-of-day restrictions, group-level exceptions)?
- How do you currently audit and prove that access policies are correctly limiting risk for compliance or cyber insurance reviews?
- Describe a recent policy change that was difficult to implement and why it was painful operationally.
If You Could Shrink The Blast Radius Overnight, What Would Change?
- What three measurable outcomes would convince you a new access model reduced blast radius and improved security?
- Which user population would be the best candidate for an initial pilot to prove reduced blast radius and why?
- What minimum duration and sample size do you require to trust pilot telemetry (days and user count)?
- Which metrics will you weight most in a vendor comparison—connection reliability, access latency, helpdesk ticket delta, thick-client compatibility, policy granularity, or something else?
- In an ideal shift, what operational or financial benefit would make leadership say 'we made the right call'?
Testing the Tough Stuff: Thick-Client and RDP Reality Check
- Which business-critical applications rely on thick-client binaries, native sockets, or RDP that browsers can't proxy?
- How often do remote users rely on RDP or VDI for core workstreams versus browser-based tools?
- Are there file share protocols, license managers, or native databases that require IP-level access today? Please list them and their owners.
- What is the tolerance for any functional regression on these apps during a pilot (zero tolerance, minor acceptable, acceptable with rollback plan)?
- Who on your team will own compatibility testing and who signs off on application acceptance?
Telemetry, Rollback & Signals: What Will Convince You?
- What single telemetry signal would make your SRE or SOC say 'this new access model is safer than VPN'?
- Which telemetry sources can you share during a pilot (VPN logs, endpoint telemetry, helpdesk tickets, SIEM events)?
- What would trigger an immediate rollback during a pilot (criteria and threshold)?
- How frequently do you want joint evaluation checkpoints (daily, weekly, bi-weekly) and who must attend?
- Are there legal, compliance, or vendor rules that limit telemetry sharing or external logging during an evaluation?
Hidden Costs & Operational Overhang
- Estimate the recurring operational hours your team spends per month on VPN rule changes, break-fix, and tuning.
- How often do firewall rule changes require coordination across 3+ teams (routing, security, app owners, helpdesk)?
- What hidden costs or risks do you associate with continuing to operate the VPN long-term (licensing, single point of failure, audit exposure)?
- How many FTEs on your helpdesk are primarily dedicated to remote access troubleshooting?
- If you could reclaim a percentage of that time, what would you reallocate those resources to?
Next Steps & Decision Hygiene
- Who are the decision-makers and formal approvers for a pilot (title/role)—who has veto power?
- What procurement or legal constraints should we anticipate for a 60–90 day parallel pilot?
- What is your target timeline to start a discovery-led pilot if the scope and protections are acceptable?
- Who will be the primary operational owner for the pilot (name/title) and who will be the technical day-to-day contact?
- What would be a small but meaningful next-step you’d like from us to make moving forward easier?
-
-
Solution Experience
Run a side-by-side scenario using the customer context to show how the agent reduces blast radius, improves connection times, and supports thick-client/RDP sessions.
Experience Meetings
- Solution Experience Kickoff — Confirm Context & Success Metrics
- Test Plan & Scenario Design — Map Customer Context to Side-by-Side Scenarios
- Environment Prep & Baseline Measurement
- Side-by-Side Execution Session (Live Run)
- Post-Run Analysis & Decision Workshop
- Capture all telemetry and evidence necessary for decisions and vendor comparison.
- Acquire a reliable baseline dataset under the customer's current VPN for direct comparison.
- Ensure the side-by-side agent environment mirrors production context and is validated.
- Establish a clear go/no-go decision and rollback plan to minimize customer risk.
- Customer to run the agreed baseline scripts and upload logs to the shared location.
- Seller to verify agent telemetry is streaming to dashboards and correlated with baseline identifiers.
- Both parties to sign-off on the go/no-go checklist before the live execution window.
- Re-state Objectives & Roles
- Demonstrate measurable reduction in lateral exposure for the agreed blast-radius scenario.
- Show statistically significant improvement (or parity) in connection times and access latency.
- Prove that thick-client and RDP workflows function without breaking under the agent.
- Introductions & Roles
- Seller to collect and share side-by-side logs, packet captures, and dashboard exports for each scenario.
- Customer to validate and sign off each scenario as 'meets criteria' or 'requires remediation'.
- If issues found, both parties to agree on immediate mitigations and schedule re-run windows.
- Catalog any undocumented dependencies discovered during the run for remediation planning.
- Executive Summary of Outcomes
- Reach a mutual decision on whether the side-by-side proved the future state against the customer's consequences.
- Produce a prioritized remediation and rollout plan for any outstanding compatibility gaps.
- Agree on measurement and reporting cadence for the remainder of the pilot or next evaluation steps.
- Seller to generate a concise side-by-side comparison report (metrics, artifacts, and recommended remediation) within 48 hours.
- Customer to review and accept the report, marking each scenario as 'validated' or 'requires remediation'.
- Both parties to agree owners and dates for remediation tasks and any follow-up test windows.
- If validated, schedule the Validation Checklist meeting to prepare for wider pilot expansion.
- Make the current state crystal clear in one sentence to eliminate ambiguity.
- Surface and quantify the business/operational consequence of the current state.
- Agree a one-sentence future-state outcome that the side-by-side must prove.
- Lock success signals and the measurement plan so the run has objective pass/fail criteria.
- Confirm pre-work, data access, and responsible owners to avoid delays.
- Customer to provide canonical app inventory, network topology diagram, and list of undocumented dependencies.
- Customer to grant telemetry/API access and create the agreed test accounts for the pilot cohort.
- Seller to produce a one-page measurement plan mapping metrics to data sources and dashboards.
- Assign a single pilot owner from the customer side who will validate results and coordinate triage.
- Review App Inventory & Blast-Radius Threats
- Produce a prioritized, executable scenario list that directly ties to the customer's consequences.
- Define explicit measurement and pass/fail criteria per scenario.
- Agree where and how the customer will validate each proof step to force confirmation.
- Finalize the test scripts and schedule for the live execution.
- Seller to deliver detailed test scripts for each scenario including commands, expected outputs, and telemetry points.
- Customer to mark the apps and IP ranges that must be in-scope and highlight any sensitive systems requiring special handling.
- Both parties to agree on the run window and expected duration for each scenario.
- Seller to prepare dashboards and log collectors for real-time comparison against baseline VPN metrics.
- Topology & Connector Placement Review
- One-sentence Current State
- Scenario A — Blast-Radius Containment Test
- Baseline Metric Collection Plan
- Select Representative Scenarios
- Deep-dive Metrics Comparison
- Impact Mapping to Consequences
- Map Metrics to Each Scenario
- Scenario B — Connection Time & Latency Comparison
- Consequence Quantification
- Deploy & Validate Agents/Connectors
- Decide Next Steps & Acceptance
- Define Future State (one sentence)
- Define Stepwise Proof Actions
- Baseline Test Execution
- Scenario C — Thick-Client & RDP Functionality
- Real-time Telemetry Review
- Go/No-Go & Risk Mitigation
-
Pilot Scope
Define pilot boundaries: user cohort (200–500 engineers), target applications/connectors, measurement plan, and vendor comparison criteria.
Scope Configuration
- Install endpoint access agent on user devices
- Integrate with SSO/Identity Provider
- Deploy application connectors for internal apps
- Provision per-application encrypted micro-tunnels
- Configure per-application role-based access policies
- Enable RDP and thick-client tunneling
- Configure device posture enforcement
- Set up split DNS and internal name resolution
- Forward session and audit logs to SIEM
- Deploy high-availability connector clusters
- Enable clientless browser access for web apps
- Activate session recording and live threat alerts
Scope Questions
Install endpoint access agent on user devices
- Which endpoint operating systems must the agent support?
- How many devices/users will need agent installation for the pilot?
- How do you prefer agents to be installed?
- Do you have an existing MDM/endpoint management solution to orchestrate installs? If yes, which one?
- Are there corporate policies or AV products that block unsigned drivers or kernel modules the agent might need?
- Do you require offline or air-gapped device support for the agent? Describe constraints if any.
Integrate with SSO/Identity Provider
- Which Identity Provider(s) do you use for authentication?
- Which federation/protocols are required for integration?
- Do you require automated user/group provisioning (SCIM) from your IdP?
- Are there multiple authentication domains or tenants that must be supported?
- Do you require MFA enforcement or specific conditional access policies for pilot users?
- Who are the IdP owners and technical contacts (name, team, email)?
Deploy application connectors for internal apps
- How many internal applications do you plan to include in the pilot?
- What types of applications will need connectors?
- Where must connectors be deployed for each app (on-prem, cloud VPC, DMZ) — list per application if possible.
- Are there network or firewall constraints (static IPs, NAT, port ranges) that affect connector placement?
- Do any applications require protocol translation, header injection, or application-layer proxies?
- Who are the application owners/SMEs we can coordinate with for connector testing?
Provision per-application encrypted micro-tunnels
- Which specific applications should have per-application micro-tunnels provisioned for the pilot?
- What are your expected performance requirements per application (e.g., latency targets, throughput)?
- Do you require end-to-end encryption standards or ciphers (e.g., TLS1.3 only, FIPS)?
- Should tunnels be persistent or on-demand per session?
- Are there regulatory or data residency constraints governing where tunnel endpoints may reside?
- Do you require split-tunnel behavior or full tunnel for selected apps?
Configure per-application role-based access policies
- What user roles/groups should be mapped to application access for the pilot?
- Should policies be based on identity only or include device posture, location, and time of day?
- Do you need coarse-grained (app-level) or fine-grained (action/resource-level) policy controls?
- Will policy changes require a formal approval workflow or change window?
- Are there temporary/exceptions workflows (e.g., emergency access) that must be supported during pilot?
- How should policy audit logs be retained and who needs access to them?
Enable RDP and thick-client tunneling
- Which RDP/back-end versions and ports are in use (e.g., RDP over TCP 3389, custom ports)?
- List thick-client applications that must function through tunnels (name, protocol, typical ports).
- Do clients require clipboard, file transfer, or drive-mapping across the tunnel?
- Do you require SSO into thick-clients/RDP sessions or separate credential prompts?
- Are there performance baselines for RDP/thick-client sessions we should measure during the pilot?
- Are there specific security controls for RDP sessions (e.g., clipboard disable, screen lock) that must be enforced?
Configure device posture enforcement
- Which device posture checks are required before granting access?
- Do you already have MDM/EDR telemetry available for posture evaluation?
- Should failed posture checks block access, quarantine, or present a remediation flow to the user?
- How frequently should posture be reevaluated during a session?
- Do you require automated remediation or ticket creation when posture fails?
- Are there special device classes (lab machines, shared terminals, CI/CD agents) that need different posture rules?
Set up split DNS and internal name resolution
- Do you currently use split-horizon DNS or conditional forwarding for internal names?
- Which internal domains and DNS zones must be resolvable via the pilot connectors?
- Will clients use system DNS, DNS proxy, or DoH/DoT for internal name resolution?
- Are there internal name resolution dependencies (LDAP, AD Web Services, internal CA) that require DNS entries?
- Are there requirements for caching TTLs or DNS failover during DNS server outages?
- Describe any DNSSEC or zone-signing requirements that must be preserved.
Forward session and audit logs to SIEM
- Which SIEM solution(s) will ingest session and audit logs for the pilot?
- What log formats and transport methods are preferred (syslog, HTTPS JSON, agent-forward, API)?
- What retention and access-control requirements exist for session recordings and audit logs?
- Do logs require PII/masked fields or redaction before forwarding to SIEM?
- Who manages SIEM ingestion and mapping (internal SOC team or vendor)? Provide contact.
- Are there bandwidth or storage constraints for log forwarding we should plan for?
Deploy high-availability connector clusters
- Which regions or datacenters require connector presence for HA and low latency?
- What are your availability SLAs or RTO/RPO targets for connector uptime?
- Estimated concurrent sessions and peak connections expected during pilot?
- Do you require multi-AZ or active-active connector clusters versus active-passive?
- Are there maintenance windows or change freeze periods that restrict connector upgrades?
- Will connectors be deployed on VMs, containers, or appliance hardware? List preferences.
-
Mutual Commit
Agree pilot terms (60–90 days), responsibilities, rollback criteria, telemetry sharing, and evaluation cadence.
Agreement Modules
- Statement of Work (SOW)
- Pilot Agreement & Terms
- Roles & Responsibilities (RACI)
- Rollback & Remediation Criteria
- Telemetry & Data Sharing Agreement
- Evaluation Cadence & Acceptance Criteria
- Trial Licensing & Billing Terms
- Security & Access Controls Addendum
- Support & Escalation Plan
- Change Control & Scope Management
- Confidentiality & Data Protection (NDA/DPA)
- Termination & Exit Plan
- Acceptance Sign-off & Decision Authority
-
Deployment
Operationalize rollout with readiness checks, enablement, and outcome validation.
-
Pre-Deployment Readiness
Confirm app mappings, connector placements, device posture checks, test accounts, and owners are in place for a low-risk pilot run.
Readiness Questions
Quick Snapshot: Who’s In This Room?
- Tell us who is sponsoring this initiative and who will be the day-to-day contact for the pilot (name, role, email)
- What user population are you planning to pilot with?
- What is your target pilot duration?
- Which measurable signals would you use to call the pilot a success? (pick up to three, then describe)
- Who from your team owns rollback decisions if the pilot interrupts business operations? (name & role)
- What's the earliest date you’d be ready to begin a low-risk parallel pilot?
If Your VPN Failed Tomorrow, How Fast Would You Notice?
- When was the last time a VPN outage materially impacted productivity or revenue at your company?
- Describe a specific incident (outage, red team finding, or audit) that prompted interest in replacing or segmenting VPN access
- If a single compromised VPN session could roam freely inside your network right now, what systems or teams would you expect to be at greatest risk?
- How emotionally urgent is this project to leadership—are they demanding a fix immediately, open to a measured pilot, or skeptical?
- What would be the organizational consequences if a pilot caused a high-severity outage during business hours?
Where Does Your Access Architecture Actually Live Today?
- Who owns the VPN estate today (team or role)?
- Map your current VPN topology at a high level (centralized hub, regional concentrators, cloud-hosted, appliance at each DC, other)
- Approximately how many unique applications or services does the VPN currently provide access to (give a number or range)?
- Which access patterns are most common through your VPN today (select all that apply)?
- Describe any custom routing, hairpinning, or security appliances that a migrated session would still need to touch (e.g., DLP, proxy chaining)
What Could Be Hiding Behind ‘It Just Works’?
- How confident are you that you have a complete inventory of dependencies that the VPN currently enables?
- What methods have you used to discover undocumented dependencies (network flows, packet captures, helpdesk logs, interviews, none)?
- Share one example of an undocumented dependency you discovered in a past migration and the impact it had
- How long does it usually take you to map an application’s full connectivity profile (ports, hosts, backends, firewall rules)?
- What internal sources of truth (CMDB, asset inventory, network diagrams) do we have permission to access during discovery?
How Do Your Users Really Connect—And How Fragile Is That?
- Which client types do your users rely on most (choose all that apply)?
- Which mission-critical thick-client apps must remain fully functional during the pilot? Please list by name and business owner
- What percentage of pilot users rely daily on RDP or other remote desktop sessions?
- Have you previously attempted browser-only ZTNA or gateway-based ZTNA for these apps? What broke and why?
- How do you currently validate thick-client behavior (test accounts, synthetic monitoring, user feedback)?
Can This Pilot Be Run Without a Fire Drill?
- Who will be the on-call operational owner during pilot execution (name & role)?
- Which rollback criteria would trigger an immediate revert to VPN for affected users?
- Do you already have test accounts and service accounts set up for every critical application the pilot touches?
- Which device posture checks are required before granting access (OS version, EDR present, disk encryption, patch level)?
- What maintenance window or change freeze restrictions must we respect during the pilot?
How Will You Rig the Scoreboard?
- Which baseline metrics do you currently collect that we should use for side-by-side comparison?
- What SLO or SLA thresholds would you consider non-negotiable for pilot acceptance?
- Who will own telemetry sharing and vendor comparison reporting during the pilot?
- Do you require raw telemetry (pcap/flow), aggregated dashboards, or both for evaluation?
- How frequently should we review pilot progress with stakeholders?
Who Gets to Say Yes or No?
- List the decision-makers who must sign off on pilot acceptance and on full deployment (names and roles)
- What criteria beyond technical compatibility will influence the buy decision (cost, vendor roadmap fit, compliance, procurement terms)?
- How will you score or compare vendors—are there weighted criteria we should know about?
- Who needs to be involved in live troubleshooting during pilot execution (network, security, app owners, helpdesk)?
- Are there legal or compliance constraints on telemetry sharing with vendors (e.g., PII, export controls)? Please explain
Imagine the Pilot Went Flawlessly—What Happens Next?
- If the pilot meets your success signals, what is your expected timeline to expand beyond the pilot group?
- Which downstream projects depend on a successful pilot (cloud migration, firewall decommissioning, segmentation initiatives)?
- What internal change management work will be required to replace VPN (runbooks, trainings, updated support flows)?
- What are the top three risks you foresee after a successful pilot when scaling to the wider organization?
- What support or guarantees from the vendor would most reduce your organizational friction when approving full deployment?
Final Checklist: Do We Have the Low-Risk Pilot Essentials?
- Confirm which of the following are already in place for the pilot (select all that apply)
- If any checklist item is missing, which is the single highest-priority gap to address before start?
- Provide the names and contact info for the app owners and the engineers who will validate thick-client and RDP behavior
- Are there environmental constraints for connector placement (e.g., air-gapped segments, cloud-only apps, on-prem-only workloads)? Please describe
- On a scale of 1–5, how ready is your organization operationally to run a parallel pilot alongside the existing VPN (1 = not ready, 5 = fully ready)?
-
Pilot Execution
Run the parallel pilot (our agent alongside the VPN), collect telemetry across vendors, monitor helpdesk tickets, and log compatibility issues in real time.
-
Validation Checklist
Verify acceptance: connection reliability, access latency, thick-client and RDP behavior, and complete app coverage before wider cutover.
Validation Questions
How this began — the moment that pulled you into this work
- Tell the story of the single event (outage, red team, audit, or executive ask) that started this evaluation—what happened and when?
- Which of the following best describes the immediate trigger for this project?
- Who sponsored or signed off on initiating the project, and who is the operational owner pushing it forward?
- What immediate business consequences did the trigger cause (revenue loss, compliance risk, customer impact, engineering downtime)? Be specific and attach any metrics you have.
- How are you feeling about this initiative right now—energized, cautious, frustrated, pressured, or something else?
If it happens again, what would actually break the company?
- Describe the worst-case outcome you fear from another VPN compromise—what systems, customers, or operations would be affected?
- How likely do you think that scenario is in the next 12 months given your current controls and telemetry?
- How long would it typically take you to detect and contain a lateral movement event originating from a remote session today?
- Share a concrete example (date, impact, root cause) where an access-related failure or test exposed material risk.
- What emotional or reputational pressure does this create for you and your team when those incidents land in front of execs or auditors?
Why rely on one chokepoint that can take everyone down?
- How would you briefly describe your current VPN/access architecture (concentrators, cloud VPN, firewall hairpin, SASE, agent-based ZTNA, other)?
- How many physical or logical VPN concentrators / gateways and geographic locations are in play for remote access?
- What is your average concurrent session (remote users) count and peak observed during incidents?
- Where do you see the most operational complexity today (firewall rule explosion, NAT/hairpinning, split tunneling issues, routing, monitoring blind spots)?
- How confident are you that your admin console and policy model today give network teams the granularity they need to replace firewall rules?
The inventory you think you have vs. the one you'll discover
- How confident are you that every application, port, and dependency behind the VPN is fully documented?
- Approximately how many unique applications or services are reachable via your VPN (include web apps, databases, green-screen, thick clients)?
- Which legacy or high-friction protocols do you rely on that often cause surprises during migration?
- How do you currently discover undocumented dependencies? Select all methods you use and identify which is most effective.
- Tell us about a time you missed a dependency—what was the fallout and how long did the rollback or remediation take?
Which apps will make or break a decision—nail the critical test cases
- For the pilot cohort, which application types are absolute must-work (select all that must be validated)?
- Which single application or workflow would, if it failed during the pilot, force a rollback or block signoff?
- What level of latency increase or connection variation is tolerable for your users before the experience is considered degraded?
- Have you run compatibility tests with vendor agents against these critical apps before? If so, what were the results?
- How will you validate thick-client and RDP behavior during the pilot (automated tests, user volunteers, helpdesk tickets, synthetic monitoring)?
If the pilot only proves one thing to leadership, what must it be?
- Which of the following outcomes are you most intent on proving during a 60–90 day pilot?
- Please provide current baseline metrics we should aim to beat or match (e.g., VPN uptime %, average access latency ms, average helpdesk tickets/week).
- What pilot cohort size do you consider meaningful for decision-making?
- Preferred pilot duration?
- What specific rollback criteria would you require to stop the pilot early (e.g., X% increased tickets, Y critical app failures, security incident)?
Who will fight for this when things get uncomfortable?
- List the stakeholders who must be involved for pilot approval, execution, and final decision (operations, security, app owners, procurement, legal, exec sponsors).
- Who is the single decision maker for pilot acceptance and who will sign off on production rollouts?
- What are the most likely internal objections you'll hear from Network/IT Ops, and how have you handled similar resistance before?
- Which team will own day-to-day pilot operations and who is the escalation contact?
- How will you keep executive sponsors engaged if early wins are subtle or incremental?
Are you ready to let the data be the tiebreaker?
- What level of telemetry and log sharing are you comfortable providing to vendor teams during the pilot?
- Which of these telemetry sources can you readily export for vendor analysis?
- Who in your org owns privacy, legal, or compliance approval for sharing telemetry externally?
- How often would you prefer evaluation check-ins during the pilot (weekly, bi-weekly, cadence tied to milestones)?
- Which platform(s) would you prefer for dashboards and data delivery (select all that apply)?
If we flip the switch and users call, what’s the plan to calm things down?
- Do you have a tested rollback plan that can restore VPN-only access quickly if the pilot causes critical user impact?
- What is the maximum acceptable percentage of pilot users experiencing degraded access before you trigger rollback?
- How will you communicate pilot status and outages to users (channels and cadence)?
- Who has the authority to approve an emergency rollback during the pilot?
- Describe the executive signal or metric that would convince leadership to greenlight a wider cutover.
Next steps and what success looks like to everyone involved
- With everything we've discussed, what would you say are the top three non-negotiables for a successful pilot?
- What resources (people, time, labs, test accounts, network diagrams) can you commit to the pilot immediately?
- What would make you hesitant to proceed with a pilot right now?
- If we scheduled a 60–90 day side-by-side pilot, what would be a realistic target date to begin?
- What would you like us to deliver next—a discovery workshop, an app-mapping plan, a pilot proposal, or a technical PoC?
-
-
Success
Review pilot outcomes, decide path to full deployment, and maintain a shared backlog for issues and enhancements.
Success Reviews
- Pilot Outcomes Review (Decision)
- Technical Validation & Acceptance (Solution Experience)
- Deployment Roadmap & Phased Cutover Planning
- Shared Backlog & Continuous Improvement Workshop
- Executive Sponsor Alignment & Approval
Issues & Enhancements
- Create a prioritized backlog of pilot issues and enhancements with owners and SLAs.
- Schedule the Technical Validation & Acceptance session within two weeks to validate any fixes.
- Pre-meeting Checklist Review
- Demonstrate conclusively that the pilot delivers the defined future state using customer data.
- Confirm compatibility for all critical thick-client and RDP workflows or capture precise failure modes.
- Obtain technical acceptance or a prioritized remediation list with retest windows.
- Agree rollback criteria and the conditions under which production cutover may be paused.
- Document validated acceptance metrics and collect signatures/confirmations from technical stakeholders.
- Log any technical exceptions into the shared backlog with repro steps, priority, and an owner for remediation.
- If remediation required, define the remediation plan, owners, and retest schedule; schedule the retest session.
- Objectives, Constraints & Decision Criteria
- Agree on a concrete rollout approach with measurable gates and dates.
- Confirm required staffing, runbooks, and support model for phase 1.
- Establish risk controls, rollback procedures, and monitoring required during cutover.
- Identify procurement or budget steps and assign owners to advance them.
- Produce a phased deployment plan with milestones, acceptance gates, resource matrix, and runbooks.
- Create a cutover checklist and rollback playbook for the first wave.
- Schedule milestone review meetings and stakeholder check-ins aligned to gates.
- Workshop Objectives & Backlog Principles
- Introductions & Meeting Objectives
- Define telemetry-driven acceptance criteria for each item to prevent regressions.
- Establish a governance model and cadence for backlog triage and deployment of fixes.
- Populate the shared backlog with all pilot findings, including priority, owner, SLA, and acceptance criteria.
- Configure dashboards and alerts to track remediation progress and telemetry validation.
- Schedule weekly backlog triage meetings for the first 90 days post-cutover.
- Executive Summary of Pilot Outcomes
- Secure executive approval to proceed to full deployment or receive a clear list of executive conditions.
- Confirm budget and procurement triggers needed to start phase 1.
- Establish executive sponsor as the escalation and prioritization owner for the deployment.
- Record and circulate the executive decision, including any conditions or follow-up items.
- If approved, trigger procurement and budget allocation steps and notify deployment leads.
- Schedule the formal phase 1 kickoff meeting and invite executive sponsor for a brief opening alignment.
- Confirm whether pilot met pre-agreed success criteria and identify any formal exceptions.
- Select a recommended path forward (vendor + pilot-to-production scope) or define the set of conditions required to get there.
- Identify and assign owners for any remediation required before cutover.
- Agree a near-term timeline and decision gate for moving to deployment planning.
- Produce a concise pilot outcomes report including side-by-side vendor metrics and circulate to stakeholders.
- Assign owners and estimated effort for each critical remediation item identified.
- Deployment Options Overview
- Current State Summary (One-sentence)
- Risk & Business Impact Overview
- Review of Pilot Findings
- Current State (One-sentence)
- Phased Rollout Proposal
- Cost, Timeline, and Approval Ask
- Consequence & Business Impact Summary
- Prioritization Exercise
- Consequence Quantification
- Future State & Acceptance Criteria
- Executive Questions & Concerns
- Resourcing, Roles & Runbook Requirements
- Owner Assignment & SLA Definition
- Pilot Results Snapshot
- Risk Mitigation & Rollback Procedures
- Telemetry & Acceptance Criteria for Backlog Items
- Live Proof Using Customer Telemetry
- Formal Approval Capture & Next Executive Milestones
- Gaps, Risks, and Open Issues
- Future State Definition (One-sentence)
- Budget & Procurement Triggers