Require access before reachability
Intent
Prevent newly deployed or misconfigured applications from being reachable on the network before an explicit access policy is attached — closing the window where a live app has no authentication or authorization.
Problem
In zero-trust deployments, the default assumption is that every app has an access policy. But new apps (or misconfigured ones) may be deployed without one and end up accidentally exposed on the network with no identity check. In a flat network, this becomes a lateral-movement opportunity.
Solution
Make network reachability conditional on the existence of an access policy. If no policy is configured for an application endpoint, the infrastructure does not route traffic to it — the app is unreachable by default, not open by default.
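The gate described above, as an added example (not Cloudflare's code or any product's API): a route is published only when an enabled, non-empty policy covers the app, so an app without one gets a 404 for every caller. All class names, hostnames, groups and upstream addresses are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Hostnames, groups and upstreams are constructed for this example.
@dataclass(frozen=True)
class AccessPolicy:
    hostname: str
    allow_groups: frozenset
    enabled: bool = True

@dataclass(frozen=True)
class App:
    hostname: str
    upstream: str

def norm(host):
    # Host values are case-insensitive and may carry a port or trailing dot.
    return host.split(":")[0].rstrip(".").lower()

def covering_policy(app, policies):
    # A disabled or empty policy does not count as an attached policy.
    return next((p for p in policies if p.enabled and p.allow_groups
                 and norm(p.hostname) == norm(app.hostname)), None)

def build_routes(apps, policies):
    """Control plane: publish a route only for apps with an attached policy."""
    routes, withheld = {}, []
    for app in apps:
        policy = covering_policy(app, policies)
        if policy is None:
            withheld.append(app.hostname)  # deployed, but stays unreachable
        else:
            routes[norm(app.hostname)] = (app.upstream, policy)
    return routes, withheld

def handle(routes, host, user_groups):
    """Data plane: no route means 404 for everyone; otherwise enforce the policy."""
    entry = routes.get(norm(host))
    if entry is None:
        return 404, None
    upstream, policy = entry
    if not policy.allow_groups & frozenset(user_groups):
        return 403, None
    return 200, upstream

APPS = [App("wiki.internal.example", "10.0.0.5:8080"),
        App("newtool.internal.example", "10.0.0.9:3000"),   # no policy yet
        App("legacy.internal.example", "10.0.0.7:80")]      # policy disabled
POLICIES = [AccessPolicy("wiki.internal.example", frozenset({"eng"})),
            AccessPolicy("legacy.internal.example", frozenset({"ops"}), enabled=False)]
```

The `withheld` list returned by `build_routes` is the set of deployed apps with no usable policy, which is the natural thing to alert their owners on.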
Production example
Cloudflare's "Require Access Protection" feature: the need for it was discovered after an engineer shipped a misconfigured tool. In their deployment the exposure stopped at the tool itself (zero-trust prevented lateral movement), but the pattern was built to prevent even that: newly deployed apps can't be reachable before an access policy is in place.
(Source: sources/2026-06-09-cloudflare-defend-against-frontier-cyber-models)