“Zero Trust” has become a boardroom comfort phrase, recited by vendors, codified by regulators, and nodded at by executives. But words and head-nods are not rigor. A Zero Trust program that is never attacked is unproven. And unproven security is fiction.

The False Comfort Of Zero Trust

Declaring Zero Trust and aligning it to a framework feels safe, and it looks mature on paper. But attackers do not care which architecture diagram you aligned to. They probe for lateral movement, privilege escalation, and exfiltration paths, and they take whichever one works. The only meaningful response is to test the same way: continuously, antagonistically, and without assuming any control works until it has been shown to hold.

MITRE ATT&CK: The Zero Trust Crucible

MITRE ATT&CK documents attackers’ methods. Zero Trust defines defenders’ principles. Separately, they’re incomplete. Combined, they create defensible proof. Every countermeasure demands testing because:

  • A device isn’t “trusted” because it booted cleanly. It must resist compromise in live conditions.
  • A user isn’t “trusted” because they authenticated once. Their behavior must be interrogated as if hostile.
  • A workload or cloud service isn’t “trusted” because policy says so. It must prove its integrity through ongoing validation of its configuration and runtime state.
  • Data isn’t protected by classification. It can only be considered protected when exfiltration attempts fail in practice.

This is the foundation for Zero Trust testing: an operational discipline where every trust claim is challenged against real adversarial behavior.

The Toolkit Of Trial

Testing must move from audit checklists to controlled attacks. Ask not “Do we have a control?” but “Does the control survive assault?”

Representative trials include:

  • Dropping controlled malware on an endpoint to test containment: is the sample blocked, and is the host isolated before it can reach anything else?
  • Simulating an insider bulk-reading records from an internal repository to test whether throttling kicks in and monitoring raises an alert.
  • Executing a privilege-escalation path in the cloud (for example, an identity granting itself broader permissions) to test whether it is detected and how quickly it is responded to.
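The trials above share one shape: a trust claim, the ATT&CK technique that attacks it, a replayed adversary action, and a check on whether the control held. The harness below is an added example, written for this page rather than taken from the Forrester report or its toolkit. It implements the second and third trials as detection logic run over constructed log lines: a sliding-window rate detector for insider scraping (ATT&CK T1213, Data from Information Repositories) and a rule for cloud IAM self-escalation (ATT&CK T1098, Account Manipulation). The log formats, user names, account number, thresholds and the `Trial` type are all assumptions made for the example; the third trial is deliberately misconfigured so the report also shows a control that did not survive.

```python
"""Added example: a minimal Zero Trust trial harness mapped to ATT&CK.

Each Trial pairs a trust claim with an ATT&CK technique ID and a callable that
replays a constructed adversary action and returns True only if the control held.
All log data, names and thresholds below are constructed for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# --- Trial: insider scraping vs. throttling/monitoring (ATT&CK T1213) ---------
# Constructed repository access log: (epoch seconds, user, action, records returned)
ACCESS_LOG: List[Tuple[int, str, str, int]] = [
    (0, "alice", "read", 40),
    (30, "alice", "read", 45),
    (60, "alice", "read", 50),
    (90, "alice", "read", 60),
    (0, "bob", "read", 900),    # bulk pull: three 900-record reads in 40 seconds
    (20, "bob", "read", 900),
    (40, "bob", "read", 900),
]


def detect_bulk_scraping(events, window_s: int = 300, threshold: int = 1000) -> Dict[str, int]:
    """Sliding-window record counter per user.

    Returns {user: timestamp at which that user's reads in the trailing
    window first exceeded `threshold`}. Users who never exceed it are absent.
    """
    recent = defaultdict(deque)   # user -> deque of (ts, count) inside the window
    totals = defaultdict(int)     # user -> sum of counts currently in the window
    flagged: Dict[str, int] = {}
    for ts, user, action, count in sorted(events):
        if action != "read":
            continue
        q = recent[user]
        q.append((ts, count))
        totals[user] += count
        while q and q[0][0] < ts - window_s:      # evict reads older than the window
            _, old = q.popleft()
            totals[user] -= old
        if totals[user] > threshold and user not in flagged:
            flagged[user] = ts
    return flagged


# --- Trial: cloud privilege escalation vs. detection (ATT&CK T1098) -----------
# Constructed CloudTrail-style events; the account ID is a placeholder.
CLOUDTRAIL_EVENTS = [
    {"eventName": "GetUser", "userIdentity": {"userName": "svc-build"},
     "requestParameters": {"userName": "svc-build"}},
    {"eventName": "AttachUserPolicy", "userIdentity": {"userName": "svc-build"},
     "requestParameters": {"userName": "svc-build",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "CreatePolicyVersion", "userIdentity": {"userName": "svc-build"},
     "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/deploy",
                           "setAsDefault": True}},
]

# IAM write APIs commonly used to widen an identity's own permissions.
PRIV_ESC_APIS = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
                 "CreatePolicyVersion", "AddUserToGroup", "UpdateAssumeRolePolicy"}


def detect_iam_privilege_escalation(events) -> List[Tuple[str, str]]:
    """Flag IAM changes where the actor grants itself, attaches an admin policy,
    or promotes a new policy version to default. Returns [(actor, eventName)]."""
    hits = []
    for e in events:
        name = e["eventName"]
        if name not in PRIV_ESC_APIS:
            continue
        p = e.get("requestParameters", {})
        actor = e["userIdentity"]["userName"]
        self_grant = actor in (p.get("userName"), p.get("roleName"))
        admin_policy = "AdministratorAccess" in p.get("policyArn", "")
        new_default = bool(p.get("setAsDefault"))
        if self_grant or admin_policy or new_default:
            hits.append((actor, name))
    return hits


# --- Harness: trust claim -> technique -> did the control hold? ---------------
@dataclass
class Trial:
    trust_claim: str
    technique: str              # ATT&CK technique ID
    control_held: Callable[[], bool]


TRIALS = [
    Trial("user bob is trusted after one SSO login", "T1213",
          lambda: "bob" in detect_bulk_scraping(ACCESS_LOG)),
    Trial("workload identity svc-build has least privilege", "T1098",
          lambda: len(detect_iam_privilege_escalation(CLOUDTRAIL_EVENTS)) == 2),
    # Same scraping trial with a threshold too high to notice bob: this one fails,
    # which is exactly the coverage gap the trial report is meant to surface.
    Trial("scraping detector with a 5000-record threshold", "T1213-lax",
          lambda: "bob" in detect_bulk_scraping(ACCESS_LOG, threshold=5000)),
]


def run_trials(trials=TRIALS) -> Dict[str, bool]:
    """Execute every trial; True means the control survived the replayed attack."""
    return {t.technique: t.control_held() for t in trials}


def report(results: Dict[str, bool]) -> Tuple[List[str], List[str]]:
    """Split results into (survived, broke) so the answer to the board is a test report."""
    survived = sorted(k for k, ok in results.items() if ok)
    broke = sorted(k for k, ok in results.items() if not ok)
    return survived, broke


if __name__ == "__main__":
    survived, broke = report(run_trials())
    print("survived:", survived)
    print("broke:   ", broke)
```

The point of the third trial is that the harness reports the detector, not the attacker, as the thing that failed: the same replayed scraping that trips the 1000-record threshold is invisible at 5000, so the "control" exists on paper and does nothing in practice.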

In our recent report, Validate Zero Trust Controls With MITRE ATT&CK, we provide strategic guidance on building a Zero Trust testing program, along with toolkits for executing the trials. The report builds a model for running tests and understanding how to protect your organization against ATT&CK-mapped techniques across devices, identities, workloads, networks, and data.

The framework enables CISOs to move from asserting Zero Trust to demonstrating it by surfacing coverage gaps and measuring resilience through repeatable adversarial trials.

Boards should act on proof, not faith. The right answer to “What is our risk exposure?” is not a posture statement but a test report: “Here’s what we broke, and here’s what survived.”

Connect With Me

Forrester clients can request an inquiry or guidance session with me to discuss this research further.

I will also be presenting sessions at the upcoming Forrester Security & Risk Summit taking place in Austin, Texas, from November 5–7.