Overview

Breaches are inevitable. Disasters are optional. In this episode of DEMO, host Keith Shaw welcomes Brian Pitta, VP of Solutions Architecture at Illumio, to explore how the company’s AI-powered security platform helps enterprises contain breaches before they spread.

See how Illumio Insights gives organizations real-time visibility into their hybrid and cloud environments, pinpoints risky lateral movement, and uses AI to prioritize the most critical threats. Learn how it integrates seamlessly with AWS, Azure, GCP, and on-premises systems to help security teams respond faster and reduce risk.

Aimed at SOC managers, cloud operations professionals, and enterprise security teams, the demonstration shows how Illumio’s AI-driven approach transforms visibility into actionable protection for your entire environment.

This episode is sponsored by Illumio.


Transcript

Keith Shaw: Hi everybody, welcome to DEMO, the show where companies come in and show us their latest products and platforms. Today I'm joined by Brian Pitta, Vice President of Solutions Architecture at Illumio. Welcome to the show, Brian.

Brian Pitta: Thank you very much for having me.

Keith: All right, tell me about Illumio and what you're going to be showing us on DEMO today.

Brian: Absolutely.

Illumio has been around for over 10 years, and we focus exclusively on giving organizations visibility into their environments and using that visibility to help them segment those environments.

Over the past six months to a year, we've developed a new part of our product called Illumio Insights, which takes the visibility we collect and helps customers find risk from lateral movement across their environments. That’s what I’ll be showing you today.

Keith: Within an enterprise, who are the main users of this? Is it strictly an IT tool, or does it touch other parts of the business?

Brian: It touches a lot of parts of the business. Our traditional buyer is in the security space—the CISO organization.

They want to control the risk from lateral movement. But we also see SOC teams getting involved, since Insights helps them respond to incidents. App and cloud teams also benefit, because they want to understand what's happening in their environments and leverage that visibility.

Keith: Yeah, I keep hearing security people talk about lateral movement. That’s when a hacker or bad actor gets in and starts moving through other systems, right? That’s been a persistent problem?

Brian: It has. In a lot of breaches, the pattern is the same.

It's not a critical asset that's compromised initially—it's usually some forgotten server that wasn’t patched. You have a flat network where everything is connected, and the attacker moves host to host until they reach the crown jewels. We're looking to stop that spread.

Keith: So what’s the main problem you're helping companies solve? Why should someone be watching this?

Brian: Most enterprise environments are flatter than people think. That means they’re too connected. Networks are built for performance and efficiency, not segmentation. That overly permissive connectivity is dangerous.

The problem is even worse in the public cloud—across AWS, Azure, GCP, containers, and on-prem data centers. Trying to manage it all under one policy model is extremely difficult. We help simplify that.

Keith: If a company isn’t using Illumio, what are they doing instead? Ignoring the problem? Using a different tool?

Brian: More often than not, they know there's a problem but aren’t fully addressing it yet. Some try to solve it with existing tools. Illumio doesn’t build new enforcement points.

We’re not another firewall—we orchestrate what you already have. But with hybrid environments, every platform handles things differently, so trying to build a unified solution is where they often run into challenges.

Keith: Do you find companies are more concerned with speed and performance, rather than security or lateral movement prevention?

Brian: Absolutely. It’s about speed to market. How fast can we migrate to the cloud? Security is often an afterthought.

First they build the environment, then they ask how to secure it—rather than building it securely from day one.

Keith: All right, let’s take a look at the demo. Show us what you’ve got.

Brian: At Illumio, we talk about building a graph for customers. A graph consists of nodes and edges. For us, nodes are your resources—servers, databases, storage—and edges are the connections between them.

That’s our core visibility: what compute resources do you have, and how are they connected? Here’s an example of what this graph looks like in a public cloud—an Azure environment with compute workloads, managed databases, storage accounts, and all the interconnections.

Each line represents network flows you can drill into to see which ports are being used, how much data is being sent, and more. The graph shows what's happening in your environment, but it doesn’t tell you where the risks are. That’s what Illumio Insights solves.

We analyze that graph and identify the areas where you should focus. We’re talking about environments producing petabytes of flow logs. Insights helps you prioritize what your threat-hunting team should investigate. Here’s our Insights Hub.

It shows several key categories:

* Workloads talking to known bad IPs
* Data transfers leaving the environment
* Risky services in use
* Unexpected regional connections

You can click into each of these widgets to dig deeper. For example, let’s look at risky traffic.

Illumio categorizes potentially risky services—like SMB or TeamViewer. Some of these might be normal, others are often exploited. Let’s say TeamViewer is detected in your environment. Most enterprises would consider that suspicious. You can click on it, and Insights shows you which workloads are using it.

Here, we see a VDI instance transferring five gigabytes over TeamViewer. That’s not typical behavior. From there, you can go back to the graph and trace how that VDI is connected across the environment.

In this example, it’s communicating with:

* Other VDIs
* Managed databases in AWS
* Managed databases in Azure
* Managed databases in GCP

That’s highly unusual and a big clue something is wrong.

Keith: So Insights highlights the risk, and then you can use the graph to see what else that system is doing?

Brian: Exactly.

It shows risky communication, and from there, you can investigate and see all the findings tied to that machine:

* It’s reaching out to known bad IPs
* It’s transferring large volumes of data
* It’s connected to nearly everything

Every “Insight” is tied to what we call decorated flows—we enrich flow logs with business context:

* What cloud is it in?
* What tags does it have?
* What kind of workload is it?

This saves hours of time, especially in cloud environments with ephemeral workloads. You get full context when the flow occurred.

Then you can take action: segment it, quarantine it, or apply new policies. We’re also introducing AI-driven analysis—what we call the “automated analyst.” You can choose a persona, like threat hunter, and it will review the environment, prioritize the top risks, and generate workflow-ready reports.

You can open tickets in ServiceNow or Jira, assign tasks, and streamline the investigation process.

Keith: When companies first see the visibility Illumio provides, are they surprised?

Brian: Always.

During POCs, we turn it on, and the first response is usually, “That can’t be right.” Then, about an hour later, they say, “Wow, that workload was misconfigured.” It lights up the environment and shows what’s really going on.

Keith: How long does it take to set up?

Brian: We’re completely agentless—you don’t need to install any Illumio software. To get Insights and visibility, all we need is read-only API access. In the cloud, you can light up your entire environment in minutes.

I had one customer turn on 114 Azure subscriptions in five minutes. Within the hour, we were reviewing dashboards.

Keith: If someone’s watching and wants to try this, what should they do? Do you offer a free trial?

Brian: Absolutely. Go to the Illumio website. You can start with a free trial of Insights using a sandbox with synthetic data.

Then pivot to onboarding your own data for two weeks or longer to test it in your environment.

Keith: Brian, thanks again for being on the show and for the demo.

Brian: Appreciate it. Thanks for having me.

Keith: That’s going to do it for this episode of DEMO. Be sure to like the video, subscribe to the channel, and drop your thoughts in the comments.

Thanks for watching.