Zero Trust Has Grown Up. Here’s What Its Founders Say Is Coming Next.

Zero Trust founders Chase Cunningham and John Kindervag

Zero Trust has grown up.

That’s how Chase Cunningham and John Kindervag describe the current state of the security strategy they’ve nurtured from concept to global movement.

“When I got to Forrester, I inherited someone else’s baby,” Chase joked. “That parent was John. And now the baby’s a teenager.”

It wasn’t always this way. But today, Zero Trust is everywhere. John and Chase are now helping security leaders around the world reimagine how they protect what matters most.

So what’s fueling the momentum — and what’s next?

In the latest episode of The Segment podcast, I sat down with John, the Godfather of Zero Trust, and Chase, known in the industry as Dr. Zero Trust, to talk about the strategy’s rise, the power of security graphs, and what it really means to think like an attacker.

Zero Trust is a strategy. Full stop.

When John and Chase first started evangelizing Zero Trust about 15 years ago, the response wasn’t exactly enthusiastic.

“My first speech had 14 people in the room,” John said. “And most of them told me I was an idiot.”

But now, it’s global. From small businesses to international governments, organizations are finally putting containment and visibility at the heart of their security strategies.

Chase believes we’ve crossed the Zero Trust chasm. “The ‘haterade’ still flows online, but the adoption is real,” he said.

They’re leading Zero Trust workshops everywhere, from Taiwan to Switzerland. In fact, John said he recently addressed cybersecurity leaders at Bletchley Park in the UK, home of the original codebreakers.

What’s fueling this growth? They both agreed that it’s the ability of Zero Trust to resonate at every level, from security engineers to executive decision-makers and board members.

Since its beginning, Zero Trust hasn't been about what technology to buy. It’s a framework for building resilient organizations that works across every function at any scale.

Security graphs are changing the cyber game

Zero Trust is such a unique strategy because it continues to work even as the industry evolves. One of the biggest leaps forward right now is how organizations are adopting Zero Trust alongside security graphs.

Chase’s new book, Think Like an Attacker: Why Security Graphs Are the Next Frontier of Threat Detection and Response, outlines how graph analysis is helping defenders understand their infrastructure with the same clarity attackers already have.

“When I was in the military, we went from five successful ops a month to 300 once we used graph models,” Chase said. “Why? Because we understood the terrain.”

John agrees. In his five-step model for Zero Trust, security graphs are the engine behind step two: map the transaction flows. Without that map, Zero Trust becomes guesswork.

“Good maps win wars,” he said. “Bad ones get you lost.” And the same can be said in cybersecurity.

Know your security priorities or risk losing control  

Security graphs are also helping security teams prioritize what matters most.

Both John and Chase emphasized that cybersecurity leaders need to rethink what success looks like. “If everything is a priority, then nothing is,” Chase warned.  

That’s why defining the protect surface — the most critical data, applications, and services in your network — is foundational.

From there, security leaders can use graph-driven visibility to make informed decisions and deploy controls with purpose. John put it plainly: “Most people hope nothing bad will happen. That’s not a risk strategy.”

Instead, security teams must accept that attackers will get in. Our job is to contain their movement and minimize the blast radius.

Think like an attacker — or stay a step behind

One of the most compelling takeaways from our discussion was this: defenders need to flip the script.

“Attackers don’t follow compliance checklists,” Chase said. “They move fast, play dirty, and exploit the things you think are safe.”  

That’s why it's not enough to monitor alerts or patch known vulnerabilities. Defenders need to understand the enemy’s mindset because chances are attackers already understand your infrastructure better than you do.

And while red teaming has been around for decades, John stressed that it’s time to evolve. “We used to do penetration tests and deliver 200-page reports that no one acted on,” he said. “Now, we need targeted tests that ask: can an attacker get to my protect surface, and how fast can I contain them if they do?”

AI can be an ally if you’re careful

AI can be a real help for evolving how we see, understand, prioritize, and act on threats. While both John and Chase are skeptical of the AI hype, they’re bullish on the potential.

“AI isn’t magic,” Chase said. “It’s math. But if it helps defenders move at machine speed, use it.”

John added that the value of AI is in helping organizations accelerate their response. “If you deploy an airbag the same way you do change management, you die,” he said. “We need an automated response. AI can get us there.”

But it’s not just about buying a tool labeled “AI.” It’s about ensuring your existing infrastructure is ready for it. Graph-based visibility, policy engines, and segmentation should already be in place to make real-time action with AI possible.

Zero Trust has earned its seat at the table

The most inspiring part of our conversation was seeing how far Zero Trust has come. From casino pen tests and hotel gym chats to advising generals and lawmakers, John and Chase have turned an idea into a movement.

That movement is no longer a niche concern for IT. It’s a boardroom issue, a national priority, and a strategic imperative.

As John put it: “The attackers are building machines to defeat us. So, we must build machines to defeat them.”

To do that, we need better maps, smarter systems, and the courage to prioritize what matters most.

Listen to our full conversation on The Segment: A Zero Trust Leadership Podcast via Apple, Spotify, or our website.
