Here’s a good example of a security vendor claiming to offer a Zero Trust firewall that’s fundamentally different from everything else on the market. Technically, it isn’t. The same claim is made about their browser software. For the same reason, that isn’t zero trust either.

It’s a threat detection firewall with better marketing. The single point of failure that breaks the entire Zero Trust model is “inspect all traffic for threats”. For this solution to be based on the concept of Zero Trust, that text would have to read “inspect all traffic and assume every URI is untrusted unless verified as legitimate.”
Zero trust at the URI level for phishing protection has a simple rule. Every URI is untrusted by default until it’s verified as legitimate. If that rule isn’t enforced, zero trust doesn’t exist.
What’s being described is traffic inspection, TLS decryption, IPS signatures, and domain blocking. That’s detection. It makes a judgement after traffic is already allowed. Unknown and first-seen links are still treated as safe unless flagged.
Inspection isn’t trust. Decrypting traffic doesn’t authenticate a destination. Blocking known bad domains doesn’t verify good ones. Wildcards and reputation systems pre-trust what hasn’t been proven.
A brand new phishing site over HTTPS will pass straight through this model. That isn’t an edge case. Unclassified user accounts and dangerous links hosted on otherwise safe domains will also be assumed to be safe by default. That combination isn’t incidental. It’s the dominant failure mode of phishing.
Calling this zero trust creates false assurance.
If Mixpanel were to adopt this firewall, they still wouldn’t be safe from future SMS phishing attacks like the one that led to customer data theft affecting customers such as OpenAI and a ransom demand against companies behind sites like Pornhub. The entry point would still be a link. That link would still be allowed because it’s new, encrypted, and unclassified. Under this model, that outcome wouldn’t be a failure. It would be expected behaviour.
In a scenario like that, Mixpanel would arguably have grounds to blame their security vendor. Not because any security solution should be perfect, but because the product was sold under a promise it couldn’t technically keep.
No security solution is perfect. MetaCert Zero Trust for web links isn’t perfect either. But over 7 years, no person or organization using it has fallen for any form of impersonation, and we’ve only ever been made aware of 5 false positives.
Perfection isn’t the standard. Honesty is.
When a solution is marketed as zero trust but still assumes unknown links are trusted by default, failure isn’t an anomaly. It’s inevitable. And at scale, false promises don’t degrade gracefully. They fail catastrophically.
It’s important to write about this because companies need to understand who is selling threat detection and who is selling zero trust. These are fundamentally different categories of cybersecurity. The difference matters as much as the difference between an electric car and a diesel car. They solve the same high-level problem but they work in completely different ways and carry different risks and tradeoffs.
When an organization decides to migrate to a zero trust architecture, it needs to know which vendors actually build products around that concept. That decision comes before choosing features or deployment models. You pick the category first, then the vendor, then the solution.
Car makers have to be clear about what they sell because buyers make decisions based on drivetrain first, not seat fabric. Security vendors should be held to the same standard.
If unknown links are allowed, you’re not doing zero trust. You’re doing the same threat detection firewall the industry has relied on for 20 years.

For any browser, firewall, app, API, chatbot, or security control to credibly claim Zero Trust, it must follow this flow exactly. Every URL must be treated as untrusted by default. Access is only allowed, or risk is explicitly flagged, when legitimacy has been verified. If that condition isn’t met, it isn’t Zero Trust. It’s traditional security using new language.
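The two decision models contrasted above, side by side, as an added example that is not code from MetaCert or any vendor. The registry of verified `(host, path prefix)` scopes, the function names, and the `.example` URLs are all assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed sample data on reserved .example names, not real indicators.
KNOWN_BAD_HOSTS = {"old-phish.example"}
# Hypothetical registry of (host, path prefix) scopes verified as legitimate.
VERIFIED = {("bank.example", "/"), ("sharedhost.example", "/acme-corp/")}


def _parts(url):
    """Return (lowercase host, normalized path ending in '/')."""
    u = urlsplit(url)
    # Decode and collapse "../" so a verified prefix cannot be escaped.
    path = posixpath.normpath(unquote(u.path or "/"))
    return (u.hostname or "").lower(), path.rstrip("/") + "/"


def detection_verdict(url):
    """Default allow: block only what is already known to be bad."""
    host, _ = _parts(url)
    return "block" if host in KNOWN_BAD_HOSTS else "allow"


def zero_trust_verdict(url):
    """Default untrusted: allow only what was verified as legitimate."""
    host, path = _parts(url)
    for v_host, v_prefix in VERIFIED:
        # Exact host match: no wildcard or parent-domain pre-trust.
        if host == v_host and path.startswith(v_prefix):
            return "verified"
    return "untrusted"


SAMPLES = [
    "https://bank.example/login",                 # verified site
    "https://old-phish.example/login",            # already on the blocklist
    "https://bank-secure-login.example/login",    # first-seen, HTTPS
    "https://sharedhost.example/acme-corp/docs",  # verified account
    "https://sharedhost.example/unknown-user/x",  # unclassified account
]


def compare():
    """Return (url, detection verdict, zero trust verdict) per sample."""
    return [(u, detection_verdict(u), zero_trust_verdict(u)) for u in SAMPLES]


if __name__ == "__main__":
    for row in compare():
        print(*row, sep="  ")
```

The first-seen HTTPS host and the unclassified account on the shared host are both allowed by the detection function and both come back untrusted from the default-untrusted one.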


