Automated Moving Target Defense

Runtime Microsharding Shrinks the Enterprise Attack Surface

Tom McNamara

July 16, 2025

The attack surface at the application layer is broken into many small and animated pieces at runtime to disrupt threats.

The modern enterprise has evolved into a sprawling digital ecosystem—comprising multi-cloud workloads, APIs, microservices, third-party integrations, and a growing list of non-human identities. But while innovation has transformed how we build and scale software, it has also dramatically expanded the enterprise attack surface.

Today’s adversaries exploit this sprawl with industrial efficiency. They conduct deep reconnaissance, move laterally between systems, steal static credentials, and pivot through environments with shocking speed and precision. Defensive tools—no matter how advanced—are often reactive, static, and fragmented.

What if, instead of trying to secure a fixed attack surface, we removed it altogether?

This is the revolutionary promise of Cloud Native Automated Moving Target Defense (AMTD)—a cyber defense approach and architectural strategy that breaks the attack surface into many small, ephemeral pieces (microshards), hides them with motion, and ultimately (from the viewpoint of the threat) makes the entire enterprise footprint harder to see, understand, or attack.

Runtime Microsharding is a new paradigm built on Cloud Native AMTD, unique to Hopr.

What Is Runtime Microsharding?

Runtime Microsharding is the act of fracturing the large attack surface of an enterprise's application layer into many small, short-lived shards, each representing a tiny fragment of what was once visible to an attacker. These shards are ephemeral by design—they come into existence only when needed (“Just In Time” access control), disappear after use, and animate the enterprise attack surface. From the viewpoint of the attacker, the attack surface is constantly shifting in appearance and accessibility.

To the attacker, this approach turns a digital enterprise from a static, legible target into a dynamic, unpredictable environment. Think of it as replacing a still photograph with a dynamic kaleidoscope—nothing stays in one place long enough to be understood or exploited.

To attackers, the surface is a mirage.
It appears at a distance—but when they try to reach it, there’s nothing there.
No response. No endpoint. No path to exploit.

Where traditional network segmentation, access control, or endpoint protection create continual visibility and hard edges, runtime microsharding creates complexity through motion and fragmentation. It animates the application layer—not because it responds to threats, but because it prevents threats from ever orienting themselves in the first place.

The Attack Surface Is the Battlefield

To understand the need for runtime microsharding, we need to acknowledge an uncomfortable truth: the modern enterprise is overexposed and vulnerable.

  • Every service and application port is a potential target.
  • Every workload identity, API endpoint, or certificate is a doorway.
  • Every integration creates a new risk.
  • Every static, predictable asset gives attackers something to study.

Despite our best efforts, conventional authentication and authorization methods render these ‘surfaces’ visible to attackers—available to scan, probe, and exploit. Even many Zero Trust solutions, when implemented without architectural change, become just a policy layer change on a fundamentally exposed system.

Runtime microsharding flips this script. Instead of hardening the existing attack surface, it removes large portions of it from the attacker’s view—not through obfuscation, but by transforming how applications expose themselves and communicate.

Animation as Defense: The Power of Motion

Traditional cyber defenses assume a static posture: detect, analyze, block. But attackers are dynamic. They adapt, pivot, and escalate. In contrast, Cloud Native AMTD introduces defense through motion—where the infrastructure itself appears to change constantly to all but trusted workloads.

With Runtime Microsharding:

  • Attack points of the application layer flicker in and out of existence, making consistent scanning and mapping impossible.
  • Identity and communication channels are also sharded and short-lived, so even if credentials are intercepted, they are already obsolete.
  • Untrusted attempts to access a microshard fall into a black hole: the microshard disappears when 'touched' by the attacker.

From the attacker’s perspective, it’s like watching a building and seeing it constantly change—the doors and windows appear momentarily, only to vanish again and reappear somewhere else. This invisibility in motion is not just a feature—it’s the foundation of the defense.

Benefits of Runtime Microsharding in Enterprise Security

Let’s examine why runtime microsharding—and the Cloud Native AMTD that enables it—represents a radical leap forward in security architecture.

1. Reduced Reconnaissance Window

Attackers begin with reconnaissance. They scan for open ports, accessible services, and unprotected APIs. Runtime microsharding of the application layer minimizes the time and space available for discovery—because each microshard exists only briefly and only for authorized and trusted applications.

This effectively blinds external attackers. There is no stable application network map to create. There are no ‘always-on’ workloads or endpoints to exploit.

2. Elimination of Static Credentials

A major vector of attack today is credential theft—API keys, tokens, and certificates are static and reused across systems. Runtime microsharding disrupts this by using dynamic credential hopping to render access only to trusted application workloads, ensuring that each shard uses credentials that are valid “just in time” and only in the moment of a specific transaction.

This makes credential theft nearly impossible. The attacker isn’t just late—they’re in the wrong time and place entirely.

3. Disruption of Lateral Movement

In a traditional network, once inside, attackers often move laterally—jumping between systems to escalate privilege or exfiltrate data. But with a microsharded application attack surface:

  • There are no reliable endpoints (application and API endpoints) to exploit.
  • No workload can talk to another unless identity trust is re-established for that exact moment.

This disconnects the interior of the network at the highest layer of the stack—the application layer—forcing every interaction to go through fresh trust verification. This can't be bypassed by a threat, and all threat attempts to connect to an application workload are black-holed without a response to the threat. Lateral movement becomes infeasible.

4. Dynamically Enforced Least Privilege

Rather than assigning long-lived permissions or roles, runtime microsharding grants access just in time and only to two specific application workloads. A microshard is created when it’s needed, for a specific function by specific trusted applications, and then closes. This approach enforces least privilege by default, rather than relying on fragile static policies.
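The just-in-time, single-use credentials described under points 2 and 4 above can be modelled in a few dozen lines. The following Python is an added illustration, not Hopr's credential-hopping implementation: it assumes a single issuer holding a shared HMAC secret, binds each credential to one sender, one receiver and one purpose with a short TTL, consumes it on first use, and silently drops (black-holes) anything that fails verification. The workload names, secret and clock values are constructed for the example.

```python
"""Model of just-in-time, single-use workload credentials (constructed example)."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


class JitCredentialIssuer:
    """Mints and verifies ephemeral credentials for one workload-to-workload call.

    Assumption for the example: the issuer alone holds the HMAC secret; workloads
    only ever see the short-lived credentials it hands out.
    """

    def __init__(self, secret: bytes, ttl_seconds: float = 2.0):
        self._secret = secret
        self._ttl = ttl_seconds
        self._consumed: set = set()  # nonces already spent: single use only

    def _mac(self, claims: dict) -> str:
        # Canonical JSON so sender and verifier hash identical bytes
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._secret, payload, hashlib.sha256).hexdigest()

    def issue(self, sender: str, receiver: str, purpose: str,
              now: Optional[float] = None) -> dict:
        """Create a credential valid only for this (sender, receiver, purpose) and TTL."""
        now = time.time() if now is None else now
        claims = {
            "snd": sender, "rcv": receiver, "pur": purpose,
            "exp": now + self._ttl, "nonce": secrets.token_hex(16),
        }
        return {"claims": claims, "mac": self._mac(claims)}

    def verify(self, cred: dict, sender: str, receiver: str, purpose: str,
               now: Optional[float] = None) -> bool:
        """True only for an untampered, unexpired, correctly bound, never-used credential."""
        now = time.time() if now is None else now
        claims, mac = cred.get("claims"), cred.get("mac")
        if not isinstance(claims, dict) or not isinstance(mac, str):
            return False
        if not hmac.compare_digest(mac, self._mac(claims)):
            return False  # tampered claims or forged credential
        if claims["nonce"] in self._consumed:
            return False  # replay of an already spent credential
        if now > claims["exp"]:
            return False  # past its just-in-time window
        if (claims["snd"], claims["rcv"], claims["pur"]) != (sender, receiver, purpose):
            return False  # presented to the wrong peer or for the wrong action
        self._consumed.add(claims["nonce"])  # spend it: the shard closes after use
        return True


def handle(issuer: JitCredentialIssuer, cred: dict, sender: str, receiver: str,
           purpose: str, now: Optional[float] = None) -> Optional[str]:
    """Receiving workload: serve a trusted call, otherwise black-hole it (no response)."""
    if not issuer.verify(cred, sender, receiver, purpose, now=now):
        return None  # no error, no endpoint, nothing for the caller to learn from
    return f"{receiver} served {purpose} for {sender}"


def demo() -> dict:
    """Walk through the scenarios with a fixed clock so results are deterministic."""
    issuer = JitCredentialIssuer(secret=b"constructed-demo-secret", ttl_seconds=2.0)
    t0 = 1_000_000.0
    cred = issuer.issue("orders", "billing", "POST /charge", now=t0)
    first = handle(issuer, cred, "orders", "billing", "POST /charge", now=t0 + 0.5)
    replay = handle(issuer, cred, "orders", "billing", "POST /charge", now=t0 + 0.6)
    stale = issuer.issue("orders", "billing", "POST /charge", now=t0)
    expired = handle(issuer, stale, "orders", "billing", "POST /charge", now=t0 + 5.0)
    bound = issuer.issue("orders", "billing", "POST /charge", now=t0)
    wrong_peer = handle(issuer, bound, "orders", "inventory", "POST /charge", now=t0 + 0.5)
    widened = issuer.issue("orders", "billing", "GET /invoice", now=t0)
    widened["claims"]["pur"] = "POST /charge"  # attempt to widen the grant; MAC no longer matches
    forged = handle(issuer, widened, "orders", "billing", "POST /charge", now=t0 + 0.5)
    return {"first": first, "replay": replay, "expired": expired,
            "wrong_peer": wrong_peer, "forged": forged}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>10}: {result!r}")
```

Only the first call gets an answer; the replay, the expired credential, the credential presented to a different peer, and the widened (tampered) credential all return `None` rather than an error, which is the point of black-holing: a probe learns nothing about why it failed or whether the target exists. A production system would replace the shared secret with per-pair keys and a persistent nonce store, but the binding, TTL and single-use checks are the same.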

5. Confusion and Frustration for Attackers

Attackers depend on clarity and predictability. They map systems. They look for patterns. They chain vulnerabilities.

Runtime microsharding makes the application layer (across all cloud environments) appear chaotic, incomplete, and shifting. This disrupts the entire attack chain:

  • Initial access becomes difficult.
  • Persistence becomes impossible.
  • Lateral movement is blocked.
  • Exfiltration paths are severed.

Even advanced adversaries cannot easily avoid or overcome a Cloud Native AMTD, and they are forced to burn time and resources chasing ghosts, all while defenders stay ahead.

Why Cloud Native AMTD Matters Now

The case for Cloud Native AMTD is urgent. Enterprise infrastructures have reached a point where conventional cyber defenses have hit a ceiling of effectiveness, and attackers have noticed. Offensive AI cyber threats, quantum computing, and complexity are the tipping point.

  • Machine identities now outnumber human users by an order of magnitude.
  • Hybrid and multi-cloud environments are flat and interwoven, making network segmentation ineffective.
  • AI workloads, IoT devices, and decentralized data pipelines are blurring the perimeter entirely.
  • Quantum computing, not far away, will accelerate the demise of current security architectures in many ways.

In this context, legacy defenses are crumbling. Static controls, manual access policies, and fixed trust models cannot keep up with a world where:

  • Everything talks to everything.
  • Everything is exposed by default.
  • Everything is changing—except our security model.

Cloud Native AMTD is a reboot. It’s a framework designed for movement, ephemerality, and automation. Runtime microsharding is the effect that enables this transformation.

Why Incrementalism Is Not Enough

Many security leaders feel locked into incremental improvement—buying more tools, tuning more policies, chasing compliance. But the scale of today’s threats—and the sophistication of adversaries—demands architectural change, not product layering.

Runtime microsharding is only possible with Cloud Native AMTD, and it challenges the fundamental assumption that the attack surface must always exist (i.e., must be static) and be protected.

Consider this question: What if we remove the attack surface from view before it can be attacked? What if we never give threats the stability they need to succeed?

This is a shift from:

  • Defense after detection ➡️ Defense through invisibility
  • Access control before runtime ➡️ Access only at runtime
  • Static credential protection ➡️ Credentials that disappear after use

It’s not just better—it’s different.

From Innovation to Adoption: A Call to Action

Leading organizations—especially those handling sensitive data, IP, or infrastructure—must begin preparing for this transition now.

That doesn’t mean replacing everything overnight. It means recognizing that:

  • Static workload access (authentication) must be redesigned for ephemeral trust.
  • Long-lived credentials must give way to single-use secrets.
  • Visibility, control, and policy enforcement must evolve to match the pace of microsharded systems.

Platforms like Hopr's Enterprise Ultra are pioneering this shift, introducing credential hopping, identity-aware proxies, and ephemeral encryption without key exchanges to help enterprises transition. But the goal isn’t just vendor adoption—it’s architectural revolution.

Security teams should:

  • Audit where static exposure still exists—especially in API and workload communications.
  • Prioritize applications that need protection or isolation with microshards.
  • Challenge assumptions about persistent access and permanent identities.
  • Invest in infrastructure upgrades that can support dynamic runtime identity trust verification and attack surface microsharding.

Conclusion: A Moving Target is Hard to Hit

Cybersecurity is an arms race—but most defenders are stuck guarding walls that attackers have already mapped, including the defenses that guard them. It’s time to stop building bigger walls and start removing them from view entirely.

Runtime microsharding from a Cloud Native AMTD offers a path forward: a dynamic, ephemeral, animated defense that frustrates attackers and protects enterprise value.

Let the attackers chase shadows. You’ll be too fast—and too fragmented—to catch.