Detection vs control debate

CimTrak argued that detection and control are different problems and suggested combining SASE with integrity monitoring to operationalize Zero Trust and support DoD Comply‑to‑Connect workflows. The post framed integrity monitoring as a complement to access controls rather than a replacement. (x.com)

Security teams can spot tampering and still fail to stop it. CimTrak’s argument is that detection and access control do different jobs, and Zero Trust needs both. (zscaler.com) System integrity monitoring works like a seal on a package: it watches for unauthorized changes to files, settings, and configurations after a device is already in use. Access control decides who or what gets in, and under what policy. (zscaler.com)

The Department of Defense’s Zero Trust Strategy, published October 21, 2022, says perimeter defenses are no longer enough and calls Zero Trust a department-wide framework rather than a single product. The document describes a “never trust, always verify” model for users, devices, applications, and data. (dodcio.defense.gov)

Comply-to-Connect, or C2C, is the Defense Department’s automated process for deciding which devices can authenticate and connect to the Defense Department Information Network. Cisco’s June 6, 2025 overview says C2C also requires out-of-compliance devices to be remediated automatically and reported on across the full workflow. (cisco.com)

That is where the detection-versus-control split becomes concrete. A tool can detect that a server drifted from its approved configuration, but a separate control plane is usually needed to quarantine that machine, cut access, or force a policy change. (zscaler.com)

Cimcor and Zscaler formalized that pitch on May 15, 2025, when Cimcor announced integrations between the CimTrak Integrity Suite and Zscaler’s Zero Trust Exchange. The companies said the setup could trigger policy-driven responses that isolate compromised systems and restrict unauthorized access. (prweb.com)

Cimcor expanded the case in a September 11, 2025 blog aimed at federal buyers. The company said earlier Comply-to-Connect efforts relied on fragmented network access control tools and point-in-time checks, while continuous integrity verification could tie device trust directly to secure access. (cimcor.com)

Zscaler’s own solution brief describes the division of labor in plain terms: CimTrak detects integrity or compliance deviations, and Zscaler changes access policies when a system is no longer trusted. That framing treats integrity monitoring as a complement to access control, not a replacement for it. (zscaler.com)

The debate is not whether detection matters. The live question for defense networks and other large enterprises is whether they can connect detection to enforcement fast enough that “always verify” applies after login, not just before it. (dodcio.defense.gov)
