VMware vDefend adds zero‑trust for VCF
- Broadcom used the May 5 VMware Cloud Foundation 9.1 launch to add new VMware vDefend features that push zero-trust controls deeper into VCF operations.
- The biggest concrete upgrade is IDS/IPS Turbo Mode, which raises per-host threat-prevention throughput from 3 Gbps to 9 Gbps, with 9 Tbps per instance.
- This matters because Broadcom is turning VCF into a private-cloud control plane where security, compliance, and AI workload operations are bundled together.

Private cloud security is the thing here — specifically the problem of stopping east-west attacks once an intruder is already inside your environment. That has always been the awkward part of zero trust in virtual infrastructure. You can write policies, but actually enforcing them across VMs, Kubernetes workloads, and day-two operations gets messy fast. Broadcom’s May 5 release of VMware Cloud Foundation 9.1 is the new piece because it folds fresh vDefend capabilities directly into that control plane, not as a sidecar product bolted on later.

### What actually shipped?

The release is VMware Cloud Foundation 9.1, announced by Broadcom on May 5, 2026. Broadcom pitched VCF 9.1 as a private-cloud platform for production AI, but one of the more practical changes sits in security: new VMware vDefend features for lateral protection, policy automation, and threat prevention inside VCF environments. That means the security story is now part of the platform story. (news.broadcom.com)

### Why does “lateral security” matter so much?

Perimeter controls help at the edge, but ransomware and hands-on-keyboard attackers usually do their real damage by moving sideways — from one workload to the next. In a virtualized estate, that means hopping between VMs, services, and now Kubernetes clusters. vDefend is Broadcom’s answer for that layer: microsegmentation, distributed firewalling, and IDS/IPS that live close to the hypervisor instead of depending on traffic hairpinning through separate appliances. (news.broadcom.com)

### What changed in vDefend 9.1?

The most concrete new feature is Distributed IDS/IPS Turbo Mode. Broadcom says it lifts threat-prevention throughput from 3 Gbps to 9 Gbps per host, and up to 9 Tbps in a single VCF instance. That matters because zero-trust controls often lose internal political support when teams think inspection will slow east-west traffic. Broadcom is basically trying to remove the “security costs too much performance” objection. (community.broadcom.com)

### Is this just for virtual machines?

No — and that is one of the bigger shifts. vDefend for VCF 9.1 now extends the same distributed IDS/IPS protection to VMware vSphere Kubernetes Service workloads, not just VMs. So the platform team does not have to treat containers and virtual machines as two different security universes. One policy model can follow both. (blogs.vmware.com)

### What about automation?

Broadcom also added self-service lateral security with VCF Automation. The point is to let platform teams define a security baseline once, then let tenants or app teams onboard faster without opening a ticket every time they need segmentation rules. Think of it like guardrails baked into the provisioning path rather than a separate approval queue after deployment. (blogs.vmware.com)

### Where do compliance and recovery fit?

They are part of a broader VCF push, not a standalone vDefend feature drop. Broadcom has been repositioning VCF as a governed private-cloud control surface with built-in security and compliance services, especially for regulated and AI-heavy environments. So when vDefend gets tighter integration, the real play is operational — fewer separate tools, more policy enforced from the same platform layer that deploys and manages workloads. (blogs.vmware.com)

### Who should care first?

Teams already on VCF 9.0 or planning a move into VCF are the obvious audience. If you run mixed VM and Kubernetes workloads, or you need tighter east-west controls without adding more appliance sprawl, this release is more relevant than the “AI platform” branding might suggest. The catch is that the value shows up most clearly if you are willing to let VCF become the operating center for security policy too. (news.broadcom.com)

### Bottom line?

This is Broadcom making a bigger bet on bundled private-cloud security. vDefend in VCF 9.1 is not just another firewall feature list — it is an attempt to make zero-trust enforcement native to the VMware stack, fast enough for modern workloads, and simple enough that platform teams will actually turn it on. (news.broadcom.com) (techdocs.broadcom.com)