One policy hierarchy. From tenant to packet. Hierarchical, most-restrictive-merge.
CyMatrix is a hierarchical policy engine. NetworkPolicy, RuntimePolicy, DevicePosturePolicy, GeolocationPolicy, and DLP (380+ patterns with real validators) flow from SYSTEM → TENANT → NETWORK → VM. Policies are translated to OVN ACLs in real time and enforced at the logical switch layer.
One tenant's policy can never expose another tenant's data. OVN address-set isolation at network layer; DLP at data layer. Both enforced from the same hierarchical policy.
Real validators (Verhoeff for Aadhaar, MOD-97 for IBAN, Luhn for credit cards) — not regex approximations. 380+ patterns out of the box.
Impossible-travel detection (Mumbai login + London login 10 minutes later = blocked). Country-of-origin enforcement for export controls.
VM-level firewall rules synthesized from policy. Hot-reload, no agent. OVN translates declarative intent to flow rules in <1 second.
Forcepoint is moving to SaaS-only. CyMatrix DLP is on-prem and integrated into VDI/RBI/audit — no separate scan agent on endpoints.
When requester = approver, the request is BLOCKED at request-time — not just logged. Most products only log the violation; we prevent it.
Higher-scope policy wins on conflict. SYSTEM > TENANT > NETWORK > VM. Predictable, auditable, debuggable.
Real validators (IBAN MOD-97, Aadhaar Verhoeff, Luhn) — not regex approximations.
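Added example, not CyMatrix code: how a checksum validator separates real identifiers from strings that only have the right shape, for the three algorithms named above (Luhn, IBAN MOD-97, Verhoeff). The regexes, function names and sample values are assumptions made for illustration; the sample values are constructed test numbers.

```python
import re

def luhn_ok(num: str) -> bool:
    """Luhn: double every second digit from the right; total must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(num)):
        n = int(ch) * (2 if i % 2 else 1)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def iban_ok(iban: str) -> bool:
    """MOD-97: move first 4 chars to the end, map A..Z to 10..35, need value % 97 == 1."""
    s = iban.replace(" ", "").upper()
    if not (s.isascii() and s.isalnum()):
        return False
    s = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in s)) % 97 == 1

# Verhoeff tables: D is multiplication in the dihedral group D5, P the position permutations.
D = ["0123456789", "1234067895", "2340178956", "3401289567", "4012395678",
     "5987604321", "6598710432", "7659821043", "8765932104", "9876543210"]
P = ["0123456789", "1576283094", "5803796142", "8916043527",
     "9453126870", "4286573901", "2793806415", "7046913258"]

def verhoeff_ok(num: str) -> bool:
    """Verhoeff: fold digits right to left through P, then D; a valid number ends at 0."""
    c = 0
    for i, ch in enumerate(reversed(num)):
        c = int(D[c][int(P[i % 8][int(ch)])])
    return c == 0

# The regex finds candidates by shape only; the checksum decides whether to report them.
DETECTORS = {
    "card": (re.compile(r"\b\d{16}\b"), luhn_ok),
    "iban": (re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"), iban_ok),
    "aadhaar": (re.compile(r"\b\d{12}\b"), verhoeff_ok),
}

def scan(text: str):
    """Return (kind, matched value, checksum_valid) for every regex candidate."""
    return [(kind, m.group(), check(m.group()))
            for kind, (rx, check) in DETECTORS.items()
            for m in rx.finditer(text)]

# Constructed sample: one checksum-valid and one shape-only value per identifier type.
SAMPLE = ("card 4111111111111111 order 4111111111111112 "
          "iban GB82WEST12345698765432 ref GB83WEST12345698765432 "
          "id 123456789010 ticket 123456789011")

if __name__ == "__main__":
    for kind, value, valid in scan(SAMPLE):
        print(f"{kind:8} {value:24} {'REPORT' if valid else 'ignore (checksum fails)'}")
```

A regex-only detector would flag all six values in the sample; the checksum step drops the three that merely look like identifiers.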
Policy change to network ACL in <1s. Hot reload, no restart, no agent.
Every policy change attributed, immutable, exportable to SIEM. One audit log across all enforcement points.
Block requester = approver violations at request-time. Most competitors only log.
Zscaler at network edge + CyMatrix at workload = full coverage. Different layers, fully complementary.
30-day proof of concept on two idle servers. We bring the SE. You bring the use case.