The Trojan Horse worked. But what if the gates had no handles on the inside?
Troy fell not because the Greeks were stronger. It fell because the defenders stopped watching the inside. The soldiers were already in the courtyard. When the gates opened from within, it was over.
Now imagine the horse still gets through — but the gates have no handles on the inside. The soldiers pour out, run around the fortress finding nothing, and the defenders pick them off at their leisure.
That is what a properly enforced egress firewall looks like. Most organisations are running the first version.
The security industry has spent two decades obsessing over ingress. Perimeter firewalls. WAFs. Zero-trust access. It makes intuitive sense — don’t let the horse through the gates. But modern malware doesn’t announce itself. It arrives as a package dependency, a container image, a misconfigured workload. It gets in through legitimate channels — and then it needs to get data out.
The breach is rarely the intrusion. The breach is the exfiltration. And exfiltration requires egress.
Without egress controls, a compromised workload can reach any IP on the internet — beaconing to a C2 server, exfiltrating your database to an S3 bucket in a region you’ve never heard of, establishing a reverse shell. Your ingress rules, perfectly configured, won’t stop a single byte of it.
What enforced egress means in practice
In Kubernetes: NetworkPolicy with explicit allow-lists, not the default in which every pod may reach any address. A namespace-wide policy that selects all pods, lists Egress under policyTypes and carries no egress rules denies all outbound; each workload then gets exactly the destinations it needs and no more. Your inference workload reaches your internal model store — nothing else. Your backup job reaches your private object store — nothing else. Everything else: blocked by default. Not logged for later review. Blocked. Two things the API object alone will not tell you: a NetworkPolicy is enforced only by a CNI plugin that implements it (on one that does not, the object is accepted by the API server and silently does nothing), and a deny-all egress policy also blocks cluster DNS, so name resolution has to be allowed explicitly or the allow-list breaks the workload before it protects anything.
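The pattern described above as a concrete pair of policies. This is an added example, not configuration from the original post; it assumes an "inference" namespace, pods labelled app=inference, an internal model store reachable on TCP 443 inside 10.20.0.0/24 (an assumed range), and cluster DNS running in kube-system with the usual k8s-app=kube-dns label. The namespace label kubernetes.io/metadata.name is set automatically by recent Kubernetes releases.

```yaml
# Added example, not from the original post. Assumed values: namespace
# "inference", workload label app=inference, model store at 10.20.0.0/24:443,
# cluster DNS in kube-system labelled k8s-app=kube-dns.
# Only enforced by a CNI that implements NetworkPolicy (Calico, Cilium, ...).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: inference
spec:
  podSelector: {}          # every pod in the namespace
  policyTypes:
  - Egress                 # Egress listed with no egress rules => all outbound denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: inference-egress-allowlist
  namespace: inference
spec:
  podSelector:
    matchLabels:
      app: inference       # only the inference workload gets these exceptions
  policyTypes:
  - Egress
  egress:
  # Cluster DNS only. Without this rule the deny-all policy above also
  # breaks name resolution for the workload.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # Internal model store, HTTPS only (assumed address range).
  - to:
    - ipBlock:
        cidr: 10.20.0.0/24
    ports:
    - protocol: TCP
      port: 443
```

Two checks are worth running after applying this. First, from a pod in the namespace, confirm that a connection to an arbitrary public address times out while the model store still answers; a policy that the CNI does not enforce passes the second check and fails the first. Second, grep the cluster for egress sections containing a single empty rule (a bare "- {}"): that rule matches every destination and turns an allow-list policy back into allow-all.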
Egress policy is not a security feature. It is an architectural statement about who owns your data and where it is allowed to go.
The Trojans weren’t careless. They built walls, trained soldiers, maintained watch. They just didn’t account for the threat already inside. Your perimeter controls are your walls. Necessary — not sufficient.
The gate handles on the inside are yours to remove.
Next: zero-trust egress in bare-metal Kubernetes — NetworkPolicy patterns, DNS egress filtering, and why your service mesh might be giving you a false sense of control.