- ESX as the execution layer
- vCenter as the control layer
- Identity as the reachability layer
It does not attempt to cover every component in the VCF stack. NSX/vDefend, vSAN, and other services may exist in these environments, but they are not the focus here.
The focus is narrower, and intentionally so.
Most real-world compromise scenarios in virtualized infrastructure do not begin with individual product weaknesses. They begin with access paths that already exist, and identity that already works. From there, control expands through normal administrative interfaces rather than through exploitation of isolated components.
This series assumes that model from the start.
It also assumes that compromise is more likely to occur through valid access than through broken systems. That distinction is important, because it changes where security effort actually matters in practice.
The industry still over-focuses on exploits#
Most public discussion around VMware security revolves around patching, CVEs, and the possibility of hypervisor-level exploits.
Those things matter.
But they also receive disproportionate attention because they are visible, measurable, and easy to communicate.Real-world compromise paths are usually less dramatic.
Most environments are not lost because attackers discovered an unknown ESX vulnerability. They are lost because identity, management access, segmentation, and operational trust relationships quietly drifted into reachable states over time.
In practice, compromise is far more likely to happen through valid access than through novel exploitation.
That distinction matters because it changes where defensive effort actually produces meaningful risk reduction.
How to read this series#
Each post focuses on one layer of the model:
- ESX — execution and why it is a high-value target
- vCenter — control concentration and operational impact (not published yet)
- Identity — reachability, federation, and access paths (not published yet)
- Closing the loop — how identity, vCenter, and ESX connect into a single attack path model, and what it means when the entire control plane is viewed as one continuous system rather than separate security domains (not published yet)
Together, they describe how control behaves in practice once environments scale beyond a single system.
Core assumption#
The underlying assumption throughout is simple:
If identity is valid, the rest of the stack behaves as designed.
ESX executes instructions. vCenter defines operational intent. Identity determines whether either becomes reachable at all.
Closing note#
This is not a compliance guide, and it is not a configuration checklist. It is a model of how control actually behaves once infrastructure is in use, in the real world.
