Module 3 · Why Firewalls Miss Modern C2

Manish Garg · Associate of (ISC)² · RingSafe
Apr 22, 2026

Last updated: April 29, 2026

HTTPS C2, DNS tunneling, DoH, domain fronting, living-off-the-cloud — attackers use permitted traffic for everything.

Firewalls see headers, not intent. A firewall rule that permits “outbound HTTPS to any destination” lets through: legitimate web browsing, cloud-based C2, data exfiltration, DNS over HTTPS, file sharing, and cryptocurrency mining — because they all look like HTTPS. This module is about why firewall logs alone never catch modern attackers, and what actually works.

Why this happens

Firewalls were designed to block unwanted traffic. Modern attacks don’t use unwanted traffic — they use wanted traffic turned to unwanted purposes. Every organization needs its employees to browse the web, use SaaS, join video calls, and exchange email. Every one of those protocols is a potential C2 channel, data exfiltration vector, or attack payload delivery mechanism.

The firewall’s fundamental capability — header-based decisions — is poorly matched to a world where 95% of outbound traffic is TLS-encrypted HTTPS that the firewall cannot inspect without TLS interception. And TLS interception breaks certificate pinning, breaks many SaaS applications, and creates its own attack surface at the interception proxy.
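Since the firewall cannot see inside the TLS stream, detection has to come from the metadata it does record: who talked to whom, when, and how much. As an added example (not code from this module), here is a minimal beaconing check over constructed firewall connection logs that flags source/destination pairs whose check-in interval and request size barely vary, the pattern a timer-driven C2 implant leaves even when every session is "permitted HTTPS". The log format and the 0.2 jitter threshold are assumptions.

```python
# Beaconing detection over the connection metadata a firewall still logs
# (time, source, destination, bytes) once the HTTPS payload is opaque.
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: timestamp src dst:port bytes_out
SAMPLE_LOG = """\
2026-04-22T10:00:00 10.0.0.5 203.0.113.10:443 512
2026-04-22T10:01:00 10.0.0.5 203.0.113.10:443 520
2026-04-22T10:02:01 10.0.0.5 203.0.113.10:443 508
2026-04-22T10:03:00 10.0.0.5 203.0.113.10:443 515
2026-04-22T10:00:07 10.0.0.8 198.51.100.20:443 4400
2026-04-22T10:00:42 10.0.0.8 198.51.100.20:443 120300
2026-04-22T10:09:15 10.0.0.8 198.51.100.20:443 9800
2026-04-22T10:31:03 10.0.0.8 198.51.100.20:443 77000
"""
LINE = re.compile(r"(\S+) (\S+) (\S+) (\d+)")

def parse(log):
    """Group (timestamp, bytes) events per (src, dst) pair."""
    flows = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            flows[(m.group(2), m.group(3))].append((ts, int(m.group(4))))
    return flows

def cv(xs):  # coefficient of variation (std/mean); near 0 means a steady value
    mean = sum(xs) / len(xs)
    return math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs)) / mean if mean else 0.0

def beacon_score(events):
    """Return (interval_cv, size_cv) or None if too few events. A timer-driven
    check-in with fixed-size requests scores low on both; browsing scores high."""
    if len(events) < 4:
        return None
    events = sorted(events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    return cv(gaps), cv([size for _, size in events])

def find_beacons(log, max_cv=0.2):
    """Flag (src, dst) pairs whose timing and size jitter are both below max_cv."""
    hits = []
    for pair, events in parse(log).items():
        score = beacon_score(events)
        if score and max(score) < max_cv:
            hits.append(pair)
    return hits
```

Run over real logs, the same check needs a longer window and an allowlist for legitimately periodic traffic (update checks, monitoring agents), which is exactly the tuning work a header-only allow rule never prompts.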
