A CISO's Guide to the
AMTD Landscape

Automated Moving Target Defense (AMTD) is a powerful strategy, but "AMTD" is an umbrella term for a variety of approaches. Let's clarify the landscape so you can choose the right tool for the right problem.

The AMTD Market Can Be Confusing

The AMTD Landscape

There is only one AMTD built for Zero Trust for Workloads that protects access and data in transit.

Comparing Endpoint, Network, and Cloud Native AMTD

What it 'stops' ...
What it 'moves' ...
The defense method is ...
The layer of the stack is ...
What it represents ...
Where to 'use' it ...
Who provides it ...
You wouldn't use Antivirus to secure your network.
Don't use Endpoint or Network AMTD to secure your cloud workloads.

A CISO's Cheat Sheet:
Matching the "Benefit" to Your "Security Gap"

Each AMTD category provides a different proactive benefit by moving a different target. Here is a simple breakdown of the attacks that each category is designed to prevent, and the critical gap that remains.
Endpoint/Runtime AMTD
Primary Benefit: Protects a single machine (server or endpoint) from having malicious code execute in its memory.
Network AMTD
Primary Benefit: Hides the network path (IPs/ports) to your assets, making them difficult for attackers to find.
Cloud Native AMTD
Primary Benefit: Protects the access to workloads and their communications, making untrusted workload access nearly impossible.
Endpoint AMTD Prevents:
- Ransomware Execution
- Zero-Day & In-Memory Exploits
- Fileless & Evasive Malware  
- Living-off-the-Land (LotL) Attacks
Network AMTD Prevents:
- Network Reconnaissance
- IP-based Targeting
- Port Scanning
- Eavesdropping & IP Snooping
Cloud Native AMTD Prevents:
- Credential Theft and Misuse
- Machine Identity Spoofing
- Lateral Movement
- API Key and Session Hijacking
- Man-in-the-Middle Attacks
- AI-driven reconnaissance
- Quantum Attacks

The "Security Gap" Endpoint AMTD Leaves:
It is "blind" to credential theft. An attacker with a valid, stolen API key can access sensitive data, and this defense cannot prevent it.
The "Security Gap" Network AMTD Leaves:
It is "path-centric." It doesn't stop an attacker who is already on a trusted path (e.g., a compromised microservice) from using stolen credentials.
The Cloud Native AMTD "Security Gapfiller":
By focusing on Layer 7 and access credentials, this is the only proactive defense against the primary cause of major cloud breaches, an attack vector that the other AMTD methods are not designed to stop.

Feature by Feature Comparison

Feature

Others

Hopr rotates the identity and secret credentials at high frequency.
Existing solutions rely on static or semi-static credentials that are easy targets for adversaries.
Hopr verifies trust in a workload identity at each session.
Automated PKI certificate identities may be self-signed, seldom rotate, and lack a workload identity chain of trust.
Hopr immediately discovers compromised API keys and prevents their misuse by threat actors.
Conventional authentication cannot recognize compromised keys when they arrive for authentication. Stolen keys are easily abused.
Hopr scales with operations in real-time and in all environments.
Existing solutions can't operate across all cloud environments in real time and interrupt operations to rotate secrets.
Hopr hardens access to both endpoints to prevent attacks.
Existing solutions may protect the API endpoint, but do not protect the client endpoint in an exchange.
Hopr ensures bi-directional confidentiality and integrity of data in transit between endpoints.
Existing solutions may use TLS or mTLS, but these may not be present everywhere, leaving data exposed.
Hopr rejects all malware from untrusted sources before it reaches an endpoint.
Existing solutions may scan traffic for malware, but inspection can't find all malware before it is delivered to an endpoint.
Hopr eliminates the "secret zero" problem since secrets aren't stored.
Secrets vaults require more access keys, creating a chain of keys and storage.

See the WoSP in operation

Click the image at left to watch a 3:36 (min:sec) recorded demo of Hopr WoSPs protecting workload access, encrypting workload communications, and refusing untrusted workload connections.

The Strategic Takeaway:
The Application Layer is Your "Security Gap"

Exfiltrated API credentials 

Threat actors know that the application layer has the most vulnerabilities and is the place to find data and get the most value from their attack.

As the matrix above shows, you can have a "clean" server (protected by Endpoint AMTD) and a "hidden" network (protected by Network AMTD), and still suffer a catastrophic attack at the application layer.

The application layer is the critical security gap in modern cloud-native architectures, and it's the gap Hopr.co was purpose-built to close.

Our Cloud-Native AMTD is the only approach that focuses protection at the application layer. By "hopping" workload access credentials at high frequency, we animate and shrink the attack surface to confuse, disrupt, and reject threats.

The Bottom Line

We Are Defining the Category for Cloud Defense

Hopr was named by Gartner in 'Emerging Tech: AMTD Advances Proactive Cloud Defense'. This is our focus. We are the only solution that brings a proactive, credential-hopping defense to your cloud workloads.
Gartner, Emerging Tech: AMTD Advances Proactive Cloud Defense, Mark Wah, Lawrence Pingree, Rustam Malik, 2 January 2024. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.