7 min

According to Cisco, what we need is not so much new security products, but a completely new architecture to better protect organizations and especially their workloads. That’s what Hypershield is supposed to accomplish.

Hypershield is a big announcement for Cisco. A very big one, even, based on what Cisco CEO Chuck Robins and EVP and GM Security and Collaboration Jeetu Patel have to say about it. Robbins calls it “one of the most significant security innovations in our [Cisco’s, ed.] history.” Patel, in conversation with us, talks about “the best story yet.”

We often hear superlatives from vendors about new products and services. But this really comes across as different. Hypershield is an architecture for which Cisco has taken multiple components and forged them into a whole. Parts of the technology it uses for Hypershield was originally created for use in hyperscalers public clouds, hence the name. Cisco is now bringing this to enterprise environments, specifically data centers, cloud environments, as well as OT environments.

Security where it’s needed

This ‘reimaging’ of the security architecture is Cisco’s response to the ever-increasing security challenges facing organizations’ distributed application environments. The physical infrastructure (and therefore applications) of enterprise organizations’ data centers is changing considerably. Just think of the increasingly important role for GPUs instead of CPUs, or the rise of DPUs to offload workloads. The same goes for applications. These have gone from a relatively orderly three-layer structure (web, logic, data) to collections of microservices in Kubernetes clusters, which in turn need to know which other clusters they can and cannot talk to.

The threat landscape is also becoming increasingly complex and sophisticated. This makes it increasingly difficult to get security where it is needed. With Hypershield, that should become possible again. Cisco is so convinced of the qualities of the new architecture that it even claims that with this announcement, it wil tip the scales in favor of the defenders, away from the attackers.

Even companies like Cisco do not make this kind of claim very often. What exactly is Cisco Hypershield, and what makes it so special? We asked Jeetu Patel these and other questions during a chat we had with him prior to this announcement.

Three problems in search of a solution

According to Patel, three problems are impossible or very difficult to solve using existing security architectures. These are segmentation, patching and upgrades.

Segmentation is now something that needs to be done to and between things like applications and clusters that are connected through APIs. Previously, those components didn’t exist, and it was only about creating segmentation to separate physical servers. Patching is still a big issue in 2024. How often do we read about vulnerabilities that need to be patched, after which organisations only partially implement the required patches? This is not only because organizations don’t prioritise it enough. Sometimes, it can also be a lack of insight into the infrastructure. Finally, upgrades are also very difficult, according to Patel, partly because it must be done manually. If you have a large environment, this can simply become too much to handle.

What is striking, as far as we are concerned, is that the three problems Patel is talking about are actually not that hugely complex in and of itself. That is, all three are part of basic cybersecurity hygiene. That, however, is precisely what many organizations lack. In part, this is because the environments in which the actions must take place have become too complex. Naturally, closing these gaps has the potential to have a major impact on organisations’ cyber resilience.

Components for the solution are available

According to Patel, the above problems “cannot be solved by the next version of something that already exists, it has to be the first version of something new.” Does he mean that Cisco has created something completely new? Not per se, because “the technology building blocks are available.” That is, after the necessary in-house development and an acquisition here and there, Cisco now has these components in its own portfolio.

The three components that make up Cisco Hypershield are eBPF (extended Berkeley Packet Filter), accelerated computing and – of course – AI. “These three components solve the three big problems we identified above,” Patel points out. The last two are fairly obvious. Without an autonomously operating AI in the background, you can’t solve the problems because otherwise, it would all still be a partially manual endeavour. And without hardware acceleration, it is also difficult to deliver the required performance. Hypershield, therefore, leverages components such as DPUs to analyze and react to anomalies in application and network behaviour. This brings security closer to the workloads that need to be protected.

TIP: Cisco XDR aims to reduce alert fatigue, increase signal to noise ratio


The third component of Cisco Hypershield deserves some extra attention. The presence of eBPF in the new product makes it clear why Cisco acquired Isovalent recently. That company, along with Meta, is the creator of the Cilium project. This project provides eBPF functionality to developers and as such to the programs they develop.

eBPF has long been one of the most popular projects in the open-source community. This in itself is not surprising, as it offers quite a bit of added value. Thanks to eBPF, you can run programs in the kernel and the OS. This allows you to add eBPF programs at runtime. The fact that it is in the kernel means that it is maximally efficient and, therefore, performs maximally. Applications of eBPF are plentiful. Delivering network functionality and load balancing in demanding environments, for example, and delivering fine-grained observability related to security at low overhead. The speed and efficiency, coupled with the security and observability capabilities, make it so valuable to Cisco Hypershield.

An interesting thing to note: Cisco’s acquisitions of Isovalent and Splunk create quite an unusual situation. Isovalent is obviously one of the main contributors to Cilium, which ranks third among popular projects on GitHub after Kubernetes and Open Telemetry. Splunk is the largest contributor to Open Telemetry. So, with the acquisitions of these two players, Cisco is now, by proxy, one of the largest contributors to popular open-source projects. Let’s hope it stays that way.

Cisco seems to have been serious about open-source in recent years, to the extent of what’s possible for a company like Cisco. It has also further developed several open-source components in a separate business unit. Of course, a company like Cisco always has a bigger goal. This is also evident with the acquisition of Isovalent. eBPF has been made part of a Cisco proposition. Cilium, however, remains open source. That will continue to be developed under the auspices of the Cloud Native Computing Foundation.

How does Cisco Hypershield work?

Now that we’ve clarified what technologies Cisco Hypershield consists of, let’s also take a brief look at its capabilities. The product consists of three solutions:

  • Distributed Exploit Protection: this should address the patching problem. Basically, this makes any device or endpoint in the data center and cloud infrastructure a so-called enforcement point. Hypershield can resolve any new vulnerability in minutes, according to Patel. It tests the fix (or patch) and also deploys it. Not just for a single device or endpoint, but for all instances that are part of this distributed environment, which you can think of as a fabric.
  • Autonomous Segmentation: the name says it all. With this Hypershield aims to solve the segmentation problem. There’s a big observability component to this, something Cisco has added throughout its portfolio in recent years. Hypershield continuously monitors the entire infrastructure and autonomously determines if there should be any changes to the network’s policies. In this way, it can quickly respond to any intrusion by an attacker.
  • Self-qualifying Upgrades: this third and final functionality of Hypershield should ensure that administrators never have to manually upgrade anything again. Patel compares its operation to that of upgrades on our smartphones. Everything happens automatically in the background. This is possible because Hypershield creates and uses a second data plane for this purpose. It runs the upgrade on a digital twin, testing the software with the workloads, policies and other features that make the location where it runs a unique environment. If everything works well, Hypershield performs the upgrade with no downtime.

No new technology, but new architecture

All in all, Cisco Hypershield is definitely an interesting new product by our reckoning. While it may not be based on radically new technology, Cisco has brought the various components together in a new way. So the underlying architecture of Hypershield is indeed new.

Whether Cisco Hypershield actually changes the architecture of security as a whole, as Patel claims toward the end of our conversation, and tips the balance back toward the defenders, may be a bit too early to say. In any case, though, it is a good example of the very deep integration of different technologies to minimize gaps in defense. This is a development that is visible and needed all over the security market. With that in mind, we can only applaud the introduction of Cisco Hypershield.

Also read: Cisco builds integrated and open security platform; what does that mean?