If your security strategy starts with “upgrade everything,” you don’t have a strategy—you have a wish.
Most legacy environments can’t be modernized on a timeline that matches threat velocity. The goal is to reduce blast radius quickly without breaking uptime.
Here’s a practical 30-day playbook to isolate risk in “can’t-patch” systems (OT, lab gear, old Windows, embedded devices, vendor-controlled platforms).
Days 1–7: Asset reality check
– Discover what’s actually on the network (including shadow IT)
– Identify crown jewels, unsafe protocols, and any inbound/outbound paths
– Document owners, purpose, and acceptable downtime
Days 8–15: Segmentation that works in the real world
– Create/validate zones: critical, legacy, user, vendor, internet-facing
– Default-deny between zones; allow only required flows
– Block lateral movement paths (SMB/RDP where not needed, east-west traffic)
Days 16–23: Controlled remote access
– Replace “VPN to everything” with least-privilege access
– Use jump hosts/bastions, MFA, per-session approvals, and full session logging
– Time-bound vendor access; restrict to specific assets and ports
Days 24–30: Monitoring and response readiness
– Centralize logs (firewall, auth, jump host, EDR where possible)
– Alert on new services, new outbound destinations, and unusual admin activity
– Test 2–3 incident runbooks: isolate a segment, revoke access, restore from known-good
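The zone model from Days 8–15 (default-deny between zones, allow only required flows, no direct SMB/RDP into legacy) and the Days 24–30 alerting on flows that should never happen can both be expressed as a small policy check. This is an added example, not code from the post; the zone address ranges, the allowlist entries and the flow records are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Zone ranges are assumptions for this example, not addresses from the post.
ZONES = {
    "critical": ip_network("10.10.0.0/24"),
    "legacy": ip_network("10.20.0.0/24"),
    "user": ip_network("10.30.0.0/24"),
    "vendor": ip_network("10.40.0.0/24"),
    "bastion": ip_network("10.50.0.0/28"),  # jump hosts from the Days 16-23 step
}
# The only permitted inter-zone flows, as (src_zone, dst_zone, proto, dst_port); all else is denied.
ALLOWED = {
    ("user", "bastion", "tcp", 22),      # operators reach legacy only through the jump host
    ("vendor", "bastion", "tcp", 22),    # vendors likewise, never straight to the asset
    ("bastion", "legacy", "tcp", 3389),  # the one sanctioned RDP path
    ("legacy", "critical", "tcp", 502),  # assumed Modbus/TCP from a legacy HMI
}
LATERAL_PORTS = {445, 3389}  # SMB and RDP, the paths the playbook says to block

def zone_of(ip):
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"  # anything outside the defined zones

def evaluate(flow):
    """Return 'allow' or 'deny' for one flow record under the zone policy."""
    src, dst = zone_of(flow["src"]), zone_of(flow["dst"])
    if src == dst:
        return "allow"  # intra-zone traffic is out of scope for inter-zone rules
    return "allow" if (src, dst, flow["proto"], flow["dport"]) in ALLOWED else "deny"

def lateral_paths():
    """Allowlist entries that grant SMB/RDP from anywhere but the bastion zone."""
    return sorted(r for r in ALLOWED if r[3] in LATERAL_PORTS and r[0] != "bastion")

def audit(flows):
    """Denied flows: each is either a rule to fix before cut-over or an alert to raise after it."""
    return [f for f in flows if evaluate(f) == "deny"]

# Constructed flow records, not real traffic.
FLOWS = [
    {"src": "10.30.0.15", "dst": "10.20.0.7", "proto": "tcp", "dport": 445},   # user -> legacy SMB
    {"src": "10.30.0.15", "dst": "10.50.0.2", "proto": "tcp", "dport": 22},    # user -> bastion
    {"src": "10.50.0.2", "dst": "10.20.0.7", "proto": "tcp", "dport": 3389},   # bastion -> legacy RDP
    {"src": "10.20.0.7", "dst": "203.0.113.9", "proto": "tcp", "dport": 443},  # legacy -> internet
    {"src": "10.40.0.3", "dst": "10.20.0.7", "proto": "tcp", "dport": 3389},   # vendor direct to legacy
]
```

Run `lateral_paths()` against the real allowlist before enforcing it, and feed `audit()` from firewall flow logs so every denied inter-zone attempt becomes an alert rather than silence.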
This doesn’t eliminate the need to modernize. It buys you time and reduces risk while procurement, validation, and downtime windows catch up.
What’s your biggest blocker in legacy environments: visibility, segmentation, vendor access, or monitoring?