MTD creates a mapping from the obfuscated network to the real network, known only to CryptoniteNXT, to enable flow of traffic across the traditional network infrastructure. Software-defined segmentation creates a decision point regarding whether a packet should be permitted through that mapping. This decision minimizes exposure and contains attacks while allowing legitimate communications to take place.
At a per-user and per-service level, CryptoniteNXT decides at line speed whether a given packet needs to be permitted through the network. Unless absolutely necessary, the packet is not delivered to the endpoint thereby preventing malicious packets from ever reaching a protected endpoint. As with MTD, this protection is always on at every endpoint, so all traffic is protected.