By Camellia Chan
Modern cyberattacks no longer rely on brute force or noisy exploitation. Instead, they target the assumptions built into how systems start, update, and prove integrity. In this article, Camellia Chan explains why software-led and cloud-first security approaches are insufficient against these threats, and why Hardware Root of Trust is emerging as a critical pillar for system integrity, regulatory assurance, and next-generation zero trust architectures.
When we think of great heists, our minds often drift to the movies. In the Ocean’s trilogy, for example, the attackers bypass the cash on the casino tables – that’s small change, a distraction – and target the big score inside the main vault. The real prize sits behind layers of controls, which fail when attackers have a clearer map of the environment than the operators defending it.
Yet, Hollywood is now reality. While security teams monitor dashboards and alerts at the “casino floor” of IT – network traffic, identities, cloud workloads – adversaries are increasingly heading straight for the “vault”. They exploit hardware-level operations such as firmware, boot processes and memory access, operating out of sight of most defence tools. The result is a growing imbalance: defenders react to the noise at the surface – deliberate distractions – while attackers embed themselves deeper into the stack.
And once they’re beneath the operating system, many of today’s tools go blind. It’s time to rethink where digital trust begins.
Why software-only, cloud-first security stacks are struggling
For years, cybersecurity has been shaped by software-defined architectures and cloud scale. Speed became the strategy: patch faster, detect earlier, automate response. Those capabilities still matter, but they were built on a critical assumption: that defenders could detect and respond faster than attackers could exploit weaknesses – and that this advantage would persist as adversaries evolved.
That assumption no longer holds.
Software-based defences depend on known threat signatures, behavioural patterns, and telemetry generated by the environments they are protecting. However, firmware-level breaches sit below traditional detection layers, while zero-day exploits bypass controls built around what’s already known. By the time suspicious activity surfaces, the system may already be compromised at its core.
Cloud-first architectures add another challenge. Defenders often lack direct control or visibility into the hardware layer where workloads actually execute. This abstraction can obscure low-level threats, allowing attackers to manipulate telemetry, disable software protections, or persist beyond reboots.
Crucially, modern attacks are not brute force attempts to break encryption or overwhelm defences. They exploit the assumptions built into how systems start, update, and prove what’s genuine.
How modern Hardware Root of Trust goes deeper than traditional approaches
At the centre of this shift is Hardware Root of Trust (HRoT): a security architecture that embeds trust directly into the hardware layer of a device. The US National Institute of Standards and Technology (NIST) defines it as “an inherently trusted combination of hardware and firmware that maintains the integrity of information.” In practice, HRoT serves as the anchor for system trust from the moment power is applied.
Earlier implementations of hardware trust were often narrow and passive: secure boot, protected key storage, isolated cryptographic functions. Those remain important, but modern HRoT is far more active. It continuously validates device identity, verifies firmware authenticity, and measures platform state in real time, independently of the operating system and application logic.
The key difference is enforcement. HRoT doesn’t wait for software to flag suspicious behaviour or for teams to respond after the fact. If a component deviates from its expected state or unauthorised changes are detected, it can stop the action at the hardware layer before intrusion spreads.
This autonomy is critical. HRoT cannot be paused, spoofed, or socially engineered. It does not depend on cloud connectivity or trusted software agents. Its authority is rooted in immutable identity and verifiable state.
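As an added illustration (not code from the article or from any vendor), here is a simplified Python model of the measure-and-verify loop described above, and of the TPM-backed attestation mentioned later in the article: each boot component is hashed into a TPM-style register, and a verifier replays the event log against known-good values to name the first stage that deviated. Stage names and images are constructed; the measurement chaining follows the TPM PCR-extend rule, while signed quotes, nonces and multiple PCR banks are omitted.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Boot stages measured in order; names and images are constructed sample data.
STAGES = ["bootrom", "bootloader", "firmware", "kernel"]

def measure(image: bytes) -> bytes:
    """Digest of one component image, as recorded in the boot event log."""
    return hashlib.sha256(image).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: PCR = SHA-256(PCR || digest). The register can only be
    folded forward, so any changed component alters every later value."""
    return hashlib.sha256(pcr + digest).digest()

def boot(images: Dict[str, bytes]) -> Tuple[bytes, List[Tuple[str, bytes]]]:
    """Device side: measure each stage into the PCR from a zeroed power-on state
    and append to the event log. Returns (final PCR, event log)."""
    pcr, log = bytes(32), []
    for stage in STAGES:
        digest = measure(images[stage])
        log.append((stage, digest))
        pcr = extend(pcr, digest)
    return pcr, log

def verify(pcr: bytes, log: List[Tuple[str, bytes]],
           golden: Dict[str, bytes]) -> Tuple[bool, Optional[str]]:
    """Verifier side: replay the log, flag the first stage whose digest is not
    the known-good one, and confirm the replayed chain reproduces the reported
    PCR (so an edited log cannot hide a real deviation). Returns (ok, detail)."""
    replay, first_bad = bytes(32), None
    for stage, digest in log:
        if first_bad is None and golden.get(stage) != digest:
            first_bad = stage
        replay = extend(replay, digest)
    if replay != pcr:
        return False, first_bad or "log/pcr mismatch"
    return first_bad is None, first_bad

# Known-good images and the golden digests a verifier would hold (constructed).
GOOD = {s: f"{s}-image-v1".encode() for s in STAGES}
GOLDEN = {s: measure(img) for s, img in GOOD.items()}
# Same device with one altered firmware component (constructed).
MODIFIED = dict(GOOD, firmware=b"firmware-image-v1-altered")
```

A False result from verify is the point at which an HRoT would refuse to release keys or continue the boot, rather than waiting for software higher up the stack to notice.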
Importantly, this is not about encrypting everything. Encryption only protects what it is instructed to protect. And those instructions can be manipulated. When applied indiscriminately, encryption can also reduce visibility, giving attackers cover inside environments that look “secure.” HRoT supports a more selective approach: knowing what must be sealed, what should remain observable, and when to intervene.
What the HRoT model means for CISOs in practice
For CISOs, HRoT represents an opportunity to strengthen resilience, meet regulatory demands, and finally realise true zero trust.
From a resilience standpoint, it changes the balance between prevention and response. By validating integrity from power-on and continuously during operation, it reduces reliance on post-incident investigation and recovery. Compromised devices and systems are stopped early, limiting blast radius and disruption.
Regulators are already reinforcing this direction. Frameworks such as the US Department of Defense’s CMMC explicitly highlight HRoT as a stronger foundation for assurance. NIST continues to invest in standards that recognise hardware-backed integrity as essential to modern security architectures.
Market signals reflect the same momentum. HRoT solutions are seeing sustained growth as organisations seek protections anchored in silicon rather than policy alone. Confidential computing and Trusted Execution Environments are accelerating adoption of encrypted-in-use protections, while TPMs and hardware-backed attestation are increasingly tied to compliance, cyber insurance, and zero-trust mandates.
Reframing where security starts
In heist movies, defenders lose when they focus on the distractions and miss the vault. Cybersecurity is facing the same challenge.
HRoT is not a silver bullet, but it is a necessary evolution. It shifts security from reactive patchwork to embedded assurance, redefining how software defences are built.
The next frontier of cybersecurity doesn’t sit higher up the stack. It’s deeper – inside the chip.