6 July 2026
The shift to remote work was not a gentle evolution. It was a forced migration that tore down the corporate perimeter in a matter of weeks. Companies scrambled to deploy VPNs, cloud applications, and collaboration tools, but most of them did so without stopping to ask a critical question: if I cannot see my network, how can I possibly secure it?
Network visibility used to be a nice-to-have. You had a data center, a few branch offices, and a clear line of sight between users and resources. Today, that line is gone. Traffic no longer flows through a central choke point where you can inspect it. It goes from a home router, through an ISP, into a cloud provider, and then to a SaaS application. Along the way, packets vanish into black boxes owned by third parties. This is not just a security problem. It is a performance, compliance, and operational problem that cuts directly into the bottom line.

The mistake here is treating remote access as a simple extension of the office network. It is not. When a user connects via VPN, you might see the encrypted tunnel, but you have no visibility into what happens before the traffic enters that tunnel. Malware on the home machine, DNS hijacking at the ISP level, or a compromised router can all intercept data before it ever reaches your VPN gateway. Without visibility into the full path, you are blind to the first mile of every connection.
In a remote world, this becomes exponentially harder because the traffic path is fragmented. A user in Tokyo accessing a Salesforce instance hosted in the US might have their traffic routed through a half-dozen autonomous systems. If latency spikes, you need to know whether the problem is in the user's home network, their ISP, a transit provider, or Salesforce itself. Without visibility, you are guessing.
This is where endpoint detection and response (EDR) tools come into play, but they are not a silver bullet. EDR agents can tell you that a process called "svchost.exe" is making outbound connections to an IP address in Eastern Europe. That is visibility. But if the agent is not configured to capture network telemetry, you will not know what data was sent or how much. You need endpoint visibility that includes network flow data, not just process logs.
A common mistake is relying solely on antivirus or basic endpoint protection. Those tools look for known signatures. They do not tell you about unusual traffic patterns, such as a machine that suddenly starts sending large amounts of data at 3 AM. That behavior is invisible unless you have network-aware endpoint monitoring.
Traditional tools like traceroute and ping give you a rough picture, but they are inadequate for modern remote work. They show you the path, but they do not show you the health of the path in real time. If a user in Berlin has a slow connection to a cloud application hosted in Frankfurt, you need to know whether the bottleneck is in the user's home network, the Deutsche Telekom backbone, or the cloud provider's edge.
This is where synthetic monitoring and real-user monitoring (RUM) become essential. Synthetic monitoring sends test traffic along the same paths that users take, giving you a baseline for performance. RUM captures actual user sessions, showing you exactly what latency and errors they experience. Both are necessary. Synthetic monitoring tells you what is possible. RUM tells you what is happening.
Application visibility means being able to decode protocols, understand transaction times, and correlate application errors with network conditions. Tools like packet-level analysis or application performance monitoring (APM) are critical here. They let you see that a user's request took 2 seconds to reach the server, but the server took 10 seconds to respond. That tells you the problem is server-side, not network-side.
The trade-off with deep application visibility is complexity. Full packet capture generates enormous amounts of data. Storing and analyzing that data requires significant infrastructure. Many organizations fall into the trap of capturing everything but analyzing nothing. They have petabytes of packet data sitting in storage, but no one has time to look at it. The better approach is to use intelligent sampling. Capture full packets only for suspicious sessions or for specific applications that are critical to your business. For everything else, use flow-level data that gives you metadata without the storage overhead.

The solution is split tunneling, but it is controversial. Split tunneling sends only corporate traffic through the VPN and routes personal traffic directly to the internet. This reduces the load on the VPN and gives you better visibility into corporate traffic because you are not drowning in noise. The downside is that personal traffic is not protected by the corporate security stack. If the user's home network is compromised, their personal browsing could be intercepted. The right approach is to use split tunneling selectively, combined with endpoint security that protects the device regardless of how traffic is routed.
To address this, you need cloud-native monitoring tools. AWS VPC Flow Logs, Azure Network Watcher, and Google Cloud VPC Flow Logs give you visibility into traffic within the cloud. They are not as detailed as packet capture, but they show you source and destination IPs, ports, protocols, and packet counts. Combine that with cloud APM tools that trace requests across microservices. You will then be able to see that a request spent 5 seconds waiting for a database query inside the cloud, which explains the user's slow experience even though the network path was clean.
The most practical solution is to deploy lightweight agents on the user's device that collect network telemetry. These agents can measure latency to the first hop (the home router), latency to the ISP gateway, and latency to the VPN concentrator. If you see high latency at the first hop, you know the problem is in the home network. If you see high latency at the ISP gateway, the problem is the ISP. This allows you to triage issues without needing access to the user's router.
A common misconception is that you should try to control the home network. Do not do that. You cannot mandate that employees upgrade their routers or switch ISPs. What you can do is give them a diagnostic tool that helps them understand the problem and then provide guidance. For example, if the tool shows packet loss on the home Wi-Fi, you can recommend they move closer to the router or use a wired connection. That is actionable without being invasive.
The cost goes beyond wasted time. When you cannot see the network, you cannot enforce policy. You might have a policy that prohibits access to certain websites or applications, but if you cannot see what users are doing, the policy is meaningless. You might have a requirement to log all access to sensitive data, but if your logs only show encrypted VPN traffic, you are not actually logging the access. This creates compliance risks that can lead to fines or legal liability.
The mistake many organizations make is applying the same level of inspection to all traffic. They treat a Zoom call the same way they treat a file transfer to a cloud storage service. That is inefficient. A better approach is to use application-aware visibility. Identify the application type at the first packet and then apply inspection rules accordingly. Voice traffic should get minimal inspection to preserve quality. File transfers and database connections should get full inspection because they carry sensitive data.
This requires a visibility architecture that can classify traffic in real time. Traditional firewalls do this poorly. Next-generation firewalls are better, but they still have performance limits. The best solution is to use a dedicated network visibility appliance or a cloud-based visibility service that sits between the user and the application. These tools are designed to classify and inspect traffic without becoming a bottleneck.
Do not try to build your own visibility solution from scratch. The complexity of modern networks makes this impractical. Use commercial tools that are purpose-built for remote visibility. They have already solved the hard problems of traffic classification, data storage, and correlation.
Do not assume that your ISP or cloud provider will give you visibility. They will not. They have their own incentives, and those incentives do not align with your need for detailed traffic data. You must collect your own telemetry.
Do not over-collect data. More data is not better. Better data is better. If you collect everything, you will drown in noise and miss the signal. Be intentional about what you collect and why. If you cannot explain why a particular metric is important, do not collect it.
Do not forget about the human element. Network visibility tools are only useful if the people using them understand what they are seeing. Invest in training for your network and security teams. Teach them how to interpret the data and how to act on it. A tool without skilled operators is just expensive decoration.
The organizations that will thrive in this new reality are the ones that invest in visibility early. They treat it as a strategic capability, not a tactical afterthought. They build multiple vantage points, correlate data across layers, and automate responses. They understand that the network is no longer a place you go to. It is a fabric that connects everything, and you must be able to see every thread.
If you are still relying on the same visibility tools you used five years ago, you are already behind. The network has changed. Your visibility must change with it.
all images in this post were generated using AI tools
Category:
Network InfrastructureAuthor:
Marcus Gray