Assessment 1 Arham Plag Report

AimanMaqsood2 4 views 11 slides Sep 08, 2025


Assessment 1: AI-Assisted Critique
Unit: ICT604 - IT Security
Student Name: Muhammad Arham Ullah
Student ID: 62907
Date: 7th September 2025

Table of Contents

Assessment 1: AI-Assisted Critique
Selected Paper
Paper’s First Page
Section 1
GPT Prompt:
Section 2
ChatGPT Output
Section 3
Human Critique and Justification
Section 4
References

Selected Paper

Paper’s First Page

Section 1
GPT Prompt:
Act as an expert in cybersecurity and academic research. Your task is to write a
500-word critical critique of the following research paper. The critique must be
structured, scholarly, and analytical.

Paper Title: "Evaluating Zero Trust Network Access: A Framework for Comparative
Security Testing"

Author: Derron Carstensen

Focus your critique on the following aspects:
1. Methodology: Evaluate the robustness and validity of the testing framework. Is it
reproducible? Are the chosen tests (across Identity, Devices, Networks, Applications,
Data) sufficient to measure Zero Trust maturity?
2. Findings & Analysis: Discuss the significance of the results. What do the
disparities between vendors (e.g., Product A's application strength vs. Product D's
device posture failures) reveal about the ZTNA market?
3. Limitations: Identify and elaborate on at least two potential limitations of the
study. Consider scope (only 5 vendors), the lab environment (simplified setup), or the
anonymization of vendors.
Section 2
ChatGPT Output
Critique of "Evaluating Zero Trust Network Access: A Framework for
Comparative Security Testing" by Derron Carstensen
Derron Carstensen's white paper, "Evaluating Zero Trust Network Access: A
Framework for Comparative Security Testing," presents a timely and practical
contribution to the increasingly crowded and often misleading ZTNA market. By
moving beyond vendor checklists and proposing an empirical, test-driven framework
grounded in established standards like NIST SP 800-207 and the CISA Maturity
Model, the author addresses a critical gap for security practitioners.
The methodology is a significant strength. The development of a controlled lab
environment simulating both trusted and untrusted locations provides a reproducible
foundation for testing. The mapping of specific tests—such as Step-Up MFA for
Identity, definition freshness for Devices, and service cloaking for Networks—to the
five core Zero Trust pillars is logical and comprehensive. This approach effectively
translates abstract principles into measurable security outcomes. The use of real-world
attack tools (Metasploit, Nmap) and simulated malicious data transfers (Meterpreter,
EICAR, PII/PCI data) enhances the validity of the tests, ensuring they reflect actual
threat scenarios rather than theoretical compliance.

The findings are revealing and underscore the paper's core hypothesis: not all ZTNA
solutions are created equal. The results demonstrate a clear maturity gap between
vendors. For instance, Product A excelled in application-layer controls and visibility
but showed gaps in SQL injection detection and data-layer DLP for SMB traffic.
Conversely, Product D consistently failed device posture checks due to a lack of
native functionality, relying instead on external integrations. These disparities are
crucial for organizations to understand; they highlight that a solution strong in one
pillar (e.g., Network segmentation) may be critically weak in another (e.g., Data
protection), complicating procurement decisions.
However, the study has limitations. First, the scope of only five anonymized vendors,
while practical, limits the generalizability of the findings. It raises the question of how
other solutions in the market would perform. Second, the lab environment, while
sufficient for controlled testing, lacks the complexity of a large enterprise network
with thousands of endpoints, hybrid cloud applications, and complex identity
federations. Testing in such a simplified setting may not capture all performance and
scalability challenges.
Despite these limitations, the paper's implications are substantial. It provides a
much-needed methodology for objective comparison, empowering organizations to validate
vendor claims. By highlighting specific capability gaps—like the widespread failure
in Data Loss Prevention across most products—it also directs vendors toward areas
needing improvement and guides future research towards more complex testing
environments. This work is a vital step towards demystifying Zero Trust and holding
solutions accountable to the principles they claim to uphold.

Section 3
Human Critique and Justification
Although ChatGPT came up with a coherent and largely correct summary, my review shows
that there are some key shortcomings in its critique, as it does not reflect the
subtleties of the strengths and weaknesses of the paper.

The methodology is analyzed only on a superficial level by the AI. It rightly points
out the lab setup as a strength, but does not criticize a major methodological decision:
the use of Microsoft Defender as the only Endpoint Protection Platform (EPP). The
paper indicates that this was because it has been widely embraced in enterprises, but
this brings the risk of a vendor-specific bias. A stronger design would have been to test
the framework with a selection of EPP/EDR vendors (e.g., CrowdStrike, SentinelOne)
and guarantee that the device posture checks are actually agnostic (D. Carstensen, 2025).
This is an unobtrusive yet significant limitation on the reproducibility and scope of the
study that the AI overlooked.

When it comes to findings, the AI points to the maturity gap correctly, but is not
critical in its depth. It enumerates findings without generalizing the most important
lesson: the obvious trade-off between network-centric and data-centric vendors. Product B
had a better score in Data protection (DLP), but worse in malicious file detection and
sections of Application security. The same was not true of Product A. This implies an
underlying architectural discontinuity in the ZTNA market between solutions that were
developed out of network firewalls and solutions that were developed out of a data
security or SWG heritage (CISA, 2023). This is one of the strategic lessons that
should be considered by decision-makers, but the AI has fully ignored it.

The AI identified the anonymization of vendors as a limitation and treated it as a
weakness. This is, according to my judgment, one of the strongest points of the paper,
academically and objectively speaking. Anonymization removes brand bias, makes it
necessary to pay attention to the capabilities, not the name, and guarantees the
relevance of the research given the constant updates of the products by the vendors.
The AI could not see this intentional and wise design decision, which shows an
inability to understand academic honesty and unbiased study (S. Rose, 2020).

The conclusion on implications made by the AI is generic. It ought to have
underscored the strong practical application of the paper: the paper offers a template
that internal security departments can use to create their own test laboratories and
perform these assessments prior to acquisition (CISA, 2023). It is a direct contribution
to the practitioner community because it is a how-to: not merely analysis, but action.

Even though AI can create a structured summary, it did not have the complexity of
critical analysis, contextual awareness, and the capability to recognize subtle design
decisions, which is paramount to a genuinely worthwhile academic review. It mangles
summary and analysis.

Section 4
References
1. D. Carstensen, "Evaluating Zero Trust Network Access: A Framework for
Comparative Security Testing," white paper, Jun. 2025.

2. S. Rose, O. Borchert, S. Mitchell, and S. Connelly, "Zero trust architecture," NIST
Special Publication 800-207, Aug. 2020. doi: 10.6028/NIST.SP.800-207.

3. Cybersecurity and Infrastructure Security Agency (CISA), "Zero Trust Maturity
Model, Version 2.0," U.S. Department of Homeland Security, 2023. [Online].
Available: https://www.cisa.gov/sites/default/files/202304/zero_trust_maturity_model_v2_508.pdf