Network Cartography vs. Topology: Why the Difference Matters for Security
February 2026
Security teams across enterprises rely on network topology diagrams to understand their infrastructure. These maps show routers, switches, access points, and how devices physically or logically connect. But here's the problem: topology alone doesn't tell you how your network actually communicates. It shows potential paths, not real flows. This is where network cartography—the actual, real-time mapping of communication patterns—becomes critical to security. Understanding the difference can decide whether you miss a lateral movement attack or catch it in real time.
What Is Network Topology?
Network topology is the blueprint of your infrastructure. It describes the arrangement of network nodes, the connections between them, and the hierarchy of how devices are organized. A typical topology diagram shows routers at the core, managed switches connecting to access points, and end devices hanging off those access points. You get a clean, hierarchical view: headquarters to branch offices, data center to cloud, client to server.
Topologies come in logical and physical varieties. Physical topology describes the actual cables and hardware paths data might take. Logical topology describes how data flows in protocols and software—TCP/IP routes, VLAN assignments, firewall rules. Both are useful for network administration, capacity planning, and understanding design intent. They're essential documentation.
But topology is static. It answers the question: "How could data move?" Network topology is designed once and updated infrequently. It captures architecture, not behavior. A new access point might not be documented for weeks. Shadow traffic on a forgotten VLAN won't appear on the diagram. The CEO's guest WiFi, rogue IoT devices, or a technician's temporary bridge between network segments—none of these show up in topology until someone explicitly charts them.
What Is Network Cartography?
Network cartography is the continuous, real-time mapping of actual communication. Rather than documenting how devices should connect, cartography observes how they do connect, at scale, in real time. It treats your network infrastructure not as a set of connecting systems (routers, switches, access points) but as a connected system—a living, breathing organism where data flows dynamically based on user behavior, application needs, and current conditions.
Cartography answers the question: "How is data actually moving right now?" Every packet, flow, and session contributes to a real-time map of communication patterns. Unlike topology, cartography captures what's real: the actual traffic between your enterprise applications, the communication patterns of your users, the lateral movement paths attackers might exploit. It shows not just the infrastructure, but the behavior running on top of it.
The key difference is observability. Cartography is derived from network telemetry—packet captures, NetFlow data, application logs, DNS queries, TLS handshakes. It's built from what the network is actually doing, not from what an engineer documented months ago. This means cartography automatically detects configuration drift, rogue devices, unusual communication patterns, and the footprints of attackers moving laterally through your network.
Why Security Teams Need Cartography
East-west traffic—communication between hosts on the same network segment—is where modern attacks live. An attacker exfiltrating data doesn't usually go back through your firewall or intrusion prevention system (both optimized for north-south boundary protection). Instead, they move laterally, hopping from one compromised device to another, staying within the network. Topology diagrams don't capture this traffic. They show you that two servers are on the same VLAN, but not which users actually talk to which servers, when, and how often.
Cartography reveals the baseline of normal east-west communication. When an attacker pivots to a new host, they must communicate differently than legitimate users. They may query an LDAP server they've never accessed. They may establish connections at odd times of day. They may exfiltrate to an external IP address at unusual volumes. Against a cartographic baseline of real behavior, these anomalies become visible. Against a static topology diagram, they're invisible.
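An added example (not Sensilla's code and not part of the original article): a minimal communication map built from flow records, then used as the baseline against which new peers, odd hours, and unusual volumes are flagged. Host names, addresses, the record layout, and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

def build_map(flows):
    """Aggregate flow records into a communication map keyed by (src, dst, port)."""
    cmap = defaultdict(lambda: {"hours": set(), "bytes": []})
    for ts, src, dst, port, nbytes in flows:
        edge = cmap[(src, dst, port)]
        edge["hours"].add(datetime.fromisoformat(ts).hour)
        edge["bytes"].append(nbytes)
    return dict(cmap)

def find_deviations(baseline, flows, z=3.0):
    """Compare observed flows with the baseline map; return (reason, flow) pairs."""
    findings = []
    for flow in flows:
        ts, src, dst, port, nbytes = flow
        seen = baseline.get((src, dst, port))
        if seen is None:
            findings.append(("new-edge", flow))  # this pair never talked before
            continue
        if datetime.fromisoformat(ts).hour not in seen["hours"]:
            findings.append(("odd-hour", flow))
        mu, sigma = mean(seen["bytes"]), pstdev(seen["bytes"])
        if nbytes > mu + z * max(sigma, 0.1 * mu):  # floor for near-constant edges
            findings.append(("volume", flow))
    return findings

# Constructed sample telemetry: five working days of ws-17 -> app-01 HTTPS
# and app-01 -> db-01 PostgreSQL traffic, office hours only.
BASELINE = build_map([
    (f"2026-02-0{d}T{h:02d}:00:00", src, dst, port, size + 100 * d)
    for d in range(2, 7) for h in range(9, 18)
    for src, dst, port, size in [("ws-17", "app-01", 443, 40_000),
                                 ("app-01", "db-01", 5432, 120_000)]
])

OBSERVED = [  # constructed flows for the following Monday
    ("2026-02-09T10:00:00", "ws-17", "app-01", 443, 40_300),           # normal
    ("2026-02-09T02:00:00", "ws-17", "ldap-01", 389, 2_000),           # never-seen LDAP peer
    ("2026-02-09T03:00:00", "app-01", "db-01", 5432, 121_000),         # known edge, odd hour
    ("2026-02-09T11:00:00", "ws-17", "203.0.113.50", 443, 9_000_000),  # new external peer
    ("2026-02-09T14:00:00", "app-01", "db-01", 5432, 5_000_000),       # known edge, volume spike
]

if __name__ == "__main__":
    for reason, flow in find_deviations(BASELINE, OBSERVED):
        print(reason, flow)
```

A topology diagram would show all of these hosts as reachable from one another; only the observed map distinguishes the first flow from the other four.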
Moreover, cartography helps security teams understand actual business communication patterns. Which databases does the payroll application really access? Which external APIs does your SaaS platform call? What is the normal volume and frequency of communication between offices during business hours versus after-hours? This behavioral context is invaluable for threat detection. It's the difference between a suspicious alert and noise.
How Sensilla Uses Network Cartography
Sensilla's network detection and response (NDR) platform builds real-time cartography from network telemetry. Rather than relying on topology documentation or static firewall rules, Sensilla observes actual network behavior—flows, DNS, TLS metadata, and application protocols—and constructs a living map of communication patterns. This cartography becomes the foundation for behavioral threat detection. Sensilla's AI models learn normal patterns and flag deviations in seconds, from lateral movement to data exfiltration to command-and-control beaconing.
By combining cartography with human analysis, Sensilla's team can validate alerts and guide containment actions. Topology helps engineers build the network. Cartography helps security teams defend it.