---
title: "Network Bridge Report"
date: 2026-05-10
---
<!-- licenses: platform -->

<div class="alert alert-info">
<svg class="alert-icon" xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg>
<div class="alert-body">

Most users should start with the [Network Map](network-map.md). It surfaces the same multi-homed bridge assets — and goes further with subnet clustering, choke-point ranking, hop-filter tracing, and exports to Gephi, Cytoscape, and Visio.

</div>
</div>

The ((network bridge report)) finds assets that bridge two or more network segments. These ((multi-homed)) assets are the pivots an attacker uses to move between zones — between guest Wi-Fi and corporate LAN, between IT and OT, or between an internal segment and the public internet.

## Accessing the report

* **Reports** — Open it directly at `/reports/analysis/bridges` from the Reports menu, or [https://console.runzero.com/reports/analysis/bridges](https://console.runzero.com/reports/analysis/bridges).
* **Network Map** — The same assets appear on the [Network Map](network-map.md) under the **Pivots** stat in the Network Intel card (`multi_homed:t`). Each multi-homed asset shows up once in every subnet it has an address in, with edges drawn between the copies so you can see exactly which segments it bridges.

## How bridges are detected

runZero detects network bridges by collecting extra IP addresses returned in responses to common discovery probes — NetBIOS, SNMP, MDNS, UPnP, and others — and by correlating MAC addresses across subnets. A bridge is reported whenever the same asset is observed with addresses in two or more distinct subnets.

![Network Map filtered with `multi_homed:t`, showing a high-risk EOL Windows asset (`10.10.0.1` / `FACTORY-FFU-02`) bridging the `10.10.0.0/24` segment to the `10.66.0.0/24` OT segment with a callout reading "Multi-homed: can become pivot point"](img/network-map-multi-homed-4-9.jpg)

The detection is opportunistic. Hardened endpoints (host firewalls, disabled discovery services) may not reveal their other interfaces, so the report can miss bridges. Treat what it shows as a floor, not a ceiling.

## Reading the report

* **External networks** are drawn in red, **internal networks** in green.
* Edges connect a subnet to every multi-homed asset that has an address in it.
* Single-homed assets are omitted to keep the graph readable.

The visualization is intentionally segmentation-focused; it is not a full topology view. For a full Layer-2 / Layer-3 picture, use the [Network Map](network-map.md). For switch-port–level connectivity, use the [Switch Topology](switch-topology-report.md) report.

## Querying multi-homed assets directly

Every bridge in this report is a multi-homed asset. You can query them straight from the inventory:

```
multi_homed:t
multi_homed:t AND has_public:t        # bridges with at least one public IP
multi_homed:t AND category:OT         # OT pivots — top-of-register OT risk
```

Combine with `subnet_class:OT`, `category:IT`, `risk:high`, or `eol:t` to surface the bridges that matter most for segmentation hardening.

## See also

* [Network Map](network-map.md) — full interactive topology with bridge / pivot analysis built in.
* [Understanding network segmentation](understanding-network-segmentation.md) — background on segmentation gaps and how to remediate them.
* [Switch Topology](switch-topology-report.md) — switch-port–level connectivity from SNMP and integrations.