Tunnel Vision: What Microsoft's Secure Edge Can't See


Presented at x33fcon 2026 by

What if the tunnel protecting your network is the same tunnel an attacker uses to get in? I reverse-engineered Microsoft's VPN replacement, found the blind spots, and built the tools to exploit them. Your "secure edge" has a visibility problem, let me show you!

Microsoft’s Global Secure Access (GSA), part of the Security Service Edge (SSE) wave, is positioned as the VPN replacement. It promises identity-centric, Zero Trust connectivity to the resources that matter most. Adoption is accelerating, and many organizations are beginning to treat GSA as the trusted path into their most sensitive environments. For red teamers, a trusted, pre-installed, encrypted tunnel into corporate resources doesn’t just sound like security. It sounds like an opportunity.

In this talk, we’ll dissect Microsoft’s newest network security product from the inside out, layer by layer and protocol by protocol. The goal is to understand how it works, where its trust boundaries really are, and how those boundaries can be pushed.

We’ll start with the fundamentals uncovered through weeks of reverse engineering. We’ll break down the authentication architecture and tunnel protocols, then walk through how GSA validates devices, manages sessions, and establishes encrypted connectivity, along with the assumptions those mechanisms rely on.

From there we move into practical tradecraft and defensive lessons. We’ll cover credential exposure in client-side processes, building tunnels from unintended systems, hiding C2 traffic in inspection blind spots, abusing connector infrastructure for traffic redirection, and client-side conditions that can downgrade security controls.

Whether you’re attacking or defending, one thing is now true. If GSA is your new perimeter, you need to understand what’s happening inside the tunnel.