Blog · Carve-Out Tech

The network is the spine. Separate it badly and nothing else lands.

Carve-out network separation is the work of giving Newco its own network identity, perimeter, and connectivity model so that nothing on Newco depends on the seller's network past TSA exit. The track is one of the heaviest infrastructure workstreams inside the broader carve-out advisory program because every other technology cutover assumes the network is in place. Underestimate it, and ERP cutover, application migration, and email migration all stall behind it. Plan it as a first class workstream from Day One and the rest of the technology exits ramp on time.

6
Workstreams
9-15mo
Typical Duration
8 min
Read Time
2026
Last Updated
Section 01

What carve-out network separation actually covers. Everything that carries a packet.

Network separation covers the full stack: wide area connectivity between Newco sites and to the internet, local area networks inside each site, wireless coverage, remote access for users, segmentation between Newco and the rest of the world, DNS, IP address allocation, firewalls, and the operational tooling around all of it. The seller usually delivers most of this as a TSA service on Day One, then Newco builds its own and cuts over before TSA exit.

The scope reveals itself differently depending on how the seller's network is built. A flat enterprise network that runs everything on one address space requires heavy re addressing work for Newco. A network already segmented along business unit lines may allow Newco to inherit a clean segment, simplifying the lift. The buyer-side advisor scopes the actual state inside the first month and sizes the work against the TSA timeline.

Network separation is also where the carve-out perimeter gets enforced at the technical layer. Every flow that crosses between the seller and Newco environments is a candidate for a firewall rule, an inspection point, or a removed connection. The TSA service catalog should list the legitimate flows; everything else gets blocked once Day One stabilizes.

Section 02

Pick the target architecture before Day One. Decisions that compound for years.

The Newco target network architecture decides cost, operational complexity, and exit speed. Three design choices dominate. First, the WAN model: dedicated MPLS, SD WAN, or pure internet with overlay. Second, the perimeter model: enterprise grade firewalls, cloud delivered security stack, or a managed service. Third, the operational model: internal team, managed service provider, or a hybrid.

Smaller carve-outs almost always end up on cloud delivered security and SD WAN because the per site economics and the time to stand up favor that path. Larger carve-outs with regulatory constraints sometimes still pick traditional MPLS plus on premise firewalls, but only when the operating model can sustain it. The buyer-side advisor pressure tests the architecture against the Newco run rate forecast so the network design fits the standalone P and L.

The target architecture also drives the vendor choices for routers, firewalls, monitoring, and identity. Vendor selection should be locked by month two so procurement and shipping can happen in time for the cutover wave. Late vendor selection is one of the most common reasons for network exit slips.

Section 03

Day One connectivity options. Most carve-outs ride the seller WAN at close.

On Day One, very few carve-outs have their own network ready. The usual pattern is that Newco rides the seller's network under a TSA service while Newco builds its own. The buyer-side advisor negotiates the network TSA scope so Newco gets pass-through connectivity, monitoring, and a defined service level, with clear demarcation on what Newco can change and what stays under seller control.

A small number of carve-outs go for a Day One independent network. This works when the carve-out perimeter is small, the geographic footprint is contained, or the seller is unwilling to provide network services under TSA. The Day One independent path is faster to exit but heavier on Day One readiness work and requires more upfront capital. The trade off is documented in the cost case for the operating partner before the design is locked.

A third pattern is the hybrid: Newco builds its own internet edge and security stack on Day One but consumes site connectivity from the seller. This preserves Newco autonomy on policy and inspection while postponing the heavier site by site migration work. The hybrid model pairs with carve-out Day One readiness.

Section 04

Cutover sequencing across sites. Wave by wave, never big bang.

Network cutovers run in waves. Pilot site first to validate the architecture and the operational tooling. Then the smallest sites, where the operational impact of any glitch is contained. Then progressively larger sites, with the headquarters or the primary data center as the last wave. The wave plan is locked at the end of the design phase and tracks against the TSA exit milestone.

Each wave has a rehearsal, a cutover window, and a stabilization period. Rehearsals run on a representative subset of users at the site, validating WAN failover, security policy, and application reachability. The cutover window is usually a maintenance weekend with clearly defined rollback criteria. Stabilization runs for one to two weeks with elevated support coverage, after which the wave is signed off and the next wave begins.

Sites with manufacturing, healthcare operations, or trading floors need additional rehearsal because the cost of a network outage is high. The buyer-side advisor builds extra contingency into the schedule for these sites and confirms the recovery time objective with the operating leadership before the cutover. The work pairs with TSA exit IT separation.

Section 05

Security policy and segmentation. Not a copy of the seller.

A common trap is to copy the seller's security policy wholesale into Newco. The policy was built for the seller's risk profile, regulatory footprint, and operational scale. Newco needs a policy sized for the standalone business. Carrying over rules that were appropriate for the seller can leave Newco both over invested in some controls and under invested in others.

The right approach is a baseline derived from the Newco target operating model. Standard segmentation for production, corporate, and untrusted zones. Access controls aligned with the identity model coming out of the directory migration. Egress inspection sized for the Newco user population. Vendor remote access locked down to the legitimate set. The buyer-side advisor reviews the policy with the Newco CISO and the operating partner before cutover.

Segmentation also needs to enforce the carve-out perimeter. Any flow between Newco and the seller environments must terminate at a controlled boundary, with logging and the ability to terminate the flow at TSA exit. Leaving open trust relationships behind is one of the most common security findings in post exit audits. The work pairs with carve-out cybersecurity Day One.

Section 06

Failure modes that cause exit slips. Known patterns. Avoidable patterns.

Three failure modes account for most network exit slips. The first is late vendor selection, where procurement of routers, firewalls, or circuits did not start in time to support the cutover wave plan. The fix is to lock vendor decisions inside month two and treat procurement lead times as binding constraints on the schedule.

The second is hidden application dependencies on the seller's network. Applications that rely on the seller's DNS, internal certificate authorities, or directory services break when the network cuts over. The fix is a discovery sweep that maps application dependencies to network services before the cutover wave begins. The buyer-side advisor pushes this work into month three at the latest.

The third is insufficient testing of failover and recovery. Sites cut over without proven recovery paths and the first incident becomes a crisis. The fix is rehearsal discipline: every wave runs failover scenarios before the cutover is signed off. The combination of these three disciplines moves network separation from a high risk track to a manageable one. The work pairs with carve-out active directory migration and carve-out endpoint management.

Related Reading

More on carve-out technology.

Free Download

Get the buyer-side TSA Exit Playbook.

The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.

No spam. Unsubscribe in one click. · Read the overview first →

The network is the spine. Separate it badly and nothing else lands.
TSA Exit Acceleration

Run the network separation on the TSA timeline. Without slipping the exit.

Fixed-fee proposal in 48 hours. Senior team on day one. The first conversation is always free.

White paper

The TSA Exit Playbook

Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.

Read the playbook →
White paper

The IT Separation Playbook

Stand up standalone IT before the TSA meter and the seller's dependencies compound against you.

Read the playbook →
The Day One Letter

Get buyer-side TSA intelligence every two weeks

One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.

Subscribe to The Day One Letter →