- Run MTR from approved bastion or monitoring hosts.
- Limit who can execute privileged network diagnostics.
- Avoid unrestricted automated scans against external networks.
- Treat hop data as potentially sensitive infrastructure metadata.
- Redact internal IP addresses and hostnames from shared reports.
- Store reports in restricted locations.
- Coordinate with firewall/IDS teams to avoid false incident escalation.
- Respect rate limits and probe intervals in production.
- Use documented target allowlists for recurring diagnostics.
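
One way to apply the redaction guidance above before a report leaves the restricted location. This is an added example, not part of any MTR tooling. The internal ranges, the `.corp.example` suffix, the sample report and the function name `redact_report` are assumptions made for illustration.

```python
import ipaddress
import re

# Assumptions: RFC 1918 and CGNAT space count as internal, and internal
# hostnames end in ".corp.example" (hypothetical suffix; use your own).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
INTERNAL_SUFFIXES = (".corp.example",)
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Dotted names only; single-label hostnames need their own rule.
HOST_RE = re.compile(r"\b[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9-]+)+\b")

# Constructed sample in the layout of `mtr --report` output.
SAMPLE = """\
HOST: bastion01.corp.example      Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.20.0.1                  0.0%    10    0.4   0.5   0.3   0.9   0.2
  2.|-- core-rtr1.corp.example     0.0%    10    1.1   1.2   0.9   1.8   0.3
  3.|-- 198.51.100.7               0.0%    10    8.2   8.4   7.9   9.1   0.4
  4.|-- edge1.isp.example          0.0%    10    9.0   9.3   8.8  10.2   0.5
"""

def redact_report(text):
    """Replace internal IPs and hostnames with stable aliases.

    Returns (redacted_text, mapping). The mapping reverses the redaction,
    so it stays in the restricted location with the original report.
    """
    mapping = {}

    def alias(value, kind):
        # The same value always gets the same alias, so hops stay comparable.
        if value not in mapping:
            n = sum(1 for v in mapping.values() if v.startswith(kind)) + 1
            mapping[value] = f"{kind}-{n}"
        return mapping[value]

    def sub_ip(m):
        try:
            addr = ipaddress.ip_address(m.group(0))
        except ValueError:  # not a valid address (e.g. 999.1.1.1): leave as is
            return m.group(0)
        internal = any(addr in net for net in INTERNAL_NETS)
        return alias(m.group(0), "int-ip") if internal else m.group(0)

    def sub_host(m):
        name = m.group(0).lower()
        return alias(name, "int-host") if name.endswith(INTERNAL_SUFFIXES) else m.group(0)

    return HOST_RE.sub(sub_host, IPV4_RE.sub(sub_ip, text)), mapping

if __name__ == "__main__":
    print(redact_report(SAMPLE)[0])
```

Column alignment shifts after substitution; the hop order and statistics are unchanged.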