Shared Service Accounts Hide Malicious Workload Behavior

Dec 22, 2025

Failure Pattern

Shared service accounts are used across workloads, making it impossible to distinguish legitimate actions from compromised actions.

What We See in the Field

A compromised workload uses a shared service account to perform malicious activity. Logs show the shared identity, hiding the true actor.

Underlying Causes

Shared credentials
Metadata-based attribution
No workload-bound identity
Inherited certificates
Overprivileged shared service identities

Trust-Native Network Resolution

DTL replaces shared identities with workload-specific TrustKeys. Attribution becomes precise. Each workload carries its own non-transferable identity.
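The attribution problem described under "What We See in the Field", and the difference a workload-bound identity makes, can be shown with a small attribution check. The following is an added example, not code from the original page or from DTL; the audit log lines, the credential inventory, the node placement table and the treatment of `export` as the sensitive action are all constructed for illustration. It models a resource-side audit log that records only the authenticated principal and a source address, then asks which workload could have produced each sensitive event: a shared service account held by several workloads behind one node address cannot be resolved to a single actor, while an identity held by exactly one workload can.

```python
from collections import defaultdict

# Constructed resource-side audit log, as a database or API gateway would record it.
# The identity column shows the principal that authenticated, not the workload that acted.
AUDIT_LOG = """\
2025-12-22T10:00:01Z principal=svc-billing src=10.0.1.15 action=read resource=db/customers
2025-12-22T10:01:10Z principal=svc-billing src=10.0.1.15 action=export resource=db/customers
2025-12-22T10:02:30Z principal=wk-reports-9c src=10.0.1.15 action=export resource=db/orders
"""

# Constructed credential inventory: which workloads hold each identity.
# svc-billing is a shared service account; wk-reports-9c is bound to a single workload.
CREDENTIAL_HOLDERS = {
    "svc-billing": {"billing-api-7f", "billing-worker-3a", "billing-cron-1d"},
    "wk-reports-9c": {"reports-9c"},
}

# Constructed node placement: several workloads sit behind the same node address,
# so the source IP (metadata-based attribution) does not separate them either.
NODE_WORKLOADS = {
    "10.0.1.15": {"billing-api-7f", "billing-worker-3a", "reports-9c"},
}

SENSITIVE_ACTIONS = {"export"}  # constructed: the action we want to attribute precisely


def parse_audit_log(text):
    """Parse 'timestamp key=value ...' lines into dicts; skips blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        event = {"ts": ts}
        for pair in pairs:
            key, _, value = pair.partition("=")
            event[key] = value
        events.append(event)
    return events


def candidate_actors(event):
    """Workloads that could have produced this event: holders of the principal,
    narrowed by the workloads known to sit behind the recorded source address."""
    holders = CREDENTIAL_HOLDERS.get(event["principal"], set())
    behind_src = NODE_WORKLOADS.get(event["src"])
    if behind_src is None:
        return set(holders)  # unknown address: every holder remains a candidate
    return holders & behind_src


def attribute(event):
    """Return ('attributed', workload) when exactly one workload could have acted,
    otherwise ('ambiguous', sorted candidate list)."""
    candidates = candidate_actors(event)
    if len(candidates) == 1:
        return ("attributed", next(iter(candidates)))
    return ("ambiguous", sorted(candidates))


def shared_identities(inventory):
    """Identities held by more than one workload: every one of these makes
    attribution of its actions ambiguous by construction."""
    return sorted(principal for principal, holders in inventory.items() if len(holders) > 1)


def review(text):
    """Attribute each sensitive event; ambiguous results are the ones an
    incident responder cannot resolve from the log alone."""
    return [
        (event["action"], event["principal"]) + attribute(event)
        for event in parse_audit_log(text)
        if event["action"] in SENSITIVE_ACTIONS
    ]


if __name__ == "__main__":
    print("shared identities:", shared_identities(CREDENTIAL_HOLDERS))
    for finding in review(AUDIT_LOG):
        print(finding)
```

Running the module lists `svc-billing` as a shared identity and leaves its `export` event ambiguous between `billing-api-7f` and `billing-worker-3a`, while the `export` by `wk-reports-9c` resolves to exactly one workload. The `shared_identities` inventory check is the useful defensive starting point: it enumerates which identities in the environment will produce unattributable log lines before an incident makes that visible.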

Broken Trust Assumption

The attacks that exposed this failure pattern were not stealthy break-ins. They were trusted operations.

During incidents such as SolarWinds, Capital One, and Okta, malicious activity was carried out using valid identities and approved execution paths. Certificates were valid. Tokens were accepted. Sessions were authenticated. From the system’s point of view, nothing appeared wrong.

This is the risk of trust inferred from credentials, location, or prior authentication.