VDI Systems Trust Compromised Endpoints Too Much

Dec 22, 2025

Failure Pattern

VDI systems authenticate users, not devices. Attackers compromise endpoints and ride VDI sessions into internal systems.

What We See in the Field

A compromised laptop logs into VDI systems with valid credentials. VDI grants the session full access. Downstream systems trust VDI traffic without verifying device identity.

Underlying Causes

Authentication without device verification
Inherited trust from VDI sessions
Overprivileged VDI access
No workload identity
Metadata-based trust across VDI infrastructure

Trust-Native Network Resolution

DTL enforces device identity. A VDI session cannot be treated as trusted unless the connecting device presents valid TrustKeys.
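The following is an added illustration of the two policies contrasted above (user-only authentication versus user plus device proof), written for this page; it is not DTL's code and does not describe how TrustKeys are implemented. Everything in it is assumed: the device registry, the user directory, and the use of an HMAC over a server challenge as a stand-in for a device key held in hardware. It shows why valid credentials from an unenrolled laptop pass the weak policy and fail the hardened one, and why a downstream system should only honour sessions that carry a verified device identity.

```python
"""Access decision for a VDI session: credentials alone vs credentials + device proof.

Added example for this page; all data below is constructed and the HMAC stands in
for a hardware-backed device key. It is not the DTL/TrustKeys implementation.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed enrolment registry: device_id -> key provisioned at enrolment.
# A real deployment would hold an asymmetric key in a TPM or similar; a shared
# secret is used here only so the example runs with the standard library.
DEVICE_KEYS = {
    "laptop-enrolled-01": b"constructed-device-key-01",
}

# Constructed user directory: username -> sha256 of the password (illustrative only).
USER_PASSWORDS = {
    "alice": hashlib.sha256(b"correct horse battery staple").hexdigest(),
}

# Challenges the server has issued and not yet consumed (single use).
ISSUED_NONCES: set = set()


@dataclass
class SessionRequest:
    user: str
    password: str
    device_id: Optional[str] = None
    nonce: Optional[str] = None         # server-issued challenge
    device_proof: Optional[str] = None  # HMAC(device_key, user:nonce)


def user_authenticated(req: SessionRequest) -> bool:
    """Credential check only: this is all the weak policy looks at."""
    digest = hashlib.sha256(req.password.encode()).hexdigest()
    return hmac.compare_digest(USER_PASSWORDS.get(req.user, ""), digest)


def issue_challenge() -> str:
    """Fresh challenge the device must sign; binds the proof to this attempt."""
    nonce = secrets.token_hex(16)
    ISSUED_NONCES.add(nonce)
    return nonce


def device_proof(device_id: str, user: str, nonce: str) -> str:
    """What an enrolled device computes with its key (client side)."""
    return hmac.new(DEVICE_KEYS[device_id], f"{user}:{nonce}".encode(),
                    hashlib.sha256).hexdigest()


def device_verified(req: SessionRequest) -> bool:
    """Server side: the proof must come from an enrolled key over a live challenge."""
    key = DEVICE_KEYS.get(req.device_id or "")
    if key is None or not req.nonce or not req.device_proof:
        return False
    if req.nonce not in ISSUED_NONCES:
        return False            # unknown or already-used challenge (replay)
    ISSUED_NONCES.discard(req.nonce)   # single use, whatever the outcome
    expected = hmac.new(key, f"{req.user}:{req.nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, req.device_proof)


def grant_user_only(req: SessionRequest) -> bool:
    """Weak policy (the failure pattern): valid credentials are enough."""
    return user_authenticated(req)


def grant_user_and_device(req: SessionRequest) -> bool:
    """Hardened policy: valid credentials AND a proof from an enrolled device."""
    return user_authenticated(req) and device_verified(req)


def open_session(req: SessionRequest, require_device: bool) -> Optional[dict]:
    """Mint a session record; device_id is only recorded when it was verified."""
    if require_device:
        if not grant_user_and_device(req):
            return None
        return {"user": req.user, "device_id": req.device_id}
    if not grant_user_only(req):
        return None
    return {"user": req.user, "device_id": None}


def downstream_allows(session: dict) -> bool:
    """A downstream system should not inherit trust from a session with no device identity."""
    return session.get("device_id") in DEVICE_KEYS
```

Under the weak policy a stolen password from any laptop yields a session whose downstream consumers cannot tell an enrolled device from a compromised one; under the hardened policy the session record itself carries the verified device, which is what downstream checks should key on instead of "it came from VDI".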

Broken Trust Assumption

The attacks that exposed this failure pattern were not stealthy break-ins. They were trusted operations.

During incidents such as SolarWinds, Capital One, and Okta, malicious activity was carried out using valid identities and approved execution paths. Certificates were valid. Tokens were accepted. Sessions were authenticated. From the system’s point of view, nothing appeared wrong.

This is the risk of trust inferred from credentials, location, or prior authentication.