Identity Providers Cannot Stop Workload Impersonation

Dec 22, 2025

Failure Pattern

Identity Providers (IdPs) validate credentials but not the underlying system presenting them. Attackers use valid tokens to impersonate workloads.


What We See in the Field

A compromised VM sends requests using valid OAuth tokens stolen from its environment. IdPs authenticate the token. Downstream systems trust the session.


Underlying Causes

Token theft
No workload identity
Overprivileged service roles
Long-lived tokens
Blind trust in bearer authentication


Trust-Native Network Resolution

DTL requires runtime identity validation. A stolen token without the correct TrustKey cannot establish a trusted session.
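The field pattern above (a valid token copied out of a VM and accepted by the IdP) and the resolution (a session that requires a key the thief does not hold) can both be shown in a small, stdlib-only Python sketch. This is an added example, not this post's code and not DTL's mechanism: the "TrustKey" is not modeled, and the bound workload key below is a generic stand-in in the spirit of sender-constrained tokens (RFC 7800 `cnf` claims, DPoP-style proofs). The IdP signing key, the workload key, the subject name `vm-1`, and the use of HMAC in place of an asymmetric workload key are all constructed for the demonstration.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo keys (not real secrets). The IdP key signs tokens; the
# workload key stays on the workload and is registered with the verifier.
IDP_SIGNING_KEY = b"constructed-idp-signing-key"
WORKLOAD_KEY = b"constructed-workload-key-held-by-vm-1"
WORKLOAD_KID = hashlib.sha256(WORKLOAD_KEY).hexdigest()[:16]  # key thumbprint
KEY_REGISTRY = {WORKLOAD_KID: WORKLOAD_KEY}  # verifier-side lookup of workload keys


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, cnf_kid: str | None = None,
                now: int | None = None, ttl: int = 3600) -> str:
    """IdP side: mint a compact HMAC-signed token (JWT-like, constructed format).

    With cnf_kid set, the token names the workload key it is bound to (the
    RFC 7800 'cnf' idea); without it the token is a plain bearer credential.
    """
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "iat": now, "exp": now + ttl}
    if cnf_kid is not None:
        claims["cnf"] = {"kid": cnf_kid}
    payload = _b64u(json.dumps(claims, sort_keys=True).encode())
    sig = _b64u(hmac.new(IDP_SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_token(token: str, now: int | None = None) -> dict | None:
    """Check IdP signature and expiry. This is all an IdP-centric check sees:
    nothing here asks which system is presenting the token."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64u(hmac.new(IDP_SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_b64u_decode(payload))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def make_proof(workload_key: bytes, token: str, nonce: str) -> str:
    """Workload side: prove possession of the bound key for one request.

    The proof covers the server's nonce and a hash of the token, so a proof
    captured from one request cannot be replayed against a fresh nonce.
    """
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    msg = f"{nonce}.{token_hash}".encode()
    return _b64u(hmac.new(workload_key, msg, hashlib.sha256).digest())


def bearer_check(token: str) -> bool:
    """Bearer authentication: whoever holds a valid token is accepted."""
    return verify_token(token) is not None


def bound_check(token: str, proof: str, nonce: str, registry: dict[str, bytes]) -> bool:
    """Sender-constrained check: the token must name a registered workload key
    and the presenter must produce a valid proof under that key."""
    claims = verify_token(token)
    if claims is None:
        return False
    kid = claims.get("cnf", {}).get("kid")
    key = registry.get(kid) if kid else None
    if key is None:
        return False  # unbound token, or bound to a key the verifier does not know
    return hmac.compare_digest(make_proof(key, token, nonce), proof)


def scenario() -> dict[str, bool]:
    """Replay the field pattern: tokens are copied out of the VM, the key is not."""
    nonce = secrets.token_hex(8)  # per-request challenge from the resource server
    bearer_token = issue_token("vm-1")
    bound_token = issue_token("vm-1", cnf_kid=WORKLOAD_KID)
    attacker_key = b"constructed-attacker-guess"  # thief has tokens, not the workload key
    return {
        "bearer_accepts_thief": bearer_check(bearer_token),
        "bound_accepts_workload": bound_check(
            bound_token, make_proof(WORKLOAD_KEY, bound_token, nonce), nonce, KEY_REGISTRY),
        "bound_rejects_thief": not bound_check(
            bound_token, make_proof(attacker_key, bound_token, nonce), nonce, KEY_REGISTRY),
        "bound_rejects_unbound_token": not bound_check(
            bearer_token, make_proof(WORKLOAD_KEY, bearer_token, nonce), nonce, KEY_REGISTRY),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

Two points the sketch makes concrete. First, `bearer_check` never consults the presenter at all, which is the structural gap the post describes. Second, the binding only helps when the key is harder to take than the token: if a compromised VM holds an exportable key file next to its token cache, the thief walks off with both and `bound_check` passes for them too. The resolution therefore depends on the key being non-exportable (hardware-backed) or otherwise validated at runtime, and on a server nonce so that a captured proof cannot be replayed.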


Broken Trust Assumption

This failure pattern has played out repeatedly in real security incidents—not because of missing tools, but because of how trust is assigned.

In breaches such as SolarWinds, Capital One, Okta, and MOVEit, attackers did not bypass security controls. They operated through them, using valid identities, trusted credentials, signed code, and encrypted sessions. Security systems accepted these signals as proof of legitimacy, allowing malicious behavior to proceed.

The common thread across these incidents is structural: identity was assumed based on trust signals, not proven at the moment of execution.