Failure Pattern
Containers inherit identity from pods or nodes. Attackers compromise a single container and reuse identity across restarts.
What We See in the Field
A malicious container impersonates other containers by inheriting service accounts or certificates. Logs assign actions to the wrong components.
Underlying Causes
Shared certificates
Inherited metadata
Ephemeral workloads
No hardware-bound identity
Fast lifecycle hiding compromise
Trust-Native Network Resolution
DTL assigns a per-workload identity that persists independently of container lifecycle. Each container session must validate identity cryptographically.
Broken Trust Assumption
This failure pattern has played out repeatedly in real security incidents—not because of missing tools, but because of how trust is assigned.
In breaches such as SolarWinds, Capital One, Okta, and MOVEit, attackers did not bypass security controls. They operated through them, using valid identities, trusted credentials, signed code, and encrypted sessions. Security systems accepted these signals as proof of legitimacy, allowing malicious behavior to proceed.
The common thread across these incidents is structural: identity was assumed based on trust signals, not proven at the moment of execution.