Data Leakage Through Trusted Channels Is Invisible to Security Tools

Dec 22, 2025

Failure Pattern: Data Leakage

Most data leakage uses legitimate, trusted channels rather than malicious ones. Security tools struggle because the traffic looks normal.


What We See in the Field

A compromised workload sends sensitive data to attacker-controlled systems using allowed protocols. DLP tools miss it because the originating system is trusted.


Underlying Causes

Overprivileged workloads
Lack of origin identity validation
Trusted internal services misused
Blind reliance on TLS
Metadata-based trust decisions


Trust-Native Network Resolution

DTL enforces workload identity before any data flow. Attackers cannot use trusted channels because they cannot present valid TrustKeys. Exfiltration attempts fail at session creation.
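An added illustration, not DTL's own code: it contrasts the metadata-based trust listed under Underlying Causes (source host is trusted, so the flow is allowed) with identity enforced at session creation. The TrustKey format, the HMAC scheme, the workload names, hosts and flows are all assumptions constructed for the example.

```python
import hmac, hashlib, json

# Constructed data: which hosts the metadata policy trusts, which workloads the
# control plane knows, and which (workload, destination) flows are approved.
TRUSTED_HOSTS = {"10.0.1.5"}
WORKLOAD_KEYS = {"payments-api": b"constructed-key-1"}
ALLOWED_FLOWS = {("payments-api", "ledger.internal:443")}

def issue_trustkey(workload, dst, now):
    """Hypothetical control-plane step: mint a TrustKey only for an approved
    flow. The key is a MAC over (workload, dst, iat) under the workload's secret."""
    if (workload, dst) not in ALLOWED_FLOWS:
        return None
    body = {"wl": workload, "dst": dst, "iat": now}
    msg = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(WORKLOAD_KEYS[workload], msg, hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}

def metadata_policy(session):
    """Trust inferred from where the traffic comes from (the failure pattern)."""
    return session["src_ip"] in TRUSTED_HOSTS

def identity_policy(session, now, max_age=60):
    """Trust requires a valid, destination-bound, fresh TrustKey at session creation."""
    tk = session.get("trustkey")
    if tk is None:
        return False
    body = tk["body"]
    key = WORKLOAD_KEYS.get(body.get("wl"))
    if key is None:
        return False
    msg = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tk["mac"]):
        return False
    if body["dst"] != session["dst"]:   # key is bound to one destination
        return False
    return 0 <= now - body["iat"] <= max_age

def evaluate(now=1_000_000):
    """Run both policies over two constructed sessions from the same trusted host."""
    legit = {"src_ip": "10.0.1.5", "dst": "ledger.internal:443",
             "trustkey": issue_trustkey("payments-api", "ledger.internal:443", now)}
    # A compromised process on the same host opening HTTPS to an outside host.
    # No TrustKey exists for that destination, so it can only replay the legitimate one.
    exfil = {"src_ip": "10.0.1.5", "dst": "outside.example:443", "trustkey": legit["trustkey"]}
    return {name: (metadata_policy(s), identity_policy(s, now))
            for name, s in [("legit", legit), ("exfil", exfil)]}
```

The metadata policy allows both sessions because the source host is trusted; the identity policy allows only the approved flow and rejects the replayed key at session creation.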


Broken Trust Assumption

The attacks that exposed this failure pattern were not stealthy break-ins. They were trusted operations.

During incidents such as SolarWinds, Capital One, and Okta, malicious activity was carried out using valid identities and approved execution paths. Certificates were valid. Tokens were accepted. Sessions were authenticated. From the system’s point of view, nothing appeared wrong.

This is the risk of trust inferred from credentials, location, or prior authentication.