IDS Tools Are Blind to Identity Forgery Inside Trusted Channels

Dec 22, 2025

Failure Pattern

IDS tools detect signatures and anomaly patterns but cannot detect identity forgery inside trusted channels.


What We See in the Field

A compromised workload uses normal protocols and expected metadata. IDS tools see nothing malicious because the attacker mimics expected patterns.


Underlying Causes

Signature-based detection
Metadata-based attribution
Encrypted east-west traffic
No verified identity
Low-fidelity context


Trust-Native Network Resolution

DTL embeds cryptographic identity into every session. An IDS tool then gains access to true identity signals, enabling accurate detection.
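To make the difference between metadata-based attribution and verified identity concrete, here is an added example (not DTL's code and not from this page): a toy Python detector that attributes each flow first by the service label it carries, then by a per-session HMAC bound to a key registered for that workload. The key registry and the HMAC session tag are assumptions standing in for the cryptographic identity described above.

```python
import hashlib
import hmac

# Constructed key registry: each workload holds a key that never leaves it
# (assumption: keys are provisioned out of band; a stand-in for cryptographic identity).
WORKLOAD_KEYS = {
    "payments-api": hashlib.sha256(b"constructed-key-payments-api").digest(),
    "billing-worker": hashlib.sha256(b"constructed-key-billing-worker").digest(),
}

def session_tag(workload_id: str, session_id: str, key: bytes) -> str:
    """Tag a session with an HMAC bound to the workload identity and the session id."""
    msg = f"{workload_id}|{session_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def attribute_by_metadata(flow: dict) -> str:
    """Metadata-based attribution: believes whatever service label the flow carries."""
    return flow["claimed_service"]

def attribute_by_identity(flow: dict):
    """Identity-verified attribution: the label counts only if the session tag verifies
    under the key registered for that workload; otherwise None (flow is flagged)."""
    key = WORKLOAD_KEYS.get(flow["claimed_service"])
    if key is None:
        return None
    expected = session_tag(flow["claimed_service"], flow["session_id"], key)
    ok = hmac.compare_digest(expected, flow.get("session_tag", ""))
    return flow["claimed_service"] if ok else None

# Constructed flows: same protocol, same expected metadata; only the session tag differs.
GENUINE = {
    "claimed_service": "payments-api", "src_ip": "10.0.1.20", "dst_port": 5432,
    "session_id": "s-1001",
    "session_tag": session_tag("payments-api", "s-1001", WORKLOAD_KEYS["payments-api"]),
}
# Forged: a compromised billing-worker mimics payments-api's metadata, but it can only
# sign with the key it actually holds, so the tag does not verify as payments-api.
FORGED = {
    "claimed_service": "payments-api", "src_ip": "10.0.1.20", "dst_port": 5432,
    "session_id": "s-1002",
    "session_tag": session_tag("payments-api", "s-1002", WORKLOAD_KEYS["billing-worker"]),
}

def detect(flows):
    """Return (metadata_verdicts, identity_verdicts) side by side for comparison."""
    return ([attribute_by_metadata(f) for f in flows],
            [attribute_by_identity(f) for f in flows])

if __name__ == "__main__":
    print(detect([GENUINE, FORGED]))  # metadata accepts both; identity rejects the forgery
```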


Broken Trust Assumption

The attacks that exposed this failure pattern were not stealthy break-ins. They were trusted operations.

During incidents such as SolarWinds, Capital One, and Okta, malicious activity was carried out using valid identities and approved execution paths. Certificates were valid. Tokens were accepted. Sessions were authenticated. From the system’s point of view, nothing appeared wrong.

This is the risk of trust inferred from credentials, location, or prior authentication.