Failure Pattern
Service accounts and IAM roles often grant far more access than necessary. Attackers use one compromised role to spread across environments.
What We See in the Field
A compromised workload uses its service role to access unrelated systems. The permissions technically allow it. IAM sees nothing wrong. Attackers pivot invisibly.
Underlying Causes
Overprivileged IAM roles
Lack of workload-level segmentation
Trust in metadata rather than identity
Complex permissions hard to audit
Long-lived service credentials
Trust-Native Network Resolution
DTL restricts communication to workloads with verified identity. Even broad roles cannot act outside of trust boundaries enforced by the protocol.
Broken Trust Assumption
This failure pattern has played out repeatedly in real security incidents—not because of missing tools, but because of how trust is assigned.
In breaches such as SolarWinds, Capital One, Okta, and MOVEit, attackers did not bypass security controls. They operated through them, using valid identities, trusted credentials, signed code, and encrypted sessions. Security systems accepted these signals as proof of legitimacy, allowing malicious behavior to proceed.
The common thread across these incidents is structural: identity was assumed based on trust signals, not proven at the moment of execution.