Failure Pattern
Bastion hosts authenticate users but trust the machines connecting through them. Attackers compromise endpoints and use bastions to reach internal systems.
What We See in the Field
A compromised laptop connects to the bastion with valid credentials. The bastion allows unrestricted access because identity verification stops with authentication.
Underlying Causes
Trusting endpoints too much
Credentials reused
No workload identity
Blind trust in authenticated sessions
Broad bastion privileges
Trust-Native Network Resolution
DTL enforces device identity separate from user identity. Even with correct credentials, a compromised device cannot access internal systems.
Broken Trust Assumption
This failure pattern has played out repeatedly in real security incidents—not because of missing tools, but because of how trust is assigned.
In breaches such as SolarWinds, Capital One, Okta, and MOVEit, attackers did not bypass security controls. They operated through them, using valid identities, trusted credentials, signed code, and encrypted sessions. Security systems accepted these signals as proof of legitimacy, allowing malicious behavior to proceed.
The common thread across these incidents is structural: identity was assumed based on trust signals, not proven at the moment of execution.