Database Query Auditing Misses Workload Impersonation

Dec 22, 2025

Failure Pattern

Audit logs record which database user executed a query, but not which workload presented that user's credentials. An attacker who compromises a workload inherits those credentials and hides behind the user's name in the log.


What We See in the Field

A compromised workload issues sensitive queries with valid user or service-account credentials. The audit log attributes those queries to the credential's owner, not to the compromised workload, so the investigation starts from the wrong subject. Attribution is wrong.


Underlying Causes

User-level auditing with no workload identity in the session
Shared service accounts used by many workloads, so one name covers them all
Bearer tokens that any holder can replay
Spoofable connection metadata used as a stand-in for identity
No per-session cryptographic verification of the caller


Trust-Native Network Resolution

DTL attaches a verified workload identity to every session. Each audit entry then records both the user and the workload that acted for that user, restoring accurate attribution.
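The following is an added illustration, not DTL's code or any product's implementation. It shows the failure from the causes above and the fix described here in one runnable script: two workloads share a service account and a bearer token; with token-only authentication the audit log cannot tell them apart, and with a per-session proof of workload identity the compromised workload is named, a spoofed identity is rejected, and a replayed challenge is rejected. The workload identifiers, the service-account name, the token, the SQLite table and the HMAC keys are constructed for the example; HMAC with per-workload keys stands in for the mTLS or SPIFFE certificate verification a real deployment would use.

```python
"""Audit attribution with and without a verified workload identity (constructed example)."""
import hashlib
import hmac
import secrets
import sqlite3

# Constructed data: one shared service account, two workloads that use it.
SERVICE_ACCOUNT = "svc_billing"
BEARER_TOKENS = {"tok-billing-shared": SERVICE_ACCOUNT}   # token -> database user
WORKLOAD_KEYS = {                                         # workload id -> key (stand-in for an SVID)
    "spiffe://example.org/ns/prod/sa/billing-api": secrets.token_bytes(32),
    "spiffe://example.org/ns/prod/sa/report-job": secrets.token_bytes(32),
}
AUDIT_LOG = []            # entries: {"user", "workload", "sql"}
_PENDING_NONCES = set()   # challenges issued by the proxy but not yet consumed


def _db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE customers(id INTEGER, ssn TEXT);"
                       "INSERT INTO customers VALUES (1, '123-45-6789'), (2, '987-65-4321');")
    return conn


class Session:
    def __init__(self, db_user, workload):
        self.db_user = db_user     # identity the database authenticates
        self.workload = workload   # verified workload identity, or None
        self.conn = _db()

    def execute(self, sql):
        rows = self.conn.execute(sql).fetchall()
        AUDIT_LOG.append({"user": self.db_user, "workload": self.workload, "sql": sql})
        return rows


def open_session_legacy(token):
    """Token-only auth: the database learns the user and nothing about the caller."""
    user = BEARER_TOKENS.get(token)
    if user is None:
        raise PermissionError("invalid token")
    return Session(user, None)


def challenge():
    """Fresh per-session nonce; binding the proof to it prevents replay."""
    nonce = secrets.token_bytes(16)
    _PENDING_NONCES.add(nonce)
    return nonce


def workload_proof(workload_id, nonce, user):
    """Computed by the workload with its own key (the private side of its identity)."""
    return hmac.new(WORKLOAD_KEYS[workload_id], nonce + user.encode(), hashlib.sha256).digest()


def open_session_bound(token, claimed_workload, nonce, proof):
    """Token plus per-session proof of workload identity; both end up in the audit log."""
    user = BEARER_TOKENS.get(token)
    if user is None:
        raise PermissionError("invalid token")
    if nonce not in _PENDING_NONCES:
        raise PermissionError("stale or replayed challenge")
    key = WORKLOAD_KEYS.get(claimed_workload)
    if key is None or not hmac.compare_digest(
            hmac.new(key, nonce + user.encode(), hashlib.sha256).digest(), proof):
        raise PermissionError("workload identity not verified: " + claimed_workload)
    _PENDING_NONCES.discard(nonce)
    return Session(user, claimed_workload)


def attribute(sql):
    """Who ran `sql`? The set of (user, workload) pairs the audit log supports."""
    return {(e["user"], e["workload"]) for e in AUDIT_LOG if e["sql"] == sql}


def demo():
    sensitive = "SELECT ssn FROM customers"
    job = "spiffe://example.org/ns/prod/sa/report-job"     # the compromised workload
    api = "spiffe://example.org/ns/prod/sa/billing-api"    # the workload it impersonates

    # Legacy: two workloads, one account. The log cannot tell them apart.
    AUDIT_LOG.clear()
    open_session_legacy("tok-billing-shared").execute("SELECT id FROM customers")
    open_session_legacy("tok-billing-shared").execute(sensitive)
    legacy_view = attribute(sensitive)

    # Bound: the compromised report-job is named alongside the shared account.
    AUDIT_LOG.clear()
    n1 = challenge()
    s = open_session_bound("tok-billing-shared", job, n1, workload_proof(job, n1, SERVICE_ACCOUNT))
    s.execute(sensitive)
    bound_view = attribute(sensitive)

    # Metadata spoofing: report-job claims to be billing-api but holds no billing-api key.
    n2 = challenge()
    try:
        open_session_bound("tok-billing-shared", api, n2, workload_proof(job, n2, SERVICE_ACCOUNT))
        spoof_rejected = False
    except PermissionError:
        spoof_rejected = True

    # Replay: the earlier challenge and proof were consumed and cannot be reused.
    try:
        open_session_bound("tok-billing-shared", job, n1, workload_proof(job, n1, SERVICE_ACCOUNT))
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return legacy_view, bound_view, spoof_rejected, replay_rejected


if __name__ == "__main__":
    print(demo())
```

The legacy view collapses to a single `("svc_billing", None)` entry however many workloads share the account, which is exactly the gap an attacker hides in. The bound view carries the workload in every entry, so a query can be traced to the process that issued it and not only to the account it borrowed.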


Broken Trust Assumption

The attacks that exposed this failure pattern were not stealthy break-ins. They were trusted operations.

In the SolarWinds, Capital One, and Okta breaches, malicious activity was carried out with valid identities over approved execution paths. Certificates were valid. Tokens were accepted. Sessions were authenticated. From the system's point of view, nothing appeared wrong.

This is the risk of trust inferred from credentials, location, or prior authentication.