Identity Drift Breaks Network Segmentation Controls

Dec 22, 2025

Failure Pattern

Segmentation rules rely on metadata or addresses that drift as workloads scale. Attackers exploit identity drift to bypass segmentation.


What We See in the Field

A compromised workload inherits tags or IPs associated with another segment. Traffic is allowed because segmentation trusts metadata rather than identity.


Underlying Causes

Cloud drift
Metadata-based segmentation
Container lifecycle churn
Certificates reused
Segmentation unaware of workload identity


Trust-Native Network Resolution

DTL enforces segmentation using immutable identity. Segmentation rules evaluate TrustKeys instead of metadata, eliminating drift-based bypass.
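The following is an added illustration of the difference between the two approaches, not DTL's code: a segmentation rule keyed on tags and addresses is compared with one keyed on a stable workload identity (modelled here as a hypothetical key fingerprint standing in for a TrustKey), using a constructed scenario in which a compromised job lands on an address and tag that previously belonged to another segment.

```python
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Workload:
    name: str
    segment: str      # segment the workload legitimately belongs to
    ip: str           # mutable: released and reassigned on scale events
    tags: frozenset   # mutable: copied from templates, inherited on reschedule
    pubkey: bytes     # stable: key provisioned to the workload at enrollment


def identity_of(w: Workload) -> str:
    # Hypothetical stand-in for an immutable identity: fingerprint of the workload key.
    return hashlib.sha256(w.pubkey).hexdigest()[:16]


# Policy intent: only the payments segment may reach the payments database.
ALLOWED_TAG = "segment:payments"
ALLOWED_PREFIX = "10.1."


def metadata_policy(src: Workload) -> bool:
    """Rule evaluated on tags and address, i.e. on exactly the fields that drift."""
    return ALLOWED_TAG in src.tags or src.ip.startswith(ALLOWED_PREFIX)


def identity_policy(src: Workload, allowed_ids: set) -> bool:
    """Rule evaluated on the stable identity only; tags and IP are ignored."""
    return identity_of(src) in allowed_ids


def detect_drift(src: Workload, registry: dict) -> list:
    """Flag metadata that no longer matches what was bound to this identity at enrollment."""
    enrolled = registry.get(identity_of(src))
    if enrolled is None:
        return ["unknown identity"]
    findings = []
    if enrolled.ip != src.ip:
        findings.append(f"ip drift {enrolled.ip}->{src.ip}")
    if enrolled.tags != src.tags:
        findings.append("tag drift")
    return findings


def scenario() -> dict:
    # Constructed enrollment state: two workloads in two segments.
    payments = Workload("payments-api", "payments", "10.1.0.5", frozenset({"segment:payments"}), b"payments-key")
    batch = Workload("batch-job", "analytics", "10.2.0.9", frozenset({"segment:analytics"}), b"batch-key")
    allowed = {identity_of(payments)}
    registry = {identity_of(payments): payments, identity_of(batch): batch}
    # Churn: payments-api is rescheduled, its address is released, and the compromised
    # batch job is placed on that address and inherits the payments template tag.
    drifted = Workload(batch.name, batch.segment, "10.1.0.5", frozenset({"segment:payments"}), batch.pubkey)
    return {
        "metadata_allows": metadata_policy(drifted),        # True: drift-based bypass
        "identity_allows": identity_policy(drifted, allowed),  # False: key never enrolled for payments
        "drift": detect_drift(drifted, registry),           # what a monitor should raise
    }
```

The drift findings are the signal a defender can alert on independently of which policy model the enforcement point uses.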


Broken Trust Assumption

The attacks that exposed this failure pattern were not stealthy break-ins. They were trusted operations.

During incidents such as SolarWinds, Capital One, and Okta, malicious activity was carried out using valid identities and approved execution paths. Certificates were valid. Tokens were accepted. Sessions were authenticated. From the system’s point of view, nothing appeared wrong.

This is the risk of trust inferred from credentials, location, or prior authentication.