Failure Pattern
Certificate rotation addresses long-term credential exposure but does not stop attackers from using stolen certificates during their valid window.
What We See in the Field
Attackers use valid certificates taken from compromised workloads. Rotation schedules do not revoke access immediately, so a stolen certificate keeps working until its scheduled rotation. Logs show trusted sessions because certificate validation passes.
Underlying Causes
Certificates not bound to hardware
Certificates reused across workloads
No device identity validation
Long certificate lifetimes
Compromised certificates remain valid until rotation
Trust-Native Network Resolution
DTL uses TrustKeys that cannot be transferred or cloned. Sessions require matching device identity and a valid TrustKey. Stolen or duplicated certificates cannot establish trust.
Broken Trust Assumption
The attacks that exposed this failure pattern were not stealthy break-ins. They were trusted operations.
During incidents such as SolarWinds, Capital One, and Okta, malicious activity was carried out using valid identities and approved execution paths. Certificates were valid. Tokens were accepted. Sessions were authenticated. From the system’s point of view, nothing appeared wrong.
This is the risk of trust inferred from credentials, location, or prior authentication.
