Failure Pattern
Cloud event buses trust publishing workloads by metadata or IAM roles attackers can steal. Compromised systems publish malicious events that propagate rapidly.
What We See in the Field
A compromised workload publishes events that trigger downstream automations. The event bus accepts them because IAM roles are valid.
Underlying Causes
Overprivileged event publisher roles
No workload identity validation
Metadata-based trust
Automation systems trusting upstream events
Blind propagation of commands
Trust-Native Network Resolution
DTL requires events originate from workloads with valid TrustKeys. Attackers cannot publish events without proper identity validation.
Broken Trust Assumption
This failure pattern has played out repeatedly in real security incidents—not because of missing tools, but because of how trust is assigned.
In breaches such as SolarWinds, Capital One, Okta, and MOVEit, attackers did not bypass security controls. They operated through them, using valid identities, trusted credentials, signed code, and encrypted sessions. Security systems accepted these signals as proof of legitimacy, allowing malicious behavior to proceed.
The common thread across these incidents is structural: identity was assumed based on trust signals, not proven at the moment of execution.