Cloud Firewalls Fail Against Compromised Workloads

Dec 22, 2025

Failure Pattern

Cloud firewalls decide on IP ranges, ports, and IAM metadata, none of which change when the workload behind them is compromised. An attacker who takes over a workload inside a trusted range inherits every rule that range is allowed by, so the firewall is bypassed without a single rule being broken.

What We See in the Field

A compromised workload sends malicious traffic that the firewall treats as normal, because the source address, port, and role still match the allow rules. Rules written on the assumption that internal traffic is safe offer no resistance, so the attacker pivots laterally to other internal services without being challenged.

Underlying Causes

Metadata-driven firewalling
Static trust in internal IP ranges
IAM role confusion
Lack of workload identity verification
Encrypted traffic hiding malicious behavior

Trust-Native Network Resolution

DTL verifies workload identity before traffic reaches cloud firewalls, so the firewall can enforce on a verified identity rather than on metadata, stopping a compromised workload from acting as a trusted peer.
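
To make the failure pattern, the underlying causes, and the identity-based alternative concrete, here is an added example; it is not code from the original page and not DTL's implementation. It evaluates the same pivot flow (a compromised web frontend reaching a database) against a CIDR-based rule and against a rule bound to a verified workload identity. The addresses, service names, the HMAC-signed identity document, and the control-plane key are all constructed for this illustration; the HMAC stands in for a real mTLS certificate or SPIFFE SVID so the example stays standard-library only.

```python
"""Added illustration: an IP-range firewall rule versus an identity-bound rule.

Every address, service name, and key below is constructed for this example.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed control-plane key that signs workload identity documents.
# Stands in for a real certificate chain / SPIFFE SVID.
CONTROL_PLANE_KEY = b"constructed-control-plane-key"


def issue_identity(workload_id: str, ip: str) -> dict:
    """Constructed identity document binding a workload ID to its address."""
    payload = f"{workload_id}|{ip}".encode()
    tag = hmac.new(CONTROL_PLANE_KEY, payload, hashlib.sha256).hexdigest()
    return {"id": workload_id, "ip": ip, "tag": tag}


def verify_identity(doc: dict) -> Optional[str]:
    """Return the workload ID if the document's signature verifies, else None."""
    payload = f"{doc['id']}|{doc['ip']}".encode()
    expected = hmac.new(CONTROL_PLANE_KEY, payload, hashlib.sha256).hexdigest()
    return doc["id"] if hmac.compare_digest(expected, doc["tag"]) else None


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    identity: Optional[dict] = None  # presented by the sender; may be absent or forged


# Metadata-driven firewall: anything inside the VPC range may reach the database.
CIDR_RULES = [(ipaddress.ip_network("10.0.0.0/8"), "10.0.2.5", 5432)]


def cidr_firewall(flow: Flow) -> bool:
    """Allow if the source address falls in a trusted range for that destination."""
    src = ipaddress.ip_address(flow.src_ip)
    return any(src in net and flow.dst_ip == dst and flow.dst_port == port
               for net, dst, port in CIDR_RULES)


# Identity-bound policy: only the billing service may reach the database, and
# only when its identity document verifies and matches the source address.
IDENTITY_RULES = [("billing-service", "10.0.2.5", 5432)]


def identity_firewall(flow: Flow) -> bool:
    """Allow only on a verified identity that the policy permits for that destination."""
    if flow.identity is None:
        return False
    workload = verify_identity(flow.identity)
    if workload is None or flow.identity["ip"] != flow.src_ip:
        return False  # forged document, or a document replayed from another host
    return any(workload == wid and flow.dst_ip == dst and flow.dst_port == port
               for wid, dst, port in IDENTITY_RULES)


def evaluate_scenarios() -> dict:
    """Run the pivot scenario through both policies; returns {name: (cidr, identity)}."""
    billing = issue_identity("billing-service", "10.0.1.10")
    frontend = issue_identity("web-frontend", "10.0.1.23")  # the compromised host
    # Attacker on the frontend claims to be billing without the signing key.
    forged = {"id": "billing-service", "ip": "10.0.1.23", "tag": "00" * 32}

    scenarios = {
        "billing_to_db": Flow("10.0.1.10", "10.0.2.5", 5432, billing),
        "compromised_frontend_to_db": Flow("10.0.1.23", "10.0.2.5", 5432, frontend),
        "forged_identity_to_db": Flow("10.0.1.23", "10.0.2.5", 5432, forged),
        "replayed_billing_doc": Flow("10.0.1.23", "10.0.2.5", 5432, billing),
    }
    return {name: (cidr_firewall(f), identity_firewall(f)) for name, f in scenarios.items()}


if __name__ == "__main__":
    for name, (cidr_ok, ident_ok) in evaluate_scenarios().items():
        print(f"{name:28} cidr={'ALLOW' if cidr_ok else 'DENY':5} "
              f"identity={'ALLOW' if ident_ok else 'DENY'}")
```

The CIDR rule allows all four flows, including the three from the compromised frontend, which is the failure pattern above. The identity rule allows only the genuine billing flow: the frontend's own identity is valid but not permitted to reach the database, a forged document fails verification, and a billing document replayed from the frontend's address fails the binding check. The caveat a practitioner should keep in mind is that a compromised workload still holds its own identity and keeps whatever that identity is allowed; the gain is that its reach is limited to its own least-privilege scope instead of everything the subnet can reach.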

Broken Trust Assumption

The attacks that exposed this failure pattern were not stealthy break-ins. They were trusted operations.

During incidents such as SolarWinds, Capital One, and Okta, malicious activity was carried out using valid identities and approved execution paths. Certificates were valid. Tokens were accepted. Sessions were authenticated. From the system’s point of view, nothing appeared wrong.

This is the risk of trust inferred from credentials, location, or prior authentication.