Failure Pattern
Cloud security groups depend on IP ranges, tags, or other attributes that drift. Attackers manipulate these attributes to bypass controls.
What We See in the Field
A compromised workload changes tags or inherits network placement from another node. Security groups allow traffic because attributes appear correct.
Underlying Causes
Metadata-based enforcement
Label drift in orchestrators
Workloads inheriting attributes on clone
No identity check before allowing access
Cloud APIs enabling metadata modification
Trust-Native Network Resolution
DTL ensures security decisions rely on cryptographic identity, not metadata. Attackers cannot bypass security groups by manipulating attributes.
Broken Trust Assumption
This failure pattern has played out repeatedly in real security incidents—not because of missing tools, but because of how trust is assigned.
In breaches such as SolarWinds, Capital One, Okta, and MOVEit, attackers did not bypass security controls. They operated through them, using valid identities, trusted credentials, signed code, and encrypted sessions. Security systems accepted these signals as proof of legitimacy, allowing malicious behavior to proceed.
The common thread across these incidents is structural: identity was assumed based on trust signals, not proven at the moment of execution.