Failure Pattern
Service meshes and container sidecars authenticate using certificates inherited from pods. Attackers compromise a pod and use the sidecar to spread through the mesh.
What We See in the Field
Traffic flows between compromised and legitimate workloads without resistance. Sidecars treat all pod-originated traffic as trusted. Identity confusion spreads rapidly.
Underlying Causes
Certificate inheritance
Pod-level identity
Overprivileged mesh permissions
Sidecar-based trust
No hardware-bound workload identity
Trust-Native Network Resolution
DTL verifies identity before traffic enters the mesh. Sidecars enforce trust at the workload level rather than the pod level. Impersonation becomes impossible.
Broken Trust Assumption
This failure pattern has played out repeatedly in real security incidents—not because of missing tools, but because of how trust is assigned.
In breaches such as SolarWinds, Capital One, Okta, and MOVEit, attackers did not bypass security controls. They operated through them, using valid identities, trusted credentials, signed code, and encrypted sessions. Security systems accepted these signals as proof of legitimacy, allowing malicious behavior to proceed.
The common thread across these incidents is structural: identity was assumed based on trust signals, not proven at the moment of execution.