Distributed Tracing Breaks Under Workload Identity Drift

Dec 22, 2025

Failure Pattern

Distributed tracing systems assume that the identity attached to a request stays the same across every hop of its lifecycle. When that identity drifts, an attacker holding a borrowed or inherited identity looks legitimate in the trace.


What We See in the Field

A compromised workload calls downstream services using an identity it inherited rather than one issued to it, such as a shared service account or a mounted token or certificate. Because the tracer attributes each hop to whatever credential the caller presents, the trace records the request as originating from the legitimate workload, not the compromised one. The attacker's hop is indistinguishable from normal traffic, so the attack path is invisible to anyone reading the trace.


Underlying Causes

Identity drift in orchestrators
Shared service accounts
Inherited certificates
Metadata reused across pods
No workload-level verification
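The following is an added example, not code from the original post and not DTL's implementation. It reproduces the misattribution described above in a few lines: a compromised pod ("orders-batch-job", a constructed name) calls downstream holding the shared service-account token of its team, and a tracer that infers the caller from that token records the hop as "orders-api". The hardened path stands in for workload-level verification with a per-workload HMAC key (hypothetical; in a real platform a per-workload certificate such as a SPIFFE SVID plays this role): each caller signs its own identity together with the trace id and parent span, and the receiver verifies the claim against the key registered for the claimed workload before recording it. All tokens, keys, trace ids and workload names are constructed for the example.

```python
"""Added example (not DTL's code): trace attribution from a shared token
versus a per-workload identity verified at each hop."""
import hashlib
import hmac
import json

# --- constructed fixture -----------------------------------------------------
# One shared service-account token for the whole "orders" team (the "shared
# service accounts" cause above); every pod on that team carries it.
SHARED_SA_TOKEN = "sa-orders-team-0001"               # constructed value
TOKEN_TO_WORKLOAD = {SHARED_SA_TOKEN: "orders-api"}  # what the naive tracer assumes

# Per-workload secrets, as if issued to each pod individually at start-up.
# Hypothetical values standing in for a workload attestation step.
WORKLOAD_KEYS = {
    "frontend": b"k-frontend",
    "orders-api": b"k-orders-api",
    "orders-batch-job": b"k-orders-batch",  # the pod we assume is compromised
}

TRACE_ID = "4bf92f3577b34da6a3ce929d0e0e4736"  # constructed W3C-style trace id


def naive_caller(headers: dict) -> str:
    """Failure mode: attribute the hop to whoever holds the bearer token."""
    return TOKEN_TO_WORKLOAD.get(headers.get("authorization"), "unknown")


def sign_hop(workload: str, key: bytes, trace_id: str, parent_span: str) -> dict:
    """Caller binds its own identity to this specific trace hop with its own key."""
    payload = json.dumps({"wl": workload, "trace": trace_id, "parent": parent_span},
                         sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"x-hop-identity": payload, "x-hop-mac": mac}


def verified_caller(headers: dict, trace_id: str, parent_span: str) -> str:
    """Receiver checks the claimed identity against the key registered for it.

    Returns the verified workload name, or "REJECTED" when the claim fails."""
    payload = headers.get("x-hop-identity")
    mac = headers.get("x-hop-mac")
    if not payload or not mac:
        return "REJECTED"
    claim = json.loads(payload)
    key = WORKLOAD_KEYS.get(claim.get("wl"))
    if key is None:
        return "REJECTED"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Bind the claim to this trace and parent span so a captured header cannot
    # be replayed on a different request.
    if (not hmac.compare_digest(expected, mac)
            or claim.get("trace") != trace_id
            or claim.get("parent") != parent_span):
        return "REJECTED"
    return claim["wl"]


def trace_compromised_hop() -> dict:
    """Simulate the compromised batch job calling the payments service.

    Returns what each attribution strategy records as the calling workload."""
    parent_span = "00f067aa0ba902b7"  # constructed span id of the caller
    # The attacker-controlled pod presents the shared token it inherited...
    headers = {"authorization": SHARED_SA_TOKEN}
    # ...and can sign a hop, but only with the key its own pod was issued.
    headers.update(sign_hop("orders-batch-job", WORKLOAD_KEYS["orders-batch-job"],
                            TRACE_ID, parent_span))
    result = {
        "naive": naive_caller(headers),                            # wrong pod
        "verified": verified_caller(headers, TRACE_ID, parent_span),  # true pod
    }
    # Attacker tries to claim the orders-api identity with the batch job's key.
    forged = dict(headers)
    forged.update(sign_hop("orders-api", WORKLOAD_KEYS["orders-batch-job"],
                           TRACE_ID, parent_span))
    result["verified_forged"] = verified_caller(forged, TRACE_ID, parent_span)
    return result


if __name__ == "__main__":
    print(trace_compromised_hop())
```

The naive path records "orders-api" for the compromised hop, which is exactly the wrong-workload attribution the field observation describes; the verified path records "orders-batch-job" and rejects the forged claim, so the span carries the identity that actually made the call. Binding the signature to the trace id and parent span is the check that keeps a captured hop header from being replayed into an unrelated trace.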


Trust-Native Network Resolution

DTL gives each workload an immutable identity anchor. Tracing then records the true identity of every workload in the request chain, not the credential it happened to present, which blocks impersonation through inherited identity.


Broken Trust Assumption

The attacks that exposed this failure pattern were not stealthy break-ins. They were trusted operations.

During incidents such as SolarWinds, Capital One, and Okta, malicious activity was carried out using valid identities and approved execution paths. Certificates were valid. Tokens were accepted. Sessions were authenticated. From the system’s point of view, nothing appeared wrong.

This is the risk of inferring trust from credentials, network location, or a prior authentication instead of from a verified identity of the workload itself.