Failure Pattern
Endpoint Detection & Response (EDR) detects malicious processes but does not verify the identity of the system sending traffic. Attackers weaponize trusted endpoints to conduct normal-looking operations.
What We See in the Field
A compromised workload runs allowed processes that connect to internal systems. EDR sees nothing suspicious. The attack spreads through trusted channels.
Underlying Causes
Process monitoring without identity validation
Endpoint trust based on agent presence
Stolen credentials reused on legitimate endpoints
Allowed processes abused for malicious intent
Network actions misattributed to trusted systems
Trust-Native Network Resolution
DTL ensures every network session originates from a validated workload identity. EDR becomes more effective because actions cannot be misattributed or passed off as trusted.
Broken Trust Assumption
This failure pattern has played out repeatedly in real security incidents—not because of missing tools, but because of how trust is assigned.
In breaches such as SolarWinds, Capital One, Okta, and MOVEit, attackers did not bypass security controls. They operated through them, using valid identities, trusted credentials, signed code, and encrypted sessions. Security systems accepted these signals as proof of legitimacy, allowing malicious behavior to proceed.
The common thread across these incidents is structural: identity was assumed based on trust signals, not proven at the moment of execution.