Failure Pattern
Firewalls rely on ports, IPs, and metadata. Attackers operate inside trusted ranges and bypass firewall logic entirely.
What We See in the Field
A compromised cloud workload sends malicious traffic on allowed ports. Firewalls see nothing wrong because the traffic matches expected patterns. East-west compromise continues unchecked.
Underlying Causes
Legacy firewalls assumptions
IP range-based trust
Port-based policies
Missing workload authentication
Blind acceptance of encrypted internal traffic
Trust-Native Network Resolution
DTL enforces identity before traffic reaches the firewall. Policies are evaluated based on TrustKeys rather than ports or IPs. Attackers cannot masquerade as trusted workloads.
Broken Trust Assumption
This failure pattern has played out repeatedly in real security incidents—not because of missing tools, but because of how trust is assigned.
In breaches such as SolarWinds, Capital One, Okta, and MOVEit, attackers did not bypass security controls. They operated through them, using valid identities, trusted credentials, signed code, and encrypted sessions. Security systems accepted these signals as proof of legitimacy, allowing malicious behavior to proceed.
The common thread across these incidents is structural: identity was assumed based on trust signals, not proven at the moment of execution.