Failure Pattern
Legacy protocols like SMB, NFS, and LDAP trust network location, not workload identity. Attackers exploit protocol assumptions.
What We See in the Field
A compromised workload uses these protocols to access sensitive systems. The protocols trust the client because it appears internal.
Underlying Causes
Protocols designed without identity
Legacy authentication models
Network location-based trust
Outdated security assumptions
No per-session trust mechanism
Trust-Native Network Resolution
DTL wraps legacy protocols in trusted sessions. The underlying protocol becomes irrelevant because identity validation occurs before any communication.
Broken Trust Assumption
This failure pattern has played out repeatedly in real security incidents—not because of missing tools, but because of how trust is assigned.
In breaches such as SolarWinds, Capital One, Okta, and MOVEit, attackers did not bypass security controls. They operated through them, using valid identities, trusted credentials, signed code, and encrypted sessions. Security systems accepted these signals as proof of legitimacy, allowing malicious behavior to proceed.
The common thread across these incidents is structural: identity was assumed based on trust signals, not proven at the moment of execution.