Failure Pattern
Legacy routing decisions depend on IP addresses that move, drift, or get reused. Attackers exploit legacy routing blind spots to appear as trusted workloads.
What We See in the Field
A compromised system moves into an IP range associated with trusted traffic. Routing sends sensitive data to the attacker. Logs show legitimate IPs.
Underlying Causes
IP-based trust
VM mobility
NAT obscuring origin
Dynamic addressing
Routing unaware of true identity
Trust-Native Network Resolution
DTL adds trust metadata to routing decisions. Sessions cannot be routed unless originating from a workload with a verified identity. Routing becomes identity-aware.
Broken Trust Assumption
This failure pattern has played out repeatedly in real security incidents—not because of missing tools, but because of how trust is assigned.
In breaches such as SolarWinds, Capital One, Okta, and MOVEit, attackers did not bypass security controls. They operated through them, using valid identities, trusted credentials, signed code, and encrypted sessions. Security systems accepted these signals as proof of legitimacy, allowing malicious behavior to proceed.
The common thread across these incidents is structural: identity was assumed based on trust signals, not proven at the moment of execution.