A Legacy VPN Creates Flat Trust Zones Attackers Exploit

Dec 22, 2025

Failure Pattern

A legacy VPN can create flat trust zones that attackers exploit. Cloud and container architectures magnify the exposure.


What We See in the Field

A compromised endpoint joins the VPN and gains unrestricted access to internal workloads. The legacy VPN trusts the entire device and exposes the entire network.


Underlying Causes

Tunnel-based trust
No workload identity
Overprivileged access
Lack of segmentation
VPN designed for static networks


Trust-Native Network Resolution

DTL replaces VPN tunnels with per-workload trust sessions. Attackers cannot enter the network unless they possess a valid TrustKey tied to their device.
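As an added illustration (not DTL's code, and not a description of how TrustKey is actually implemented), the model below contrasts the two trust decisions: a tunnel that grants network-wide reachability once authenticated, versus a per-workload session that requires a device-bound proof of key possession plus an enrollment for that specific workload. The device names, workload names and the HMAC challenge scheme are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed enrollment table (illustrative, not DTL's real data model):
# each device holds a key and is enrolled for specific workloads only.
ENROLLED = {
    "laptop-finance-01": {"key": secrets.token_bytes(32), "workloads": {"payroll-api"}},
    "laptop-dev-07": {"key": secrets.token_bytes(32), "workloads": {"ci-runner", "git"}},
}
ALL_WORKLOADS = {"payroll-api", "ci-runner", "git", "customer-db"}


def flat_vpn_reachable(tunnel_up: bool) -> set:
    """Tunnel-based trust: once the tunnel is authenticated, every workload
    on the flat network is reachable, whatever the device is enrolled for."""
    return set(ALL_WORKLOADS) if tunnel_up else set()


def _proof(key: bytes, device_id: str, workload: str, challenge: bytes) -> bytes:
    """Device-bound proof of key possession for one workload session."""
    msg = b"|".join([device_id.encode(), workload.encode(), challenge])
    return hmac.new(key, msg, hashlib.sha256).digest()


def authorize_session(device_id: str, workload: str, challenge: bytes, proof: bytes) -> bool:
    """Per-workload trust session: the device must be enrolled for this
    workload and must answer the verifier's challenge with its own key."""
    entry = ENROLLED.get(device_id)
    if entry is None or workload not in entry["workloads"]:
        return False
    expected = _proof(entry["key"], device_id, workload, challenge)
    return hmac.compare_digest(expected, proof)


def per_workload_reachable(device_id: str, key: bytes) -> set:
    """Which workloads a device presenting `device_id` and holding `key` can open sessions to."""
    granted = set()
    for workload in ALL_WORKLOADS:
        challenge = secrets.token_bytes(16)  # verifier-chosen, so a captured proof cannot be replayed
        if authorize_session(device_id, workload, challenge, _proof(key, device_id, workload, challenge)):
            granted.add(workload)
    return granted


if __name__ == "__main__":
    # The same compromised finance laptop under both models.
    print("flat VPN:", sorted(flat_vpn_reachable(True)))
    print("per-workload:", sorted(per_workload_reachable("laptop-finance-01", ENROLLED["laptop-finance-01"]["key"])))
    # An unenrolled device with a guessed key opens no session at all.
    print("rogue device:", per_workload_reachable("rogue-box", secrets.token_bytes(32)))
```

The flat model returns all four workloads for any authenticated tunnel, while the per-workload model limits the finance laptop to payroll-api and refuses both an unenrolled device and an enrolled device identity presented with the wrong key.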


Broken Trust Assumption

The attacks that exposed this failure pattern were not stealthy break-ins. They were trusted operations.

During incidents such as SolarWinds, Capital One, and Okta, malicious activity was carried out using valid identities and approved execution paths. Certificates were valid. Tokens were accepted. Sessions were authenticated. From the system’s point of view, nothing appeared wrong.

This is the risk of trust inferred from credentials, location, or prior authentication.