Network Baselines Cannot Detect Attacker Movement

Dec 22, 2025

Failure Pattern

Network baselining tools rely on past behavior and metadata. Attackers mimic legitimate patterns to bypass detection.


What We See in the Field

Attackers run administrative-like commands that fit historical behavior patterns. Baselines classify the behavior as normal. Movement spreads undetected.


Underlying Causes

Behavioral similarity between admin and attacker
Metadata identical across systems
No identity fingerprinting
History-based detection models easy to evade
Dynamic cloud workloads invalidating baselines


Trust-Native Network Resolution

DTL requires identity on every session. Attackers cannot mimic trusted workloads because identity cannot be forged. Baselines become unnecessary when trust is enforced upfront.
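The contrast between the two models above, as an added illustration that is not DTL's own code: a history-based baseline built from constructed session records passes a session whose metadata and action match past admin activity, while a per-session identity proof (modelled here as an HMAC over the source and a session nonce, using a key only the real workload holds; the key store, nonce format and event fields are assumptions) rejects the same session because the proof does not verify.

```python
"""History-based baseline vs. per-session identity proof (constructed data)."""
from collections import Counter
import hashlib
import hmac

# Constructed history of admin sessions: (source, destination, action).
HISTORY = [
    ("jump-01", "db-02", "service-status"),
    ("jump-01", "db-02", "service-status"),
    ("jump-01", "web-03", "service-status"),
    ("jump-01", "db-02", "read-config"),
]

# Hypothetical per-workload signing keys. A real deployment would keep these
# in a hardware-backed store on the workload, never in a module constant.
WORKLOAD_KEYS = {"jump-01": b"constructed-key-for-jump-01"}


def build_baseline(history):
    """Count how often each (source, destination, action) tuple was seen."""
    return Counter(history)


def baseline_alerts(baseline, events):
    """History-based model: alert only on tuples never seen before."""
    return [e for e in events if baseline[e] == 0]


def sign_session(source, nonce, key):
    """Proof that the workload holding 'key' opened the session with 'nonce'."""
    return hmac.new(key, f"{source}:{nonce}".encode(), hashlib.sha256).hexdigest()


def identity_alerts(sessions):
    """Trust-first model: every session must carry a valid, nonce-bound proof."""
    bad = []
    for s in sessions:
        key = WORKLOAD_KEYS.get(s["source"])
        expected = sign_session(s["source"], s["nonce"], key) if key else ""
        if not key or not hmac.compare_digest(expected, s["proof"]):
            bad.append(s["event"])
    return bad


def demo():
    """Run both models over one genuine session and one mimicking session."""
    baseline = build_baseline(HISTORY)
    event = ("jump-01", "db-02", "service-status")  # historically normal tuple
    legit = {"source": "jump-01", "nonce": "n-1001", "event": event,
             "proof": sign_session("jump-01", "n-1001", WORKLOAD_KEYS["jump-01"])}
    # Same metadata and action, but no access to the workload key, so the
    # proof field is just a placeholder value.
    mimic = {"source": "jump-01", "nonce": "n-1002", "event": event, "proof": "0" * 64}
    sessions = [legit, mimic]
    return baseline_alerts(baseline, [s["event"] for s in sessions]), identity_alerts(sessions)
```

`demo()` returns an empty baseline alert list (both sessions look historically normal) and an identity alert list containing only the mimicking session's event.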


Broken Trust Assumption

This failure pattern has played out repeatedly in real security incidents—not because of missing tools, but because of how trust is assigned.

In breaches such as SolarWinds, Capital One, Okta, and MOVEit, attackers did not bypass security controls. They operated through them, using valid identities, trusted credentials, signed code, and encrypted sessions. Security systems accepted these signals as proof of legitimacy, allowing malicious behavior to proceed.

The common thread across these incidents is structural: identity was assumed based on trust signals, not proven at the moment of execution.