Failure Pattern
Service discovery registries broadcast service locations without verifying workload identity. Attackers weaponize this to plan lateral movement.
What We See in the Field
A compromised workload queries discovery endpoints and receives a full map of internal services. Attackers target vulnerable systems next.
Underlying Causes
Discovery endpoints trusting all clients
No identity validation for queries
Metadata provided universally
Lack of segmentation around discovery APIs
Architectural exposure from service enumeration
Trust-Native Network Resolution
DTL requires identity validation for discovery operations. Only trusted workloads can query or consume service location information.
Broken Trust Assumption
This failure pattern has played out repeatedly in real security incidents—not because of missing tools, but because of how trust is assigned.
In breaches such as SolarWinds, Capital One, Okta, and MOVEit, attackers did not bypass security controls. They operated through them, using valid identities, trusted credentials, signed code, and encrypted sessions. Security systems accepted these signals as proof of legitimacy, allowing malicious behavior to proceed.
The common thread across these incidents is structural: identity was assumed based on trust signals, not proven at the moment of execution.