Unused Secrets: The loaded guns in your infrastructure

Yuval Lazar, Head of Security Research


Picture an armory of weapons left loaded and unattended. They aren’t being watched, they aren’t being maintained, and no one intends to use them – but every one of them is ready to go off the moment someone picks them up. That’s what unused secrets represent in modern infrastructure: live credentials sitting like loaded guns, one careless moment or malicious hand away from pulling the trigger and starting the fire.

Our latest analysis reveals:

These aren’t harmless leftovers. They’re live rounds scattered across your environment. Each one expands the attack surface, each one drains resources, and each one invites the possibility of a breach.

Where Secrets Hide

The data shows Kubernetes sits at the center of the problem. Workloads overwhelmingly lean on environment variables, while vaults and secret managers are layered on top. Instead of solving the problem, this combination multiplies it: more systems, more secrets, more risk.

*The percentages do not add up to 100% because some secrets appear in more than one source.

The Hidden Cost of Unused Secrets

Unused and over-provisioned secrets don’t just sit idle – they actively create risk:

  • Expanded attack surface: A single forgotten credential can enable lateral movement.
  • Operational drag: Rotations, audits, and vault management consume precious cycles.
  • Visibility gaps: Teams know where secrets are stored, but rarely which ones are truly needed.
  • Compliance exposure: Audits become brittle when dormant secrets linger in the system.
  • Operational cost: Every secret stored in a secret manager carries a direct financial cost, multiplying with sprawl.
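The visibility gap above has a very concrete form in the Kubernetes environments the data points to: a Secret object, or a key inside one, that no Pod wires into an environment variable, volume or image pull. The script below is an added example, not Hush's code. It walks Pod specs and Secret objects in the shape `kubectl get secrets,pods -o json` returns, collects every way a Pod spec can consume a Secret (`valueFrom.secretKeyRef`, `envFrom.secretRef`, Secret volumes with and without an `items` filter, `imagePullSecrets`), and reports Secrets that nothing references plus keys that sit unused inside Secrets that are referenced. The Secret and Pod objects are constructed for the example and their values are placeholders.

```python
"""Flag Kubernetes Secrets (and keys inside them) that no Pod spec consumes.

Added example, not Hush's code. Input objects mirror the Kubernetes API shape
returned by `kubectl get secrets,pods -o json`; the ones below are constructed.
"""
from collections import defaultdict


def collect_secret_refs(pod):
    """Return (whole, keyed) for one Pod.

    whole: Secret names the Pod consumes entirely (envFrom, imagePullSecrets,
           Secret volumes without an `items` filter).
    keyed: Secret name -> set of individual keys the Pod pulls
           (env valueFrom.secretKeyRef, Secret volumes with `items`).
    """
    whole, keyed = set(), defaultdict(set)
    spec = pod.get("spec", {})
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        for env in container.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                keyed[ref["name"]].add(ref["key"])
        for source in container.get("envFrom", []):
            if "secretRef" in source:
                whole.add(source["secretRef"]["name"])
    for volume in spec.get("volumes", []):
        secret = volume.get("secret")
        if not secret:
            continue
        items = secret.get("items")
        if items:
            for item in items:
                keyed[secret["secretName"]].add(item["key"])
        else:
            whole.add(secret["secretName"])
    for pull_secret in spec.get("imagePullSecrets", []):
        whole.add(pull_secret["name"])
    return whole, keyed


def find_unused_secrets(secrets, pods):
    """Return (fully_unused_names, {secret_name: [unreferenced keys]})."""
    whole, keyed = set(), defaultdict(set)
    for pod in pods:
        pod_whole, pod_keyed = collect_secret_refs(pod)
        whole |= pod_whole
        for name, keys in pod_keyed.items():
            keyed[name] |= keys
    unused, partial = [], {}
    for secret in secrets:
        name = secret["metadata"]["name"]
        if name in whole:
            continue             # some Pod mounts or loads the whole Secret
        if name not in keyed:
            unused.append(name)  # no Pod references it at all
            continue
        keys = set(secret.get("data", {})) | set(secret.get("stringData", {}))
        leftover = sorted(keys - keyed[name])
        if leftover:
            partial[name] = leftover
    return sorted(unused), partial


# Constructed sample objects (values are placeholders, not real material).
SECRETS = [
    {"metadata": {"name": "db-creds"},
     "data": {"username": "...", "password": "...", "legacy-token": "..."}},
    {"metadata": {"name": "registry-pull"}, "data": {".dockerconfigjson": "..."}},
    {"metadata": {"name": "tls-cert"}, "data": {"tls.crt": "...", "tls.key": "..."}},
    {"metadata": {"name": "old-api-key"}, "data": {"key": "..."}},
]
PODS = [
    {"metadata": {"name": "api"}, "spec": {
        "containers": [{"name": "api", "env": [
            {"name": "DB_USER", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "username"}}},
            {"name": "DB_PASS", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}},
        ]}],
        "imagePullSecrets": [{"name": "registry-pull"}]}},
    {"metadata": {"name": "web"}, "spec": {
        "containers": [{"name": "web"}],
        "volumes": [{"name": "tls", "secret": {"secretName": "tls-cert",
                                               "items": [{"key": "tls.crt", "path": "cert.pem"}]}}]}},
]

if __name__ == "__main__":
    unused, partial = find_unused_secrets(SECRETS, PODS)
    print("Secrets no Pod references:", unused)
    print("Referenced Secrets with unused keys:", partial)
```

Treat the output as a review list rather than a delete list: the script only sees Pod specs, so Secrets consumed through ServiceAccounts, Ingress TLS fields, projected or CSI volumes, or controllers that read the API directly will show up as unused. The opposite blind spot is the one the post is about: a Secret referenced by a Pod that never actually starts or never opens the connection still counts as "used" here, which is exactly what only runtime observation can settle.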

Leaving secrets loaded but unused is like leaving weapons armed and unattended. It’s not a question of if they’ll be misused – it’s a matter of when.

Why Vaults Aren’t Enough

Vaults were designed to centralize storage, not solve usage. They give organizations a sense of control while secrets continue to multiply underneath. The problem isn’t where secrets live. The problem is that they exist at all.

As automation accelerates and workloads become more ephemeral, vault-based models simply cannot keep pace. Secret sprawl isn’t contained – it’s just relocated.

The Alternative: Secretless Access

At Hush, we believe the strongest protection is eliminating static secrets entirely. Our platform replaces them with dynamic, policy-driven access that delivers:

  • Just-in-time, least-privilege access – nothing over-provisioned, nothing idle.
  • No static secrets to steal, leak, or rotate.
  • Real-time visibility into actual workload-to-service interactions.
  • Adaptive IAM policies enforced at runtime, derived from observed behavior.

This isn’t incremental improvement. It’s a new foundation: secretless, identity-driven, and built for Zero Trust.

Closing the Gap

Secrets should enable, not endanger. Yet nearly half of them do nothing but weigh down security teams and expose organizations to risk.

With Hush, you can finally turn the page. Instead of managing more and more secrets, you can remove them from the equation altogether. The result: leaner, safer infrastructure where access is precise, dynamic, and invisible to attackers.

Because the only secure secret is the one that doesn’t exist.

Still Using Secrets?

Let's Fix That.

Get a Demo

Why Runtime Insight Is the Missing Piece in Certificate Management

Shmulik Ladkani, CTO and Co-Founder


As infrastructure becomes more automated and distributed, machine identities are now central to enterprise security.

Every container, API client, and AI agent needs to prove who it is, and certificates are essential for proving that identity. They’re used to encrypt traffic, authenticate services, and establish trust between machines.

Certificates are the core piece of your machine identity puzzle.

But they’re often treated as low-level plumbing: issued, deployed, and forgotten.

Without visibility into how they’re used, by whom, or whether they’re still associated with active services, certificates quietly become a risk, not a control.

The Hidden Risk of Certificate Sprawl

In today’s environments, certificates are issued constantly by cloud platforms, automation tools, CI/CD pipelines, and developers themselves. Most organizations are managing thousands of certificates across a hybrid infrastructure.

But few can answer basic questions like:

  • Where are all our certificates, and what services depend on them?
  • When do they expire?
  • Are they still needed, or orphaned by deleted resources?
  • Are they vulnerable to future quantum threats?

This leads to mounting risk:

  • Expired certs break production services without warning
  • Forgotten certs create shadow access paths
  • No central visibility means no one knows what’s trusted

What You Can’t See Can Hurt You

Traditional certificate tools only show surface-level metadata like issuance dates, expiration, and key size. They don’t reveal live usage or encryption health, which are essential to understanding real risk.

Here’s what they can’t tell you:

  • Is this cert actually being used?
  • What process or workload is using it?
  • Is that workload behaving as expected?
  • Was the cert copied and reused somewhere else?
  • Is it granting more access than it should?

Without runtime visibility, certificates become static and dangerous. They silently grant trust, but offer no way to verify whether that trust is still valid.

Runtime Intelligence Changes the Game

To manage certificates as living components of machine identity, you need to see them in action, not just at creation, but every time they’re used.
Runtime visibility introduces a new layer of intelligence into certificate management:

Live Usage Insight
See which identities are using which certificates, where, and how.

Real-Time Risk Detection
Surface anomalies like certificate misuse, unauthorized duplication, or expired certs still being provisioned.

Eliminate Ghost Certs
Identify and remove certificates that are no longer needed, reducing attack surface and complexity.

Post-Quantum Readiness & Compliance Validation
Continuously assess each certificate’s cryptographic strength against NIST post-quantum standards and enterprise compliance frameworks, ensuring your environment is future-proof and quantum-safe.

Auto-Remediation for Weak or Non-Compliant Certs
When risky, expired, or non–post-quantum-compliant certificates are detected, Hush automatically replaces them with secure, policy-aligned alternatives, no manual effort required.
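The difference between a metadata-only inventory and the runtime view described above comes down to one join: what the inventory knows about each certificate against what was actually presented in handshakes, by whom, and when. The script below is an added example, not Hush's product or code. It takes a constructed inventory (fingerprint, subject, expiry, the workload the certificate was issued to) and a constructed log of observed handshakes (timestamp, presenting workload, fingerprint), and derives the findings the post says static tools cannot produce: ghost certificates nothing presents, expired certificates still being served, certificates presented by a workload other than the one they were issued to, and presented certificates the inventory has never heard of. The field name `fp` and the `issued_to` attribute are this example's assumptions; in practice the fingerprint would be the SHA-256 of the DER certificate taken from handshake captures or mesh telemetry.

```python
"""Join a certificate inventory with runtime observations of certificate use.

Added example, not Hush's code. The inventory records what a static tool
knows (fingerprint, subject, expiry, the workload it was issued to); the
observation log records which workload actually presented which certificate
in a TLS handshake, and when. Both datasets are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # constructed "current time"

# Static inventory. "fp" stands in for the SHA-256 fingerprint of the DER cert.
INVENTORY = [
    {"fp": "sha256:aaa1", "subject": "api.internal",    "not_after": NOW + timedelta(days=90),  "issued_to": "api"},
    {"fp": "sha256:bbb2", "subject": "web.internal",    "not_after": NOW - timedelta(days=3),   "issued_to": "web"},
    {"fp": "sha256:ccc3", "subject": "batch.internal",  "not_after": NOW + timedelta(days=200), "issued_to": "batch"},
    {"fp": "sha256:ddd4", "subject": "legacy.internal", "not_after": NOW + timedelta(days=400), "issued_to": "legacy"},
]

# Runtime observations: one record per handshake in which a workload presented a cert.
OBSERVED = [
    {"ts": NOW - timedelta(minutes=5),  "workload": "api",     "fp": "sha256:aaa1"},
    {"ts": NOW - timedelta(minutes=2),  "workload": "web",     "fp": "sha256:bbb2"},  # expired, still served
    {"ts": NOW - timedelta(hours=1),    "workload": "batch",   "fp": "sha256:ccc3"},
    {"ts": NOW - timedelta(minutes=30), "workload": "scraper", "fp": "sha256:ccc3"},  # same cert, other workload
    {"ts": NOW - timedelta(minutes=1),  "workload": "api",     "fp": "sha256:eee5"},  # not in the inventory
]


def assess_certificates(inventory, observed, now, ghost_after=timedelta(days=30)):
    """Return a dict of findings a metadata-only inventory cannot produce."""
    last_seen = {}                 # fp -> most recent handshake timestamp
    presenters = defaultdict(set)  # fp -> every workload that presented it
    for record in observed:
        presenters[record["fp"]].add(record["workload"])
        if record["fp"] not in last_seen or record["ts"] > last_seen[record["fp"]]:
            last_seen[record["fp"]] = record["ts"]

    findings = {"ghost": [], "expired_in_use": [], "reused": {}, "unknown": []}
    for cert in inventory:
        fp = cert["fp"]
        seen = last_seen.get(fp)
        if seen is None or now - seen > ghost_after:
            findings["ghost"].append(fp)           # trusted, but nothing presents it
        elif cert["not_after"] < now:
            findings["expired_in_use"].append(fp)  # still in handshakes after expiry
        strangers = presenters.get(fp, set()) - {cert["issued_to"]}
        if strangers:
            findings["reused"][fp] = sorted(strangers)  # presented by a workload it was not issued to
    known = {cert["fp"] for cert in inventory}
    findings["unknown"] = sorted(fp for fp in presenters if fp not in known)
    return findings


if __name__ == "__main__":
    for kind, value in assess_certificates(INVENTORY, OBSERVED, NOW).items():
        print(f"{kind}: {value}")
```

Each finding maps to an action rather than a dashboard tile: a ghost certificate is a revocation and clean-up candidate, an expired certificate still in use is an outage or a client that has stopped validating, a certificate presented by a workload it was never issued to means the private key has been copied, and an unknown fingerprint means issuance is happening outside the inventory. The `ghost_after` window is a policy knob; a certificate used only by a monthly batch job needs a longer one than a certificate fronting a busy API.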

What This Enables

Bringing runtime context into certificate management unlocks:

  • Proactive prevention of outages and misconfigurations
  • Dramatically reduced operational burden for security and DevOps teams
  • Proactive certificate hygiene that reduces attack surface
  • Enforcement of least privilege, even for machine-to-machine trust
  • Continuous compliance with post-quantum readiness and modern security frameworks

It turns certificate management from a static checklist into a real-time risk management tool.

Rethinking Machine Identity Starts Here

Digital certificates validate the authenticity of a machine identity; they are its foundational layer.

Treating them as static is not enough.
Managing them in isolation, without understanding behavior, puts security and availability at risk.

By combining certificate inventory with runtime visibility, organizations can finally manage machine identities with the same rigor we apply to human users, and build a stronger, more scalable foundation for Zero Trust.

The future of machine trust is real-time, intelligent, and identity-first.
And it starts with making certificates visible, contextual, and controlled.
