Why Storm the Castle When You Already Hold the Keys to the Kingdom?

Yuval Lazar Head of Security Research

What the Salesloft and Gainsight Breaches Really Tell Us About NHI Risk

For years, enterprises have fortified their perimeter – hard MFA, hardened SaaS, locked-down identity layers. But in 2025, the weakest link isn’t the castle gate anymore. It’s the messenger walking through it with unquestioned trust.

In today’s ecosystem, that messenger is an integration with privileged access, and the recent Salesloft and Gainsight breaches exposed just how vulnerable that blind spot is. Attackers didn’t battle their way in – they entered as invited guests.

Security teams who understand this shift are already ahead of the rest of the industry.

The Pattern: Compromise the Integration, Skip the Hard Part

Salesloft to Salesforce

In August 2025, threat actor UNC6395 compromised OAuth and refresh tokens tied to the Drift integration.
Those tokens – trusted Non-Human Identities (NHIs) – opened direct, legitimate access to hundreds of Salesforce orgs.

Once inside, attackers didn’t stop at CRM data. They exfiltrated downstream secrets:

  • Snowflake tokens
  • Cloud access keys
  • Support-case content
  • Internal operational metadata

They bypassed MFA and stepped straight into authenticated privilege.

Gainsight to Salesforce

On November 21, just weeks later, Salesforce disclosed unusual activity tied to another integration – Gainsight.
Again: no Salesforce vulnerability, no platform exploit.

The door was opened by an integration holding elevated OAuth scopes – another NHI trusted by default. Salesforce’s statement was unambiguous: “No indication that this resulted from any vulnerability in the Salesforce platform.”

Salesforce revoked all active access and refresh tokens for the Gainsight apps and temporarily removed those apps from the AppExchange. New reporting suggests the Gainsight breach may have reused secrets taken from the Salesloft/Drift incident, indicating that attackers are chaining these breaches.

Google Threat Intelligence attributes the Gainsight breach to threat actors related to those behind the Salesloft incident (clusters such as UNC6240 / ShinyHunters).

The Shared Pattern: NHIs as High-Privilege Attack Vectors

Both breaches followed the same blueprint – and it’s one every modern defender must internalize:

  1. Compromise an integration token (NHI with broad scopes)
  2. Enter customer environments with full legitimacy
  3. Move laterally across connected systems
  4. Harvest embedded credentials and secrets
  5. Pivot into cloud infrastructure

This is large-scale, low-friction supply-chain compromise powered by unmonitored NHIs. Defenders who don’t see this pattern are operating blind.

What You Can Do Now – If You Want to Stay Ahead

1. Inventory premium-scope integrations

Map every integration, service account, and bot touching critical systems.
If you can’t see it, you can’t defend it.

2. Govern third-party integrations like first-class identities

Every vendor app is now part of your attack surface.
Demand audit logs, token controls, and operational transparency.

3. Scope and rotate all tokens / service accounts

Least privilege is not optional.
Long-lived tokens are liabilities – shorten them.
Broad scopes are risks – tighten them.

4. Formalize NHI-focused incident triage

If you find a compromised token:

  • Revoke instantly
  • Rotate downstream secrets
  • Block or delete the previous versions
  • Trace every integration that touched that token
  • Assess which downstream identities could be abused
  • Model possible lateral movement paths
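Steps 1, 3 and 4 above can be scripted. The Go program below is an added example for this post, not Hush's product code: it scores a constructed inventory of integrations against thresholds for broad scopes, token age and idle time, then walks a constructed reachability graph (integration to system, system to the secrets stored there, secret to the next system) to produce the revoke-and-rotate list for one compromised token. Integration names, scope names, thresholds and edges are all invented for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Integration is one non-human identity (OAuth app, bot or service account)
// and the token it holds. The field names are this example's own.
type Integration struct {
	Name     string
	Scopes   []string
	IssuedAt time.Time
	LastUsed time.Time
	Reaches  []string // systems the token can touch directly
}

// Review thresholds (constructed; tune them to your environment).
const (
	maxTokenAge = 90 * 24 * time.Hour
	maxIdle     = 30 * 24 * time.Hour
)

// broadScopes are the scope names this example treats as "premium".
var broadScopes = map[string]bool{"full": true, "refresh_token": true}

// Findings lists why an integration needs attention as of now.
func Findings(i Integration, now time.Time) []string {
	var out []string
	for _, s := range i.Scopes {
		if broadScopes[s] {
			out = append(out, "broad scope "+s)
		}
	}
	if now.Sub(i.IssuedAt) > maxTokenAge {
		out = append(out, "token older than 90 days")
	}
	if now.Sub(i.LastUsed) > maxIdle {
		out = append(out, "token idle for 30+ days")
	}
	return out
}

// BlastRadius walks the reachability graph breadth-first from a compromised
// integration (integration -> system -> secret stored there -> next system)
// and returns everything that could be abused through it, sorted.
func BlastRadius(start string, inv map[string]Integration, edges map[string][]string) []string {
	seen := map[string]bool{start: true}
	queue := []string{start}
	var reached []string
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		next := append([]string{}, edges[cur]...)
		if i, ok := inv[cur]; ok {
			next = append(next, i.Reaches...)
		}
		for _, n := range next {
			if !seen[n] {
				seen[n] = true
				reached = append(reached, n)
				queue = append(queue, n)
			}
		}
	}
	sort.Strings(reached)
	return reached
}

// SampleInventory is constructed data: a chat-to-CRM connector with broad
// scopes and a stale token, an analytics connector, and a narrowly scoped bot.
func SampleInventory(now time.Time) map[string]Integration {
	day := 24 * time.Hour
	return map[string]Integration{
		"chat-connector": {Name: "chat-connector", Scopes: []string{"full", "refresh_token"},
			IssuedAt: now.Add(-400 * day), LastUsed: now.Add(-45 * day), Reaches: []string{"crm"}},
		"analytics-connector": {Name: "analytics-connector", Scopes: []string{"api", "refresh_token"},
			IssuedAt: now.Add(-20 * day), LastUsed: now.Add(-day), Reaches: []string{"crm", "warehouse"}},
		"notify-bot": {Name: "notify-bot", Scopes: []string{"chatter:post"},
			IssuedAt: now.Add(-10 * day), LastUsed: now, Reaches: []string{"chat"}},
	}
}

// SampleEdges are constructed: secrets found inside a system lead onward.
var SampleEdges = map[string][]string{
	"crm":              {"warehouse-token", "cloud-access-key"},
	"warehouse-token":  {"warehouse"},
	"cloud-access-key": {"cloud-account"},
}

func main() {
	now := time.Date(2025, 11, 21, 0, 0, 0, 0, time.UTC)
	inv := SampleInventory(now)
	for _, n := range []string{"chat-connector", "analytics-connector", "notify-bot"} {
		fmt.Printf("%-20s %s\n", n, strings.Join(Findings(inv[n], now), "; "))
	}
	fmt.Println("if chat-connector is compromised, revoke or rotate:",
		strings.Join(BlastRadius("chat-connector", inv, SampleEdges), ", "))
}
```

The edges are the part you must supply from evidence: which secrets each integrated system stores and where those secrets reach. Without that graph the triage stops at the first hop, which is exactly where the two breaches above did not stop.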

Teams who do this well are the ones who stop incidents early – before attackers reach the crown jewels.

The Bottom Line

Sophisticated attackers no longer storm the castle.
They compromise the trusted identity already carrying the master key – the integration, the bot, the token, the NHI.

Security teams that want to lead, not react, must elevate NHI security to the same level as human identity.
Because in 2025, the kingdom doesn’t fall through the gate – it falls through the integration.

Still Using Secrets?

Let's Fix That.

Get a Demo

Unused Secrets: The loaded guns in your infrastructure

Yuval Lazar Head of Security Research

Picture an armory of weapons left loaded and unattended. They aren’t being watched, they aren’t being maintained, and no one intends to use them – but every one of them is ready to go off the moment someone picks them up. That’s what unused secrets represent in modern infrastructure: live credentials sitting like loaded guns, one careless moment or malicious hand away from pulling the trigger and starting the fire.

Our latest analysis reveals:

These aren’t harmless leftovers. They’re live rounds scattered across your environment. Each one expands the attack surface, each one drains resources, and each one invites the possibility of a breach.

Where Secrets Hide

The data shows Kubernetes sits at the center of the problem. Workloads overwhelmingly lean on environment variables, while vaults and secret managers are layered on top. Instead of solving the problem, this combination multiplies it: more systems, more secrets, more risk.

*The numbers do not add up to 100% because there is duplication between the sources.

The Hidden Cost of Unused Secrets

Unused and over-provisioned secrets don’t just sit idle – they actively create risk:

  • Expanded attack surface: A single forgotten credential can enable lateral movement.
  • Operational drag: Rotations, audits, and vault management consume precious cycles.
  • Visibility gaps: Teams know where secrets are stored, but rarely which ones are truly needed.
  • Compliance exposure: Audits become brittle when dormant secrets linger in the system.
  • Operational cost: Every secret stored in a secret manager carries a direct financial cost, multiplying with sprawl.

Leaving secrets loaded but unused is like leaving weapons armed and unattended. It’s not a question of if they’ll be misused – it’s a matter of when.
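The leftovers are findable. The Go program below is an added example, not Hush's analysis tooling, for the Kubernetes case described above: it reads the JSON that `kubectl get secrets -o json` and `kubectl get pods -o json` produce, collects every Secret a pod actually mounts or injects (env, envFrom, secret volumes, imagePullSecrets, init containers included) and lists the Secrets nothing references. The sample objects are constructed and embedded in the file; the secret and pod names are invented.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Only the slices of the Secret and Pod schemas this audit reads; json.Unmarshal ignores the rest.
type named struct{ Name string `json:"name"` }
type envVar struct {
	ValueFrom *struct{ SecretKeyRef *named `json:"secretKeyRef"` } `json:"valueFrom"`
}
type container struct {
	Env     []envVar                                  `json:"env"`
	EnvFrom []struct{ SecretRef *named `json:"secretRef"` } `json:"envFrom"`
}
type pod struct {
	Spec struct {
		Containers       []container `json:"containers"`
		InitContainers   []container `json:"initContainers"`
		Volumes          []struct{ Secret *struct{ SecretName string `json:"secretName"` } `json:"secret"` } `json:"volumes"`
		ImagePullSecrets []named `json:"imagePullSecrets"`
	} `json:"spec"`
}
type secretItem struct {
	Metadata named  `json:"metadata"`
	Type     string `json:"type"`
}

// ReferencedSecrets returns every Secret a pod consumes through env, envFrom,
// secret volumes or imagePullSecrets, init containers included.
func ReferencedSecrets(p pod) map[string]bool {
	refs := map[string]bool{}
	for _, c := range append(p.Spec.Containers, p.Spec.InitContainers...) {
		for _, e := range c.Env {
			if e.ValueFrom != nil && e.ValueFrom.SecretKeyRef != nil {
				refs[e.ValueFrom.SecretKeyRef.Name] = true
			}
		}
		for _, ef := range c.EnvFrom {
			if ef.SecretRef != nil {
				refs[ef.SecretRef.Name] = true
			}
		}
	}
	for _, v := range p.Spec.Volumes {
		if v.Secret != nil {
			refs[v.Secret.SecretName] = true
		}
	}
	for _, s := range p.Spec.ImagePullSecrets {
		refs[s.Name] = true
	}
	return refs
}

// UnusedSecrets takes the List JSON of `kubectl get secrets -o json` and
// `kubectl get pods -o json` for one namespace and returns the Secrets no running
// pod references, sorted. Service-account token secrets are skipped: the control
// plane, not a pod spec, owns them.
func UnusedSecrets(secretsJSON, podsJSON []byte) ([]string, error) {
	var secrets struct{ Items []secretItem `json:"items"` }
	var pods struct{ Items []pod `json:"items"` }
	if err := json.Unmarshal(secretsJSON, &secrets); err != nil {
		return nil, err
	}
	if err := json.Unmarshal(podsJSON, &pods); err != nil {
		return nil, err
	}
	used := map[string]bool{}
	for _, p := range pods.Items {
		for name := range ReferencedSecrets(p) {
			used[name] = true
		}
	}
	var unused []string
	for _, s := range secrets.Items {
		if s.Type != "kubernetes.io/service-account-token" && !used[s.Metadata.Name] {
			unused = append(unused, s.Metadata.Name)
		}
	}
	sort.Strings(unused)
	return unused, nil
}

// Constructed sample data in the shape kubectl emits: seven Secrets, two pods.
var SampleSecrets = []byte(`{"items":[
 {"metadata":{"name":"db-creds"},"type":"Opaque"},{"metadata":{"name":"app-config"},"type":"Opaque"},
 {"metadata":{"name":"tls-cert"},"type":"kubernetes.io/tls"},{"metadata":{"name":"registry-pull"},"type":"kubernetes.io/dockerconfigjson"},
 {"metadata":{"name":"old-api-key"},"type":"Opaque"},{"metadata":{"name":"legacy-db"},"type":"Opaque"},
 {"metadata":{"name":"default-token-abc12"},"type":"kubernetes.io/service-account-token"}]}`)

var SamplePods = []byte(`{"items":[
 {"metadata":{"name":"api"},"spec":{
  "containers":[{"env":[{"name":"DB_PASS","valueFrom":{"secretKeyRef":{"name":"db-creds","key":"password"}}}],
                 "envFrom":[{"secretRef":{"name":"app-config"}}]}],
  "volumes":[{"name":"tls","secret":{"secretName":"tls-cert"}}],
  "imagePullSecrets":[{"name":"registry-pull"}]}},
 {"metadata":{"name":"worker"},"spec":{
  "initContainers":[{"env":[{"name":"DB_PASS","valueFrom":{"secretKeyRef":{"name":"db-creds","key":"password"}}}]}],
  "containers":[{"env":[{"name":"MODE","value":"batch"}]}]}}]}`)

func main() {
	fmt.Println(UnusedSecrets(SampleSecrets, SamplePods)) // prints [legacy-db old-api-key] <nil>
}
```

Treat the output as review candidates, not a delete list: a Secret can be read by a controller through the API, by a CronJob whose pod is not running right now, or by an operator that copies it into another system, and none of that appears in a pod spec. Confirm with API-server audit logs (the `get` and `list` verbs on that Secret) before removing anything.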

Why Vaults Aren’t Enough

Vaults were designed to centralize storage, not solve usage. They give organizations a sense of control while secrets continue to multiply underneath. The problem isn’t where secrets live. The problem is that they exist at all.

As automation accelerates and workloads become more ephemeral, vault-based models simply cannot keep pace. Secret sprawl isn’t contained – it’s just relocated.

The Alternative: Secretless Access

At Hush, we believe the strongest protection is eliminating static secrets entirely. Our platform replaces them with dynamic, policy-driven access that delivers:

  • Just-in-time, least-privilege access – nothing over-provisioned, nothing idle.
  • No static secrets to steal, leak, or rotate.
  • Real-time visibility into actual workload-to-service interactions.
  • Adaptive IAM policies enforced at runtime, derived from observed behavior.

This isn’t incremental improvement. It’s a new foundation: secretless, identity-driven, and built for Zero Trust.

Closing the Gap

Secrets should enable, not endanger. Yet nearly half of them do nothing but weigh down security teams and expose organizations to risk.

With Hush, you can finally turn the page. Instead of managing more and more secrets, you can remove them from the equation altogether. The result: leaner, safer infrastructure where access is precise, dynamic, and invisible to attackers.

Because the only secure secret is the one that doesn’t exist.


Why Runtime Insight Is the Missing Piece in Certificate Management

Shmulik Ladkani CTO and Co-Founder

As infrastructure becomes more automated and distributed, machine identities are now central to enterprise security.

Every container, API client, and AI agent needs to prove who it is, and certificates are essential for proving that identity. They're used to encrypt traffic, authenticate services, and establish trust between machines.

Certificates are the core piece of your machine identity puzzle.

But they’re often treated as low-level plumbing: issued, deployed, and forgotten.

Without visibility into how they’re used, by whom, or whether they’re still associated with active services, certificates quietly become a risk, not a control.

The Hidden Risk of Certificate Sprawl

In today’s environments, certificates are issued constantly by cloud platforms, automation tools, CI/CD pipelines, and developers themselves. Most organizations are managing thousands of certificates across a hybrid infrastructure.

But few can answer basic questions like:

  • Where are all our certificates, and what services depend on them?
  • When do they expire?
  • Are they still needed, or orphaned by deleted resources?
  • Are they vulnerable to future quantum threats?

This leads to mounting risk:

  • Expired certs break production services without warning
  • Forgotten certs create shadow access paths
  • No central visibility means no one knows what’s trusted

What You Can’t See Can Hurt You

Traditional certificate tools only show surface-level metadata like issuance dates, expiration, and key size. They don’t reveal live usage or encryption health, which are essential to understanding real risk.

Here’s what they can’t tell you:

  • Is this cert actually being used?
  • What process or workload is using it?
  • Is that workload behaving as expected?
  • Was the cert copied and reused somewhere else?
  • Is it granting more access than it should?

Without runtime visibility, certificates become static and dangerous. They silently grant trust, but offer no way to verify whether that trust is still valid.
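One way to answer the questions in both lists above from the certificates themselves plus a runtime usage feed, as an added Go example that is not Hush's product code: it builds a constructed fleet of four self-signed certificates (one weak RSA-1024 key, one expiring within 30 days, one already expired, one healthy), takes the set of SHA-256 fingerprints a runtime sensor or TLS probe reported as actually in use (here constructed), and produces a per-certificate report covering expiry, key strength, post-quantum status and whether the certificate is a ghost. Hostnames and validity periods are invented.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Report is the runtime-aware health view of one certificate.
type Report struct {
	Subject      string
	Fingerprint  string // hex SHA-256 of the DER encoding
	Expired      bool
	ExpiringSoon bool // NotAfter within 30 days
	WeakKey      bool // RSA below 2048 bits
	PQSafe       bool // false for every RSA, ECDSA or EdDSA certificate
	InUse        bool // fingerprint reported by a runtime sensor or TLS probe
}

// Fingerprint is the value matched against what runtime observed.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Assess joins static metadata (expiry, key strength, algorithm family)
// with the set of fingerprints actually seen in use.
func Assess(c *x509.Certificate, now time.Time, inUse map[string]bool) Report {
	r := Report{Subject: c.Subject.CommonName, Fingerprint: Fingerprint(c)}
	r.Expired = now.After(c.NotAfter)
	r.ExpiringSoon = !r.Expired && c.NotAfter.Sub(now) < 30*24*time.Hour
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok {
		r.WeakKey = pub.N.BitLen() < 2048
	}
	// No classical algorithm resists a large quantum computer; NIST's PQ
	// signature standards are ML-DSA (FIPS 204) and SLH-DSA (FIPS 205).
	r.PQSafe = false
	r.InUse = inUse[r.Fingerprint]
	return r
}

// NeedsAction is true when the certificate should be rotated, replaced or removed.
func NeedsAction(r Report) bool {
	return r.Expired || r.ExpiringSoon || r.WeakKey || !r.InUse
}

// selfSigned builds one self-signed certificate for the constructed fleet.
func selfSigned(cn string, key crypto.Signer, notAfter time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// SampleFleet is constructed: four certificates plus the runtime-observed
// fingerprints of the two that are actually serving traffic.
func SampleFleet(now time.Time) ([]*x509.Certificate, map[string]bool) {
	day := 24 * time.Hour
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 1024)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	_, edKey, _ := ed25519.GenerateKey(rand.Reader)
	certs := []*x509.Certificate{
		selfSigned("legacy.internal", rsaKey, now.Add(200*day)), // weak key, in use
		selfSigned("api.internal", ecKey, now.Add(10*day)),      // expiring soon, in use
		selfSigned("old-job.internal", edKey, now.Add(-5*day)),  // expired ghost
		selfSigned("batch.internal", ecKey, now.Add(300*day)),   // healthy but unused
	}
	inUse := map[string]bool{Fingerprint(certs[0]): true, Fingerprint(certs[1]): true}
	return certs, inUse
}

func main() {
	now := time.Now()
	certs, inUse := SampleFleet(now)
	for _, c := range certs {
		r := Assess(c, now, inUse)
		fmt.Printf("%-17s expired=%-5v soon=%-5v weak=%-5v pqSafe=%-5v inUse=%-5v action=%v\n",
			r.Subject, r.Expired, r.ExpiringSoon, r.WeakKey, r.PQSafe, r.InUse, NeedsAction(r))
	}
}
```

The post-quantum column is deliberately false for every certificate: RSA, ECDSA and EdDSA all fall to a large quantum computer, and NIST's post-quantum signature standards (ML-DSA in FIPS 204, SLH-DSA in FIPS 205) are not yet issued by mainstream CAs or, at the time of writing, parsed by Go's crypto/x509. "Quantum-safe" today therefore means an inventory that can tell you which certificates will need replacing, not certificates that already are.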

Runtime Intelligence Changes the Game

To manage certificates as living components of machine identity, you need to see them in action, not just at creation, but every time they’re used.
Runtime visibility introduces a new layer of intelligence into certificate management:

Live Usage Insight
See which identities are using which certificates, where, and how.

Real-Time Risk Detection
Surface anomalies like certificate misuse, unauthorized duplication, or expired certs still being provisioned.

Eliminate Ghost Certs
Identify and remove certificates that are no longer needed, reducing attack surface and complexity.

Post-Quantum Readiness & Compliance Validation
Continuously assess each certificate’s cryptographic strength against NIST post-quantum standards and enterprise compliance frameworks, ensuring your environment is future-proof and quantum-safe.

Auto-Remediation for Weak or Non-Compliant Certs
When risky, expired, or non–post-quantum-compliant certificates are detected, Hush automatically replaces them with secure, policy-aligned alternatives, no manual effort required.

What This Enables

Bringing runtime context into certificate management unlocks:

  • Proactive prevention of outages and misconfigurations
  • Dramatically reduced operational burden for security and DevOps teams
  • Proactive certificate hygiene that reduces attack surface
  • Enforcement of least privilege, even for machine-to-machine trust
  • Continuous compliance with post-quantum readiness and modern security frameworks

It turns certificate management from a static checklist into a real-time risk management tool.

Rethinking Machine Identity Starts Here

Digital certificates validate the authenticity of a machine's identity; they are the foundational layer of machine identity.

Treating them as static is not enough.
Managing them in isolation, without understanding behavior, puts security and availability at risk.

By combining certificate inventory with runtime visibility, organizations can finally manage machine identities with the same rigor we apply to human users, and build a stronger, more scalable foundation for Zero Trust.

The future of machine trust is real-time, intelligent, and identity-first.
And it starts with making certificates visible, contextual, and controlled.


Vaults Are Done. This Train Has Left the Station.

Micha Rave CEO and Co-Founder

When my co-founders and I started Hush Security, one thing was painfully clear: the way companies manage secrets is broken for today’s world. Vaults and secret managers solved yesterday’s problem, storing static secrets for predictable, human-driven systems.

But today’s environments are anything but predictable. Cloud-native architectures, microservices, ephemeral workloads, CI/CD pipelines, and now agentic AI have turned machine-to-machine communication into a fast, dynamic, and complex mesh. In this reality, static secrets aren’t just outdated, they’re a liability.

Having worked together for the past decade driving product innovation in cloud security, Shmulik Ladkani, Chen Nisnkorn, Alon Horowitz, and I decided it was time to disrupt the machine-to-machine access space. Instead of building more secret scanners, we founded Hush Security to deliver technology that empowers security and operations teams to completely rethink how they manage machine access, replacing outdated approaches of secrets and vaults with a solution built for today’s scale, speed, and complexity.

Why Vaults Are Failing

Vaults were built for an era when environments were static and identities were few. A secret could be created, stored in the vault, rotated occasionally, and remain valid for months, or even years. That worked when you had monolithic apps, running on-prem and mostly talking to each other in a walled garden.

Today, environments change by the second. Containers spin up and down in milliseconds, and they talk to SaaS and to services, both internal and external, across the internet. Developers deploy dozens of changes daily. AI agents execute workflows we didn't anticipate. In this world:

  • Secrets sprawl across pipelines, repos, and multiple vaults (“vault sprawl”).
  • Long-lived, static credentials outlast the workloads they’re tied to.
  • Human processes and labor can’t keep up with modern machine access needs.

The result? An operational mess for DevOps, blind spots for security, and a wide fertile attack surface for adversaries.

Breaches prove the point. In one of many identity-related attacks, back in 2022, Uber had privileged access management (PAM) in place and strong security measures, yet attackers still gained full access after finding a hardcoded vault admin password in a script. A single leaked credential unraveled everything. In a recent breach involving Salesloft Drift, hundreds of OAuth tokens were exfiltrated and abused, compromising 700 tech companies.

Vaults can store secrets securely, but they can’t stop secrets from leaking, being reused, forgotten or being abused.

Agentic AI Makes It Worse

Agentic AI, meaning autonomous agents that carry out business workflows and connect programmatically on behalf of users and applications, often without governance or oversight, magnifies the problem. These agents make real-time decisions: querying databases, deploying services, calling APIs.

Traditional secret provisioning workflows fail here because:

  • Excessive secret sprawl – agents and MCPs require lots of access, extending the risk and the attack surface.
  • Vibe coding and Shadow AI – secrets are embedded in code, unsupervised and unmanaged.
  • Principle of least privilege breaks – giving AI broad, long-lived access is a security nightmare.

The result? Either AI agents are blocked from doing their jobs, or they're given wide-privilege tokens that violate the Zero Trust approach. Neither is acceptable. And with AI agents exploding in number, along with the number of exposed and abused secrets, the status quo isn't acceptable either.

It’s time for something new.

The Shift: From Vaults to Secretless Access

Managing secrets better isn't enough, and neither is building "better" vaults. We need to stop chasing static secrets altogether and rethink the access model.

If you think about it, this challenge has already been solved in a closely related domain: the human workforce identity. Vendors have spent decades refining solutions for managing human access. Just look at SSO, IGA, and PAM. These technologies proved that structured, scalable identity management can work. The question is, why not apply the same proven approach to an even bigger problem, machine access?

At Hush Security, we built a secretless, policy-based access model. In this model, a service or AI agent proves its identity and gets exactly the access it needs, for exactly the time it needs it; otherwise it has no key or token to save, use, rotate, or leak.

The Future of Machine-to-Machine Communication

This is the next phase of zero trust for machines. Instead of static secrets, machines will authenticate with cryptographic identity and dynamic trust, using modern concepts like:

  • Zero Trust & Least Privilege Access – machines only get the minimum access they need to perform their tasks. This limits the blast radius if an account is compromised.
  • SPIFFE/SPIRE – Industry-backed workload identity frameworks for dynamic, crypto-based authentication.
  • Workload Identity Federation – policy-driven trust relationships across clouds, SaaS and hybrid environments.
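What "proves its identity and gets exactly the access it needs, for exactly the time it needs it" looks like at the policy layer, as an added Go example rather than Hush's implementation: a strict parser for SPIFFE IDs (the identity format SPIFFE/SPIRE workloads present in their SVIDs), a constructed rule set that grants access by segment-aligned SPIFFE ID prefix, and a time-bounded grant with no token to persist. The trust domain, namespaces, service names and TTLs are invented; in a real deployment the source ID would be the URI SAN of the SVID on the mTLS connection, already verified against the trust bundle before this code runs.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// SPIFFEID is a parsed spiffe://<trust-domain>/<path> identifier.
type SPIFFEID struct {
	TrustDomain string
	Path        string // "" for the trust domain itself, else starts with "/"
}

func (id SPIFFEID) String() string { return "spiffe://" + id.TrustDomain + id.Path }

// ParseSPIFFEID enforces the SPIFFE ID standard's rules: scheme "spiffe",
// a non-empty trust domain limited to [a-z0-9._-], and path segments that
// are non-empty, not "." or "..", and limited to [A-Za-z0-9._-].
func ParseSPIFFEID(s string) (SPIFFEID, error) {
	const scheme = "spiffe://"
	if !strings.HasPrefix(s, scheme) {
		return SPIFFEID{}, errors.New("scheme must be spiffe://")
	}
	td, path, hasPath := strings.Cut(s[len(scheme):], "/")
	if td == "" {
		return SPIFFEID{}, errors.New("empty trust domain")
	}
	for _, ch := range td {
		if !(ch >= 'a' && ch <= 'z' || ch >= '0' && ch <= '9' || ch == '.' || ch == '-' || ch == '_') {
			return SPIFFEID{}, fmt.Errorf("invalid trust domain character %q", ch)
		}
	}
	if !hasPath {
		return SPIFFEID{TrustDomain: td}, nil
	}
	for _, seg := range strings.Split(path, "/") {
		if seg == "" || seg == "." || seg == ".." {
			return SPIFFEID{}, fmt.Errorf("invalid path segment %q", seg)
		}
		for _, ch := range seg {
			if !(ch >= 'a' && ch <= 'z' || ch >= 'A' && ch <= 'Z' || ch >= '0' && ch <= '9' || ch == '.' || ch == '-' || ch == '_') {
				return SPIFFEID{}, fmt.Errorf("invalid path character %q", ch)
			}
		}
	}
	return SPIFFEID{TrustDomain: td, Path: "/" + path}, nil
}

// Rule allows workloads under a SPIFFE ID prefix (matched on whole path
// segments) to reach one target for a bounded time. Constructed for this example.
type Rule struct {
	SourcePrefix string
	Target       string
	TTL          time.Duration
}

// Grant is the just-in-time decision handed to the caller: nothing to store
// or rotate, only an expiry to honour.
type Grant struct {
	Source, Target string
	ExpiresAt      time.Time
}

func (g Grant) Valid(now time.Time) bool { return now.Before(g.ExpiresAt) }

// Authorize takes the SPIFFE ID the workload proved (in practice the URI SAN of
// its SVID on an mTLS connection), rejects malformed IDs before consulting any
// rule, and returns a time-bounded grant when a rule matches.
func Authorize(rules []Rule, source, target string, now time.Time) (Grant, error) {
	id, err := ParseSPIFFEID(source)
	if err != nil {
		return Grant{}, fmt.Errorf("reject %q: %w", source, err)
	}
	full := id.String()
	for _, r := range rules {
		if r.Target == target && (full == r.SourcePrefix || strings.HasPrefix(full, r.SourcePrefix+"/")) {
			return Grant{Source: full, Target: target, ExpiresAt: now.Add(r.TTL)}, nil
		}
	}
	return Grant{}, fmt.Errorf("no rule allows %s -> %s", full, target)
}

// SampleRules are constructed policy: production billing may reach the
// payments database for five minutes at a time; build jobs may push artifacts.
var SampleRules = []Rule{
	{SourcePrefix: "spiffe://example.org/ns/prod/sa/billing", Target: "payments-db", TTL: 5 * time.Minute},
	{SourcePrefix: "spiffe://example.org/ns/build/sa", Target: "artifact-store", TTL: 15 * time.Minute},
}

func main() {
	now := time.Now()
	for _, src := range []string{
		"spiffe://example.org/ns/prod/sa/billing",
		"spiffe://example.org/ns/prod/sa/billing-canary",
		"spiffe://example.org/ns/dev/sa/billing",
		"spiffe://example.org/ns/prod/../admin",
	} {
		g, err := Authorize(SampleRules, src, "payments-db", now)
		fmt.Printf("%-48s grant=%v err=%v\n", src, g.Valid(now), err)
	}
}
```

Two details carry the least-privilege point: a malformed ID (uppercase trust domain, a `..` segment, a trailing slash) is rejected before any rule is consulted, and prefix matching is aligned to whole path segments, so a rule for `.../sa/billing` does not quietly admit `.../sa/billing-canary`.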

Analysts are already pointing in this direction. Close to half of companies will soon adopt a secretless approach according to Gartner. The CNCF, NIST, and other frameworks advocate for identity-first, passwordless machine authentication.

It’s the same evolution humans went through, from memorizing passwords to passwordless authentication, now applied to machines.

Why We Built Hush Security

Before Hush, I’d spent years chasing down API keys, untangling sprawl, and firefighting secret exposures. Every rotation was a stressful, error-prone and labor-intensive event. One incident, a leaked key that caused an emergency response, made me realize: secrets aren’t the endgame.

We don’t need better vaulting. We need no vaulting at all.

That’s the vision behind Hush: eliminate management of static secrets, end the vault era, and replace them with real-time, policy-driven identity for every machine, service, and AI agent. The payoff is massive:

  • Security – Eliminate the risk, remove static keys from an attacker’s reach
  • Simplicity – Eliminate the burden-intensive and risk-prone process of secret provisioning, storage, usage and rotation.

Oh, and everything is transparent and happening behind the scenes – no unnecessary code changes and lengthy years of implementation time.

The Bottom Line

Static secrets are a relic of a slower, simpler era. Vaults served their purpose, but they can’t keep up with cloud-native scale, AI-driven automation, and modern security expectations.

The future of machine-to-machine communication is secretless, policy-based, and identity-first. The technology exists. The standards are here. The industry is moving in this direction.

At Hush Security, we’re building the platform to make it happen, so you can innovate at full speed without worrying that the keys to the kingdom will end up in the wrong hands. We also made the technology nearly transparent to use, so adopting it would not slow your teams and your business.

So how about eliminating risk, reducing burden, and scaling your NHI security?
