Picture an armory of weapons left loaded and unattended. They aren’t being watched, they aren’t being maintained, and no one intends to use them - but every one of them is ready to go off the moment someone picks them up. That’s what unused secrets represent in modern infrastructure: live credentials sitting like loaded guns, one careless moment or malicious hand away from pulling the trigger and starting the fire.
Our latest analysis reveals:

These aren’t harmless leftovers. They’re live rounds scattered across your environment. Each one expands the attack surface, each one drains resources, and each one invites the possibility of a breach.

The data shows Kubernetes sits at the center of the problem. Workloads overwhelmingly lean on environment variables, while vaults and secret managers are layered on top. Instead of solving the problem, this combination multiplies it: more systems, more secrets, more risk.
*The numbers do not add up to 100% because the sources overlap.
The Hidden Cost of Unused Secrets
Every unused secret is an active liability - not a passive risk. They quietly expand your attack surface, drain resources, and erode trust in your security posture. The longer they linger, the more they cost you - in exposure, inefficiency, and credibility.
- Expanded Attack Surface - Unused credentials are open invitations. Attackers actively harvest and replay stale tokens to move laterally, escalate privileges, and bypass controls. The breach doesn’t start with malware anymore - it starts with a forgotten key.
- Operational Drag - Every secret you store has to be tracked, rotated, and audited. When 40-60% of those credentials are never used, your team is wasting cycles managing ghosts. That’s lost productivity, slower response times, and less focus on the real risks.
- Visibility Gaps - Teams rarely know which secrets are actually needed and actively in use. Secret inventories grow, but context doesn’t. Without visibility into runtime usage, it’s impossible to separate critical credentials from dead ones - so everything gets treated as high risk, wasting both time and attention.
- Compliance Risk - Dormant secrets don’t just fail audits - they destroy audit confidence. Regulators and auditors see stale credentials as evidence of weak control maturity. When “everything is in use,” accountability disappears.
- Financial Overhead - Secrets sprawl scales faster than your business. Each stored credential adds incremental cost - in vault usage, management overhead, and engineering effort. Multiply that across thousands of keys, and you’re bleeding six figures a year in operational waste.
Leaving secrets loaded but unused is like leaving weapons armed and unattended - a predictable failure point waiting for the wrong moment. The question isn’t if they’ll be misused - it’s when.
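A first pass at the visibility gap described above, as an added example (not Hush's code or method): list the Kubernetes Secrets that no workload references through environment variables, `envFrom`, volumes, or image pull secrets. The sample objects and function names are constructed for illustration, and this is a static reference check only, so a Secret that is referenced may still never be read at runtime.

```python
import json

# Constructed sample shaped like `kubectl get secrets,pods,deployments -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Secret", "metadata": {"namespace": "shop", "name": "db-creds"}},
 {"kind": "Secret", "metadata": {"namespace": "shop", "name": "old-api-key"}},
 {"kind": "Secret", "metadata": {"namespace": "shop", "name": "tls-cert"}},
 {"kind": "Secret", "metadata": {"namespace": "ops", "name": "db-creds"}},
 {"kind": "Deployment", "metadata": {"namespace": "shop", "name": "web"},
  "spec": {"template": {"spec": {
    "volumes": [{"name": "tls", "secret": {"secretName": "tls-cert"}}],
    "containers": [{"name": "web", "env": [
      {"name": "DB_PASS", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}]}]}}}},
 {"kind": "Pod", "metadata": {"namespace": "ops", "name": "job"},
  "spec": {"containers": [{"name": "job", "envFrom": [{"configMapRef": {"name": "cfg"}}]}]}}
]}
""")

def pod_spec(obj):
    """Pod spec of a Pod, or of a workload that carries a pod template."""
    spec = obj.get("spec", {})
    return spec if obj["kind"] == "Pod" else spec.get("template", {}).get("spec", {})

def referenced(spec):
    """Yield every Secret name the pod spec refers to."""
    for ref in spec.get("imagePullSecrets", []):
        yield ref["name"]
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            yield vol["secret"]["secretName"]
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for env in c.get("env", []):
            if "secretKeyRef" in env.get("valueFrom", {}):
                yield env["valueFrom"]["secretKeyRef"]["name"]
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                yield src["secretRef"]["name"]

def unreferenced_secrets(items):
    """(namespace, name) of Secrets that no workload in that namespace references."""
    secrets = {(o["metadata"]["namespace"], o["metadata"]["name"])
               for o in items if o["kind"] == "Secret"}
    used = {(o["metadata"]["namespace"], name)
            for o in items if o["kind"] != "Secret" for name in referenced(pod_spec(o))}
    return sorted(secrets - used)

if __name__ == "__main__":
    print(unreferenced_secrets(SAMPLE["items"]))
```

References are matched per namespace, which is why `ops/db-creds` is flagged even though a Secret of the same name is in use in `shop`.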
Why Vaults Aren’t Enough
Vaults were designed to centralize storage, not solve usage. They give organizations a sense of control while secrets continue to multiply underneath. The problem isn’t where secrets live. The problem is that they exist at all.
As automation accelerates and workloads become more ephemeral, vault-based models simply cannot keep pace. Secret sprawl isn’t contained - it’s just relocated.
The Alternative: Secretless Access
At Hush, we believe the strongest protection is eliminating static secrets entirely. Our platform replaces them with dynamic, policy-driven access that delivers:
- Just-in-time, least-privilege access - nothing over-provisioned, nothing idle.
- No static secrets to steal, leak, or rotate.
- Real-time visibility into actual workload-to-service interactions.
- Adaptive IAM policies enforced at runtime, derived from observed behavior.
This isn’t incremental improvement. It’s a new foundation: secretless, identity-driven, and built for Zero Trust.
Closing the Gap
Secrets should enable, not endanger. Yet nearly half of them do nothing but weigh down security teams and expose organizations to risk.
With Hush, you can finally turn the page. Instead of managing more and more secrets, you can remove them from the equation altogether. The result: leaner, safer infrastructure where access is precise, dynamic, and invisible to attackers.
Because the only secure secret is the one that doesn’t exist.




