Thesis

Your identity tools and your pipeline tools never talk

2026 · ~5 min read

The security market is organized by where the data comes from, not by how attacks actually move. The space between the categories isn't a product gap — it's a market-structure gap. And that's exactly where the attacks live.

Defense is sorted by telemetry, not by attack

Look at how the tools in your stack are categorized. They're grouped by the kind of signal they ingest:

Identity / ITDR (Push, Grip, Entra). Browser, IdP, and session signals. Sees a stolen session, an impossible-travel login, an AiTM phish.

CI/CD & ASPM (Harden-Runner, Cycode, Endor). Runner, SCM, and process signals. Sees a workflow change, a runner's egress, an unpinned action.

NHI / secrets (GitGuardian, Astrix). Machine-credential signals. Sees a leaked token, a key used from somewhere new.

Each of these is genuinely excellent at its slice. None of them is wrong. The problem is that an attack isn't a slice — it's a sequence that runs across all three.

A stolen session (identity) → a workflow changed with no review (pipeline) → secrets leaving for a host you've never seen (egress / NHI).

That chain doesn't respect your vendor categories. It starts in one, acts in the next, and cashes out in the third.

So attacks cross out of view at the boundary

Here's the failure mode, stated plainly: each tool watches its own segment and quietly assumes the adjacent segments are someone else's job.

Three tools, three true-but-partial observations, zero correlation. The attack crosses cleanly out of each tool's field of view at exactly the hand-off between them. That's not a hypothetical — it's why the median software-supply-chain breach runs for 267 days before anyone connects the pieces.

Why no one just bolts it together

The obvious question: if everyone can see this, why hasn't an incumbent stitched the domains together? Because it's structural, not an oversight. Two forces hold the seam open:

Different telemetry. Identity tools are built to ingest browser and IdP events. Pipeline tools are built to ingest runner, SCM, and process events. Bridging the two means ingesting both heterogeneous signal types and reasoning across them — which is a different engine, not a new dashboard tab.

Different buyers. Identity telemetry is sold to IT and identity teams. Pipeline telemetry is sold to AppSec and platform teams. Different budgets, different champions, different procurement. An incumbent anchored to one signal source and one buyer can't simply annex the other — it's a different product and a different sale.

So everyone rationally optimizes their own half. The result is a market full of excellent tools and a seam that no one owns.

The seam is the product

Closing it isn't a feature you bolt onto a scanner — it's a different shape: a correlation layer that ingests identity, pipeline, and egress signals into one timeline and fires when they line up into the known kill-chain shape, inside one window. One incident, in the same hour — instead of three blind tools and a quarter-year head start.
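The chain from the earlier section (session anomaly, then an unreviewed workflow change, then a secret leaving for an unknown host) and the windowed correlation described here, as an added example that is not Sentinel's code or the post's own: the three event feeds are normalized into one timeline, joined on the identity they are attributed to, and an incident fires only when all three stages appear in order inside one window. Source names, event kinds, actors, timestamps and the 203.0.113.77 host are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# One normalized record, whichever tool emitted it. `actor` is the join key:
# the identity the event is attributed to (constructed field names).
@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # "identity" | "pipeline" | "egress"
    kind: str     # normalized event type within that source
    actor: str
    detail: str

# The kill-chain shape the correlation layer looks for, in order.
KILL_CHAIN: List[Tuple[str, str]] = [
    ("identity", "session_anomaly"),
    ("pipeline", "workflow_changed_no_review"),
    ("egress", "secret_to_unknown_host"),
]

@dataclass
class Incident:
    actor: str
    steps: List[Event]

    @property
    def span(self) -> timedelta:
        """Wall-clock time from the first stage to the cash-out."""
        return self.steps[-1].ts - self.steps[0].ts

def match_chain(evs: List[Event], start: int, window: timedelta) -> Optional[Tuple[Incident, int]]:
    """Try to match KILL_CHAIN beginning at evs[start]. `evs` is one actor's
    events sorted by time. Returns the incident and the index of its last step."""
    first = evs[start]
    if (first.source, first.kind) != KILL_CHAIN[0]:
        return None
    steps, stage = [first], 1
    for i in range(start + 1, len(evs)):
        ev = evs[i]
        if ev.ts - first.ts > window:   # later stages must land inside the window
            break
        if (ev.source, ev.kind) == KILL_CHAIN[stage]:
            steps.append(ev)
            stage += 1
            if stage == len(KILL_CHAIN):
                return Incident(first.actor, steps), i
    return None

def correlate(events: List[Event], window: timedelta = timedelta(hours=1)) -> List[Incident]:
    """Fold three feeds into one timeline per actor and emit one incident per
    complete, in-order chain. Partial chains never fire."""
    by_actor = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_actor.setdefault(ev.actor, []).append(ev)
    incidents = []
    for evs in by_actor.values():
        i = 0
        while i < len(evs):
            hit = match_chain(evs, i, window)
            if hit:
                inc, last = hit
                incidents.append(inc)
                i = last + 1          # consume the chain so one attack yields one incident
            else:
                i += 1
    return incidents

# Constructed sample timeline: three tools, three actors, one real chain.
T0 = datetime(2026, 3, 4, 9, 0)
def t(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)

SAMPLE_EVENTS = [
    # alice: all three stages within 39 minutes -> fires
    Event(t(2),  "identity", "session_anomaly",            "alice@example.test", "impossible-travel login on reused session cookie"),
    Event(t(17), "pipeline", "workflow_changed_no_review", "alice@example.test", ".github/workflows/ci.yml pushed to main without review"),
    Event(t(41), "egress",   "secret_to_unknown_host",     "alice@example.test", "runner sent DEPLOY_TOKEN to 203.0.113.77"),
    # bob: an unreviewed hotfix and nothing else -> the pipeline tool alone sees a routine change
    Event(t(5),  "pipeline", "workflow_changed_no_review", "bob@example.test",   "hotfix to build.yml"),
    # carol: full chain, but the session anomaly was 2h50 before the workflow change -> outside a 1h window
    Event(t(-150), "identity", "session_anomaly",            "carol@example.test", "new device, new country"),
    Event(t(20),   "pipeline", "workflow_changed_no_review", "carol@example.test", "release.yml edited on main"),
    Event(t(45),   "egress",   "secret_to_unknown_host",     "carol@example.test", "NPM_TOKEN posted to 203.0.113.77"),
]

def summarize(incidents: List[Incident]) -> List[str]:
    return [f"{inc.actor}: {' -> '.join(s.source for s in inc.steps)} in {inc.span}" for inc in incidents]

if __name__ == "__main__":
    for line in summarize(correlate(SAMPLE_EVENTS)):
        print(line)
```

Two points to note when reading the sample: bob's unreviewed change alone never becomes an incident, which is the same "true but partial" observation the pipeline tool makes today, and carol's chain only fires if the window is widened (for example `correlate(SAMPLE_EVENTS, window=timedelta(hours=4))`), so the window is the tuning knob that trades missed slow attacks against false positives.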

That's the only thing Sentinel does.