Threat patterns
What is Out of Scope Loophole?
The pattern where credential exposure is not covered by bug bounty scope or secret manager inventory, so the problem persists despite having security programs in place. Common for SaaS credentials pasted into Notion, Jira, or Slack.
Go deeper
More terms in Threat patterns
- NHI Kill ChainA taxonomy of recurring failure patterns that turn non-human identities into exploitable attack paths. Includes Ghost (orphaned), Shadow (undocumented), Aged (unrotated), Over-shared, Zombie (still valid after deletion), Drifted, Over-privileged, Public, and Unattributed keys.
- Shadow ITAny tool, service, or integration that employees adopt without the security team's knowledge. In the NHI world, shadow IT creates shadow service accounts, shadow API keys, and shadow OAuth grants that never enter the inventory.
- Ghost KeyAn API key or credential that still authenticates, but whose owner has left the company or can no longer be identified. Part of the NHI Kill Chain.
- Over-shared KeyA single credential pasted into multiple projects, environments, CI systems, and developer machines. Rotating it in one place leaves the others exposed. The most expensive NHI failure mode to fix during an incident.
- Aged KeyA long-lived credential that has not been rotated in months or years. Time multiplies the damage: the value has had plenty of opportunity to leak, and attackers can plan around its predictable continued validity.
- Zombie KeyA credential that still authenticates even though the service or integration it was meant for has been deleted or decommissioned. The key is alive; the system expects it to be dead.