Resource abuse telemetry is the combined signal from identity activity, workload behaviour, and spend patterns that shows when infrastructure is being used outside normal purpose. It is more useful than a single alert because cryptojacking often looks benign in isolation.
Expanded Definition
Resource abuse telemetry is the combined evidence trail that reveals when an NHI, workload, or agent is consuming compute, network, or cloud services in a way that no longer matches its approved purpose. It sits at the intersection of identity telemetry, workload behaviour, and financial signals, so it can surface misuse that a single alert would miss. In practice, this includes unusual token use, unexpected API call bursts, a sudden rise in outbound traffic, or spending that drifts far beyond baseline. Guidance varies across vendors on how much of this should be treated as security telemetry versus FinOps telemetry, but in NHI governance the distinction matters less than whether the signal supports containment and investigation. The NIST Cybersecurity Framework 2.0 helps frame this as detection and response data that should be actionable, not merely descriptive. The most common misapplication is treating cost spikes as a purely financial issue, which occurs when teams ignore identity context and workload behaviour.
NHIMG research shows how often weak NHI controls create the conditions for this signal: only 5.7% of organisations have full visibility into their service accounts, while 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
Examples and Use Cases
Implementing resource abuse telemetry rigorously often introduces monitoring overhead and alert tuning effort, requiring organisations to weigh earlier detection against additional instrumentation and response complexity.
- A cloud workload begins mining cryptocurrency after an exposed API key is reused from an unusual region, and the telemetry combines identity anomalies, CPU saturation, and bill shock.
- An AI agent starts making far more tool calls than expected because its prompt chain has been hijacked, which shows up as an execution pattern change before a service outage occurs.
- A service account that normally reads a narrow data set suddenly begins enumerating storage buckets and transferring large volumes externally, matching the kind of behaviour discussed in the ASP.NET machine keys RCE attack analysis.
- A CI/CD runner starts spawning short-lived containers and outbound connections outside its approved pipeline window, indicating possible credential abuse or automation misuse.
- FinOps sees a spend spike, but security confirms it is tied to abnormal secret use and privilege escalation, not simply seasonal usage growth.
For teams building a detection model, NIST Cybersecurity Framework 2.0 is useful because it reinforces that telemetry should support identification, detection, and response together rather than as isolated workstreams. Related NHIMG guidance on the ASP.NET machine keys RCE attack shows how identity misuse and workload abuse can become visible only when multiple signals are correlated.
Why It Matters in NHI Security
Resource abuse telemetry matters because NHI compromise rarely presents as a clean authentication failure. Attackers often preserve valid access and then exploit trusted automation to run compute, move data, or hide activity inside normal cloud operations. That makes identity-only monitoring insufficient. When telemetry is joined across authentication events, workload execution, and spend anomalies, practitioners can spot cryptojacking, proxy abuse, over-permissioned service accounts, and agent misuse before the blast radius grows. This is especially important in environments where NHIs outnumber human identities by 25x to 50x and where 97% of NHIs carry excessive privileges, conditions that make unnoticed abuse much easier to sustain. The same visibility problem appears in real-world compromise patterns described across NHIMG research and in broader identity governance guidance from the NIST Cybersecurity Framework 2.0. Organisations typically encounter the operational need for this term only after a workload is already draining budget, degrading performance, or exfiltrating data, at which point resource abuse telemetry becomes unavoidable to contain the incident.
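The definition above describes resource abuse telemetry as the join of identity, workload and financial signals, and this section makes the same point about correlating authentication events, workload execution and spend anomalies. The script below, an added example that is not code from the original page or from NHIMG, shows what that join looks like in practice: three small detectors, one per layer, feed a single verdict per non-human identity, and the verdict also separates a spend spike that is corroborated by identity and workload anomalies from one that is not (the compromise-versus-misconfiguration question raised at the end of the page). All telemetry is constructed sample data; the principal names, the approved-region allow-list and every threshold are illustrative assumptions rather than vendor or NIST values.

```python
"""Correlate identity, workload and spend signals per non-human identity (NHI).

Added example, not code from the original page or from NHIMG. All telemetry
below is constructed sample data, and every threshold is an illustrative
assumption rather than a vendor- or NIST-defined value.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed identity telemetry: (principal, source_region, api_calls_last_hour)
IDENTITY_EVENTS = [
    ("svc-batch-ingest", "eu-west-1", 120),
    ("svc-batch-ingest", "ap-southeast-9", 4100),  # key reused from an unapproved region, call burst
    ("svc-report-reader", "eu-west-1", 95),
    ("svc-nightly-etl", "eu-west-1", 1500),
]

# Constructed workload telemetry: principal -> (cpu_percent, egress_mb_last_hour, new_processes)
WORKLOAD_METRICS = {
    "svc-batch-ingest": (97.0, 5200.0, 14),  # CPU pinned, heavy egress, many new processes
    "svc-report-reader": (12.0, 30.0, 0),
    "svc-nightly-etl": (55.0, 400.0, 2),
    "svc-ci-runner": (45.0, 1500.0, 25),     # outbound traffic and container spawn outside its window
}

# Constructed daily spend in USD: 13 baseline days followed by today.
SPEND_HISTORY = {
    "svc-batch-ingest": [40, 42, 39, 41, 44, 40, 43, 41, 39, 42, 40, 41, 43, 390],
    "svc-report-reader": [8, 9, 8, 8, 9, 8, 9, 8, 8, 9, 8, 8, 9, 9],
    "svc-nightly-etl": [60, 58, 61, 59, 62, 60, 61, 58, 60, 59, 61, 60, 62, 310],  # spend moved, nothing else did
    "svc-ci-runner": [20] * 13 + [21],
}

APPROVED_REGIONS = {"eu-west-1", "eu-central-1"}  # assumed allow-list for these NHIs

# Illustrative thresholds (assumptions); tune against your own baselines.
CALL_BURST = 2000          # API calls per hour
CPU_SATURATION = 90.0      # percent
EGRESS_MB_ALERT = 1000.0   # MB per hour
PROCESS_SPAWN = 10         # new processes per hour
SPEND_SIGMA = 3.0          # z-score above the baseline mean


def identity_anomalies(events=IDENTITY_EVENTS, approved=APPROVED_REGIONS):
    """Tag identity-layer anomalies: unapproved source region, API call bursts."""
    tags = defaultdict(set)
    for principal, region, calls in events:
        if region not in approved:
            tags[principal].add("unusual_region")
        if calls >= CALL_BURST:
            tags[principal].add("api_call_burst")
    return dict(tags)


def workload_anomalies(metrics=WORKLOAD_METRICS):
    """Tag workload-layer anomalies: CPU saturation, egress spikes, process spawning."""
    tags = defaultdict(set)
    for principal, (cpu, egress_mb, procs) in metrics.items():
        if cpu >= CPU_SATURATION:
            tags[principal].add("cpu_saturation")
        if egress_mb >= EGRESS_MB_ALERT:
            tags[principal].add("egress_spike")
        if procs >= PROCESS_SPAWN:
            tags[principal].add("process_spawn")
    return dict(tags)


def spend_anomalies(history=SPEND_HISTORY, sigma=SPEND_SIGMA):
    """Tag today's spend when it sits more than `sigma` standard deviations above baseline."""
    tags = {}
    for principal, series in history.items():
        baseline, today = series[:-1], series[-1]
        mu, sd = mean(baseline), pstdev(baseline)
        z = (today - mu) / (sd or 1.0)  # a perfectly flat baseline still yields a finite score
        if z > sigma:
            tags[principal] = {"spend_drift"}
    return tags


def assess(principal, ident, work, spend):
    """Join the three layers into one verdict plus the evidence tags behind it."""
    i, w, s = ident.get(principal, set()), work.get(principal, set()), spend.get(principal, set())
    if s and i and w:
        verdict = "likely_compromise"        # all three layers agree: contain, then investigate
    elif s and (i or w):
        verdict = "investigate"              # spend plus one corroborating layer
    elif s:
        verdict = "likely_misconfiguration"  # spend drifted but identity and workload look normal
    elif i or w:
        verdict = "watch"                    # behaviour changed without a cost impact yet
    else:
        verdict = "normal"
    return verdict, sorted(i | w | s)


def correlate(events=IDENTITY_EVENTS, metrics=WORKLOAD_METRICS, history=SPEND_HISTORY):
    """Run all three detectors and return {principal: (verdict, [tags])}."""
    ident, work, spend = identity_anomalies(events), workload_anomalies(metrics), spend_anomalies(history)
    principals = {e[0] for e in events} | set(metrics) | set(history)
    return {p: assess(p, ident, work, spend) for p in sorted(principals)}


if __name__ == "__main__":
    for principal, (verdict, tags) in correlate().items():
        print(f"{principal:20s} {verdict:24s} {', '.join(tags) or '-'}")
```

Run as-is, the sample data lands `svc-batch-ingest` on `likely_compromise` because identity, workload and spend anomalies all line up, `svc-nightly-etl` on `likely_misconfiguration` because only its bill moved, and `svc-ci-runner` on `watch` because its behaviour changed before any cost showed up. The verdict ladder is the design point: a cost spike on its own is routed back to the owner or FinOps for review, and it becomes a containment case only when the identity or workload layer corroborates it.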
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Resource abuse often starts with improper secret handling and exposed NHI credentials. |
| NIST CSF 2.0 | DE.CM-8 | Continuous monitoring should surface anomalous resource use and hostile workload behaviour. |
| NIST CSF 2.0 | RS.AN-1 | Telemetry supports rapid analysis of misuse, including cryptojacking and agent abuse. |
Use correlated telemetry to determine whether anomalous spend reflects compromise or misconfiguration.