They should rely on real-time telemetry, not only post-infection host artefacts. If evidence can be wiped from the machine, then login audit logs, token-use records, and workload identity telemetry must already be in central storage. Containment depends on knowing which identities were used before the host was cleaned.
Why This Matters for Security Teams
When malware is designed to remove local evidence, the incident stops being a simple host-forensics problem and becomes an identity and telemetry problem. Attackers often clear shell history, delete files, tamper with logs, or wipe temporary artefacts before defenders arrive. If the only evidence lives on the endpoint, containment happens too late. Current guidance from NIST Cybersecurity Framework 2.0 emphasises detection and response across centralised data sources, not just host inspection.
For NHI and agentic environments, the critical question is which identities, tokens, and workload sessions were active before the device was cleaned. NHI Mgmt Group notes that 91.6% of secrets remain valid five days after the targeted organisation is notified, which shows how long attackers can keep using stolen credentials even after the original machine is gone. That makes centralised login audit logs, token-use records, and workload identity telemetry essential for reconstructing the attack path.
In practice, many security teams discover the real blast radius only after the host has already been wiped, rather than through intentional telemetry-first containment.
How It Works in Practice
The response should begin with central evidence preservation, not endpoint cleanup. Security teams need authentication logs, API gateway records, token issuance events, EDR telemetry, and workload identity traces already flowing to immutable storage. That matters because malware can destroy local artefacts, but it cannot retroactively erase records that were shipped off the machine before compromise. For identity-heavy environments, the most useful artefacts are often the ones tied to who or what authenticated, not just what file changed.
Operationally, teams should correlate:
- Login and session logs from identity providers
- Token minting, refresh, and revocation events
- Service account and API key usage records
- Cloud control-plane audit logs
- Workload identity telemetry from systems such as SPIFFE-based attestations
This is especially important when the malware targets non-human identities. NHI Mgmt Group’s research on Shai Hulud npm malware campaign and JetBrains GitHub plugin token exposure shows how quickly stolen secrets can be abused across developer and CI/CD environments. That is why response playbooks should treat token lineage as evidence: which identity requested access, from where, with what privilege, and for how long.
Real-time monitoring should also flag anomalies such as impossible travel, unusual token reuse, abnormal privilege escalation, or a service account suddenly acting like an operator. These controls tend to break down when telemetry is not centrally collected before compromise, because local logs can be deleted faster than responders can preserve the host.
Common Variations and Edge Cases
Tighter evidence collection often increases storage, tuning, and privacy overhead, requiring organisations to balance forensic depth against operational cost. In highly distributed environments, there is no universal standard for this yet, so current guidance suggests prioritising the identities and control planes that can make privileged changes first.
One common edge case is encrypted or ephemeral hosts. If the machine is rebuilt automatically, defenders may lose the endpoint almost immediately, so cloud audit logs and identity provider records become the primary evidence source. Another is agentic or autonomous workloads, where the main risk is not a human user but a workload that chains tools, requests fresh credentials, and moves laterally under valid identity. In those cases, static host artefacts tell only part of the story.
Response teams should also be cautious about treating “log deletion” as proof of a successful wipe. Absence of local evidence is not absence of compromise. The practical standard is to verify what the identity did before the cleanup, revoke exposed tokens, and preserve central telemetry for reconstruction. When systems rely on short-lived sessions and workload identity, investigators can often recover enough context to scope the incident even after the endpoint is gone.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Centralised identity telemetry is vital when local artefacts are destroyed. |
| OWASP Agentic AI Top 10 | A-03 | Autonomous agents can chain tools and hide activity beyond the host. |
| NIST CSF 2.0 | DE.CM-1 | Continuous monitoring supports detection when malware erases local evidence. |
Track agent actions with runtime identity and tool-use telemetry, not endpoint artefacts alone.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org