Kubesentry Blog

Technical writing on Kubernetes runtime security from the Kubesentry team. We cover eBPF detection internals, container escape analysis, MITRE ATT&CK for Containers, RBAC hardening, and real incident patterns from mid-size SaaS environments. Written for DevSecOps engineers who own Kubernetes security outcomes without a dedicated threat analyst.

eBPF and Kubernetes Runtime Security
Runtime Security

eBPF and Kubernetes Runtime Security: What Mid-Size Teams Need to Know

eBPF gives you kernel-level visibility into every container on every node without sidecar injection or image changes. This post explains how it works at the syscall level, what CO-RE probes are, and why the observability model is fundamentally different from traditional container log collection for mid-size Kubernetes teams.

May 2026
Container Escape Detection on EKS and GKE
Container Security

Container Escape Detection on EKS and GKE: A Practical Guide

Container escapes — when a process breaks out of its cgroup namespace and gains host access — are invisible to CSPM scanners. This guide covers the specific syscall sequences that signal a container escape attempt on EKS and GKE, and how behavioral baseline detection catches them before privilege escalation completes.

May 2026
MITRE ATT&CK for Kubernetes Containers
Threat Intelligence

MITRE ATT&CK for Containers: Mapping Kubernetes Runtime Threats

MITRE ATT&CK for Containers defines 13 tactics and over 30 techniques specific to container runtime threats. This post maps each tactic to the specific Kubernetes behavioral signals that indicate it — from Initial Access through Exfiltration — and explains how inline tactic classification changes triage workflows for small security teams.

May 2026
Service Account Abuse in Kubernetes
RBAC Security

Service Account Abuse in Kubernetes: Detection Without a Full-Time Analyst

Service account tokens are mounted in every pod by default, and most teams never audit how they’re actually used at runtime. This post covers how attackers exploit overpermissioned service accounts, what a detection pattern looks like at the API audit and syscall layers, and how to catch token misuse without running a full RBAC audit on a weekly schedule.

April 2026
Cryptomining in Kubernetes Namespaces
Threat Detection

Cryptomining in Kubernetes Namespaces: How 11 Days Goes Undetected

A cryptomining workload ran in a misconfigured Kubernetes namespace for 11 days before a billing spike surfaced it. This post walks through the exact detection gap — what CSPM tools saw, what they missed, and what the syscall and network telemetry would have shown a runtime detection system within the first hour of deployment.

April 2026
Wiz and CrowdStrike Runtime Enrichment
Integrations

Combining Wiz and CrowdStrike Context with Kubernetes Runtime Alerts

A runtime threat alert without vulnerability context forces analysts to pivot between four tools before they can assess severity. This post explains how pulling Wiz Security Graph data and CrowdStrike Falcon posture into the alert payload at detection time reduces mean investigation time and avoids the “this alert could be serious or nothing” triage dead end.

April 2026
Falco Rules for Mid-Size DevSecOps Teams
DevSecOps

Why Falco Rules Alone Are Not Enough for Mid-Size DevSecOps Teams

Falco generates useful signals, but raw Falco output requires a dedicated analyst to write, tune, and maintain rules continuously. This post looks at where Falco’s rules-first model breaks down for teams with one or two DevSecOps engineers, and what behavioral baselining adds to cover the detection gaps that hand-written rules miss by design.

March 2026
Kubernetes DevSecOps Posture Management
Posture Management

Kubernetes DevSecOps Posture Management: Runtime vs. Configuration

CSPM tools tell you what your cluster looks like at configuration audit time. Runtime detection tells you what is actually executing inside your containers right now. These are different problems with different tooling requirements — this post explains why posture management and runtime detection are complementary, not interchangeable, for mid-size Kubernetes teams.

March 2026
Kubernetes RBAC Least Privilege Security
RBAC Security

Implementing Least Privilege RBAC in Production Kubernetes

Least privilege RBAC is easy to spec and hard to maintain in production as deployments grow and service account permissions accumulate. This post covers the practical steps for auditing existing ClusterRoleBindings, reducing ServiceAccount permissions without breaking workloads, and setting up audit log alerting to catch permission creep before it becomes an incident.

February 2026
eBPF Overhead in Production Kubernetes
Performance

eBPF Overhead in Production Kubernetes: What the Benchmarks Actually Show

eBPF has a reputation for high overhead that predates modern CO-RE probes and per-pod filtering. This post presents benchmark results for eBPF sensor overhead across different node sizes and workload intensities — CPU, memory, and syscall collection latency — and explains what the numbers mean for teams evaluating runtime security on production clusters.

February 2026