Beyond Access Logs: Using Kubernetes Audit Events for Runtime Anomaly Detection
K8s audit logs capture API server events — but correlating them with container-level process activity reveals threat patterns that neither source alone can catch.
Engineering-first writing from the Kubesentry team. Detection mechanics, architecture decisions, and the operational realities of running Kubernetes in production.
Image scanning and SAST are table stakes. But the threat surface after your container starts running is where shift-left tools go silent.
Security teams write policies. SREs get paged at 2 AM when something breaks. The convergence of those two roles is reshaping how runtime incidents get detected and resolved.
Most teams nail the build layer. Some get the deploy layer. Almost nobody has full runtime coverage. This guide maps all three and shows where the gaps live.
A compromised deployment can become a mining rig within minutes. The tell-tale signs are detectable at the kernel level if you're watching for them.
Falco is exceptional for teams who want to own their detection pipeline end-to-end. Kubesentry builds on top of it with a managed policy engine and alert routing. An honest comparison.
Container escapes are among the highest-severity K8s runtime threats. eBPF lets you catch the syscall patterns that signal escape attempts in real time.
Before eBPF, runtime security meant kernel modules (fragile) or sidecar agents (overhead). eBPF changed the equation: full syscall visibility, zero overhead to your application.