Changelog

What's changed in Kubesentry.

Release notes for every version. New detections, bug fixes, API changes, and platform improvements.

v0.8.0 — K8s Audit Log Correlation

Major release introducing Kubernetes API server audit log ingestion and cross-correlation with container-level eBPF events.

  • New: K8s Audit Log Analysis detection — correlates API server events with runtime syscall patterns
  • New: Multi-signal alert consolidation — escape attempts now combine syscall + audit events into a single alert
  • Enhancement: P99 detection latency reduced from 40s to under 30s across all detection categories
  • Enhancement: Process tree context now includes K8s metadata (pod label selectors, deployment name)
  • Fix: False positive reduction for Java applications that use CLONE_NEWPID in JVM sandbox

v0.7.0 — Syscall Anomaly Baseline

Introduces adaptive behavioral baselining — Kubesentry learns the normal syscall profile of each workload over 72 hours and alerts on deviation.

  • New: Syscall anomaly baseline detection — per-workload learning mode for 72-hour windows
  • New: Baseline override API — programmatically reset baseline for known-safe deployments
  • Enhancement: Splunk HEC forwarding for alert events (replaces file-based export)
  • Enhancement: Helm chart now supports node selector and toleration configuration
  • Fix: Memory leak in eBPF ring buffer reader on high-event-rate nodes (>8k events/s)

v0.6.0 — Lateral Movement + Falco Import

Adds lateral movement detection and introduces the Falco rule import tool for migrating existing OSS Falco rules.

  • New: Lateral movement detection — service account token file access + cross-namespace connection anomalies
  • New: ks import-falco rules.yaml CLI command for one-command Falco rule migration
  • New: OpsGenie alert routing integration
  • Fix: Privilege escalation detector false positives on Node.js applications using worker_threads
  • Fix: DaemonSet startup crash on kernel versions <5.10 (graceful degradation, not hard crash)

v0.5.0 — Privilege Escalation Detection

Adds privilege escalation detection covering setuid/setgid, capset(), and sensitive file write monitoring.

  • New: Privilege escalation detection — setuid, setgid, capset() syscall coverage
  • New: Sensitive file write monitoring — /etc/passwd, /etc/shadow, /etc/sudoers
  • New: Dashboard webhook for custom integrations (REST + webhook format)
  • Enhancement: Alert payload now includes MITRE ATT&CK technique reference for each detection category

v0.4.0 — General Availability

First GA release. Core detection (container escape, cryptomining) stable. Helm chart available in public registry.

  • GA: Container escape detection (unshare, chroot, mount abuse)
  • GA: Cryptomining detection (process name, CPU anomaly, mining pool connections)
  • GA: Slack and PagerDuty alert routing
  • GA: Helm chart at charts.kubesentry.com
  • GA: 7-day and 30-day retention plans