
Module 10: Runtime Security & Threat Detection Slides

Slide walkthrough for Module 10 of Cloud Native Security Engineering: Securing Kubernetes, Workloads, APIs & Zero Trust Systems: Falco, Tetragon, eBPF —...

This slide page is the visual review companion for the full course module. Use it to recap the architecture, examples, exercises, production warnings, and takeaways after reading the lesson.

Slide Outline

  1. Runtime Security & Threat Detection - Falco, Tetragon, eBPF — detecting container escapes, unauthorized access, and runtime threats
  2. Learning Objectives - 4 outcomes for this module
  3. Why This Module Matters - All the identity, encryption, and policy controls in earlier modules prevent unauthorized access. But what about an authorized workload that gets compromised?
  4. Falco: Syscall-Based Detection - Lesson section from the full module
  5. Tetragon: eBPF Runtime Enforcement - Lesson section from the full module
  6. eBPF: The Foundation - Lesson section from the full module
  7. Incident Response - Lesson section from the full module
  8. Real-World Use Cases - Detecting cryptominers in production containers, Container escape attempt alerting
  9. Common Mistakes to Avoid - 4 mistakes covered
  10. Hands-On Labs - 2 hands-on labs
  11. Key Takeaways - 5 points to remember

Learning Objectives

  • Understand runtime threat categories in Kubernetes
  • Deploy Falco for syscall-based threat detection
  • Use Tetragon for eBPF-based enforcement
  • Build incident response procedures for runtime events

Why This Module Matters

All the identity, encryption, and policy controls in earlier modules prevent unauthorized access. But what about an authorized workload that gets compromised? Runtime security is the last line of defense — it detects and responds to threats that bypass all other controls.

Common Mistakes

  • Running Falco without custom rules (the default ruleset is generic: it misses workload-specific abuse and, left untuned, buries real alerts in noise)
  • Not integrating alerts with incident response workflows
  • Using Tetragon enforcement rules without thorough testing (can block legitimate operations)
  • Not preserving forensic evidence when responding to incidents (deleting or restarting a pod destroys its writable layer, process tree, and memory before anyone has captured them)

Key Takeaways

  • Runtime security detects threats INSIDE authorized workloads — the last line of defense
  • Falco monitors syscalls and alerts on suspicious behavior (CNCF graduated)
  • Tetragon uses eBPF to BLOCK malicious actions, not just detect
  • eBPF enables kernel-level observability with low overhead; programs are checked by the in-kernel verifier before they are allowed to run
  • Detection without response is just monitoring — build the full incident pipeline

Hands-On Labs

  1. Detect Container Escape Attempts with Falco

    Deploy Falco and trigger security alerts.

    30 min - Intermediate

    • Install Falco as a DaemonSet
    • Spawn a shell with an attached terminal inside a container (kubectl exec -it ... -- bash); the default rule "Terminal shell in container" keys on the TTY, so a non-interactive exec will not trigger it
    • Read /etc/shadow from inside that shell; the default rule "Read sensitive file untrusted" covers it
    • Observe Falco alerts for both events
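The last step of this lab, and the "not integrating alerts with incident response workflows" and "not preserving forensic evidence" mistakes above, are what the following added example covers. It is not code from the course or the Falco project: it reads Falco's JSON-line output (the shape you get with json_output=true), records every raw alert in a hash-chained evidence log before anything else happens, groups alerts by container, and maps severity to a response. The sample alerts are constructed to resemble the two events this lab triggers plus one low-priority event; the action names, the severity thresholds and the escalation rule (two distinct rules on one container) are this example's own choices.

```python
"""Minimal Falco alert pipeline: parse JSON-line output, preserve evidence,
then decide a response. Added example; not part of the course labs."""
import hashlib
import json

# Constructed sample of Falco JSON output. Field names follow Falco's real
# JSON format; the values are made up for this example.
SAMPLE_FALCO_OUTPUT = """\
{"hostname":"node-a","output":"10:02:11.123456789: Notice A shell was spawned in a container with an attached terminal (user=root container_id=3f9c1e2d7a1b container_name=web shell=bash)","priority":"Notice","rule":"Terminal shell in container","source":"syscall","tags":["container","shell","mitre_execution"],"time":"2024-05-01T10:02:11.123456789Z","output_fields":{"container.id":"3f9c1e2d7a1b","container.name":"web","k8s.ns.name":"shop","k8s.pod.name":"web-7d9f","proc.cmdline":"bash","proc.name":"bash","proc.pname":"runc","user.name":"root"}}
{"hostname":"node-a","output":"10:02:19.000000001: Warning Sensitive file opened for reading by non-trusted program (user=root file=/etc/shadow container_id=3f9c1e2d7a1b)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["filesystem","mitre_credential_access"],"time":"2024-05-01T10:02:19.000000001Z","output_fields":{"container.id":"3f9c1e2d7a1b","container.name":"web","fd.name":"/etc/shadow","k8s.ns.name":"shop","k8s.pod.name":"web-7d9f","proc.cmdline":"cat /etc/shadow","proc.name":"cat","user.name":"root"}}
{"hostname":"node-b","output":"10:03:00.000000000: Informational Constructed low-priority event (container_id=aa11bb22)","priority":"Informational","rule":"Example informational rule","source":"syscall","tags":["container"],"time":"2024-05-01T10:03:00.000000000Z","output_fields":{"container.id":"aa11bb22","k8s.ns.name":"shop","k8s.pod.name":"api-55c1"}}
"""

# Falco's priority scale, lowest to highest.
PRIORITY_RANK = {p: i for i, p in enumerate(
    ["Debug", "Informational", "Notice", "Warning", "Error",
     "Critical", "Alert", "Emergency"])}


def parse_alerts(text):
    """Parse Falco JSON-line output; malformed lines are skipped, not fatal."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "rule" in obj and "priority" in obj:
            alerts.append(obj)
    return alerts


class EvidenceLog:
    """Append-only, hash-chained record of raw alerts. Written before any
    response action so a later pod deletion cannot erase what was observed."""

    def __init__(self):
        self.entries = []
        self.head = "0" * 64

    @staticmethod
    def _canonical(alert):
        return json.dumps(alert, sort_keys=True, separators=(",", ":"))

    def append(self, alert):
        self.head = hashlib.sha256(
            (self.head + self._canonical(alert)).encode()).hexdigest()
        self.entries.append({"hash": self.head, "alert": alert})
        return self.head

    def verify(self):
        """Recompute the chain; any edited or removed entry breaks it."""
        h = "0" * 64
        for e in self.entries:
            h = hashlib.sha256((h + self._canonical(e["alert"])).encode()).hexdigest()
            if h != e["hash"]:
                return False
        return True


def decide_actions(priority_rank, distinct_rules):
    """Map severity to a response. Thresholds are this example's own choice;
    snapshot_pod is listed before isolate_pod on purpose: capture, then contain."""
    actions = ["log"]
    if priority_rank >= PRIORITY_RANK["Notice"]:
        actions.append("open_ticket")
    if priority_rank >= PRIORITY_RANK["Warning"] or distinct_rules >= 2:
        actions += ["page_oncall", "snapshot_pod", "isolate_pod"]
    return actions


def triage(text, evidence):
    """Group alerts by container, escalate, and return incidents by severity."""
    incidents = {}
    for alert in parse_alerts(text):
        evidence.append(alert)  # evidence first, decisions second
        f = alert.get("output_fields", {})
        key = f.get("container.id", "host:" + alert.get("hostname", "?"))
        inc = incidents.setdefault(key, {
            "container": key, "namespace": f.get("k8s.ns.name"),
            "pod": f.get("k8s.pod.name"), "rules": [], "max_rank": 0})
        if alert["rule"] not in inc["rules"]:
            inc["rules"].append(alert["rule"])
        inc["max_rank"] = max(inc["max_rank"],
                              PRIORITY_RANK.get(alert["priority"], 0))
    for inc in incidents.values():
        inc["actions"] = decide_actions(inc["max_rank"], len(inc["rules"]))
    return sorted(incidents.values(), key=lambda i: -i["max_rank"])


if __name__ == "__main__":
    log = EvidenceLog()
    for inc in triage(SAMPLE_FALCO_OUTPUT, log):
        print(inc["namespace"], inc["pod"], inc["rules"], inc["actions"])
    print("evidence chain intact:", log.verify())
```

In a real deployment the text would come from Falco's stdout, a file output, or a webhook receiver such as Falcosidekick, and "snapshot_pod" and "isolate_pod" would become real calls (for example, copying the container filesystem and logs, then applying a deny-all NetworkPolicy label); the point of the ordering is that evidence is written and the pod captured before anything is isolated or deleted.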


  2. Runtime Enforcement with Tetragon

    Block malicious actions at the kernel level.

    30 min - Advanced

    • Install Tetragon
    • Create a TracingPolicy that blocks shell execution
    • Attempt to spawn a shell — observe block
    • View Tetragon event logs
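The "view Tetragon event logs" step, together with the "using Tetragon enforcement rules without thorough testing" mistake above, is what this added example supports. It is not code from the course or the Tetragon project: it reads Tetragon's JSON event export, keeps only the process_kprobe events raised by one named policy, and reports which (namespace, pod, binary) combinations that policy hit. Run over an audit-phase export (policy deployed with a Post action only) it shows what enforcement would kill outside the namespace you intend; run over the enforcing export it confirms the lab's shell was actually sent SIGKILL. The field names (process_kprobe, policy_name, action, process.pod) are assumed from Tetragon's JSON format, the policy name block-shell and the sample events are constructed for this example.

```python
"""Check Tetragon's JSON event export before and after a TracingPolicy
enforces. Added example; not part of the course labs. Field names below are
assumed from Tetragon's JSON export format."""
import json
from collections import defaultdict

# Constructed audit-phase export: the policy only posts events, no kills yet.
SAMPLE_AUDIT_EVENTS = """\
{"process_kprobe":{"process":{"pid":4101,"binary":"/bin/bash","arguments":"","pod":{"namespace":"lab","name":"victim-0"}},"function_name":"security_bprm_check","action":"KPROBE_ACTION_POST","policy_name":"block-shell"},"node_name":"node-a","time":"2024-05-01T11:00:01Z"}
{"process_kprobe":{"process":{"pid":612,"binary":"/bin/sh","arguments":"-c /healthz.sh","pod":{"namespace":"monitoring","name":"node-exporter-k2"}},"function_name":"security_bprm_check","action":"KPROBE_ACTION_POST","policy_name":"block-shell"},"node_name":"node-a","time":"2024-05-01T11:00:02Z"}
{"process_kprobe":{"process":{"pid":613,"binary":"/bin/sh","arguments":"-c /healthz.sh","pod":{"namespace":"monitoring","name":"node-exporter-k2"}},"function_name":"security_bprm_check","action":"KPROBE_ACTION_POST","policy_name":"block-shell"},"node_name":"node-a","time":"2024-05-01T11:00:12Z"}
{"process_kprobe":{"process":{"pid":700,"binary":"/usr/bin/cat","arguments":"/etc/shadow","pod":{"namespace":"lab","name":"victim-0"}},"function_name":"fd_install","action":"KPROBE_ACTION_POST","policy_name":"audit-sensitive-files"},"node_name":"node-a","time":"2024-05-01T11:00:20Z"}
{"process_exec":{"process":{"pid":701,"binary":"/usr/bin/python3","arguments":"app.py","pod":{"namespace":"shop","name":"web-7d9f"}}},"node_name":"node-a","time":"2024-05-01T11:00:21Z"}
"""

# Constructed enforcing-phase export: the lab's kubectl exec shell is killed.
SAMPLE_ENFORCING_EVENTS = """\
{"process_kprobe":{"process":{"pid":4200,"binary":"/bin/sh","arguments":"","pod":{"namespace":"lab","name":"victim-0"}},"function_name":"security_bprm_check","action":"KPROBE_ACTION_SIGKILL","policy_name":"block-shell"},"node_name":"node-a","time":"2024-05-01T11:30:00Z"}
"""


def parse_events(text):
    """Parse one JSON object per line; a torn line is skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def policy_hits(events, policy_name):
    """Collect process_kprobe events raised by one policy, keyed by
    (namespace, pod, binary). Other event types and policies are ignored."""
    hits = defaultdict(lambda: {"count": 0, "actions": set(), "args": set()})
    for ev in events:
        kp = ev.get("process_kprobe")
        if not kp or kp.get("policy_name") != policy_name:
            continue
        proc = kp.get("process", {})
        pod = proc.get("pod") or {}  # host processes carry no pod block
        key = (pod.get("namespace", "<host>"), pod.get("name", "<host>"),
               proc.get("binary", "?"))
        h = hits[key]
        h["count"] += 1
        h["actions"].add(kp.get("action", "KPROBE_ACTION_UNKNOWN"))
        h["args"].add(proc.get("arguments", ""))
    return dict(hits)


def enforcement_report(text, policy_name, expected_namespaces):
    """Split policy hits into expected targets and collateral; list kills.
    safe_to_enforce is False while any hit falls outside the expected set."""
    hits = policy_hits(parse_events(text), policy_name)
    report = {"expected": [], "collateral": [], "killed": []}
    for (ns, pod, binary), h in sorted(hits.items()):
        entry = {"namespace": ns, "pod": pod, "binary": binary,
                 "count": h["count"], "args": sorted(h["args"])}
        bucket = "expected" if ns in expected_namespaces else "collateral"
        report[bucket].append(entry)
        if "KPROBE_ACTION_SIGKILL" in h["actions"]:
            report["killed"].append(entry)
    report["safe_to_enforce"] = not report["collateral"]
    return report


if __name__ == "__main__":
    audit = enforcement_report(SAMPLE_AUDIT_EVENTS, "block-shell", {"lab"})
    print("would also hit:", audit["collateral"])
    print("safe to enforce:", audit["safe_to_enforce"])
    live = enforcement_report(SAMPLE_ENFORCING_EVENTS, "block-shell", {"lab"})
    print("killed:", live["killed"])
```

The audit sample shows the failure mode the course warns about: a monitoring pod's liveness probe runs sh -c, so the same policy that blocks the lab shell would kill it too. The fix is to narrow the policy (for example, to the lab namespace or to matching pod labels) until the audit report shows no collateral, and only then switch the action to Sigkill.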

