Course guide

Kubernetes Runtime Security: Falco, Tetragon, and eBPF

Detect container escapes, unauthorized syscalls, and runtime threats in Kubernetes using Falco, Tetragon, and eBPF-based enforcement.

Identity and network policies prevent unauthorized access. But what about threats that happen inside an authorized workload? A compromised container attempting privilege escalation, an attacker running a cryptominer, or malware modifying system files — these are runtime threats.

Runtime Security Tools

  • Falco: CNCF graduated project that detects abnormal behavior by monitoring Linux syscalls. Detects: shell spawned in container, sensitive file read, unexpected network connections.
  • Tetragon: Cilium's eBPF-based runtime enforcement tool. Goes beyond detection — it can block malicious actions in real time at the kernel level, for example by killing the offending process before a syscall completes.
  • eBPF: The underlying technology that makes modern runtime security possible. Runs sandboxed programs in the Linux kernel without kernel modules.

Learn Runtime Security — Free

Module 10 of our free Cloud Native Security Engineering course covers Falco, Tetragon, and eBPF with hands-on detection and response labs.