Tooling

Runtime Security

Falco, Tetragon, AppArmor, SELinux — detecting and stopping bad behavior live.

Static scanning catches known issues; runtime security catches what's actually happening on the box. eBPF made this category much better.

eBPF runtime security

  • Falco (CNCF) — runtime security; alerts on syscalls / k8s audit events. Hundreds of pre-built rules. Default in 2026.
  • Tetragon (Cilium) — runtime security observation + enforcement; eBPF-based. Can block, not just detect.
  • Tracee (Aqua) — runtime detection; YAML detection rules.
  • Inspektor Gadget (Microsoft) — eBPF-based k8s detection.

Mandatory access control

  • AppArmor — Ubuntu / SUSE default; profile-based; per-binary.
  • SELinux — RHEL / Fedora default; label-based; powerful.
  • seccomp / seccomp-bpf — restrict syscalls per-container; Docker / Podman / k8s use this.
  • Landlock (Linux ≥ 5.13) — unprivileged sandboxing.
  • Capabilities — drop unneeded Linux capabilities (CAP_SYS_ADMIN, etc.).

Kubernetes-specific

  • PodSecurity admission — built into k8s; enforce restricted / baseline / privileged levels.
  • Kyverno / OPA Gatekeeper — see Policy as Code.
  • Kube-bench (Aqua) — CIS Kubernetes Benchmark scanner.

Container runtime hardening

  • gVisor — sandboxed runtime; runs containers in a user-space kernel.
  • Kata Containers — VM-isolated containers.
  • Firecracker — micro-VMs (used by Fly, AWS Lambda).
  • Cosign signature verification at admission — see Image Supply Chain.

Anti-malware / EDR

  • ClamAV — open-source virus scanner; mostly used for shared file servers / mail servers.
  • Wazuh — open-source EDR; HIDS + log correlation + alerting.
  • Sysmon for Linux — Microsoft's syscall-event tooling.
  • Crowdstrike / SentinelOne / Defender for Linux — commercial EDR.

Network runtime security

  • Cilium NetworkPolicy — eBPF-enforced k8s policy.
  • Suricata / Snort — IDS / IPS; signature-based + anomaly.
  • Zeek (formerly Bro) — protocol-aware network monitoring.

What runtime security typically catches

  • Shell spawned inside an unexpected container.
  • Reverse shell connecting outbound.
  • File integrity violations (/etc/passwd modified).
  • Kernel module loaded unexpectedly.
  • Privileged escalation attempts.
  • Crypto miners (CPU patterns + outbound to known pools).
  • Unexpected listening ports.

Patterns to adopt

  • Falco on every k8s cluster. It's free; ruleset is broad; alerts go to Slack.
  • AppArmor / SELinux on, not permissive. Enforce mode unless you can't.
  • PodSecurity restricted for new namespaces; baseline at minimum.
  • seccomp profiles per container. Docker's default is a good start.
  • Drop all capabilities, add back only what's needed.
  • Read-only root FS + writable volumes for data dirs.
  • Don't run as root. USER instruction in Dockerfile; PodSecurity blocks it.

Pick this if…

  • Default k8s runtime detection: Falco.
  • Need enforcement, not just alerts: Tetragon.
  • Stronger isolation: gVisor or Kata Containers.
  • Deep host EDR / SIEM: Wazuh.
  • Container hardening basics: seccomp + capabilities + non-root + read-only FS + AppArmor profile.

On this page