Runtime Security
Falco, Tetragon, AppArmor, SELinux — detecting and stopping bad behavior live.
Static scanning catches known issues; runtime security catches what's actually happening on the box. eBPF made this category much better.
eBPF runtime security
- ★ Falco (CNCF) — runtime security; alerts on syscalls / k8s audit events. Hundreds of pre-built rules. Default in 2026.
- ★ Tetragon (Cilium) — runtime security observation + enforcement; eBPF-based. Can block, not just detect.
- Tracee (Aqua) — runtime detection; YAML detection rules.
- Inspektor Gadget (Microsoft) — eBPF-based k8s detection.
Mandatory access control
- ★ AppArmor — Ubuntu / SUSE default; profile-based; per-binary.
- ★ SELinux — RHEL / Fedora default; label-based; powerful.
- seccomp / seccomp-bpf — restrict syscalls per-container; Docker / Podman / k8s use this.
- Landlock (Linux ≥ 5.13) — unprivileged sandboxing.
- Capabilities — drop unneeded Linux capabilities (CAP_SYS_ADMIN, etc.).
Kubernetes-specific
- PodSecurity admission — built into k8s; enforce restricted / baseline / privileged levels.
- Kyverno / OPA Gatekeeper — see Policy as Code.
- Kube-bench (Aqua) — CIS Kubernetes Benchmark scanner.
Container runtime hardening
- gVisor — sandboxed runtime; runs containers in a user-space kernel.
- Kata Containers — VM-isolated containers.
- Firecracker — micro-VMs (used by Fly, AWS Lambda).
- Cosign signature verification at admission — see Image Supply Chain.
Anti-malware / EDR
- ClamAV — open-source virus scanner; mostly used for shared file servers / mail servers.
- Wazuh — open-source EDR; HIDS + log correlation + alerting.
- Sysmon for Linux — Microsoft's syscall-event tooling.
- Crowdstrike / SentinelOne / Defender for Linux — commercial EDR.
Network runtime security
- Cilium NetworkPolicy — eBPF-enforced k8s policy.
- Suricata / Snort — IDS / IPS; signature-based + anomaly.
- Zeek (formerly Bro) — protocol-aware network monitoring.
What runtime security typically catches
- Shell spawned inside an unexpected container.
- Reverse shell connecting outbound.
- File integrity violations (
/etc/passwdmodified). - Kernel module loaded unexpectedly.
- Privileged escalation attempts.
- Crypto miners (CPU patterns + outbound to known pools).
- Unexpected listening ports.
Patterns to adopt
- ★ Falco on every k8s cluster. It's free; ruleset is broad; alerts go to Slack.
- AppArmor / SELinux on, not permissive. Enforce mode unless you can't.
- PodSecurity restricted for new namespaces; baseline at minimum.
- seccomp profiles per container. Docker's
defaultis a good start. - Drop all capabilities, add back only what's needed.
- Read-only root FS + writable volumes for data dirs.
- Don't run as root. USER instruction in Dockerfile; PodSecurity blocks it.
Pick this if…
- Default k8s runtime detection: Falco.
- Need enforcement, not just alerts: Tetragon.
- Stronger isolation: gVisor or Kata Containers.
- Deep host EDR / SIEM: Wazuh.
- Container hardening basics: seccomp + capabilities + non-root + read-only FS + AppArmor profile.