Runtime security in a cloud-native world: Sysdig on the Risky Business Podcast

By Thao Doan - APRIL 23, 2025


In a recent episode of the Risky Business “Snake Oilers” podcast, Alex Lawrence, Director of Cloud Security Strategy at Sysdig, sat down with host Patrick Gray to discuss the growing need for real-time runtime security in modern cloud-native environments — and how Sysdig is stepping up to meet that challenge.

From the evolution of runtime security to Sysdig’s latest innovations with AI, the conversation covered a lot of ground. Here’s a recap of the key takeaways.

Built for real-time detection in ephemeral environments

Traditional security tools often focus on preventative and detective controls — but in dynamic, ephemeral cloud environments, it’s the real-time detection that matters most. “Things appear and disappear within seconds. So, you need to monitor and secure them in real time,” says Alex.  

Sysdig was purpose-built for Kubernetes, containers, and the cloud-native stack. Instead of relying on traditional network instrumentation (which doesn’t exist in the cloud), Sysdig monitors system calls — the most fundamental layer of Linux interaction — to deliver visibility and security.

Why system calls are the new packets

In the pre-cloud era, visibility meant capturing packets. Tools like Wireshark and Snort were the gold standard. But in cloud-native environments, that layer has disappeared.

“In the cloud, the system call is the new packet. It’s the most reliable source of truth.”

Alex Lawrence

Sysdig uses eBPF to capture these system calls in a modern, performant way. Whether it’s detecting a shell opening, a suspicious file access, or a rogue process, Sysdig provides the low-level visibility needed for robust runtime security.
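To make the idea concrete, here is an added illustration (not Sysdig or Falco code) of the kind of logic a runtime detector applies to a stream of syscall events: the event records, the per-workload allowlist and the rule thresholds are all constructed assumptions, and the three checks mirror the behaviours named above (a shell spawned in a container, a sensitive file read, a process the workload is not expected to run).

```python
"""Toy syscall-stream detector over constructed eBPF-style event records."""
from dataclasses import dataclass

SHELLS = {"sh", "bash", "dash", "zsh"}
SENSITIVE_FILES = {"/etc/shadow", "/root/.ssh/id_rsa"}
# Assumed per-container allowlist: what each workload's image is expected to exec.
EXPECTED = {"web-1": {"nginx"}, "db-1": {"postgres"}}


@dataclass
class Event:
    """One syscall as an eBPF probe might report it (constructed shape)."""
    container: str      # container name, or "host" for a process outside any container
    syscall: str        # "execve" or "openat"
    comm: str           # new image name for execve, calling process for openat
    parent: str         # parent process name
    arg: str = ""       # path for openat; unused for execve here


def classify(ev: Event) -> list:
    """Return (rule, container, detail) tuples that the event triggers."""
    findings = []
    in_container = ev.container != "host"
    if ev.syscall == "execve" and in_container:
        if ev.comm in SHELLS:
            # A shell appearing inside a container is rarely part of the workload.
            findings.append(("shell_in_container", ev.container, ev.parent))
        elif ev.comm not in EXPECTED.get(ev.container, set()):
            findings.append(("unexpected_process", ev.container, ev.comm))
    if ev.syscall == "openat" and in_container and ev.arg in SENSITIVE_FILES:
        findings.append(("sensitive_file_read", ev.container, ev.comm))
    return findings


def scan(events) -> list:
    """Evaluate every event in order and collect all findings."""
    return [f for ev in events for f in classify(ev)]


# Constructed sample stream: normal startup, then a shell, a credential read,
# a rogue binary in the database container, and ordinary host activity.
SAMPLE = [
    Event("web-1", "execve", "nginx", "containerd-shim"),
    Event("web-1", "execve", "bash", "nginx"),
    Event("web-1", "openat", "bash", "nginx", "/etc/shadow"),
    Event("db-1", "execve", "miner-bin", "postgres"),
    Event("host", "execve", "bash", "sshd"),
    Event("host", "openat", "sshd", "init", "/etc/shadow"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The same syscall (a shell exec, a read of /etc/shadow) is benign on the host and suspicious inside a container, which is why the container context attached to each event matters as much as the syscall itself.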

Agent-based detection delivers deep visibility

Sysdig deploys as an agent — commonly via a Kubernetes DaemonSet — and integrates into existing DevOps pipelines. Once in place, it captures a full range of telemetry, giving security teams visibility into everything from container escapes to privilege escalation attempts.

EDR for Linux? Yes, and more

Sysdig often draws comparisons to EDR for Linux, and rightly so. It brings endpoint-level insights to a world that’s often overlooked by traditional security tools. Alex says, “Linux runs the internet—and yes, it also runs a lot of coin miners. Real-time detection is essential.”

Sysdig is popular with financial services and other enterprises running critical cloud-native applications.

AI-powered insights with Sysdig

As with many security platforms, Sysdig is embracing AI to help customers deal with the flood of telemetry. But rather than just bolt on an LLM, Sysdig built Sysdig Sage™ — an AI assistant trained on its own APIs and telemetry structure. “AI is solving the data lake problem. We’re using it to surface the most important events in seconds,” Alex says.

With Sysdig Sage, security teams can ask natural language questions like:

  • “What are the top events on this host?”
  • “What’s the root cause of this incident?”
  • “What related alerts should I be aware of?”

This helps reduce time-to-detection and accelerates response in environments where containers often live less than 60 seconds.

Why Sysdig matters in a CNAPP world

Sysdig’s capabilities fit within the broader Cloud-Native Application Protection Platform (CNAPP) space. Its real-time runtime detection, combined with AI-assisted analysis, makes it a powerful tool for securing modern infrastructure.

Whether you’re running Kubernetes, investigating odd behavior on Linux hosts, or looking to augment your SOC’s capabilities with AI, Sysdig is worth a serious look.

Listen to the full interview

Want to hear the full conversation? Check out the episode or search for “Risky Business” wherever you get your podcasts.
