The evolution of the Sysdig Agent

By Radhika Puthiyetath - APRIL 11, 2025


For the past six years, I’ve had the unique privilege of contributing to and witnessing the evolution of Sysdig Agent. As a Technical Writer, I create educational content that helps Sysdig customers get the most value out of it.

The Sysdig Agent, which began as a simple sniffer probing system calls, has transformed into a powerful defender against cyber threats and vulnerabilities, safeguarding workloads across regions—and even underwater in submarines! How cool is that? Being part of this transformation has been an amazing journey, and I’m grateful to have had a front-row seat.

My journey at Sysdig

I joined Sysdig in March 2019, six years after the creation of the open-source monitoring tool, Sysdig, which was designed to provide deep system visibility. Building on this foundation, Sysdig introduced Falco in 2016, an open-source project focused on runtime security, detecting abnormal behaviors in cloud-native environments.

I started my journey at Sysdig working on the Sysdig Agent documentation. At the time, the agent was mainly responsible for collecting and reporting metrics, labels, and events to help teams monitor the health and performance of Linux hosts, containers, and orchestration platforms. As a technical writer, I followed a similar process of collection and distillation — gathering essential information by testing product features, understanding how they were used, and incorporating customer feedback, all in pursuit of uncovering and distilling what truly matters.

By 2020, the Sysdig Agent had evolved significantly, achieving full Prometheus compatibility and gathering insights from various exporters in cloud-native applications. The agent’s role expanded from simple monitoring to deep data collection—gathering metrics, sniffing syscalls, and detecting critical security events. 

Leveraging deep system visibility for comprehensive security

Meanwhile, Sysdig shifted from a monitoring and observability platform to a comprehensive security platform with runtime threat detection at its core. This was a pivotal moment. Falco and Sysdig Secure emerged as the natural progression of our monitoring capabilities, showing how deep system-call visibility could be leveraged for security. 

Initially, runtime detection was sufficient for addressing security concerns. But as cyber threats became more sophisticated, customers demanded proactive security measures. This led to the development of:

  • Container image scanning: Identifying vulnerabilities before they could be exploited.
  • Kubernetes security posture management (KSPM): Detecting misconfigurations before attackers could exploit them.

As the industry evolved, so did customer expectations. Companies no longer wanted fragmented security tools — they sought an integrated security approach. This shift led to the rise of the Cloud-Native Application Protection Platform (CNAPP) — a unified solution combining runtime security, vulnerability scanning, and posture management. Sysdig’s strength in runtime detection became a key part of CNAPP, using real-time insights to prioritize security risks based on active usage.

Simplifying the Sysdig experience

As the agent’s components and capabilities grew, so did the complexity of the documentation. We faced several challenges, such as where to place security-specific configurations — should they go in the agent documentation or the Sysdig Secure Guide? And how could we simplify the installation journey for customers who bought both Sysdig Secure and Sysdig Monitor, or those purchasing only specific capabilities?

Our goals became clear:

  • Minimize complexity in installation.
  • Reduce configuration overhead.
  • Simplify the overall User and Information experience.

To achieve this, we streamlined our security offering into two primary components:

  • Host Shield: Components that run on the host, directly securing workloads
  • Cluster Shield: Components that leverage cloud environment data without running on the host

With Cluster and Host Shield, we’ve made it easier for customers to install and manage Sysdig components. Cluster Scanner, KSPM Collector, Secure Admission Controller, and K8s Audit Logging have been consolidated into the Cluster Shield. Similarly, Runtime Threat Detection, Host Vulnerability Scanning, KSPM for the Host, and Rapid Response have been consolidated into the Host Shield. This approach simplifies installations, upgrades, and configurations, making life easier for customers – including the documentation! 

Reflecting on six years at Sysdig and the future ahead

Reflecting on my time at Sysdig, I see a transformation that mirrors the evolution of our technology. As a technical writer, I’ve moved beyond simply documenting individual features. I now analyze the product’s behavior from a user perspective, much like how Sysdig tools observe syscalls in real time. Understanding the ‘why’ behind each feature has enabled me to highlight user stories that demonstrate how each function fits into a broader security strategy.

Seeing the Host Shield and Cluster Shield evolve into the backbone of Sysdig’s CNAPP strategy has been incredibly fulfilling. It’s been an honor to work alongside such a talented team, creating documentation that makes cloud security simpler and more effective. I’m more excited than ever for what’s ahead. Whether you’re a prospective customer seeking best-in-class cloud security or an engineer looking to build cutting-edge technology, Sysdig is the place to be.
