Container runtime security.

Runtime security for cloud-native apps + Kubernetes with Sysdig Secure

insight icon

Comprehensive runtime visibility.

Enable developers and security ops to gain granular visibility into their container and Kubernetes telemetry data, improving their cloud-native security posture.

Machine based learning icon

Detect runtime anomalous behavior.

Leverage machine-learning based runtime security profiles to automate anomaly detection and incident response. Comprehensive, standard-based runtime policy library out of the box.

security icon

Block threats + enforce container runtime security.

Prevent threats in Kubernetes and remediate attacks by deploying security playbooks and third party SIEM and SOAR integrations (Splunk, Demisto, Phantom, etc).

Runtime combine monitor and secure

Comprehensive visibility, combining monitoring + security data.

Gaining visibility across both monitoring and security data turns out to be the biggest challenge for a successful cloud-native transformation journey. For example, the security team needs to know if a cryptomining or DOS attack can be further explained by an abnormal CPU metric spike. Similarly, the application performance team needs to be aware of the risk posture and potential vulnerabilities of their software applications.

Audit runtime drift.

Poor runtime security controls or devops misconfigurations increases configuration drift, diverging from the original image approved during CI/CD. Several security threats, by their very nature, only manifest during runtime:

  • 0-day vulnerabilities
  • Software bugs causing erratic behaviour or resource leaking
  • Internal privilege escalation attempts 

Runtime configuration drift
Runtime visibility

Full container runtime visibility.

Runtime visibility is key for runtime defense, incident response and forensics. Sysdig’s kernel-level inspection provides full runtime visibility into what’s happening inside your virtual machines, cloud instances and containers: File system activity, application protocols, container orchestration events and every single system call.

Taking advantage of the latest eBPF kernel technology, our agent is able to instrument your nodes without tampering with container images.

Kubernetes audit log + events.

Sysdig taps into the Kubernetes audit log API and events to detect suspicious activity coming from users or ServiceAccounts, such as:

  • Leaking private credentials into a configmap
  • Attempt to create privileged ServiceAccounts or roles
  • Tampering with the Kubernetes control plane pods
Kubernetes runtime security

Detect runtime anomalous behavior.

Security profiling machine learning

Auto-generated profiles.

Sysdig uses machine learning approach to automatically build a model of every containerized application in your environment. Models are built based on analyzing container behavior such as:

  • Process activity – which binaries are running?
  • Networking behavior – what TCP/UDP ports does this application communicate on?
  • File system activity – what files are being read or written?

Out-of-the-box security policies.

Sysdig Secure provides out of the box runtime defense with more than 60 default runtime security policies:

  • Container runtime security policies for regulatory container compliance standards: NIST SP 800-180, PCI 
  • Runtime detection of the most pervasive container attacks: cryptomining, secrets exfiltration, container isolation breaches and lateral movements
  • Kubernetes runtime security best practices 


Out of the box security policies
Customize falco rules

Build and expand your Falco Library.

Runtime security policies leverage the same rule description language used by the Falco open source project. With Sysdig Secure, you can browse and manage an extensive library of default Falco rules, customize them and create new rules through an easy to use visual interface. 

Using Falco Rule Library, security ops teams can download and implement community-driven policies from the Rules Library (such as FIM, cryptojacking, MITRE , etc)

Enforce container runtime security + block threats.

Runtime incident response

security icon

Fast + effective incident response.

Sysdig Secure event feed allows you to explore security events and active threats across your entire infrastructure. You can leverage Kubernetes metadata to focus on the events from a specific namespace, deployment or pod.

Sysdig will automatically correlate different runtime security policy violations, with other security events and executed commands including user activity, that allows you to easily analyze, understand and evaluate your security posture and response. What happened, where, when, why?


Remediate runtime security threats.

Using Sysdig runtime defense capabilities, you can automatically respond to any policy violation, triggering the bundled response actions or building your own security playbook:

  • Killing or pausing the container to stop the attack
  • Pushing the event to your SIEM or notifications to Slack, email, PagerDuty, etc
  • Capturing a detailed forensic report of the incident for later analysis
  • Implementing your own security playbook to execute advanced actions like isolating the affected components from the network


Remediate runtime security
Runtime security alert

Continuous vulnerability awareness.

Scanning your containers once during the CI/CD process is not enough. New CVEs and vulnerabilities can be discovered after the container image was deployed in production. Sysdig will keep updating its vulnerability database and matching it against the list of containers in your cluster.

As soon as any new vulnerability that affects your running containers is published you will be notified without having to periodically rescan your container registry.

Enterprise-oriented workflows for runtime security events.

Sysdig integrates with SIEM platforms like Splunk or Google Cloud SCC to allow SOC analysts gain visibility into container and Kubernetes based services.

Teams can also push alerts to downstream notification channels like SNS, email, Slack, escalation tools like PagerDuty or leverage webhooks to forward the event into a Pub/Sub message broker.


runtime security SIEM integration
Andy Vansickle-Ward

Sysdig is the only one who has unified performance monitoring and security, and done it in a low-resource and cost effective way.

Andy Vansickle-Ward, Principal DevOps Engineer. SunRun

Are you ready to begin?

We're excited to talk with you.

Sysdig Monitor

On-Demand Webinar

Running Containers in Production for Dummies.

Given by the authors of the new book - Running Containers in Production for Dummies. Are you new to containers?…

- Hosted by Jorge Salamero Sanz, Eric Carter, Knox Anderson

Watch webinar on-demand
Sysdig Monitor

Find out the Latest

29 Docker security tools compared.

There are quite a few Docker security tools in the ecosystem, how do they compare? We have gathered a list…