runtime-security
Safeguard articles tagged "runtime-security" — guides, analysis, and best practices for software supply chain and application security.
56 articles
Falco vs. Tetragon vs. Tracee: choosing a Kubernetes runtime security tool
Falco graduated CNCF in February 2024, Tetragon enforces in-kernel, and Tracee ships 330+ prebuilt eBPF detections — here's when each one actually wins.
Reverse shell attack mechanics and detection
Reverse shells flip the direction of the connection so outbound firewall rules never fire — here is how they work and the signals that catch them anyway.
Container Runtime Security Monitoring: Catching the Breach in Progress
Scanning tells you what could go wrong before deploy. Runtime monitoring tells you what is going wrong right now. Here is how to detect container attacks as they happen.
eBPF Runtime Security for Kubernetes
eBPF lets you observe and enforce security at the kernel level — every syscall, network connection, and process exec — without kernel modules or instrumenting your apps. Here is how tools like Falco, Tetragon, and Cilium use it to catch what image scanning cannot.
The security case for Node.js's newer runtime features
Node's permission model went stable in v23.5.0, the built-in test runner in v20 — both quietly shrink attack surface, but neither is the sandbox teams assume it is.
Governing AI agents inside the execution loop
Snyk's Evo Agentic Development Security, in open preview since June 23, 2026, hooks directly into an agent's tool calls — proof that pre-deployment review can't govern a decision made mid-session.
Container Escape Vulnerabilities: How They Work and How to Stop Them
A container is a process with boundaries, not a virtual machine. When those boundaries fail, an attacker lands on the host. Here is the anatomy of real container escapes — runc, Leaky Vessels, Dirty Pipe — and how to defend against them.
Best Kubernetes Security Tools in 2026: A Buyer's Guide
A balanced buyer's guide to the best Kubernetes security tools in 2026 — Aqua, Sysdig, Falco, Kubescape, Trivy, and Wiz — covering image scanning, admission control, runtime detection, and KSPM, plus where Safeguard fits.
Bun Security Best Practices (2026)
Bun is fast and Node-compatible, but unlike Deno it has no permission sandbox. Here is how to run it safely: trusted-dependency script blocking, frozen lockfiles, and real dependency auditing.
Deno Security Best Practices (2026)
Deno is secure by default, but its permission model only protects you if you use it deliberately. Here is how to run Deno with least privilege and keep its dependency graph clean.
Docker Security Pro Tips: Hardening Beyond the Basics
You already use a non-root user and a slim base. These are the pro-level Docker hardening tips — read-only filesystems, dropped capabilities, and the docker.sock trap — that actually stop breakouts.
Container configuration drift detection at runtime
Container images pass CI clean, but running containers drift within hours via exec sessions, sidecars, and webhooks. Here's how to detect it at runtime.