Safeguard
Tag

runtime-security

Safeguard articles tagged "runtime-security" — guides, analysis, and best practices for software supply chain and application security.

56 articles

Kubernetes Security

Falco vs. Tetragon vs. Tracee: choosing a Kubernetes runtime security tool

Falco graduated CNCF in February 2024, Tetragon enforces in-kernel, and Tracee ships 330+ prebuilt eBPF detections — here's when each one actually wins.

Jul 11, 20267 min read
Application Security

Reverse shell attack mechanics and detection

Reverse shells flip the direction of the connection so outbound firewall rules never fire — here is how they work and the signals that catch them anyway.

Jul 11, 20266 min read
Container Security

Container Runtime Security Monitoring: Catching the Breach in Progress

Scanning tells you what could go wrong before deploy. Runtime monitoring tells you what is going wrong right now. Here is how to detect container attacks as they happen.

Jul 8, 20265 min read
Container Security

eBPF Runtime Security for Kubernetes

eBPF lets you observe and enforce security at the kernel level — every syscall, network connection, and process exec — without kernel modules or instrumenting your apps. Here is how tools like Falco, Tetragon, and Cilium use it to catch what image scanning cannot.

Jul 8, 20266 min read
Application Security

The security case for Node.js's newer runtime features

Node's permission model went stable in v23.5.0, the built-in test runner in v20 — both quietly shrink attack surface, but neither is the sandbox teams assume it is.

Jul 8, 20267 min read
AI Security

Governing AI agents inside the execution loop

Snyk's Evo Agentic Development Security, in open preview since June 23, 2026, hooks directly into an agent's tool calls — proof that pre-deployment review can't govern a decision made mid-session.

Jul 7, 20268 min read
Container Security

Container Escape Vulnerabilities: How They Work and How to Stop Them

A container is a process with boundaries, not a virtual machine. When those boundaries fail, an attacker lands on the host. Here is the anatomy of real container escapes — runc, Leaky Vessels, Dirty Pipe — and how to defend against them.

Jul 5, 20265 min read
Buyer's Guides

Best Kubernetes Security Tools in 2026: A Buyer's Guide

A balanced buyer's guide to the best Kubernetes security tools in 2026 — Aqua, Sysdig, Falco, Kubescape, Trivy, and Wiz — covering image scanning, admission control, runtime detection, and KSPM, plus where Safeguard fits.

Jul 2, 20266 min read
Security Guides

Bun Security Best Practices (2026)

Bun is fast and Node-compatible, but unlike Deno it has no permission sandbox. Here is how to run it safely: trusted-dependency script blocking, frozen lockfiles, and real dependency auditing.

Jul 2, 20265 min read
Security Guides

Deno Security Best Practices (2026)

Deno is secure by default, but its permission model only protects you if you use it deliberately. Here is how to run Deno with least privilege and keep its dependency graph clean.

Jul 2, 20265 min read
Container Security

Docker Security Pro Tips: Hardening Beyond the Basics

You already use a non-root user and a slim base. These are the pro-level Docker hardening tips — read-only filesystems, dropped capabilities, and the docker.sock trap — that actually stop breakouts.

Jul 2, 20265 min read
Container Security

Container configuration drift detection at runtime

Container images pass CI clean, but running containers drift within hours via exec sessions, sidecars, and webhooks. Here's how to detect it at runtime.

Jun 24, 20267 min read
runtime-security — Safeguard Blog