Safeguard
Container Security

What is Container Runtime Security

Container runtime security monitors running containers for malicious behavior that image scanning can't catch — here's how it works and why it matters.

Michael
Cloud Security Architect
7 min read

Container runtime security is the practice of monitoring and protecting containers while they are actually running in production, rather than only checking their images before deployment. A container can pass every build-time scan with zero known CVEs and still get compromised an hour after it starts — through a malicious process spawned by an exploited application, a reverse shell dropped via a vulnerable dependency, or a container escape that reaches the host kernel. Sysdig's 2023 Global Threat Report found that attackers can go from initial access to a fully deployed cryptominer inside a container in under 5 minutes, and that around 10% of advanced attacks now use evasion techniques designed specifically to defeat static scanning. Runtime security closes that gap: it watches system calls, process trees, network connections, and file activity inside every running container, and it's the layer that catches what image scans, by design, cannot see.

What Is Container Runtime Security?

Container runtime security is the set of tools and practices that detect and block malicious or anomalous behavior inside containers after they've been deployed and started executing. Instead of asking "does this image contain a known vulnerability," it asks "is this running container doing something it shouldn't" — spawning an unexpected shell, writing to /etc/passwd, opening a raw socket, or attempting to mount the host filesystem. Runtime security tools typically hook into the Linux kernel via eBPF or ptrace, capture syscalls in real time, and compare observed behavior against a baseline or a rules engine like Falco (originally built by Sysdig and now a CNCF graduated project as of March 2023). Because it operates on live process and syscall data, it can detect zero-day exploitation and fileless attacks that never touch a scanned artifact.

How Does Runtime Security Differ From Image Scanning?

Image scanning checks a container image's contents before deployment; runtime security checks the container's behavior after deployment, and the two catch fundamentally different problems. A scanner like Trivy or Grype reads package manifests and matches them against CVE databases such as the NVD — useful for finding, say, a vulnerable OpenSSL version baked into a base image. But a clean scan result says nothing about what happens once that image is running: whether an attacker exploits an application-layer bug (like the Log4Shell vulnerability, CVE-2021-44228, disclosed December 9, 2021) to spawn curl | bash inside the pod, or whether a compromised CI/CD credential is used to inject a cryptominer at deploy time. Industry guidance from firms like Gartner has long recommended pairing pre-deployment scanning with runtime detection precisely because a substantial share of container risk only manifests after the container starts. Teams that rely solely on image scanning are, in effect, checking IDs at the door and then leaving the building unguarded.

What Attack Techniques Does Runtime Security Need to Catch?

Runtime security tools are built to catch container escapes, in-memory exploitation, and credential theft — three attack classes that image scanning structurally cannot detect. Container escapes exploit flaws in the container runtime or kernel itself: CVE-2019-5736, disclosed February 11, 2019, let a malicious container overwrite the host's runc binary and execute code as root on the host; CVE-2022-0185, patched in January 2022, was a Linux kernel filesystem-context heap overflow used in real exploits to break out of containers with only a single unprivileged capability. "Dirty Pipe" (CVE-2022-0847, disclosed March 7, 2022) allowed overwriting supposedly read-only files, including SUID binaries, and was quickly weaponized for container-to-host escapes. None of these require a vulnerable package to be present in the image — they exploit the runtime environment itself, which is why detection has to happen at the syscall level, in real time, while the container is running.

What Do Real-World Runtime Attacks on Containers Look Like?

Real-world runtime attacks overwhelmingly target exposed container APIs and misconfigured daemons to deploy cryptominers and steal cloud credentials. In 2018, Kromtech Security discovered 17 malicious images on Docker Hub that had been collectively pulled more than 5 million times, netting operators over $90,000 in illicit Monero mining revenue before Docker removed them — none of that activity was visible in the image manifest, only in what the containers did once running. TeamTNT, a cryptojacking group first tracked in mid-2020, scanned the internet for exposed Docker APIs on port 2375 and Kubernetes kubelets, then used running containers to harvest AWS IAM credentials from the instance metadata service. Kinsing malware, active since 2020 and still observed in Aqua Security's honeypot telemetry as of 2023, follows a similar pattern: it exploits misconfigured or internet-facing Docker daemons, deploys a container, and immediately begins cryptomining and lateral movement — behavior a build-time scan of the base image would never surface, because the malicious image is pulled and run only after the initial compromise.

What Technology Actually Powers Container Runtime Security?

Modern container runtime security is built on eBPF-based kernel instrumentation, syscall auditing, and policy engines like Falco, seccomp, and AppArmor, layered together rather than used in isolation. eBPF (extended Berkeley Packet Filter) lets a monitoring agent run sandboxed programs directly in the Linux kernel to observe every process, file, and network event with low overhead, which is why it replaced older ptrace- and kernel-module-based agents starting around 2019-2020. Falco evaluates that stream of events against declarative rules (for example, "alert if a shell is spawned inside a container" or "alert on writes to /etc/shadow") and became a CNCF graduated project in March 2023, putting it in the same governance tier as Kubernetes and Prometheus. Seccomp profiles restrict which syscalls a container can make at all — Docker's default seccomp profile blocks around 44 of the roughly 300-plus Linux syscalls — while AppArmor and SELinux add mandatory access control on top. None of these tools alone is sufficient; runtime security products correlate signals across all of them to cut false positives and reconstruct full attack chains.

How Should Teams Implement Container Runtime Security in Production?

Teams should implement container runtime security by deploying kernel-level sensors as a DaemonSet across every node, defining behavioral baselines per workload, and connecting alerts to automated response — not by treating it as a standalone dashboard. In Kubernetes, that typically means running an eBPF-based agent on each node (rather than a sidecar per pod, which doesn't scale past a few hundred pods without meaningful CPU overhead), enforcing least-privilege Pod Security Standards, and setting resource-and-capability-restricted securityContext fields as a first line of defense before runtime detection ever fires. Detection rules should be tuned against a 1-2 week baseline of normal process and network behavior per deployment, since a payments service and a batch ETL job have very different "normal." Finally, runtime alerts are only as useful as the response attached to them — automatically killing the pod, isolating the node, or rotating an exposed credential — because a 2 a.m. Slack alert about a cryptominer that isn't acted on for six hours has already cost the mining fees and, potentially, the underlying cloud credentials.

How Safeguard Helps

Safeguard extends container runtime security upstream, so teams aren't only reacting to what's already executing in production. Safeguard's reachability analysis determines which vulnerabilities in a running container's dependencies are actually exploitable given the application's real call paths, cutting through the noise of CVEs that a runtime sensor would otherwise flag as equally urgent. Griffin AI correlates runtime alerts, SBOM data, and code-level context to distinguish an active container escape attempt from routine background noise, and to explain the finding in plain language for on-call engineers. Safeguard generates and ingests SBOMs at build time so the vulnerability data behind every runtime alert is accurate and current, and where a fix exists, Safeguard opens an auto-fix pull request that patches the vulnerable dependency directly — closing the loop from runtime detection back to a shipped fix without a manual triage cycle.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.