

In the past year, 89% of organizations have experienced at least one container or Kubernetes security incident, making security a high priority for DevOps and security teams.

Despite the belief among many DevOps teams that Kubernetes is not secure, it still controls 92% of the container market. Gartner predicts that 95% of enterprises will have containerized applications in production by 2029, a significant jump from less than 50% last year.

While misconfigurations account for 40% of incidents and 26% of respondents reported that their organizations failed audits, the underlying weaknesses of Kubernetes security have not been fully addressed. One of the most pressing issues is deciphering the sheer volume of alerts produced and finding those that reflect a credible threat.

Kubernetes attacks on the rise

Attackers find Kubernetes environments an easy target due to the growing number of misconfigurations and vulnerabilities that enterprises are slow to fix, if they fix them at all. Red Hat’s latest State of Kubernetes Security report found that 45% of DevOps teams experience security incidents during the runtime phase, with attackers exploiting vulnerabilities live.

The Cloud Native Computing Foundation’s Kubernetes Report found that 28% of organizations are running more than 90% of workloads in insecure Kubernetes configurations. More than 71% of workloads are running with root access, increasing the risk of system compromise.

Traditional approaches to defending against attacks can’t keep up. Attackers know they can move faster than organizations once a misconfiguration, vulnerability, or exposed service is discovered. They are known for taking only minutes to go from initial compromise to control of a container, while traditional security tools and platforms can take days to detect, remediate, and close critical holes.

As attackers continue to sharpen their skills and arsenal of tools, organizations need more real-time data to stand a chance against Kubernetes attacks.

Why Alert-Based Systems Are Not Enough

Nearly all organizations that have standardized on Kubernetes as part of their DevOps process rely on alert-based systems as their first line of defense against container attacks. Aqua Security, Twistlock (now part of Palo Alto Networks), Sysdig, and StackRox (Red Hat) offer Kubernetes solutions that provide threat detection, visibility, and vulnerability scanning. Each offers container security solutions and has announced or is shipping AI-based automation and analytics tools to improve threat detection and response times in complex cloud-native environments.

Each generates an exceptionally high volume of alerts that often require manual intervention, wasting valuable time for Security Operations Center (SOC) analysts. This typically leads to alert fatigue among security teams, as over 50% of security professionals report being overwhelmed by the flood of notifications from such systems.

As Laurent Gil, co-founder and chief product officer at CAST AI, told VentureBeat, “If you use traditional methods, you spend time responding to hundreds of alerts, many of which could be false positives. It’s not scalable. Automation is key: real-time detection and immediate remediation make the difference.”

The goal: Secure Kubernetes containers with real-time threat detection

Attackers relentlessly pursue the weakest point of an attack surface, and with Kubernetes containers, runtime has become a favorite target. That’s because containers are live and processing workloads during the runtime phase, making it possible to exploit misconfigurations, privilege escalations, or unpatched vulnerabilities. This phase is particularly attractive for crypto mining operations, where attackers hijack compute resources to mine cryptocurrency. “One of our customers saw 42 attempts to start crypto mining in their Kubernetes environment. Our system identified and blocked all of them immediately,” Gil told VentureBeat.

Additionally, large-scale attacks such as identity theft and data breaches often begin once attackers gain unauthorized access during runtime, leveraging sensitive information and thus making it more vulnerable.

Based on the threats and attack attempts CAST AI saw in the wild and across their customer base, they launched their Kubernetes Security Posture Management (KSPM) solution this week.

What stands out about their approach is how it enables DevOps operations to detect and automatically remediate security threats in real time. While competitor platforms offer strong visibility and threat detection, CAST AI has designed real-time remediation that automatically resolves issues before they escalate.

Hugging Face, known for its Transformers library and contributions to AI research, faced significant challenges managing runtime security across large and complex Kubernetes environments. Adrien Carreira, Head of Infrastructure at Hugging Face, notes, “CAST AI’s KSPM product identifies and blocks 20x more runtime threats than any other security tool we’ve used.”

Mitigating the threat of compromised Kubernetes containers must also include scanning clusters for misconfigurations, image vulnerabilities, and runtime anomalies. CAST AI has made this a design goal in their KSPM solution by making automated remediation, independent of human intervention, a core part of their solution. Ivan Gusev, principal cloud architect at OpenX, noted, “This product was incredibly easy to use and delivered security insights in a much more usable format than our previous vendor. Continuous monitoring for runtime threats is now core to our environment.”

Why Real-Time Threat Detection is Essential

The real-time nature of any KSPM solution is essential for combating Kubernetes attacks, especially during runtime. Jérémy Fridman, Head of Information Security at PlayPlay, emphasized: “Since we implemented CAST AI for Kubernetes management, our security posture has become significantly more robust. The automation features, both for cost optimization and security, embody the spirit of DevOps, making our work more efficient and secure.”

The CAST AI Security Dashboard below illustrates how their system provides continuous scanning and real-time remediation. The dashboard monitors nodes, workloads, and image repositories for vulnerabilities, surfaces critical insights, and provides immediate remediation.

Image: CAST AI Security Dashboard. Source: CAST AI

Another benefit of integrating real-time detection into the core of any KSPM solution is the ability to patch containers in real time. “Automation means your system is always running on the latest, most secure versions. We don’t just alert you to threats; we fix them, even before your security team gets involved,” Gil said.

Improving Kubernetes security is a must in 2025

The bottom line is that Kubernetes containers are increasingly under attack, especially at runtime, putting entire enterprises at risk.

Runtime attacks are approaching epidemic proportions as the value of cryptocurrencies soars in response to global economic and political uncertainty. Any organization using Kubernetes containers needs to be extra vigilant against crypto mining. Illicit crypto mining on AWS, for example, can quickly rack up huge bills as attackers exploit vulnerabilities to run high-demand mining operations on EC2 instances, consuming significant computing power. This underscores the need for real-time monitoring and robust security controls to prevent such costly breaches.