Chapter 9
The Shadow with Red Eyes
Runtime Threat Detection
The CVE in the forest behaves like a real-world runtime threat:
- It hides in the dark (low-visibility processes).
- It moves only when the system weakens (a lantern breaks).
- It becomes “solid” when illuminated — when observability reveals its behavior.
Modern workloads need the same protection:
Use runtime detection tools such as:
- eBPF-based monitors (Tetragon, Falco)
- anomaly detection in Kubernetes
- syscall tracing
- real-time policy enforcement (alert on, or block, a process the moment it matches a rule)
Example: Falco detecting unexpected shell execution

```yaml
# spawned_process and container are macros from Falco's default ruleset
# (falco_rules.yaml); load this file after it, e.g. as falco_rules.local.yaml.
- rule: Unexpected Shell
  desc: Container launched a shell unexpectedly
  condition: >
    spawned_process and container and
    proc.name in (bash, sh, zsh)
  output: >
    Unexpected shell in container (user=%user.name command=%proc.cmdline)
  priority: WARNING
```
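To see what that rule would and would not fire on, here is an added Python example (not Falco code and not from the original chapter) that mirrors the rule's semantics: the two Falco macros `spawned_process` and `container` are reproduced as predicates, the `%field` output template is expanded the way Falco does it, and the logic is run over a handful of constructed exec events that use Falco's field names. The parent-process allowlist (`allowed_parents`) is an assumption of this example, added to show how a known-benign shell (here, an entrypoint that runs `sh -c` under supervisord) gets tuned out without silencing the `kubectl exec` case.

```python
import re

# Falco's default macros, written as Python predicates over an event dict.
def spawned_process(e):
    # macro: evt.type in (execve, execveat) and evt.dir=<
    # "<" is the syscall exit side, i.e. the exec has actually succeeded.
    return e["evt.type"] in ("execve", "execveat") and e["evt.dir"] == "<"

def container(e):
    # macro: container.id != host
    return e["container.id"] != "host"

SHELLS = ("bash", "sh", "zsh")

def unexpected_shell(e, allowed_parents=()):
    """The rule condition, plus an optional parent-process allowlist
    (an assumption of this example, not part of the chapter's rule)."""
    return (spawned_process(e) and container(e)
            and e["proc.name"] in SHELLS
            and e.get("proc.pname") not in allowed_parents)

def render(template, e):
    """Expand Falco-style %field placeholders; a missing field renders as <NA>,
    which is what Falco prints for fields it cannot resolve."""
    return re.sub(r"%([A-Za-z_.]+)",
                  lambda m: str(e.get(m.group(1), "<NA>")), template)

OUTPUT = "Unexpected shell in container (user=%user.name command=%proc.cmdline)"

# Constructed sample events (not real captures); field names follow Falco's.
SAMPLE_EVENTS = [
    # kubectl exec into a pod: interactive bash spawned by the container runtime
    {"evt.type": "execve", "evt.dir": "<", "container.id": "4f2a9c1d8e3b",
     "proc.name": "bash", "proc.pname": "runc", "user.name": "root",
     "proc.cmdline": "bash -i"},
    # the image's entrypoint legitimately running `sh -c` under supervisord
    {"evt.type": "execve", "evt.dir": "<", "container.id": "4f2a9c1d8e3b",
     "proc.name": "sh", "proc.pname": "supervisord", "user.name": "app",
     "proc.cmdline": "sh -c /app/reload.sh"},
    # an admin shell on the host, outside any container
    {"evt.type": "execve", "evt.dir": "<", "container.id": "host",
     "proc.name": "bash", "proc.pname": "sshd", "user.name": "ops",
     "proc.cmdline": "bash"},
    # a non-shell process inside the container
    {"evt.type": "execve", "evt.dir": "<", "container.id": "4f2a9c1d8e3b",
     "proc.name": "python3", "proc.pname": "sh", "user.name": "app",
     "proc.cmdline": "python3 app.py"},
    # constructed enter-side event (evt.dir ">"): the macro only matches the
    # exit side, so this must not fire even though the name is a shell
    {"evt.type": "execve", "evt.dir": ">", "container.id": "4f2a9c1d8e3b",
     "proc.name": "zsh", "proc.pname": "runc", "user.name": "root",
     "proc.cmdline": "zsh"},
]

def scan(events, allowed_parents=()):
    """Return the rendered alert line for every event that matches the rule."""
    return [render(OUTPUT, e) for e in events
            if unexpected_shell(e, allowed_parents)]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("WARNING", line)
    print("-- after allowlisting supervisord as a parent --")
    for line in scan(SAMPLE_EVENTS, allowed_parents=("supervisord",)):
        print("WARNING", line)
```

Run as-is, the scan fires twice (the `kubectl exec` bash and the supervisord `sh -c`); with `supervisord` allowlisted only the interactive bash remains. In a real Falco deployment the same tuning is done with an exception list or an extra `and not proc.pname in (...)` clause in the rule, and the host and enter-side events show why both macros belong in the condition.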
Like Gord exposing the shadow with a lantern, runtime detection exposes malicious behavior that ordinary logs never show: a shell spawned inside a container leaves no application log line, but it does leave a syscall.
Illuminate the threat → enforce policies → eliminate the danger.
Exercise
- Kill CVEs in your Docker images.
