In the past year, 89% of organizations have experienced at least one container or Kubernetes security incident, making security a high priority for DevOps and security teams.
Despite the opinion of many DevOps teams that Kubernetes is not secure, it accounts for 92% of the container market. Gartner predicts that 95% of enterprises will have containerized applications in production by 2029, a significant increase from less than 50% last year.
While misconfigurations are responsible for 40% of incidents and 26% of respondents reported that their organization failed audits, the underlying weaknesses of Kubernetes security have not yet been fully addressed. One of the most pressing issues is sifting through the vast number of alerts being produced and finding those that reflect a credible threat.
Kubernetes attacks are on the rise
Attackers find Kubernetes environments an easy target due to the growing number of misconfigurations and vulnerabilities that companies using them are not fixing quickly – if at all. Red Hat’s latest State of Kubernetes Security Report found that 45% of DevOps teams experience security incidents during the runtime phase, with attackers exploiting live vulnerabilities.
The Cloud Native Computing Foundation’s Kubernetes report found that 28% of organizations are running more than 90% of workloads in insecure Kubernetes configurations. More than 71% of workloads run with root access, increasing the potential for system compromise.
Traditional approaches to defending against attacks are failing to keep pace. Attackers know they can move faster than organizations once a misconfiguration, vulnerability or exposed service is discovered: they are known to go from initial intrusion to control of a container in minutes. Traditional security tools and platforms can take days to detect, remediate and close critical holes.
As attackers hone their craft and arsenal of tools, organizations need more real-time data to stand a chance against Kubernetes attacks.
Why alert-based systems are not enough
Nearly all organizations that have standardized Kubernetes as part of their DevOps process rely on alert-based systems as their first line of defense against container attacks. Aqua Security, Twistlock (now part of Palo Alto Networks), Sysdig and StackRox (Red Hat) offer Kubernetes solutions that provide threat detection, visibility and vulnerability scanning. Each of them offers container security solutions and has announced or is shipping AI-based automation and analytics tools to improve threat detection and improve response times in complex cloud-native environments.
Each generates an exceptionally high number of alerts that often require manual intervention, wasting valuable time for Security Operations Center (SOC) analysts. This usually leads to alert fatigue among security teams, with more than 50% of security professionals saying they are overwhelmed by the flood of notifications from such systems.
As Laurent Gil, co-founder and Chief Product Officer at CAST AI, told VentureBeat: “If you use traditional methods, you spend time responding to hundreds of alerts, many of which could be false positives. It is not scalable. Automation is crucial: real-time detection and immediate resolution make the difference.”
The goal: Securing Kubernetes containers with real-time threat detection
Attackers relentlessly pursue the weakest part of an attack surface, and with Kubernetes containers, runtime becomes a favorite target. That’s because containers are live and processing workloads during the runtime phase, which makes it possible to exploit misconfigurations, privilege escalations or unpatched vulnerabilities. This phase is especially attractive for crypto mining, where attackers hijack compute resources to mine cryptocurrency. “One of our customers saw 42 attempts to initiate crypto mining in their Kubernetes environment. Our system immediately identified and blocked them all,” Gil told VentureBeat.
Furthermore, large-scale attacks such as identity theft and data breaches often begin once attackers gain unauthorized access at runtime, where sensitive information is in use and thus more exposed.
Based on the threats and attack attempts that CAST AI saw in the wild and among its customer base, the company launched its Kubernetes Security Posture Management (KSPM) solution this week.
What’s notable about the approach is how DevOps teams can detect and automatically remediate security threats in real time. While competitor platforms offer strong threat visibility and detection, CAST AI has designed real-time remediation that automatically resolves issues before they escalate.
Hugging Face, known for its Transformers library and contributions to AI research, faced significant challenges in managing runtime security in large and complex Kubernetes environments. Adrien Carreira, head of infrastructure at Hugging Face, notes: “CAST AI’s KSPM product identifies and blocks 20 times more runtime threats than any other security tool we’ve used.”
Mitigating the threat of compromised Kubernetes containers should also include scanning clusters for misconfigurations, image vulnerabilities and runtime anomalies. CAST AI has made this a design goal of its KSPM solution by making automated recovery, independent of human intervention, a core part of the product. Ivan Gusev, chief cloud architect at OpenX, commented: “This product was incredibly easy to use and delivered security insights in a much more actionable format than our previous vendor. Continuous monitoring for runtime threats is now the core of our environment.”
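To make the misconfiguration classes mentioned above concrete (workloads running as root, privileged containers, host namespace sharing, unpinned images), here is an added example of a posture check written for this article. It is not CAST AI’s or any other vendor’s code. It audits plain dicts shaped like the Kubernetes Pod API object, so it can be pointed at the JSON that kubectl get pods -o json returns (loading that JSON is left to the caller); the two pod specs embedded below are constructed samples, one weak and one hardened.

```python
"""Audit Kubernetes Pod objects for common runtime misconfigurations.

Example code added for this article, not a vendor's product code. It
inspects dicts with the Kubernetes Pod API shape (metadata/spec) and
never contacts a cluster; the sample pods at the bottom are constructed.
"""
from typing import Any


def _effective(container: dict, pod_sc: dict, key: str, default=None):
    """A container-level securityContext field overrides the pod-level one."""
    csc = container.get("securityContext") or {}
    if key in csc:
        return csc[key]
    return pod_sc.get(key, default)


def _image_is_pinned(image: str) -> bool:
    """True if the image reference carries a digest or a non-'latest' tag."""
    ref = image.rsplit("/", 1)[-1]          # strip registry/repo path
    if "@sha256:" in ref:
        return True
    return ":" in ref and not ref.endswith(":latest")


def audit_pod(pod: dict[str, Any]) -> list[str]:
    """Return human-readable findings for one Pod (empty list = no issues)."""
    findings: list[str] = []
    meta = pod.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}

    # Sharing host PID/network/IPC namespaces weakens container isolation.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{name}: pod shares host namespace ({flag}=true)")

    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        cname = c.get("name", "?")
        csc = c.get("securityContext") or {}
        run_as_user = _effective(c, pod_sc, "runAsUser")
        run_as_non_root = _effective(c, pod_sc, "runAsNonRoot", False)
        # UID 0 set explicitly, or nothing forcing non-root: the image's USER
        # directive then decides, and most images default to root.
        if run_as_user == 0 or (run_as_user is None and not run_as_non_root):
            findings.append(f"{name}/{cname}: runs as root (no runAsNonRoot/runAsUser)")
        if csc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        # Kubernetes defaults allowPrivilegeEscalation to true unless set.
        if csc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation not disabled")
        caps = (csc.get("capabilities") or {}).get("add", [])
        if any(cap in ("SYS_ADMIN", "NET_ADMIN", "ALL") for cap in caps):
            findings.append(f"{name}/{cname}: adds dangerous capabilities {caps}")
        image = c.get("image", "")
        if not _image_is_pinned(image):
            findings.append(f"{name}/{cname}: image '{image}' is not pinned to a version")
    return findings


def root_workload_ratio(pods: list[dict]) -> float:
    """Share of pods with at least one container running as root, the kind
    of figure the CNCF statistic quoted in the article reports."""
    if not pods:
        return 0.0
    hits = sum(1 for p in pods if any("runs as root" in f for f in audit_pod(p)))
    return hits / len(pods)


# Constructed sample: the weak configuration this article warns about.
WEAK_POD = {
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "app",
            "image": "registry.example/app:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed sample: the same workload with a hardened securityContext.
HARDENED_POD = {
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "app",
            "image": "registry.example/app:1.4.2",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        for finding in audit_pod(pod) or ["no findings"]:
            print(finding)
    print(f"root workloads: {root_workload_ratio([WEAK_POD, HARDENED_POD]):.0%}")
```

The check is deliberately conservative: a container is reported as running as root whenever nothing in the manifest forces otherwise, because the image’s own USER setting is invisible from the Pod object. That bias toward reporting is the same trade-off the article describes, which is why a scanner like this is most useful paired with remediation (rewriting the securityContext or admission-time rejection) rather than as one more alert source.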
Why real-time threat detection is essential
The real-time nature of any KSPM solution is essential for combating Kubernetes attacks, especially at runtime. Jérémy Fridman, head of information security at PlayPlay, emphasizes: “Since adopting CAST AI for Kubernetes management, our security posture has become significantly more robust. The automation features – both for cost optimization and security – embody the spirit of DevOps, making our work more efficient and secure.”
The CAST AI Security Dashboard below illustrates how the system provides continuous scanning and real-time remediation. The dashboard monitors nodes, workloads and image repositories for vulnerabilities, surfacing critical insights alongside immediate fixes.
Another benefit of integrating real-time detection into the core of any KSPM solution is the ability to patch containers in real time. “Automation means that your system always runs on the latest, most secure versions. We don’t just warn you about threats; we fix them even before your security team gets involved,” Gil said.
Ramping up Kubernetes security is a must-have in 2025
The bottom line is that Kubernetes containers are increasingly under attack, especially at runtime, putting entire enterprises at risk.
Runtime attacks are approaching an epidemic as the value of cryptocurrency soars in response to global economic and political uncertainty. Any organization using Kubernetes containers should be especially wary of crypto mining. For example, unauthorized crypto mining on AWS can quickly rack up huge bills as attackers exploit vulnerabilities to run demanding mining operations on EC2 instances, consuming enormous computing power. This underlines the need for real-time monitoring and robust security controls to prevent such costly breaches.