Find the attack path before it becomes an incident.
KubeDefence maps ingress, workload, image, identity, node, backup, and compliance evidence into one operational trail for Kubernetes security reviews. Teams can see what is reachable, what is exploitable, and what proves the fix.
A security review flow built around proof, not noise.
KubeDefence is built around the questions that come up in real reviews: what is exposed, which workload is reachable, what identity can do damage, and which evidence proves the fix.
Enroll customer clusters
Install a lightweight, low-overhead DaemonSet-based agent to collect node, workload, image, RBAC, exposure, and compliance signals from shared K8s clusters.
Correlate real exposure
Move beyond flat severity by correlating public access, privileged containers, service accounts, image risk, namespace policy, and runtime context.
Prove every remediation
Track evidence from detection to remediation with affected resources, scan history, agent heartbeat, and compliance-ready reporting.
Retain operational evidence
Add image scanning and full cluster backup-to-S3 workflows so teams can assess running workloads and retain recoverable cluster state. Restore actions stay gated behind RBAC and explicit approval workflows.
Kubernetes risk is no longer one isolated misconfiguration.
Modern cluster risk is a chain: exposed entry point, vulnerable image, broad service account, privileged pod, weak network policy, and missing evidence.
Exposure without context
A public LoadBalancer or ingress only matters when you can see the workload, image, service account, namespace controls, and blast radius behind it.
Flat findings overload
Teams lose time when every misconfig looks equal. KubeDefence shows why a finding matters and which resources are actually affected.
Manual audit evidence
Audit preparation is painful when cluster inventory, CIS checks, image evidence, backups, and remediation status live in separate tools.
From posture checks to evidence-backed attack paths.
We are building KubeDefence around the workflows security teams actually need: collect agent telemetry, correlate exposure, prioritize exploitable paths, fix, prove, and retain evidence.
Attack Path Sequencing
Connect cloud account or environment, K8s cluster, namespace, workload, pod, container, image, service account, RBAC, exposure, and findings into a readable risk path.
Exposure Detection
Identify public LoadBalancers, risky ingress, missing NetworkPolicy, hostNetwork, hostPort, weak TLS, and sensitive namespace exposure.
Risk-Based Prioritization
Rank issues by severity plus exploitability signals like internet exposure, privileged execution, secrets access, broad RBAC, and running workload status.
Image Scanning
Scan running pod images, cache by image digest, surface critical and high CVEs, and tie image risk back to exposed workloads.
Cluster Backup to S3
Create full Kubernetes cluster backups in your S3 bucket for audit, review, and operational evidence. Restore workflows stay gated through product RBAC, approval chains, and controlled testing to avoid accidental overwrite risk.
Evidence Timeline
Show when an issue appeared, which scan detected it, which resources are affected, whether runtime behavior was observed, and when it was fixed.
Explain the attack sequence, not just the finding.
Security teams need to understand how a real attacker could move. KubeDefence uses agent telemetry and posture evidence to connect exposure, service routing, workload identity, image risk, and secrets access into one readable attack path.
- Source: ALB, Service, Ingress
- Evidence: Internet listener routes to a production namespace.
- KubeDefence action: Show exact exposed workload path.
See the KubeDefence workflow in action.
Preview the real product flow across dashboard posture, security center, findings, inventory, image scanning, and cluster backup workflows.
One evidence layer for every Kubernetes security decision.
Correlate inventory, CIS checks, exposure paths, image scans, runtime direction, backup evidence, and remediation status so platform, security, and audit teams can explain risk from the same live source of truth.
"The useful part is not another scanner. It is seeing the exposure path, the affected resources, and the evidence that proves the fix worked."
Where KubeDefence is heading.
Our goal is to become the Kubernetes defense layer that combines posture, cloud context, runtime signals, evidence, and remediation into a product teams can trust every day.
KSPM foundation
K8s onboarding, agent telemetry, cluster inventory, grouped findings, attack paths, severity-based triage, remediation, reports, integrations, image scanning, and full cluster backup-to-S3 requests.
Cloud and exposure correlation
Cloud provider context for worker pools, IAM or service roles, security groups, public endpoints, load balancers, network exposure, audit change signals, and drift detection.
Falco/eBPF runtime defense
Falco and eBPF-based runtime detections for reverse shells, suspicious process execution, container escape indicators, sensitive file tampering, and unexpected egress.
Designed around clusters, nodes, and evidence retention.
Pricing should scale with how much Kubernetes surface area we protect and how much evidence customers need to retain.
Starter
For teams validating KSPM on a small K8s footprint
$499/month
- Up to 3 clusters
- Automatic posture scans every 5 hours
- CIS and workload findings
- Inventory and grouped resources
- 30-day evidence retention
- Email support
Professional
For shared K8s fleets that need attack-path context and evidence
$1,499/month
- Up to 15 clusters
- Agent telemetry and attack paths
- Image scanning for running workloads
- Bring-your-own S3 bucket backup workflows
- Integrations and alert rules
- 90-day evidence retention
- Priority support
Enterprise
For regulated teams and large Kubernetes platforms
Custom
- Unlimited clusters
- Custom retention and reporting
- Private customer-cloud deployment option
- SSO and product RBAC roadmap
- Falco/eBPF runtime sensor design partnership
- Dedicated onboarding support
- Custom evidence exports
Ready to defend your Kubernetes fleet?
Use KubeDefence to find exposed workloads, prioritize exploitable risk, prove remediation, and build a stronger Kubernetes security operating model.
Pilot-ready • K8s-focused • Built for posture, attack paths, evidence, and runtime direction