Join our daily and weekly newsletters for the latest updates and exclusive content on industry-leading AI coverage. Learn More
Over the last year 89% of organizations experienced at least one container or Kubernetes security incident, making security a high priority for DevOps and security teams.
Despite many DevOps teams’ opinions of Kubernetes not being secure, it commands 92% of the container market. Gartner predicts that 95% of enterprises will be running containerized applications in production by 2029, a significant jump from less than 50% last year.
While misconfigurations are responsible for 40% of incidents and 26% reported their organizations failed audits, the underlying weaknesses of Kubernetes security haven’t yet been fully addressed. One of the most urgent issues is deciphering the massive number of alerts produced and finding the ones that reflect a credible threat.
Kubernetes attacks are growing
Attackers are finding Kubernetes environments to be an easy target due to the growing number of misconfigurations and vulnerabilities enterprises using them are not resolving quickly – if at all. Red Hat’s latest state of Kubernetes security report found that 45% of DevOps teams are experiencing security incidents during the runtime phase, where attackers exploit live vulnerabilities.
The Cloud Native Computing Foundations’ Kubernetes report found that 28% of organizations have over 90% of workloads running in insecure Kubernetes configurations. More than 71% of workloads are running with root access, increasing the probability of system compromises.
Traditional approaches to defending against attacks are failing to keep up. Attackers know they can move faster than organizations once a misconfiguration, vulnerability or exposed service is discovered. Known for taking minutes from initial intrusion to taking control of a container, attackers exploit weaknesses and gaps in Kubernetes security in minutes. Traditional security tools and platforms can take days to detect, remediate and close critical gaps.
As attackers sharpen their tradecraft and arsenal of tools, organizations need more real-time data to stand a chance against Kubernetes attacks.
Why alert-based systems aren’t enough
Nearly all organizations that have standardized Kubernetes as part of their DevOps process rely on alert-based systems as their first line of defense against container attacks. Aqua Security, Twistlock (now part of Palo Alto Networks), Sysdig, and StackRox (Red Hat) offer Kubernetes solutions that provide threat detection, visibility and vulnerability scanning. Each offers container security solutions and has either announced or is shipping AI-based automation and analytics tools to enhance threat detection and improve response times in complex cloud-native environments.
Each generates an exceptionally high volume of alerts that often require manual intervention, which wastes valuable time for security operations center (SOC) analysts. It usually leads to alert fatigue for security teams, as more than 50% of security professionals report being overwhelmed by the flood of notifications from such systems.
As Laurent Gil, co-founder and chief product officer at CAST AI, told VentureBeat: “If you’re using traditional methods, you are spending time reacting to hundreds of alerts, many of which might be false positives. It’s not scalable. Automation is key—real-time detection and immediate remediation make the difference.”
The goal: secure Kubernetes containers with real-time threat detection
Attackers are ruthless in pursuing the weakest threat surface of an attack vector, and with Kubernetes containers runtime is becoming a favorite target. That’s because containers are live and processing workloads during the runtime phase, making it possible to exploit misconfigurations, privilege escalations or unpatched vulnerabilities. This phase is particularly attractive for crypto-mining operations where attackers hijack computing resources to mine cryptocurrency. “One of our customers saw 42 attempts to initiate crypto-mining in their Kubernetes environment. Our system identified and blocked all of them instantly,” Gil told VentureBeat.
Additionally, large-scale attacks, such as identity theft and data breaches, often begin once attackers gain unauthorized access during runtime where sensitive information is used and thus more exposed.
Based on the threats and attack attempts CAST AI saw in the wild and across their customer base, they launched their Kubernetes Security Posture Management (KSPM) solution this week.
What is noteworthy about their approach is how it enables DevOps operations to detect and automatically remediate security threats in real-time. While competitors’ platforms offer strong visibility and threat detection CAST AI has designed real-time remediation that automatically fixes issues before they escalate.
Hugging Face, known for its Transformers library and contributions to AI research, faced significant challenges in managing runtime security across vast and complex Kubernetes environments. Adrien Carreira, head of infrastructure at Hugging Face, notes, “CAST AI’s KSPM product identifies and blocks 20 times more runtime threats than any other security tool we’ve used.”
Alleviating the threat of compromised Kubernetes containers also needs to include scans of clusters for misconfigurations, image vulnerabilities and runtime anomalies. CAST AI set this as a design goal in their KSPM solution by making automated remediation, independent of human intervention, a core part of their solution. Ivan Gusev, principal cloud architect at OpenX, noted, “This product was incredibly user-friendly, delivering security insights in a much more actionable format than our previous vendor. Continuous monitoring for runtime threats is now core to our environment.”
Why Real-Time Threat Detection Is Essential
The real-time nature of any KSPM solution is essential for battling Kubernetes attacks, especially during runtime. Jérémy Fridman, head of information security at PlayPlay, emphasized, “Since adopting CAST AI for Kubernetes management, our security posture has become significantly more robust. The automation features—both for cost optimization and security—embody the spirit of DevOps, making our work more efficient and secure.”
The CAST AI Security Dashboard below illustrates how their system provides continuous scanning and real-time remediation. The dashboard monitors nodes, workloads, and image repositories for vulnerabilities, displaying critical insights and offering immediate fixes.
Source: CAST AIAnother advantage of integrating real-time detection into the core of any KSPM solution is the ability to patch containers in real time. “Automation means your system is always running on the latest, most secure versions. We don’t just alert you to threats; we fix them, even before your security team gets involved,” Gil said.
Stepping up Kubernetes security is a must-have in 2025
The bottom line is that Kubernetes containers are under increasing attack, especially at runtime, putting entire enterprises at risk.
Runtime attacks are approaching an epidemic as cryptocurrency values soar in response to global economic and political uncertainty. Every organization using Kubernetes containers must be especially on guard against crypto mining. For example, illegal crypto mining on AWS can quickly generate enormous bills as attackers exploit vulnerabilities to run high-demand mining operations on EC2 instances, consuming vast computing power. This underscores the need for real-time monitoring and robust security controls to prevent such costly breaches.