Enable and use Container Runtime Security

Container Runtime Security provides real-time detection of container threats by integrating an eBPF-based (extended Berkeley Packet Filter) runtime sensor with Cloud Security (InsightCloudSec). By combining runtime detections with cloud context, Container Runtime Security helps security teams reduce triage time and prioritize active threats over theoretical risk.

With Container Runtime Security, you can:

  • Aggregate container runtime events alongside CSPM and cloud detections
  • Correlate runtime detections with ephemeral container assets
  • Map runtime activity to underlying cloud infrastructure
  • Prioritize threats dynamically based on severity, behavior, and asset context
  • Investigate findings with full Kubernetes asset hierarchy context

Enable Container Runtime Security

To use Container Runtime Security, you must first:

  1. Enable Kubernetes Security Guardrails
  2. Deploy runtime sensors to your Kubernetes clusters
  3. Verify event ingestion in Detection Findings

Task 1: Enable Kubernetes Security Guardrails

Container Runtime Security requires Kubernetes Security Guardrails. For detailed instructions, review Enable and use Kubernetes Security Guardrails.

Task 2: Deploy runtime sensors to clusters

Container Runtime Security uses sensors to detect Kubernetes cluster events at runtime. For detailed instructions on deploying a sensor, review Deploy and manage Kubernetes cluster sensors.

After deployment, runtime events are streamed to Rapid7 and correlated with:

  • Cloud provider misconfigurations
  • Kubernetes incidents
  • Other Kubernetes workload resources

Task 3: Verify runtime detection ingestion

After sensors are deployed:

  1. Log in to the Command Platform.
  2. Go to Findings > Detection Findings.
  3. Confirm that container runtime detections appear alongside cloud findings.
  4. Validate that runtime detections are associated with Kubernetes assets or newly created ephemeral asset records.

If detections appear in the unified findings view, Container Runtime Security is successfully enabled.

Use Container Runtime Security

Container Runtime Security unifies runtime threat detection and cloud risk findings into a single investigation workflow.

Identify and prioritize findings

Container Runtime Security differentiates between:

  • Static risk findings (for example, misconfigurations or vulnerabilities)
  • Active runtime detections (live threat activity in running containers)

Runtime detections are clearly distinguished to convey urgency and real-time threat activity.

Dynamic prioritization considers:

  • Detection severity
  • Attack patterns (for example, privilege escalation sequences, suspicious process chains)
  • Container properties (privileged mode, capability sets)
  • Frequency of security events
  • Tactics and stages of attack (when available)

This allows security teams to prioritize active threats over theoretical risk.

Investigate runtime incidents

When investigating a runtime detection, you can view:

  • Full Kubernetes asset hierarchy (Cluster → Workload → Pod → Container)
  • Related workload types:
    • Deployment
    • ReplicaSet
    • StatefulSet
    • DaemonSet
    • CronJob
    • Job
    • Pod
  • Underlying cloud infrastructure context (for example, EC2 instance or EKS cluster)
  • Detection-asset relationships for ephemeral containers that may have already terminated

Container Runtime Security supports:

Unified asset inventory

Build a comprehensive inventory combining:

  • CSPM snapshot data
  • Runtime-discovered ephemeral container assets

Short-lived containers are tracked with basic properties, including:

  • Image
  • Namespace
  • Cluster

Detection-first asset creation

If a runtime detection occurs on a container not captured in CSPM inventory scans, Container Runtime Security creates an asset record triggered by the detection. This ensures every runtime security event has asset context for investigation.

Cross-layer asset mapping

Runtime detections are linked to:

  • Kubernetes resources
  • Underlying cloud infrastructure (when available)

If cloud context is unavailable, detection records are maintained for orphaned containers.
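As an added illustrative model (not Rapid7's code or algorithm; the field names, weights and sample events are all assumptions), the following joins runtime sensor events to a CSPM snapshot, creates detection-first asset records for containers the snapshot never captured, marks orphaned containers that lack cloud context, and ranks detections by the factors listed under Identify and prioritize findings:

```python
# Added illustrative model (not Rapid7 code): join runtime detections to an asset
# inventory, create detection-first assets, then score by the page's factors.
from collections import Counter

# Constructed CSPM snapshot keyed by container id (field names are assumptions).
CSPM_INVENTORY = {
    "c-web-1": {"cluster": "prod-eks", "namespace": "web", "image": "nginx:1.25",
                "cloud": "i-0abc/EKS:prod-eks", "privileged": False, "capabilities": []},
}

# Constructed runtime sensor events; container c-job-7 never appeared in CSPM.
RUNTIME_EVENTS = [
    {"container": "c-web-1", "severity": "medium", "pattern": "suspicious-process-chain"},
    {"container": "c-job-7", "severity": "high", "pattern": "privilege-escalation",
     "cluster": "prod-eks", "namespace": "batch", "image": "cron-runner:2.1",
     "privileged": True, "capabilities": ["SYS_ADMIN"]},
    {"container": "c-job-7", "severity": "high", "pattern": "privilege-escalation",
     "cluster": "prod-eks", "namespace": "batch", "image": "cron-runner:2.1",
     "privileged": True, "capabilities": ["SYS_ADMIN"]},
]

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}        # assumed weights
PATTERN_WEIGHT = {"privilege-escalation": 3, "suspicious-process-chain": 2}
ASSET_FIELDS = ("cluster", "namespace", "image", "privileged", "capabilities", "cloud")


def build_assets(inventory, events):
    """Unified inventory: CSPM assets plus detection-first records for containers
    the snapshot never captured. A missing 'cloud' value marks an orphaned container."""
    assets = {cid: dict(a, source="cspm") for cid, a in inventory.items()}
    for ev in events:
        if ev["container"] not in assets:
            rec = {k: ev.get(k) for k in ASSET_FIELDS}
            rec["source"] = "detection"
            assets[ev["container"]] = rec
    return assets


def prioritize(assets, events):
    """Score each container: severity + attack pattern + privileged/capabilities
    + recurrence. Illustrative weights, not the product's actual algorithm."""
    freq = Counter(ev["container"] for ev in events)
    scores = {}
    for ev in events:
        asset = assets[ev["container"]]
        s = SEVERITY[ev["severity"]] + PATTERN_WEIGHT.get(ev["pattern"], 1)
        s += 2 if asset.get("privileged") else 0
        s += 1 if "SYS_ADMIN" in (asset.get("capabilities") or []) else 0
        s += freq[ev["container"]] - 1  # repeated detections raise priority
        scores[ev["container"]] = max(s, scores.get(ev["container"], 0))
    return sorted(scores.items(), key=lambda kv: -kv[1])
```

The privileged, recurring escalation on the short-lived job outranks the single medium event on the inventoried web container, and its asset record exists only because the detection created it.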

Review remediation guidance

For each runtime finding, you can:

  • Understand the attack behavior
  • Review related workload context
  • Assess potential blast radius
  • Evaluate exposed attack paths

When runtime incidents activate exploitable attack paths, impacted assets and downstream relationships are highlighted to support rapid containment decisions.

Deploy and manage runtime policies

Container Runtime Security allows you to:

  • Deploy sensors to clusters
  • Configure and monitor detection rules
  • Tune runtime policies
  • Monitor rule activity
  • Adjust prioritization based on observed behavior patterns

Take remediation actions

From a runtime finding, you can:

  • Triage and classify the incident
  • Assess lateral movement risk
  • Prioritize affected workloads
  • Initiate containment workflows (when integrated)
  • Track detection frequency and recurrence