You move fast in the cloud. So do attackers. Shipping code to production workloads—containers, VMs, serverless functions—can surface pre‑existing misconfigurations, exposed secrets, and overprivileged identities that attackers exploit within minutes.
The combination of eBPF-based sensors with cloud/SaaS log analytics enables businesses to achieve desired outcomes while upholding regulatory requirements.
2025 Gartner® Market Guide for Cloud-Native Application Protection Platforms
Download the report to explore where cloud security is headed and what to prioritize in your strategy.
What is runtime cloud security?
Cloud infrastructure security during runtime enables organizations to identify and mitigate security threats and malicious activities while their cloud systems are operational. Protection should cover compute resources across Linux and Windows hosts, Kubernetes data plane workloads (pods, containers, nodes), and managed services. For Windows workloads, runtime security relies on OS-native telemetry sources like Event Tracing for Windows (ETW) and Sysmon alongside cloud audit logs, while Linux workloads leverage eBPF sensors.
Runtime cloud security combines:
Kernel-level sensors through eBPF to monitor system calls, processes, and network activities in real time
Near-real-time audit logs from cloud and SaaS systems: AWS CloudTrail (management and data events), Azure Activity Logs and Azure Entra ID sign-in/audit logs, GCP Audit Logs (admin activity, data access, system events), and Kubernetes API server audit logs.
Identity behavior through role assumption chains, token usage, and workload identity management
A connected graph to show cloud assets, misconfigurations, vulnerabilities, and attack paths with blast radius analysis for determining which targets attackers can realistically exploit.
The following table gives a quick comparison between runtime security and other security frameworks:
| Capability | Primary question | Data sources | Time horizon | Owners | SLAs | Representative tools/signals |
|---|---|---|---|---|---|---|
| Posture (CSPM/CNAPP) | What’s misconfigured or vulnerable? | Cloud config, IaC templates, container images/registries, SBOMs | Continuous, non‑urgent | Security + platform | Days to weeks | CSPM platforms, CNAPP suites, IaC scanners, image/SBOM analyzers |
| Runtime | What are the current security threats that are risky or malicious? | eBPF, cloud/SaaS logs, identity signals | Real‑time to minutes | Security operations + SRE | Minutes to hours | eBPF sensors, CWPP/CDR platforms, cloud/SaaS log analytics, UEBA/identity analytics |
| Incident response | What steps are needed to eliminate the threat, restore operations, and learn from the incident? | Forensics, snapshots, timelines | Hours to weeks | Security + IR + App Owners | Hours to days | DFIR tooling, SIEM/SOAR platforms, snapshot/backup systems, case management/ticketing systems |
Why is runtime cloud security essential for modern organizations?
Runtime coverage is essential because cloud speed can quickly turn small gaps into real incidents. Let’s review some real‑world examples:
Cryptomining after container compromise: A vulnerable image becomes compromised when attackers exploit it to run malicious binaries, which then establish connections to mining pools.
Key exfiltration via metadata service: The attacker uses SSRF to attack a service with default metadata access to obtain credentials, which enable them to list buckets and copy keys.
CI/CD token abuse: A stolen pipeline token (from a compromised developer workstation, exposed GitHub secret, or leaked environment variable) enables attackers to authenticate to container registries and swap legitimate images with backdoored versions.
The most dangerous situation occurs with toxic combinations: for example, a system misconfiguration with an existing vulnerability, plus a high-privileged identity and accessible sensitive data.
Emerging threats unique to cloud runtime environments
Identity‑driven lateral movement
Identity‑driven lateral movement through assume-role chains and OIDC token exchanges often evades endpoint-only detections unless security teams correlate identity logs with cloud audit trails and workload context.
Kubernetes control‑plane abuse and persistence
Cloud providers manage EKS/AKS/GKE cluster control planes, but cluster-wide damage remains possible through compromised credentials, RBAC misconfigurations, and admission controller abuse. Self-managed Kubernetes clusters introduce additional risk if etcd or control-plane nodes are misconfigured—for example, etcd exposed without TLS encryption, or control-plane API servers accessible from the public internet without proper authentication.
Container escapes and kernel‑level rootkits
Attackers use kernel vulnerabilities together with dangerous capabilities (e.g., CAP_SYS_ADMIN) to break out of containers and gain access to the kernel space.
Watch 12-minute demo
Learn about the full power of the Wiz cloud security platform. Built to protect your cloud environment from code to runtime.
Watch now
How runtime cloud security works: Technical approaches
Below are the core components of runtime cloud security and the recommended order to deploy them in production:
Deploy agentless inventory and graph context to track resources, identities, misconfigurations, exposures, and data sensitivity without requiring agent deployment; this enables you to determine the extent of a security breach.
Add an optional eBPF sensor for depth to provide measurement through its lightweight kernel-level sensor, which monitors process, syscall, and network activities for critical workloads.
Enable cloud and SaaS log ingestion from AWS CloudTrail (management and data events), Azure Activity Logs and Azure Entra ID logs (sign-in, audit, provisioning), GCP Audit Logs (admin activity, data access, system events), and Kubernetes API server audit logs. Add network flow telemetry from AWS VPC Flow Logs, Azure NSG Flow Logs, or CNI-based flows (Calico, Cilium).
Correlate signals and automate response with graph context to eliminate known development systems and focus on exploitable attack vectors while performing automatic containment and token revocation actions.
eBPF‑based kernel instrumentation
The near-real-time monitoring of Linux node activities through eBPF shows syscalls, process execs, file changes, DNS lookups, and socket operations without requiring agents in each container. The kernel-level monitoring capability of eBPF meets the requirements of Kubernetes environments that utilize containerized workloads, as pods exist temporarily and images should remain immutable.
Here's a quick list of the signals you'll capture in production:
Calls and process execution functions (execve and parent/child tree operations)
DNS and socket tracks with all incoming and outgoing network traffic patterns
File write operations that deviate from the original image content
Any unusual behavior in capability usage and isolation mechanisms
Using eBPF in Kubernetes: A security overview
eBPF provides deep visibility into network traffic and application performance while maintaining safety and efficiency by executing custom code in response to the kernel at runtime.
もっと読む
How do you ensure safe deployment and performance of eBPF‑based kernel instrumentation?
Use these quick guidelines to roll out eBPF‑based kernel instrumentation safely and keep overhead predictable:
Use modern Linux kernels with eBPF enabled and images that support your cluster's runtime (containerd/CRI‑O/Docker on older nodes).
Sensors require privileged access to function properly, so you should deploy them only on nodes that you manage, while relying on cloud/K8s audit logs for other systems.
Start with a DaemonSet on essential nodes (production, internet-exposed, data-adjacent), then validate namespace latency and measure cluster performance impact before expanding coverage.
Behavioral analytics and anomaly detection
Signals only matter when you know what "normal" looks like and can tie anomalies to context. Baseline identities and workloads correlate outliers across sources; they also map detections to MITRE ATT&CK, so the next steps are clear:
Baselines: Establish baselines for identity paths (assume‑role/OIDC) and typical service usage, as well as steady workload behavior (process trees, ports, DNS).
Correlation: Combine cloud/SaaS logs, eBPF telemetry, vulnerability/misconfig data, and data sensitivity to rank exploitability—not just oddity.
ATT&CK mapping: Align detections to MITRE ATT&CK for Cloud (AWS, Azure, GCP techniques), Containers, and Kubernetes matrices to standardize triage workflows and response playbooks across security operations teams.
What is the deployment blueprint?
Start broadly with logs, add depth where it matters, validate signal quality, and then automate actions. Use this simple sequence to land quick wins without heavy change management:
Enable log sources: Turn on CloudTrail, Azure Activity Logs, GCP Audit Logs, Kubernetes Audit Logs, and VPC/NSG/flow logs.
Prioritize sensor rollout: Start with crown-jewel workloads/nodes—production, internet-exposed, and data-adjacent.
Validate detections: Simulate benign drift and test‑domain DNS; tune allowlists with env/owner context.
Automate response: Trigger containment and token revocation via SOAR/runbooks and route with Security Graph context.
Business benefits and compliance alignment
Runtime does more than just lock down your stack—it drives business results and makes audits run smoother.
| Framework | Control families | Runtime evidence |
|---|---|---|
| PCI DSS | 10.x (logging/monitoring), 11.x (testing) | Detection timestamps, audit logs, intrusion detection alerts, file integrity monitoring |
| ISO 27001 | A.12.4 (logging), A.16.1 (incident mgmt), A.9.4 (access control) | Continuous monitoring logs, incident response timelines, identity analytics, access reviews |
| SOC 2 | CC7 (monitoring), CC6 (access), CC5 (change mgmt) | Real-time detection alerts, identity behavior baselines, change tracking, containment logs |
| NIST SP 800-53 | AU- (audit), IR- (incident response), SI- (system integrity), AC- (access control) | Audit log retention, MTTD/MTTR metrics, integrity monitoring, least-privilege analytics |
| NIS2 | Article 21 (incident handling), Article 23 (reporting) | Detection timestamps, incident timelines, 24-hour reporting evidence, containment actions |
Demonstrable ROI and risk reduction
The integration of runtime signals with cloud context enables you to remove false positives and reduce MTTR while stopping measurable critical attack paths.
Track progress with four simple KPIs: MTTD/MTTR (median and p90), high‑fidelity detection rate for P1/P2, attack‑path closure rate, and audit‑evidence cycle time.
Regulatory compliance and audit readiness
The integration of continuous monitoring with runtime evidence helps organizations fulfill PCI DSS, ISO 27001, and SOC 2 requirements more efficiently. The runtime monitoring system tracks ongoing control operations 24/7, producing timestamps for detection, triage, and containment procedures. It also demonstrates least privilege through identity analytics that detect unused roles and suspicious authorization patterns.
Our guide to fast-tracking your cloud compliance provides a framework that connects runtime evidence to PCI, DSS, ISO 27001, and SOC 2 standards. Plus, Wiz’s cloud security best practices cheat sheet puts you in control with auditor-approved documentation.
How Wiz enables comprehensive runtime cloud security
Using a single platform maintains context integrity and reduces context switching. It also reduces manual investigation and cross‑tool log hunting. Wiz pairs agentless discovery and attack‑path analysis with optional runtime depth so you operate from one source of truth.
Unified platform
Wiz Defend combines cloud and SaaS log analytics with optional eBPF sensors for real-time threat detection, automated investigation, and response. Start with agentless log-based detections for broad coverage, then add sensors to critical workloads where kernel-level visibility adds value.
Security Graph for context
Wiz Security Graph analyzes runtime events together with misconfigurations, identities, and data to identify exploitable paths, showing both blast radius and ownership information.
Runtime specifics
Protect Linux VMs and self-managed Kubernetes nodes with Wiz's eBPF‑based runtime protection, capturing process execution, syscalls, file changes, and network activity. For managed serverless container platforms (AWS Fargate, Azure Container Apps, Google Cloud Run), Wiz provides runtime security through cloud-native log analytics, function execution monitoring, and behavioral detections—no kernel access required.
Integrations and processes
Wiz lets you link detection alerts to your existing SIEM/SOAR platform, initiate incident-response runbooks, and generate tickets through your current team tools. Teams can also minimize alert fatigue via Wiz’s contextual risk assessment, which shows only the most critical signals affecting active attack paths.
See context-aware runtime detection and automated response in action—on your actual cloud environment. Request a Wiz demo!
See Wiz in action
Learn what makes Wiz the platform to enable your cloud security operation
