• YouTube playlist
• YouTube playlist

Detection

• Keynote: Detecting Threats in GitHub with Falco
• Threat Hunting at Scale: Auditing Thousands of Clusters With Falco
• Security Kill Chain Stages in a 100k+ Daily Container Environment with Falco
• Falco to Pluginfinity and Beyond
• Uncovering a Sophisticated Kubernetes Attack in Real Time Part II.
• Keeping your cluster safe from attacks with eBPF
• Threat Modeling Kubernetes: A Lightspeed Introduction
• Threat Hunting at Scale: Auditing Thousands of Clusters With Falco
• Falco to Pluginfinity and Beyond
• Threat Modeling Kubernetes: A Lightspeed Introduction
• Purple Teaming Like Sky’s the Limit – Adversary Emulation in the Cloud

Hardening

• Securing Kubernetes Applications by Crafting Custom Seccomp Profiles
• The Hitchhiker's Guide to Pod Security
• You and Your Security Profiles; Generating Security Policies with the Help of eBPF
• Using the EBPF Superpowers To Generate Kubernetes Security Policies
• Komrade: an Open-Source Security Chaos Engineering (SCE) Tool for
• Securing Kubernetes Applications by Crafting Custom Seccomp Profiles
• The Hitchhiker's Guide to Pod Security
• Using the EBPF Superpowers To Generate Kubernetes Security Policies
• Komrade: an Open-Source Security Chaos Engineering (SCE) Tool for

Attacks

• Advanced Persistence Threats: The Future of Kubernetes Attacks
• Bypassing Falco: How to Compromise a Cluster without Tripping the SOC
• A Treasure Map of Hacking (and Defending) Kubernetes
• How Attackers Use Exposed Prometheus Server to Exploit
• Trampoline Pods: Node to Admin PrivEsc Built Into Popular K8s Plat
• Three Surprising K8s Networking “Features” and How to Defend Against Them
• A Compendium of Container Escapes
• The Path Less Traveled: Abusing Kubernetes Defaults
• Bypassing Falco: How to Compromise a Cluster without Tripping the SOC
• A Treasure Map of Hacking (and Defending) Kubernetes
• How Attackers Use Exposed Prometheus Server to Exploit
• Trampoline Pods: Node to Admin PrivEsc Built Into Popular K8s Plat
• Three Surprising K8s Networking “Features” and How to Defend Against Them
• The Path Less Traveled: Abusing Kubernetes Defaults
• Advanced Persistence Threats: The Future of Kubernetes Attacks

Supply Chain

• Securing Your Container Native Supply Chain with SLSA, Github and Te
• Keynote: Securing Shopify's Software Supply Chain - Shane Lawrence, Shopify
• Securing Your Container Native Supply Chain with SLSA, Github and Te
• Keynote: Securing Shopify's Software Supply Chain - Shane Lawrence, Shopify

Networking

• Kubernetes Networking 101 (1h26m)
• A Guided Tour of Cilium Service Mesh
• Cilium: Welcome, Vision and Updates
• Cloud-Native Building Blocks: An Interactive Envoy Proxy Workshop (1h25m)
• Kubernetes Networking 101 (1h26m)
• A Guided Tour of Cilium Service Mesh
• Cilium: Welcome, Vision and Updates
• Cloud-Native Building Blocks: An Interactive Envoy Proxy Workshop (1h25m)

Detection

• Detecting a Container Escape with Cilium and eBPF
• Detecting and Blocking log4shell with Isovalent Cilium Enterprise
• Threat Hunting with Kubernetes Audit Logs
• Threat Hunting with Kubernetes Audit Logs - Part 2
• Dive into BPF: a list of reading material
• Deep Dive into Real-World Kubernetes Threats
• Understanding Docker container escapes
• K8 Audit Logs
• Kubernetes Hunting & Visibility
• SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft
• Detecting Cryptomining Attacks in the wild
• Threat Alert: Kinsing Malware Attacks Targeting Container Environments
• TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations
• TeamTNT Targeting AWS, Alibaba
• Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes
• Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments
• CrowdStrike Discovers First-Ever Dero Cryptojacking Campaign Targeting Kubernetes
• Lateral movement risks in the cloud and how to prevent them – Part 2: from compromised container to cloud takeover
• Lateral movement risks in the cloud and how to prevent them – Part 3: from compromised cloud resource to Kubernetes cluster takeover
• Consider All Microservices Vulnerable — And Monitor Their Behavior

Hardening

• NSA Kubernetes Hardening Guide
• Securing Kubernetes Clusters by Eliminating Risky Permissions
• Container security fundamentals: Exploring containers as processes
• Container security fundamentals part 2: Isolation & namespaces
• Kubernetes Security Checklist
• Under-documented Kubernetes Security Tips

Attacks

• Attacker persistence in Kubernetes using the TokenRequest API: Overview, detection, and prevention
• Tetragone: A Lesson in Security Fundamentals
• How I Hacked Play-with-Docker and Remotely Ran Code on the Host
• The Route to Root: Container Escape Using Kernel Exploitation
• (twitter thread)Quick and dirty way to get out of a privileged k8s pod or docker container by using cgroups release_agent feature.
• Bad Pods: Kubernetes Pod Privilege Escalation
• Kernel privilege escalation: how Kubernetes container isolation impacts privilege escalation attacks
• GKE Kubelet TLS Bootstrap Privilege Escalation

Attacks

• MITRE ATT&CK Containers Matrix
• Secure containerized environments with updated threat matrix for Kubernetes
• OWASP Kubernetes Top 10
• OWASP Kubernetes Top 10 (Sysdig)
• AVOLENS Kubernetes Threat Matrix
• Threat matrix for Kubernetes

Hardening

• seccomp - "can be used to sandbox the privileges of a process, restricting the calls it is able to make from userspace into the kernel."
• AppArmor - "AppArmor is a Linux kernel security module that supplements the standard Linux user and group based permissions to confine programs to a limited set of resources. AppArmor can be configured for any application to reduce its potential attack surface and provide greater in-depth defense."
• Kubernetes Network Policy Recipes
• OPA Gatekeeper - "A customizable cloud native policy controller that helps enforce policies and strengthen governance"

Simulation / Experimentation

• Kubernetes Attacks
• Sock Shop: A Microservices Demo Application
• Stratus Red Team - Stratus Red Team is "Atomic Red Team™" for the cloud, allowing to emulate offensive attack techniques in a granular and self-contained manner.
• falcosecurity/event-generator
• minikube - minikube implements a local Kubernetes cluster on macOS, Linux, and Windows. minikube's primary goals are to be the best tool for local Kubernetes application development and to support all Kubernetes features that fit.
• controlplaneio/simulator
• kubernetes-goat

Attack

• kubernetes-info.nse script
• kubesploit
• Falco-bypasses
• go-pillage-registries
• ConMachi
• peirates
• botb
• kube-hunter
• MTKPI

Platforms

• anchore - "Software Composition Analysis from Code to Cloud: Enables security teams to find every piece of software in cloud native applications. Block and fix security issues in minutes rather than days."
• Prisma Cloud Compute Edition (formerly Twistlock) - "Prisma Cloud secures applications from code to cloud, enabling security and DevOps teams to effectively collaborate to accelerate secure cloud-native application development and deployment."
• sysdig - "Sysdig is a universal system visibility tool with native support for containers"
• Aqua Security - "Unified Cloud Security: Accelerate secure innovation and protect your entire development lifecycle from code to cloud and back."
• m9sweeper - "m9sweeper is a free and easy kubernetes security platform. It integrates industry-standard open source utilities into a one-stop-shop kubernetes security tool that can walk most kubernetes adminstrators through securing a kubernetes cluster as well as the apps running on the cluster."

Detection

• falco
• kube-bench
• kubesec
• security-guard
• sysdig
• tetragon
• tracee
• trivy

Misc

• inspektor-gadget
• kube-iptables-tailer

Misc

• Panther Labs gcp_k8s_rules
• Sigma cloud/azure/kube*.yml
• Sigma cloud/gcp/kube*.yml
• Splunk Analytic Story: Kubernetes Scanning Activity
• Splunk Analytic Story: Kubernetes Sensitive Object Access Activity
• Tracee Signatures
• technologies/kubernetes
• exposed-panels/kube*.yaml
• misconfiguration/kubernetes
• exposures/configs/kube*.yaml
• Falco Rules
• Elastic kubernetes detection rules

Misc

• awesome-k8-threat-detect
• @_fel1x
• @Antonlovesdnb
• @bibryam
• @bradgeesaman
• @christophetd
• @g3rzi
• @htejeda
• @iancoldwater
• @jrfastab
• @LachlanEvenson
• @lizrice
• @mhausenblas
• @mosesrenegade
• @nataliaivanko
• @raesene
• @ramesh-ramani
• @randyabernethy
• @saschagrunert
• @sethsec
• @shaul-ben-hai
• @sshaybbc
• @Steph3nSims
• @sublimino
• @sussurro
• @sys_call
• @tgraf__
• @tixxdz
• @tpapagian
• @willfindlay
• @yuvalavra
• @jimmesta
• @ramesh-ramani
• @shaul-ben-hai