Sysdig Sysdig secures cloud innovation with the power of Runtime Insights.

06/05/2026

Real security investigations don't stay in one place.

An alert fires in PagerDuty. The investigation moves through runtime events, collaboration channels, and ticketing systems. By the time you've pieced it together, the response window has narrowed.

Sysdig's new Runtime Investigation Skill brings runtime data and intelligence directly into AI-native workflows like Claude, so investigation context moves with your team instead of staying locked in a separate console.

🔹 Surface prioritized findings, related activity, and attack flow context in one place
🔹 Get a structured report with incident summary, timeline, and recommended next steps
🔹 Flow investigation context directly into operational systems like Jira

The teams that investigate threats fastest are often the teams that contain them fastest.

Read the full blog. 👇
https://okt.to/MPokqi

06/04/2026

🚨 The Sysdig TRT has observed a first: an AI agent driving container escape and Kubernetes credential replay, with no human in the loop. 🚨

Last month we documented an LLM-driven operator pivoting through AWS credentials. This one goes further. Same CVE, different destination. This agent dove into the container and orchestration plane.

👀 What happened:
➝ Exploited CVE-2026-39987 in a marimo notebook to establish a shell
➝ Enumerated the full escape surface in one pass: Docker socket, kernel LPE paths (probed but unavailable), Kubernetes service account token, cloud metadata
➝ Used a mounted Docker socket to spin up privileged containers and break out to the host; fell back to nsenter namespace breakout when bind-mount paths were unavailable
➝ Replayed a mounted Kubernetes service account token to dump the entire cluster Secret store

💥 Why this matters:
➝ A mounted Docker socket is no longer a slow, human-paced escalation risk. An agent turns it into a one-step host takeover at machine speed
➝ Escape primitives were selected based on live results, not a pre-built playbook
➝ Application-layer RCE collapsed into cluster-wide credential disclosure in a single token replay

πŸ›‘οΈ What to do now:
➝ Update marimo to 0.23.0 or later immediately
➝ Never mount /var/run/docker.sock into an application container
➝ Run containers unprivileged with dropped capabilities and a restrictive seccomp profile
➝ Scope Kubernetes service account tokens tightly and disable automounting where not required
➝ Rotate any credential reachable from a compromised marimo process or its host

🎯 Takeaway:
An internet-reachable notebook with a host socket mount is a one-step host-and-cluster takeover for an agent attacker. The techniques are not new. The attacker driving them autonomously is.

↳ Full research from the Sysdig Threat Research Team: https://okt.to/kGxm7M
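
The hardening items above can be checked mechanically against Pod manifests. The following is an added example, not code from Sysdig or the research; the function names and both sample manifests are constructed for illustration.

```python
DOCKER_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock")

def exposes_docker_socket(host_path):
    """True if a hostPath is the socket itself or a directory above it."""
    base = host_path.rstrip("/")
    return any(s == base or s.startswith(base + "/") for s in DOCKER_SOCKETS)

def audit_pod(pod):
    """Return findings for one Pod manifest (a dict), one per hardening gap."""
    spec, findings = pod.get("spec", {}), []
    # Tokens are automounted unless the Pod sets this to false (a ServiceAccount
    # can also disable it, but that object is not visible in a Pod manifest).
    if spec.get("automountServiceAccountToken") is not False:
        findings.append("pod: service account token automounted")
    for vol in spec.get("volumes", []):
        path = (vol.get("hostPath") or {}).get("path")
        if path and exposes_docker_socket(path):
            findings.append(f"volume {vol['name']}: hostPath exposes the Docker socket")
    pod_sc = spec.get("securityContext") or {}
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"container {c['name']}: privileged")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            findings.append(f"container {c['name']}: does not drop ALL capabilities")
        # A container-level seccomp profile overrides the pod-level one.
        seccomp = (sc.get("seccompProfile") or {}).get("type") or pod_seccomp
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"container {c['name']}: no restrictive seccomp profile")
    return findings

# Constructed sample manifests (illustrative, not taken from the research).
RISKY = {"spec": {
    "volumes": [{"name": "dockersock",
                 "hostPath": {"path": "/var/run/docker.sock"}}],
    "containers": [{"name": "notebook", "securityContext": {"privileged": True}}]}}
HARDENED = {"spec": {
    "automountServiceAccountToken": False,
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "notebook",
                    "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("risky", RISKY), ("hardened", HARDENED)):
        print(label, audit_pod(pod))
```

The same function can be run over the items returned by `kubectl get pods -A -o json` to cover a whole cluster.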

06/03/2026

Security teams are told to enforce least privilege everywhere. Then they create exceptions for the tools meant to protect the environment. 🔒

That contradiction has become one of the biggest blockers to deploying runtime security in Kubernetes. Compliance frameworks like SOC 2, PCI DSS, and NIST all reinforce least privilege. The CIS Kubernetes Benchmark restricts privileged containers. And yet most runtime security tools still require broad host access to operate.

The industry normalized a tradeoff that never should have existed: break least privilege to deploy security.

Sysdig Host Shield Least Privilege Mode removes that tradeoff entirely.

🔹 Runs with host.privileged: false
🔹 Only the minimal Linux capabilities required for runtime security monitoring
🔹 Full runtime visibility and detection coverage, no elevated permissions required
🔹 No exceptions, no audit friction, no approval bottlenecks

Security teams get the runtime protection they need. Platform teams keep their controls intact. Compliance teams don't have to explain why the security stack is exempt from the standards it's supposed to enforce.

Read the full blog. 👇

https://okt.to/e7LcAH

06/01/2026

The problem with agentic security workflows isn't access to data. It's making that data callable from the agent.

The Sysdig MCP server, now on Amazon Web Services (AWS) Marketplace, closes that gap by exposing runtime detections, identity analysis, vulnerability context, and DSPM findings as discrete, queryable tools inside Amazon Bedrock AgentCore.

What that looks like in practice:

🔹 Query publicly exposed S3 buckets containing classified PII, financial data, or PHI in seconds
🔹 Map data classifications to regulatory frameworks like HIPAA and PCI DSS automatically
🔹 Surface non-obvious risks like Terraform state files containing login credentials as lateral movement vectors
🔹 Draft scoped IAM policy changes with human approval before anything executes

Every tool call is traceable. Every finding maps to a specific data source. No hallucinated summaries.

The result: investigations that used to require navigating between multiple tools now happen through a single conversational interface, entirely within your AWS account boundary.

Read the full blog to see the workflows in action. 👇

https://okt.to/0Bmgbl

05/27/2026

πŸ†G2 Spring 2026 results are in, and Sysdig earned Leader recognition across multiple categories. Here are our favorite three:

πŸ”Ή CNAPP Leader
πŸ”Ή Cloud Security Leader
πŸ”Ή Customers Love Us

See the stories behind the recognition. 👇
https://okt.to/HFLuv5

05/26/2026

Vulnerability remediation doesn't break down at identification. It breaks down at the handoff. 🔒

Security teams find the risk. Developers get a ticket. And somewhere between those two things, remediation stalls, gets deprioritized, or gets ignored entirely.

Sysdig Headless Cloud Security automates that entire workflow.
Here's what that looks like in practice:

🔹 Identify the highest risk container images based on runtime context, exposure, and whether vulnerable packages are actually in use
🔹 Trace each image back to its source Dockerfile automatically, no manual investigation required
🔹 Generate a developer-ready pull request with the required patches already applied
🔹 Developer reviews, merges, and remediation is done

From prioritized finding to mergeable fix, in minutes. Security reduces risk faster. Developers stay focused on building.

Read the full blog. 👇

https://okt.to/yE5X90

05/22/2026

The hustle hard era of cloud security is over.

More tooling. More headcount. And still, about 5.5% of production workloads running critical or high vulnerabilities, flat year over year. Meanwhile attackers are exploiting fresh CVEs in under 20 hours.

The human ceiling is real. And the 2026 Sysdig Cloud-Native Security and Usage Report shows it everywhere you look.

Sysdig's Morin joined the Signal Podcast to break down what the data actually says, and what an honest path past that ceiling looks like. Some of the highlights:

🔹 Attackers exploited a LangChain CVE in 20 hours and a Python notebook CVE in under 10. No manual SOC reaches those windows.
🔹 Human identities are 2.8% of cloud accounts but carry a 67% risk profile. Machines outnumber humans 35 to 1.
🔹 Kill-9 usage is up 140% year over year. Organizations are starting to trust autonomous responses.
🔹 EMEA leads cloud AI/ML adoption at 52%, suggesting the EU AI Act is functioning as a permission structure to build, not a brake.

The conclusion isn't "try harder." It's time to rethink who, and what, is doing the work.

Full conversation on Zero Signal. 👇
https://okt.to/ujhBRI

05/21/2026

Enterprise AI introduces a new runtime security challenge.

After exploring NVIDIA's AI stack through hands-on experimentation and conversations with AI specialists and NVIDIA architects, one thing stood out: once AI workloads reach production, security becomes an infrastructure and runtime problem, not just a model protection challenge.

Our latest blog covers how NVIDIA's AI security capabilities and Sysdig's runtime security approach work together to help secure real-world AI deployments.

Here's what it breaks down:

🔹 Where runtime risks emerge in NVIDIA AI environments
🔹 Why cloud native security principles remain critical for AI workloads
🔹 How Sysdig complements NVIDIA environments with runtime visibility, posture management, and threat detection

A practical look at securing enterprise AI in the real world. 👇

https://okt.to/2zHtQj

05/20/2026

🚨 Sysdig TRT found a detection gap in Azure VM password resets. Microsoft says it’s “not a vulnerability.” 🚨

Azure VM extensions can reset passwords, SSH keys, and maintain persistence. Many detections rely on matching known extension names in activity logs.

The issue: Azure allows extension resource names to be user-defined, and activity logs don’t include the actual extension publisher or type. During testing, Microsoft’s documented detection event also failed to fire.

💥 Why it matters:
➝ Attackers with extension write permissions can evade detections that rely on extension resource names
➝ A malicious extension can appear as something innocuous like “compliance-check” in logs
➝ This maps closely to MITRE ATT&CK T1036: Masquerading

πŸ›‘οΈ Recommendations:
➝ Don’t rely solely on extension names for detection
➝ Monitor Microsoft.Compute/virtualMachines/extensions/write activity
➝ Correlate with Azure Resource Graph or Extensions API to identify the real extension type
➝ Investigate extension deployments on sensitive VMs

🎯 Bottom line: If your rules only match on enablevmaccess or VMAccessAgent, changing the extension name may bypass the alert.

↳ Full research from the Sysdig Threat Research Team: https://okt.to/vGnay9
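
The correlation recommended above, as an added example that is not code from Sysdig or Microsoft: each extension write is labelled by the handler's real publisher and type instead of its resource name. The record shapes are simplified and the sample events and inventory are constructed; `classify` is a hypothetical name, and the inventory stands in for what Azure Resource Graph or the Extensions API would return.

```python
WRITE_OP = "microsoft.compute/virtualmachines/extensions/write"
# Real VMAccess handlers as lower-case (publisher, type) pairs. The Linux pair
# is not named on this page; it is that handler's published identity.
VMACCESS = {("microsoft.compute", "vmaccessagent"),
            ("microsoft.ostcextensions", "vmaccessforlinux")}
NAME_RULE = ("enablevmaccess", "vmaccessagent")  # what a name-only rule matches

def classify(events, inventory):
    """Label each extension write by its real handler, not its resource name.

    events:    simplified activity-log records (operationName, resourceId, caller)
    inventory: lower-case resourceId -> {"publisher": ..., "type": ...}
    """
    results = []
    for ev in events:
        if ev["operationName"].lower() != WRITE_OP:
            continue
        rid = ev["resourceId"].lower()
        name = rid.rsplit("/", 1)[-1]          # user-defined, so untrusted
        ext = inventory.get(rid)
        if ext is None:
            verdict = "unresolved"             # not in inventory: investigate
        elif (ext["publisher"].lower(), ext["type"].lower()) in VMACCESS:
            name_hit = any(n in name for n in NAME_RULE)
            verdict = "vmaccess" if name_hit else "vmaccess-masqueraded"
        else:
            verdict = "other"
        results.append((name, ev["caller"], verdict))
    return results

# Constructed sample data (placeholder subscription, hypothetical callers).
PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
          "rg-demo/providers/Microsoft.Compute/virtualMachines/vm1/extensions/")
OP = "Microsoft.Compute/virtualMachines/extensions/"
EVENTS = [
    {"operationName": OP + "write", "resourceId": PREFIX + "enablevmaccess", "caller": "admin@example.com"},
    {"operationName": OP + "write", "resourceId": PREFIX + "compliance-check", "caller": "svc@example.com"},
    {"operationName": OP + "write", "resourceId": PREFIX + "AzureMonitorLinuxAgent", "caller": "admin@example.com"},
    {"operationName": OP + "delete", "resourceId": PREFIX + "old", "caller": "admin@example.com"},
]
INVENTORY = {
    (PREFIX + "enablevmaccess").lower(): {"publisher": "Microsoft.OSTCExtensions", "type": "VMAccessForLinux"},
    (PREFIX + "compliance-check").lower(): {"publisher": "Microsoft.OSTCExtensions", "type": "VMAccessForLinux"},
    (PREFIX + "AzureMonitorLinuxAgent").lower(): {"publisher": "Microsoft.Azure.Monitor", "type": "AzureMonitorLinuxAgent"},
}

if __name__ == "__main__":
    for row in classify(EVENTS, INVENTORY):
        print(row)
```

The `vmaccess-masqueraded` verdict is the case a name-only rule misses: a real VMAccess handler deployed under a name such as “compliance-check”.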

05/19/2026

For most security teams, the bottleneck isn't identifying risk. It's turning requirements into enforceable policy fast enough to matter. 🔒

Custom controls are where that pain lives. Manual policy creation. Rego expertise bottlenecks. Disconnected workflows. Each step slows you down and gets harder to scale.

Headless cloud security brings custom control creation into the workflows and automation pipelines teams already use. Describe what a control should detect in plain language, and Sysdig translates it into validated, deployable policy.

🔹 Less dependency on deep Rego expertise
🔹 Faster movement from requirement to enforcement
🔹 Consistent controls across environments at scale
🔹 Policy deployed automatically through Terraform workflows

Security requirements shouldn't sit in a backlog waiting for the one person who knows Rego to have time.

Read the full blog. 👇

https://okt.to/WQtwPU

Address

35 Main Street, 21st Floor
San Francisco, CA
94105
