RemOps and CADR: A pattern for Runtime Security


The Incident

A change-detection alert fired: a shell was opened in your EKS cluster. Crap.

The Signal Landscape

Each layer of detection sees only its own scope, so every layer produces noise on its own. You need to connect the dots across all layers to get the full picture and conclude that it is a real attack.

Every workload has a predictable pattern of behavior. If you know what the baseline looks like, anomaly detection gets sharper. The baseline can be derived from Kubernetes events, eBPF events, or application logs.

We store those baselines and compare live telemetry against them to detect anomalies. Ideally the baseline lives in a Kubernetes custom resource (CR), next to the workload it describes.

The Attack

A request came in with a crafted payload. The injected payload triggered remote code execution.

Using the trace, we can see the workload executing behavior that is not expected for it: interactions that fall outside its baseline.

A single deviation is not, by itself, a signal of an attack; in isolation it is often dismissed as a false positive.

CADR

CADR (Cloud Application Detection and Response) is cross-layer correlation of existing, open signals:

  • Application signal
  • eBPF runtime telemetry
  • Kubernetes context
  • Cloud API trail

Uniting them does not produce a new signal; you are connecting the signals you already have.

If you know all the deviations, you know the attack story.

What we want to have

A Kubernetes CRD that captures baseline workload behaviour.

Baseline + Deviation + Correlation = High confidence attack detection.
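The baseline, deviation and correlation steps above, worked through in code: an envelope shaped like a WorkloadBaseline CR spec, a per-layer deviation check, and time-window correlation that turns corroborated deviations into an attack story. This is an added example, not code from the talk or any product; the resource layout, signal field names, the 60-second window and the 3-of-4-layers threshold are assumptions, and the signals are constructed.

```python
"""Toy CADR correlator: a baseline envelope, per-layer deviation checks and
cross-layer correlation into an attack story. Added example, not the talk's code;
the WorkloadBaseline resource layout, signal field names, window size and the
3-of-4-layers threshold are all assumptions."""
import ipaddress
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed: deviations closer than this form one story
HIGH_CONFIDENCE_LAYERS = 3       # assumed: deviations on 3 of 4 layers => attack

# Behaviour envelope for one workload, shaped like the spec of a hypothetical
# WorkloadBaseline custom resource (field names are assumptions).
BASELINE = {
    "workload": "default/api",
    "spec": {
        "processes": {"python3", "gunicorn"},
        "syscalls": {"read", "write", "openat", "close", "socket", "connect",
                     "accept4", "sendto", "recvfrom", "epoll_wait", "clone", "futex"},
        "egress": ["10.0.0.0/8"],      # CIDRs the workload normally talks to
        "k8sVerbs": {"get"},           # API verbs its ServiceAccount normally uses
        "cloudEvents": set(),          # it never calls the cloud API directly
    },
}

def to_custom_resource(baseline):
    """Render the envelope as a (hypothetical) WorkloadBaseline CR so it can live
    in the cluster next to the workload it describes."""
    ns, name = baseline["workload"].split("/")
    spec = {k: sorted(v) for k, v in baseline["spec"].items()}  # sets -> stable lists
    return {"apiVersion": "security.example/v1alpha1", "kind": "WorkloadBaseline",
            "metadata": {"name": name, "namespace": ns}, "spec": spec}

# Constructed signals from the four layers; not real telemetry.
SIGNALS = [
    {"ts": "2024-05-01T10:00:01Z", "layer": "app", "workload": "default/api",
     "finding": "shell metacharacters in POST /search body"},
    {"ts": "2024-05-01T10:00:02Z", "layer": "ebpf", "workload": "default/api",
     "process": "bash", "syscall": "execve"},
    {"ts": "2024-05-01T10:00:03Z", "layer": "ebpf", "workload": "default/api",
     "process": "bash", "syscall": "connect", "dst": "203.0.113.7"},
    {"ts": "2024-05-01T10:00:05Z", "layer": "k8s", "workload": "default/api",
     "verb": "list", "resource": "secrets"},
    {"ts": "2024-05-01T10:00:09Z", "layer": "cloud", "workload": "default/api",
     "eventName": "ListBuckets"},
    {"ts": "2024-05-01T10:00:10Z", "layer": "ebpf", "workload": "default/api",
     "process": "gunicorn", "syscall": "accept4"},          # inside the envelope
    {"ts": "2024-05-01T10:09:00Z", "layer": "ebpf", "workload": "default/api",
     "process": "python3", "syscall": "getpid"},            # lone, uncorroborated deviation
]

def deviation(sig, spec):
    """Describe how `sig` leaves the envelope, or return None if it fits."""
    layer = sig["layer"]
    if layer == "app":
        # The application layer carries its own detector finding; there is no
        # syscall-style envelope to compare against, so a finding is a deviation.
        return sig.get("finding")
    if layer == "ebpf":
        dst = sig.get("dst")
        if dst and not any(ipaddress.ip_address(dst) in ipaddress.ip_network(c)
                           for c in spec["egress"]):
            return f"egress to {dst} outside baseline"
        if sig["process"] not in spec["processes"]:
            return f"unexpected process {sig['process']} ({sig['syscall']})"
        if sig["syscall"] not in spec["syscalls"]:
            return f"unexpected syscall {sig['syscall']} by {sig['process']}"
        return None
    if layer == "k8s":
        return (f"API verb {sig['verb']} on {sig['resource']}"
                if sig["verb"] not in spec["k8sVerbs"] else None)
    if layer == "cloud":
        return (f"cloud event {sig['eventName']}"
                if sig["eventName"] not in spec["cloudEvents"] else None)
    return None

def correlate(signals, baseline):
    """Cluster a workload's deviations in time and score each cluster by how many
    layers corroborate it. One layer alone is 'review', not 'attack'."""
    spec = baseline["spec"]
    stories = []
    for sig in sorted(signals, key=lambda s: s["ts"]):   # ISO-8601 sorts as text
        if sig["workload"] != baseline["workload"]:
            continue
        why = deviation(sig, spec)
        if why is None:
            continue
        ts = datetime.strptime(sig["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if stories and ts - stories[-1]["end"] <= WINDOW:
            story = stories[-1]
        else:
            story = {"workload": sig["workload"], "start": ts, "end": ts,
                     "layers": set(), "steps": []}
            stories.append(story)
        story["end"] = ts
        story["layers"].add(sig["layer"])
        story["steps"].append(f"{sig['ts']} {sig['layer']}: {why}")
    for story in stories:
        story["confidence"] = len(story["layers"]) / 4
        story["verdict"] = ("attack" if len(story["layers"]) >= HIGH_CONFIDENCE_LAYERS
                            else "review")
    return stories

if __name__ == "__main__":
    for story in correlate(SIGNALS, BASELINE):
        print(story["verdict"], story["confidence"], *story["steps"], sep="\n  ")
```

The first cluster has deviations on all four layers within a few seconds and scores as an attack; the lone getpid nine minutes later is a real deviation but only one layer sees it, so it is left for review rather than acted on.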

RemOps: Declarative Remediation

Teams don’t automate this because:

  • Fear of false positives
  • No confidence in detection accuracy
  • Remediation requires human judgement

Why CADR can help:

  • Detection is contextual
  • Correlated baseline violations are high-confidence
  • Response uses Kubernetes native APIs

With CADR and RemOps we can:

  • Patch NetworkPolicy to block malicious traffic
  • Rotate the ServiceAccount token
  • Rollback to a known-good state
  • Update the seccomp profile to block the attack vector by restricting syscalls to the baseline
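The four response actions above expressed as declarative objects, with the pre-flight check a practitioner would want before applying them. This is an added example, not the talk's code or any product's: the story layout, the `app: <name>` pod label, the object and profile names, and the baseline values are assumptions, and the story is constructed.

```python
"""Toy RemOps planner: turn a high-confidence CADR story into declarative,
Kubernetes-native remediation objects. Added example, not the talk's code; the
story layout, pod label, policy/profile names and baseline values are assumptions."""
import ipaddress

# Constructed attack story, shaped like a correlator's output (assumed layout).
STORY = {
    "workload": "default/api",
    "verdict": "attack",
    "evidence": {"egress": ["203.0.113.7"], "processes": ["bash"], "syscalls": ["ptrace"]},
}
# Egress CIDRs and syscalls from the workload's baseline envelope (assumed values).
BASELINE = {
    "egress": ["10.0.0.0/8"],
    "syscalls": ["read", "write", "openat", "close", "socket", "connect", "accept4",
                 "sendto", "recvfrom", "epoll_wait", "clone", "futex", "mmap",
                 "munmap", "brk", "exit_group"],
}

def network_policy(story, baseline):
    """NetworkPolicy is an allowlist, so 'block the C2 address' means: allow only
    the baseline egress CIDRs. DNS to kube-system is allowed explicitly, otherwise
    the pod stops resolving names the moment the policy lands."""
    ns, name = story["workload"].split("/")
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"{name}-cadr-egress", "namespace": ns},
        "spec": {
            "podSelector": {"matchLabels": {"app": name}},   # assumed pod label
            "policyTypes": ["Egress"],
            "egress": [
                {"to": [{"ipBlock": {"cidr": c}} for c in baseline["egress"]]},
                {"to": [{"namespaceSelector": {"matchLabels":
                         {"kubernetes.io/metadata.name": "kube-system"}}}],
                 "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]},
            ],
        },
    }

def egress_allowed(policy, ip):
    """Pre-flight check: would the policy still let the pod reach `ip`? Only
    ipBlock peers are evaluated; selector peers match cluster pods, never an
    external address."""
    addr = ipaddress.ip_address(ip)
    for rule in policy["spec"]["egress"]:
        for peer in rule.get("to", []):
            block = peer.get("ipBlock")
            if not block or addr not in ipaddress.ip_network(block["cidr"]):
                continue
            if not any(addr in ipaddress.ip_network(x) for x in block.get("except", [])):
                return True
    return False

def seccomp_profile(story, baseline):
    """Default-deny seccomp profile allowing only baseline syscalls; anything the
    story saw outside the baseline stays blocked even if added to the baseline later.
    Caveat: the baseline must cover a full traffic cycle or this breaks the app."""
    allowed = sorted(set(baseline["syscalls"]) - set(story["evidence"]["syscalls"]))
    return {"defaultAction": "SCMP_ACT_ERRNO",
            "architectures": ["SCMP_ARCH_X86_64"],
            "syscalls": [{"names": allowed, "action": "SCMP_ACT_ALLOW"}]}

def deployment_patch(profile_file):
    """Strategic merge patch pinning the pod template to a Localhost profile. The
    file must exist under /var/lib/kubelet/seccomp/ on every node; the path is
    relative to that directory."""
    return {"spec": {"template": {"spec": {"securityContext": {
        "seccompProfile": {"type": "Localhost", "localhostProfile": profile_file}}}}}}

def plan(story, baseline):
    """Ordered remediation steps. Only an 'attack' verdict is acted on; a
    single-layer 'review' story produces no automatic action."""
    if story["verdict"] != "attack":
        return []
    ns, name = story["workload"].split("/")
    policy = network_policy(story, baseline)
    for ip in story["evidence"]["egress"]:
        if egress_allowed(policy, ip):
            raise RuntimeError(f"policy still allows {ip}; refusing to apply")
    profile_file = f"profiles/{name}-cadr.json"
    return [
        ("apply", policy),
        ("write-seccomp", profile_file, seccomp_profile(story, baseline)),
        ("patch", f"deployment/{name}", deployment_patch(profile_file)),
        # Rolling back replaces every pod. A bound ServiceAccount token is rejected
        # once its pod is gone, so this also rotates the token the shell captured.
        ("exec", f"kubectl -n {ns} rollout undo deployment/{name}"),
    ]
```

Applying the plan is left to whatever controller owns RemOps; the point is that every step is a Kubernetes object or API call that can be diffed, reviewed and reverted, and that the planner refuses to emit a NetworkPolicy which would still reach the observed address.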

The full pattern

  • Observe: Baseline workload behavior
  • Profile: CRD with behavior envelope
  • Correlate: CADR to connect the dots and detail the attack story
  • Respond: RemOps to automate response actions

Cloud-native systems are declarative, so detection and remediation should be too.

This is not a product, it’s a pattern.