CWPP for Containers and Serverless: A Practitioner's Guide

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Kubernetes hardening guides cover the configuration plane: pod security standards, network policies, RBAC, admission controllers, secrets management. All necessary, none sufficient. A perfectly configured cluster does not stop a compromised container from spawning a reverse shell, exfiltrating data, or pivoting to the cluster API if the application code is exploited. The runtime plane is a separate problem and requires separate tooling.
Cloud Workload Protection Platforms address that runtime plane. The category covers behavioral monitoring of running workloads, drift detection from declared baselines, vulnerability scanning across the supply chain, and increasingly active prevention rather than detection only. The architectural choices, eBPF versus sidecar versus kernel module, are not interchangeable; each has real tradeoffs that affect overhead, coverage, and operational complexity.
This guide walks through CWPP for container and serverless workloads with the specificity a senior cloud security engineer needs to make decisions. The recommendations are opinionated. The tradeoffs are honest.
What CWPP Adds That Hardening Does Not
Kubernetes hardening defines the allowed state. CWPP detects deviations from it in real time. Consider a container that follows every best practice: non-root user, read-only root filesystem, dropped capabilities, restricted seccomp profile, network policy limiting egress. The application running inside it is still a piece of software with a vulnerable dependency. An exploit triggers, the attacker now has the application's privileges within the container, and they begin doing things the developer never authorized: spawning a shell, reading the service account token, calling out to a C2. None of this violates the pod security configuration; the pod is doing exactly what it is configured to allow. CWPP catches this because it monitors behavior against a baseline of expected activity. The category combines three capabilities. First, runtime behavioral monitoring at the syscall level, looking for shell execution, unexpected network connections, sensitive file reads, privilege escalation attempts. Second, drift detection: new binaries written to the filesystem after container startup, configuration changes, namespace modifications. Third, vulnerability and compliance scanning across the supply chain. The mature implementations pair these with response capability, ranging from alerting only to active prevention via syscall denial or pod termination.
Architecture Tradeoffs: eBPF, Sidecar, Kernel Module
Three architectures dominate the runtime monitoring space, each with distinct properties. eBPF-based agents, the approach taken by modern Falco deployments, Cilium Tetragon, and most cloud-native vendors, run probes attached to kernel events without requiring a custom kernel module or sidecar container. Overhead is low, typically 1 to 3 percent CPU at default rulesets, visibility extends across all containers on the host from a single agent per node, and updates do not require workload changes. The constraint is kernel version; production eBPF support requires kernel 4.18 or newer for full functionality, and some advanced features require 5.4 or newer. Sidecar injection, the Istio model extended to security, places a proxy container next to each application container. This works well for network policy enforcement and L7 visibility but does not see syscalls inside the application container, which means it misses most runtime behavioral detections. Use sidecars for service mesh and identity, not as your primary runtime detection layer. Kernel module agents, the older approach still used by some commercial vendors, run as loadable kernel modules with deep visibility but higher overhead, kernel compatibility risk, and vendor lock-in to specific kernel versions. The recommendation for new builds is eBPF, with sidecars layered for service mesh capabilities and kernel modules avoided unless a specific vendor capability requires them.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Writing Effective Falco Rules
Falco rules combine a condition expression with output formatting and a priority level. The default ruleset is a starting point, not production-ready; expect to tune extensively. High-value rules to validate first include shell spawned in container, which catches a large fraction of post-exploitation behavior; unexpected network connection from container, particularly egress to non-allowlisted destinations; sensitive file read, covering /etc/shadow, service account tokens, and cloud metadata endpoints; container drift, defined as a new executable written and then executed after the container has started; and privilege escalation attempts via setuid binaries or capability changes. Rule authoring discipline matters. Start the condition with the most selective predicate to short-circuit evaluation; Falco evaluates left to right and a poorly ordered condition can multiply CPU cost. Use lists and macros to keep rules maintainable; redefining the same allowlist in 20 rules creates a tuning nightmare. Test every rule against the Falco event generator before deploying to production; the generator produces synthetic triggers for documented techniques and validates that your rules fire as expected. Tag rules with MITRE ATT&CK techniques in the output for downstream correlation. Treat the rule set as code: source control, code review, CI validation, staged rollout. Rules deployed by ad-hoc edit on a node will diverge and fail silently.
Tetragon and the Move from Detection to Prevention
Falco detects; it alerts and surfaces but does not block by default. Tetragon, the Cilium project's runtime security component, adds enforcement. Its TracingPolicy CRD lets you define syscall-level policies that can not only detect but also kill the offending process or return an error to the syscall, effectively preventing the action. This is meaningful because detection time, even at seconds, is often longer than the attacker needs to complete an objective such as exfiltrating a token or writing a backdoor. Tetragon hooks at the kernel level via eBPF, with policies expressed declaratively and applied per-namespace or cluster-wide. Use cases that benefit from prevention rather than detection include blocking shell execution in production application containers, blocking writes to the container filesystem outside declared mount paths, blocking outbound connections to non-allowlisted destinations, and blocking specific syscalls like ptrace or process_vm_readv that have no legitimate use in most application containers. Prevention introduces operational risk; a poorly scoped policy can break legitimate workloads. Roll out in detection-only mode first, observe for at least two weeks, then enable enforcement for specific policies one at a time with explicit rollback procedures. The combination of Falco for broad detection and Tetragon for targeted prevention is increasingly the standard pattern.
Serverless CWPP: Lambda and Cloud Run
Serverless functions are not containers in the runtime monitoring sense; you cannot install an agent. The protection model shifts to configuration controls, identity, and behavioral analytics on the platform's own telemetry. For AWS Lambda, the baseline includes function URLs with IAM auth or API Gateway in front, never public, VPC integration where the function needs access to private resources, execution roles scoped to the absolute minimum required actions, environment variables encrypted with KMS keys not the default AWS-owned key, and code signing via AWS Signer to prevent deployment of unsigned code. Behavioral monitoring relies on CloudTrail for API activity, GuardDuty for anomaly detection on function behavior, and Lambda extensions for in-runtime instrumentation if needed. Look for unusual invocation patterns, unexpected egress to public IPs, and execution role privilege expansion as the primary signals. For Google Cloud Run, binary authorization is the equivalent control to enforce that only signed and attested images deploy, VPC Service Controls constrain the network perimeter, and Cloud Audit Logs provide the equivalent of CloudTrail. The serverless gap relative to container CWPP is real; you have less runtime visibility and must compensate with stricter configuration and identity controls. Treat the function as a least-privilege component, not a flexible compute primitive, and most of the runtime risk reduces.
Image Scanning Strategy: Where, When, and How to Avoid Fatigue
Image vulnerability scanning is a solved capability and an unsolved operational problem. Trivy, Grype, and commercial alternatives all produce accurate CVE inventories from container images; the question is what to do with the results. The strategic placement of scans matters. Scan in the developer's local environment via pre-commit or IDE plugins for fast feedback, in the CI pipeline as a gate before image push with policy enforcement on critical and high severity findings, in the registry continuously as new CVEs are disclosed against existing images, and at runtime via the CWPP agent to correlate detected behavior with known vulnerable packages. The fatigue problem is real: a typical base image will produce hundreds of findings, most of which are not exploitable in the application's actual usage. Prioritize by exploitability, not severity alone. The KEV catalog from CISA, the EPSS scoring system, and reachability analysis tools that determine whether vulnerable code paths are actually invoked all reduce the noise floor dramatically. A finding for a vulnerable function that the application never calls is informational at best; a finding for an internet-facing service with a published exploit is an incident. Integrate this prioritization into the scanner output so engineers see fix-this-first rather than a list of 400 CVEs sorted alphabetically.
The bottom line
CWPP is the runtime layer that hardening cannot replace. The architectural choice between eBPF, sidecar, and kernel module agents has real performance and coverage consequences; eBPF is the right default for new builds. Detection alone is insufficient against fast-moving exploitation; pair Falco for broad coverage with Tetragon or equivalent for targeted prevention on the highest-risk syscalls.
For serverless, accept the visibility gap and compensate with strict configuration, identity, and platform telemetry. Across both models, image scanning is necessary but useless without exploitability-based prioritization. Deploy the full stack with the same discipline you apply to production application code, and the runtime layer becomes a reliable detection and prevention surface rather than another alert source nobody triages.
Frequently asked questions
Do I need both Falco and Tetragon?
Not strictly. Tetragon can perform detection-only roles that overlap with Falco, and some teams standardize on Tetragon alone. The case for running both is that Falco has a larger community ruleset and Sigma compatibility for detection content, while Tetragon has stronger prevention semantics and tighter Cilium integration for network policy. If you already run Cilium, Tetragon alone is a reasonable choice. If not, Falco for detection plus a targeted prevention layer is the more common pattern.
What is the actual overhead of eBPF-based CWPP agents?
At default rulesets on a typical workload, 1 to 3 percent CPU and a few hundred megabytes of memory per node. Overhead scales with rule complexity and event volume; a node running highly chatty workloads with broad rules can see 5 to 8 percent. Measure on representative workloads before standardizing, and prune low-value rules that produce high event volume. Avoid kprobes on extremely hot syscalls like read and write without filtering at the probe level.
How do I handle image scanning for third-party images we cannot rebuild?
Scan them on ingestion to your registry, document findings, and apply runtime compensating controls for the unfixable ones: network policy restricting egress, seccomp profiles dropping unneeded syscalls, runtime detection rules tuned to the image's expected behavior. Where possible, replace third-party images with distroless or minimal alternatives that ship the same software with a smaller attack surface. The unmaintainable image is a vendor risk conversation, not just a security one.
Can CWPP replace my SIEM for cloud workloads?
No. CWPP produces high-fidelity runtime signals for workloads but does not cover identity events, control plane activity, or correlation across workloads and users. Send CWPP events to your SIEM for correlation with CloudTrail, Entra audit logs, and other telemetry; the combined view is where investigations happen. Treating CWPP as a standalone console creates a parallel investigation workflow that nobody owns end to end.
How do I prove CWPP value to leadership?
Track three numbers. First, the count and severity of runtime behaviors detected that hardening alone would have missed; a shell spawn in a production container is a concrete example. Second, time from detection to containment, especially where prevention rules blocked the action outright. Third, the reduction in exploitable findings in production through scan-and-block pipelines. Present these alongside a deliberate purple team exercise that demonstrates detection of a realistic post-exploitation chain; abstract metrics persuade less than a demonstrated catch.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
