Runtime: Stopping real threats in real time


Overview

Runtime detection isn’t just a reactive defensive layer; it’s a strategic advantage. In the cloud, workloads are ephemeral, the attack surface changes constantly, and defenders rarely get a second chance once a breach materializes. Runtime security provides real-time visibility and context-rich detection, enabling security teams to stop attackers before the damage is done. The 2025 cloud threat landscape so far has shown attackers targeting continuous integration and continuous delivery (CI/CD) workflows, AI, and open source software. Runtime isn’t the last line of defense, but it is sometimes the first, and only, signal that a threat is present.

Gone in 60 seconds, runtime required

Container ephemerality has long appealed to developers, but it is a double-edged sword for security teams. Short-lived containers reduce an attacker’s ability to persist and move laterally, but they also reduce visibility: if logs and process activity weren’t captured while the container was alive, there is little left to investigate afterward.

With 60% of containers living one minute or less, and more than half of AI and ML workloads built on Kubernetes, runtime detection is no longer optional; it’s foundational. The attack window has narrowed, but attackers have adapted. They understand how ephemeral infrastructure and cloud environments operate, and they are using AI to automate lateral movement before the container is killed. Put simply, they can move in and out of a container in the blink of an eye.


60% of containers live for one minute or less

Don’t blink; they won’t

Attackers don’t follow the same playbooks in the cloud as on-premises. Once the perimeter is breached, security teams have minutes, not hours, to respond. In 2023, the Sysdig TRT was the first to report that cloud attacks were unfolding in an average of 10 minutes. Between the speed of attacks, container ephemerality, and malicious use of AI, traditional response models built around hours or days simply weren’t holding up.

Sysdig developed the 555 Cloud Detection and Response Benchmark in partnership with our customers, industry analysts, and the Sysdig TRT to help security teams meet this tempo. It recognizes that rapid detection alone isn’t enough: organizations should aim to detect threats within 5 seconds, investigate them within 5 minutes, and respond within 5 minutes. In the cloud, speed is the difference between control and consequence. A security team that removes manual bottlenecks is better positioned to handle real-world threats in real time, not after they’ve become breaches.

Sysdig customer story

During routine maintenance, a fast-growing e-commerce SaaS provider serving major online retailers, concerned about potential downtime, chose to disable its runtime defenses at the worst possible moment: the post-holiday returns rush. After an attacker exploited a Kubernetes misconfiguration and deployed cryptomining rootkits, the Sysdig Threat Research Team reached out immediately to make sure the customer saw the critical alert that fired shortly after midnight. Within approximately 20 minutes, the company’s engineers moved from detection to containment, avoiding downtime and reputational damage. Static scanning alone, or anything short of real-time detection, could have left the miners running and turned the incident into a massive breach.


Runtime context reshaped vulnerability prioritization

It won’t surprise anyone that security teams remain buried in vulnerabilities; what is notable is how few of them pose an immediate risk. Less than 6% of critical and high vulnerabilities are present in packages actually loaded by running production workloads, and that share has continued to fall since 2023. When teams shift their attention from theoretical risk to vulnerabilities that are exposed at runtime, they cut noise and reduce real risk. Organizations making this shift see a 75% to 99% reduction in the number of vulnerabilities they need to act on. Security teams can stop chasing ghosts and fix what truly matters.

Runtime insights, meaning real-time visibility into what is actually executing, don’t just help organizations detect risk as it happens; they also inform decisions across the entire software development life cycle. For vulnerability management, runtime context lets organizations deprioritize theoretical risk and focus remediation on vulnerable packages that running containers actually load. Shifting from a patch checklist to evidence-based prioritization improves collaboration and credibility with engineering peers and reduces vulnerability alert noise.
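To make the runtime-context idea concrete, here is an added example (not Sysdig’s code) of the prioritization logic itself: scanner findings are intersected with what a runtime agent observed actually loading in running containers, then ordered by severity and fix availability. The image names, the RUNTIME evidence, and the placeholder vulnerability IDs are constructed for the example; they are not real images or CVEs.

```python
"""Runtime-aware vulnerability prioritization.

Added example, not Sysdig's code. FINDINGS and RUNTIME are constructed
sample data: the vulnerability IDs are placeholders, not real CVEs, and the
image names are invented. Standard library only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    image: str            # image the scanner examined (key by digest in practice)
    package: str
    vuln_id: str          # placeholder, not a real CVE
    severity: str         # Critical / High / Medium / Low
    fix_available: bool


SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed scanner output: every finding the scanner reported, in every image.
FINDINGS = [
    Finding("shop/api:2.4",    "openssl",     "PLACEHOLDER-1", "Critical", True),
    Finding("shop/api:2.4",    "imagemagick", "PLACEHOLDER-2", "Critical", True),
    Finding("shop/api:2.4",    "libxml2",     "PLACEHOLDER-3", "High",     False),
    Finding("shop/api:2.4",    "curl",        "PLACEHOLDER-4", "Medium",   True),
    Finding("shop/worker:1.9", "glibc",       "PLACEHOLDER-5", "High",     True),
    Finding("shop/worker:1.9", "python3",     "PLACEHOLDER-6", "High",     True),
    Finding("shop/legacy:0.3", "log4j",       "PLACEHOLDER-7", "Critical", True),
    Finding("shop/legacy:0.3", "openssl",     "PLACEHOLDER-1", "Critical", True),
]

# Constructed runtime evidence: which images are running right now, and which
# packages their containers actually loaded (files opened / libraries mapped)
# during the observation window. shop/legacy:0.3 is not running anywhere.
RUNTIME = {
    "shop/api:2.4": {"openssl", "libxml2"},
    "shop/worker:1.9": {"python3"},
}


def is_exposed(f, runtime):
    """True when the vulnerable package was loaded by a running container of that image."""
    return f.package in runtime.get(f.image, set())


def prioritize(findings, runtime):
    """Keep only runtime-exposed findings; order by severity, then fix availability."""
    exposed = [f for f in findings if is_exposed(f, runtime)]
    exposed.sort(key=lambda f: (SEVERITY_RANK[f.severity], not f.fix_available, f.image, f.package))
    return exposed


def noise_reduction(findings, runtime):
    """Percentage of scanner findings removed from the work queue by runtime context."""
    kept = len(prioritize(findings, runtime))
    return round(100.0 * (len(findings) - kept) / len(findings), 1)


def exposed_share(findings, runtime, severities=("Critical", "High")):
    """Share of critical/high findings that are actually exposed at runtime."""
    scoped = [f for f in findings if f.severity in severities]
    hit = [f for f in scoped if is_exposed(f, runtime)]
    return round(100.0 * len(hit) / len(scoped), 1)


if __name__ == "__main__":
    for f in prioritize(FINDINGS, RUNTIME):
        fix = "fix available" if f.fix_available else "no fix yet"
        print(f"{f.severity:8} {f.image:16} {f.package:12} {f.vuln_id} ({fix})")
    print(f"noise reduction: {noise_reduction(FINDINGS, RUNTIME)}%")
    print(f"critical/high exposed at runtime: {exposed_share(FINDINGS, RUNTIME)}%")
```

Two caveats a practitioner would apply before trusting the output: key the runtime evidence by image digest rather than tag, so a rebuilt image with the same tag does not inherit stale observations, and treat “not loaded during the window” as lower priority rather than proof of unreachability, since a rarely exercised code path can load the package later. Findings on images that are not running at all belong in the backlog, not the bin.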

Runtime prioritization is only part of the vulnerability story. With assistance from Sysdig Sage, security teams can automatically generate reports, create tickets, and flag exactly what needs to be fixed at the base image level, with developer-friendly context attached. This cuts down on back-and-forth between teams and fosters collaborative, signal-rich relationships. Runtime-powered vulnerability management reduces friction and builds trust while focusing on what truly matters and saving precious time.

Critical and high vulnerabilities: organizations see a 75%-99% reduction in the number of vulnerabilities they need to act on by looking at what is actually running instead of theoretical risk.

Emerging threats (so far)

The first half of 2025 has delivered a series of open source vulnerabilities and CI/CD-related incidents. Security tooling is increasingly built in the open, and AI tools live in the open too. As automated workflows become commonplace and more interconnected, the attack surface inevitably grows. Rather than be discouraged, treat each issue as a lesson in evolving security practice. Let’s review a few of the year’s most interesting cases so far, each of which underscores how complex and interconnected developer automation workflows have become.

  • Gluestack-ui repository vulnerability: A critical vulnerability in the gluestack GitHub repository allowed secret exfiltration, unauthorized changes to repository contents, and the compromise of the project’s related npm packages.
  • pull_request_target abuse: Insecure use of the pull_request_target workflow trigger, which runs in the context of the base repository with access to its secrets and a write-capable token, exposed secrets and allowed full repository takeovers. Runtime visibility on the build runner is what detects and contains a weaponized build.
  • Harden-Runner bypass: A method was discovered to sidestep Harden-Runner, a GitHub Action used to restrict and monitor what CI/CD runners do, showing that a single hardening layer cannot be the only control.
  • IngressNightmare: A set of vulnerabilities in the ingress-nginx admission controller for Kubernetes allowed unauthenticated attackers to execute code and bypass controls, exposing the services behind it. Once such a component is deployed, runtime observability is what catches exploitation that patching hasn’t yet prevented.
  • tj-actions/changed-files: A malicious commit was introduced into this widely used GitHub Action and its release tags were pointed at it, so downstream pipelines ran code that leaked their secrets. It is reminiscent of the XZ Utils backdoor of 2024. Runtime can detect unexpected process behavior before it propagates.

CI/CD pipelines have been a prime target in 2025 because they are privileged, dynamic, and often overlooked by traditional security tools. They are an important part of cloud infrastructure and integral to developer workflows, but their default security controls are proving insufficient.
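The pull_request_target item above is the pattern most worth seeing side by side. Below is an added example, not code from any project named on this page: a constructed vulnerable workflow, its hardened form, and a small regex heuristic that flags the dangerous combination. The workflow contents and the checker are assumptions for illustration; the checker is not a full GitHub Actions parser.

```python
"""Detect the pull_request_target / checkout-of-PR-head anti-pattern in a workflow.

Added example, not from any project named on the page. The two workflow texts
are constructed, and the checker is a regex heuristic over the YAML text, not
a full GitHub Actions parser. Standard library only.
"""
import re

# Constructed: the classic "pwn request". pull_request_target runs the workflow
# from the base branch with the repository's secrets and a GITHUB_TOKEN that can
# write, then checks out and executes code from the untrusted PR head.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed: the same job on the pull_request trigger. Fork PRs then run with
# a read-only token and no repository secrets, so executing their code is safe.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

PRIVILEGED_TRIGGER = re.compile(r"^\s*pull_request_target\s*:", re.M)
PR_HEAD_CHECKOUT = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}")
SECRET_USE = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")
WRITE_TOKEN = re.compile(r"^\s*(contents|packages):\s*write\s*$", re.M)


def audit_workflow(text):
    """Return a list of findings; empty means the heuristic saw nothing wrong."""
    issues = []
    if not PRIVILEGED_TRIGGER.search(text):
        return issues  # pull_request / push workflows run fork code without secrets
    if PR_HEAD_CHECKOUT.search(text):
        issues.append("pull_request_target checks out the PR head: untrusted code runs "
                      "in the base repository's context")
        if SECRET_USE.search(text):
            issues.append("repository secrets are in scope for that untrusted code")
    if WRITE_TOKEN.search(text):
        issues.append("workflow token has write permissions: a compromised job can push "
                      "commits or tags")
    return issues


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or ["ok"])
```

The same reasoning applies to other triggers that run with base-repository privileges, such as workflow_run and issue_comment: never check out and execute untrusted code under them. If a privileged workflow must touch a PR, gate it behind a maintainer-applied label, keep `permissions` read-only by default, and pin third-party actions to a commit SHA rather than a mutable tag so a repointed tag (the tj-actions/changed-files case) cannot swap in new code.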

At the heart of runtime visibility is Falco, a CNCF graduated project and the de facto standard for threat detection across hosts, containers, Kubernetes, and cloud environments. With Falco Actions, security teams gain the same runtime visibility and detection inside CI/CD workflows, where it can catch a build step behaving unexpectedly and defend against software supply-chain attacks. We dig into Falco more in the open source section!

Runtime security recommendations

1. Summarize and expedite investigations: Use AI solutions to summarize alerts and correlate data to expedite investigation timelines.
2. Automate response: Establish automated response policies to contain or stop threats as soon as they’re detected.
3. Focus on what matters: Deprioritize hypothetical vulnerabilities and share developer-ready remediation guidance for better collaboration.
4. Monitor your pipeline: Use Falco Actions to monitor behavior at runtime in CI/CD workflows.
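Recommendations 2 and 4 above, and the Falco discussion earlier, come together in the following added example (not Sysdig’s or Falco’s code): it reads Falco-style JSON alerts, applies an automated response policy, and checks each pod’s detection latency against the 555 budget. The alert lines are constructed in the shape of Falco’s json_output, the rule names are taken from upstream Falco rules purely as illustration, and the policy, the quarantine label, and the open-ticket command are this example’s assumptions.

```python
"""Turn Falco alerts into an automated, budgeted response.

Added example, not Sysdig's or Falco's own code. RAW_ALERTS is constructed in
the shape of Falco's JSON output (falco -o json_output=true); the rule names
come from upstream Falco rules and are illustrative only. The policy table,
the quarantine label and the "open-ticket" command are this example's
assumptions. Standard library only; nothing is executed against a cluster.
"""
import json
from datetime import datetime, timedelta, timezone

DETECT_BUDGET = timedelta(seconds=5)       # 555: 5 s to detect
INVESTIGATE_BUDGET = timedelta(minutes=5)  # 5 min to investigate
RESPOND_BUDGET = timedelta(minutes=5)      # 5 min to respond

# Constructed alerts, one JSON object per line, as Falco would emit them.
RAW_ALERTS = """\
{"time":"2025-01-03T00:07:41.120000000Z","priority":"Critical","rule":"Detect crypto miners using the Stratum protocol","source":"syscall","tags":["container","network","mitre_execution"],"output_fields":{"k8s.ns.name":"checkout","k8s.pod.name":"api-7c9d-xk2p","container.id":"3f9a1c2b4d5e","proc.cmdline":"xmrig -o stratum+tcp://pool.example.invalid:3333"}}
{"time":"2025-01-03T00:07:41.900000000Z","priority":"Critical","rule":"Detect crypto miners using the Stratum protocol","source":"syscall","tags":["container","network","mitre_execution"],"output_fields":{"k8s.ns.name":"checkout","k8s.pod.name":"api-7c9d-xk2p","container.id":"3f9a1c2b4d5e","proc.cmdline":"xmrig -o stratum+tcp://pool.example.invalid:3333"}}
{"time":"2025-01-03T00:07:55.000000000Z","priority":"Notice","rule":"Terminal shell in container","source":"syscall","tags":["container","shell","mitre_execution"],"output_fields":{"k8s.ns.name":"checkout","k8s.pod.name":"worker-5b1f-q8zm","container.id":"77aa88bb99cc","proc.cmdline":"bash -i"}}
{"time":"2025-01-03T00:07:57.000000000Z","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["container","filesystem","mitre_credential_access"],"output_fields":{"k8s.ns.name":"checkout","k8s.pod.name":"worker-5b1f-q8zm","container.id":"77aa88bb99cc","proc.cmdline":"cat /etc/shadow"}}
"""

ACTION_RANK = {"kill": 0, "isolate": 1, "ticket": 2}


def parse_time(ts):
    """Falco timestamps are RFC 3339 with nanoseconds; Python wants microseconds."""
    base, frac = ts.rstrip("Z").split(".")
    micro = (frac + "000000")[:6]
    return datetime.strptime(f"{base}.{micro}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def decide_action(alert):
    """Policy (assumption): Critical => terminate the pod; interactive shells and
    credential access => network-isolate and hand to a human; else => ticket."""
    if alert["priority"] == "Critical":
        return "kill"
    if "shell" in alert["tags"] or "mitre_credential_access" in alert["tags"]:
        return "isolate"
    return "ticket"


def render_command(action, ns, pod):
    """The kubectl invocation a response runner would execute (rendered, not run)."""
    if action == "kill":
        return f"kubectl -n {ns} delete pod {pod} --grace-period=0"
    if action == "isolate":
        # Assumes a deny-all NetworkPolicy selecting quarantine=true already exists.
        return f"kubectl -n {ns} label pod {pod} quarantine=true --overwrite"
    return f"open-ticket --ns {ns} --pod {pod}"  # hypothetical CLI


def plan_response(raw, seen_at):
    """Collapse alerts per pod, keep the most severe action, and record whether
    the earliest event reached us inside the 5-second detection budget."""
    plans = {}
    for line in raw.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        fields = alert["output_fields"]
        key = (fields["k8s.ns.name"], fields["k8s.pod.name"])
        when, action = parse_time(alert["time"]), decide_action(alert)
        plan = plans.setdefault(key, {"action": action, "rule": alert["rule"],
                                      "first_seen": when, "alerts": 0})
        plan["alerts"] += 1
        plan["first_seen"] = min(plan["first_seen"], when)
        if ACTION_RANK[action] < ACTION_RANK[plan["action"]]:
            plan["action"], plan["rule"] = action, alert["rule"]
    for (ns, pod), plan in plans.items():
        plan["detect_in_budget"] = seen_at - plan["first_seen"] <= DETECT_BUDGET
        plan["respond_by"] = plan["first_seen"] + DETECT_BUDGET + INVESTIGATE_BUDGET + RESPOND_BUDGET
        plan["command"] = render_command(plan["action"], ns, pod)
    return plans


def demo():
    """Run the constructed batch as if it were read at 00:07:59 UTC."""
    return plan_response(RAW_ALERTS, parse_time("2025-01-03T00:07:59.000000000Z"))


if __name__ == "__main__":
    for (ns, pod), plan in demo().items():
        flag = "" if plan["detect_in_budget"] else "  (detection budget missed)"
        print(f"{ns}/{pod}: {plan['action']} via {plan['rule']!r} x{plan['alerts']}{flag}")
        print(f"  {plan['command']}  (respond by {plan['respond_by'].isoformat()})")
```

In the constructed batch the cryptominer alerts arrived almost 18 seconds after the event, so the plan marks that pod as outside the detection budget even though the kill action is still correct; the shell-plus-credential-access alerts arrived within 4 seconds and pass. Tracking that latency per pod is how a team finds out its alert pipeline, not its rule set, is what breaks the 555 benchmark. A real runner would execute the rendered commands with a narrowly scoped service account and record each action for the investigation timeline.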

