Container Escape Telemetry: Series Overview
I ran 15 container escape scenarios against Tetragon, Falco, and Tracee to answer a question most detection engineers can't: what kernel-level telemetry does each tool actually produce when a container escape happens? This is the series overview and key findings.
As a detection engineer, I have always been fascinated by container escapes. Detections focused on control bypasses can be both extremely difficult to build and extremely valuable when they fire. The challenge is that most discussions about container runtime security focus on whether a tool detected an escape – a binary yes/no that doesn't tell you much about the underlying telemetry that makes detection possible in the first place.
