CatsCrdl

Daniel's thoughts on infosec

Container Escape Telemetry, Part 6: TeamPCP and What the Lab Predicted

A real threat actor is doing exactly what our lab scenarios simulate. Mapping TeamPCP's container escape kill chain against Tetragon, Falco, and Tracee telemetry to answer: would these tools have caught it?

Daniel Wyleczuk-Stern

12-Minute Read

This is Part 6 of the container escape telemetry series (overview). Parts 1-5 covered isolation primitives, methodology, per-scenario telemetry, production considerations, and tuning. This post takes the lab findings and pressure-tests them against a real threat actor operating in the wild right now.
