
PT Container Security

Product
Developers: Positive Technologies
Last Release Date: 2026/01/30
Branches: Information security
Technology: Information Security Management (SIEM)


Main article: Security Information and Event Management (SIEM)

2026

3.5x increase in throughput

On January 30, 2026, Positive Technologies introduced an updated version of its product for protecting container environments, PT Container Security 0.9. The update increases performance by 3.5 times, makes the presentation of information more visual, and expands customization by letting administrators flexibly manage the sources of runtime events.

In this version of PT Container Security, runtime event verification has been optimized by changing the event handling algorithm. According to the results of internal tests, the product processes 3.5 times more events per second while keeping resource consumption at the same level. This lets the solution withstand a heavy load and remain stable at peak event rates.

The PT Container Security package includes a licensed set of sources that track events at the level of individual container environments. To make the product fit their environment as closely as possible, PT Container Security 0.9 administrators can modify existing sources or add new ones specific to a particular IT infrastructure. This option is available once a special expert mode is activated.

2025

PT Container Security 0.8 with Public Product Management API

Positive Technologies introduced an updated version of PT Container Security 0.8 on December 9, 2025. The main thing in the release is a public API for product management, expansion of parameters in response rules, automatic generation of certificates for inter-service interaction, as well as uninterrupted detection of runtime threats even when an error occurs.

Version 0.8 of PT Container Security makes it possible to manage the product not only through the web interface but also through a public API. A user with an access token sends requests to the API over HTTPS from a script or a utility. The SOC operator can now handle runtime monitoring events in related tools, including SIEM-class systems. The upgrade also automates the creation of rules for protected clusters throughout the company's infrastructure.

"To improve the manageability of PT Container Security, we implemented a wide range of parameters for each token. Information security service employees can specify the required token validity period and a list of privileges. These can be restricted as far as needed, for example, by giving a user only the right to read the event history," said Nikita Ladoshkin, head of development at PT Container Security at Positive Technologies. "For security, the administrator can revoke all tokens at once."

This version of PT Container Security supports API queries for managing response rules and viewing runtime events.

The SOC can configure the required privileges for each token

PT Container Security 0.8 received additional response rule parameters for checks performed by the admission controller and for runtime event monitoring. New parameters include pods, containers, images from specified repositories, the repositories themselves, and, for runtime events, nodes. The updated rules take into account the specifics of the checked resources and respond to incidents more precisely, which reduces the load on the system.

A runtime event check in PT Container Security now continues even if an error occurs in one of the detectors in the chain. The SOC operator can later examine the errors encountered and the list of detectors for which the check could not be completed. The continuity of the analysis saves the information security specialist time, freeing them from having to manually find the reason for the stop and rerun the check with all detectors.

Certificates for TLS connections between components are handled by Helm: they are generated automatically, which simplifies the user's work. By default they are written to the Helm chart configuration file values.yaml, but information security employees can keep them in a separate file instead.

This PT Container Security functionality will become available to users after upgrading the product to the latest version.

Compatibility with the Botsman platform

Bootsman.tech experts (part of the Astra Group) have confirmed the correct operation of the Botsman containerization platform in conjunction with PT Container Security, a Positive Technologies solution for comprehensive protection of hybrid cloud infrastructure. The compatibility of the products was confirmed by seven thorough checks and is marked by a certificate under the Ready for Astra technology partnership program for IT vendors. Astra Group announced this on September 12, 2025.

PT Container Security 0.7 with a separate runtime event page

On June 10, 2025, Positive Technologies released an updated version of its product for protecting container environments, PT Container Security 0.7. The main feature of the release is multiclustering: support for protecting all clusters in the infrastructure from a single management point.

PT Container Security now allows you to deploy all security agents - runtime monitoring, image scanning, admission controller, configuration scanning - to protected clusters throughout your client infrastructure. This makes it possible to centralize container security control, reduce the response time to container security incidents, and significantly improve the ease of investigation and post-analysis of incidents by SOC and IT monitoring departments.

PT Container Security's multiclustering architecture allows SOC engineers and analysts to:

  • connect only the necessary security sensors in each child cluster and thus save computing resources;
  • use external queue managers, configuration DBMSs, and event storage, reducing resource consumption and network infrastructure costs for collecting and processing large event streams;
  • use a common authentication mechanism for all clusters to control access to sensitive information processed in the system.

"Our approach to organizing the processing of sensor data, together with the microservice architecture, allows us to build an optimal security infrastructure for multicluster containerization environments, in which the user gets the best ratio of consumed resources to the volume of the processed security event stream," said Mikhail Bessarab, Product Manager of PT Container Security.

Version 0.7 of PT Container Security also adds a number of functions.

  1. SOC analysts can investigate runtime incidents more easily. A separate runtime event page has been added that displays all information about the parent and sibling processes of the process in question.
  2. Notifications now carry a link to the event registered by the sensors, so that response teams are alerted promptly.
  3. The anomaly detection engine has been optimized, improving performance when processing large event streams: if one rule fails with an error, the threat detection pipeline does not stop but continues for all other rules.
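The fault-tolerant detector chain described above (and in the 0.8 notes) can be illustrated with a small simulation. This is an added example, not PT Container Security code: the event fields, detector names and the deliberately broken rule are all constructed here, and the point is that one failing detector is recorded rather than aborting the check.

```python
"""Fault-tolerant runtime detector chain (illustrative, not PT Container Security code).

Each detector inspects one runtime event and returns a list of findings.
If a detector raises, its error is recorded and the remaining detectors
still run, so one broken rule does not stop the whole check.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Event:                      # constructed runtime exec event
    pod: str
    container: str
    binary: str
    args: list[str]
    uid: int


@dataclass
class CheckResult:
    findings: list[str] = field(default_factory=list)
    failed_detectors: dict[str, str] = field(default_factory=dict)  # name -> error


Detector = Callable[[Event], list[str]]


def shell_in_container(ev: Event) -> list[str]:
    return ["interactive shell spawned"] if ev.binary in ("/bin/sh", "/bin/bash") else []


def package_manager(ev: Event) -> list[str]:
    return ["package manager run at runtime"] if ev.binary.endswith(("apt", "apt-get", "yum", "apk")) else []


def broken_detector(ev: Event) -> list[str]:
    # Constructed faulty rule: assumes a fourth argument always exists.
    return ["privileged flag"] if ev.args[3] == "--privileged" else []


def root_process(ev: Event) -> list[str]:
    return ["process running as uid 0"] if ev.uid == 0 else []


DETECTORS: dict[str, Detector] = {
    "shell_in_container": shell_in_container,
    "package_manager": package_manager,
    "broken_detector": broken_detector,
    "root_process": root_process,
}


def check_event(ev: Event, detectors: dict[str, Detector] = DETECTORS) -> CheckResult:
    """Run every detector; collect findings and per-detector errors instead of stopping."""
    result = CheckResult()
    for name, detector in detectors.items():
        try:
            result.findings.extend(detector(ev))
        except Exception as exc:  # any rule failure is isolated to that rule
            result.failed_detectors[name] = f"{type(exc).__name__}: {exc}"
    return result
```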

In addition, for the convenience of deployment engineers, this release includes a graphical step-by-step installer that lets you configure the PT Container Security installation script to connect additional clusters in minutes.

2024: Opportunities to search for runtime events and conduct incident investigations

Positive Technologies has released an updated version of PT Container Security, its product for protecting container environments. The main features of the release are the ability to search for runtime events and investigate incidents, improved performance from an updated WebAssembly (Wazero) runtime, runtime detectors developed on the basis of tests on the Standoff cyber range, and an updated version of Tetragon with a number of improvements to the runtime monitoring engine. The company announced this on September 30, 2024.

According to field tests, PT Container Security can process a stream of tens of thousands of events per second or more. The product supports large, high-load production clusters without losing speed, so it can secure infrastructure of any size. As the load grows, PT Container Security can scale horizontally by adding replicas or vertically by adding computing resources. Additional performance gains come from the latest versions of WebAssembly and Tetragon.

WebAssembly allows detection modules to be developed in general-purpose programming languages and arbitrarily complex detection logic to be shipped as portable, cross-platform bytecode. Using the latest versions of the Wazero runtime, which has included an optimizing compiler since release 1.7, sped up each individual detector by 30-35% without changing its source code. Tetragon has been used in PT CS for runtime threat detection since the first commercial version of the product.

"PT Container Security is based on the most current technologies. Through scaling, our development team guarantees stable operation of the solution under high loads and at the maximum possible speed," said Nikita Ladoshkin, Development Manager of PT Container Security at Positive Technologies.

As part of the update, PT Container Security received new capabilities that make it easier for analysts to investigate incidents in runtime:

  • Context filters. These quickly find events related to the child and parent processes of a given process, for example when an attacker runs malicious utilities in a compromised container. Built on observations and analysis of real investigations, they help reconstruct the chain of an attacker's actions.
  • Conventional filters. These help focus on important events, such as events related to a particular Kubernetes pod or to specific executable files.
  • Presets for frequent checks, raw event formatting and fast filters help information security specialists investigate cyber incidents in containers faster. They prevent information from being lost and allow a quick return to any point of the investigation.
  • Detectors developed with the PT Expert Security Center. Thanks to their flexibility, the detectors require no additional tuning; they combine signature and behavioral approaches to runtime threat detection in a hybrid option that draws on the strengths of both methods. The set of detectors is constantly replenished.
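The context filters above, and the parent/sibling view on the 0.7 runtime event page, amount to a query over the process tree recorded in exec events. The following is an added example, not PT Container Security code: the event schema and the sample events are constructed, and it shows how to pull the parent, siblings, children and full ancestry of one process out of a flat event stream.

```python
"""Process-context query over runtime exec events (illustrative, not PT Container Security code).

Given a flat stream of exec events carrying pid/ppid, return the parent,
the siblings (same parent) and the children of a chosen process, plus the
ancestry chain an analyst follows when one process in a container looks malicious.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ExecEvent:            # constructed event shape
    ts: int
    pod: str
    pid: int
    ppid: int
    binary: str


# Constructed sample: a web server (pid 100) spawns a shell (pid 101), which
# fetches and runs a file; an unrelated cron daemon lives in the same pod.
EVENTS = [
    ExecEvent(1, "web-7f", 100, 1, "/usr/sbin/nginx"),
    ExecEvent(2, "web-7f", 101, 100, "/bin/sh"),
    ExecEvent(3, "web-7f", 102, 101, "/usr/bin/curl"),
    ExecEvent(4, "web-7f", 103, 101, "/tmp/downloaded-tool"),
    ExecEvent(5, "web-7f", 104, 100, "/usr/sbin/nginx"),   # sibling worker of the shell
    ExecEvent(6, "web-7f", 200, 1, "/usr/sbin/crond"),     # unrelated to the chain
]


def _index(events: list[ExecEvent], pod: str) -> dict[int, ExecEvent]:
    """Index one pod's events by pid (pids are only unique within a pod/PID namespace)."""
    return {e.pid: e for e in events if e.pod == pod}


def process_context(events: list[ExecEvent], pod: str, pid: int) -> dict:
    """Parent, siblings and children of `pid`, as shown on a per-event detail page."""
    by_pid = _index(events, pod)
    target = by_pid[pid]
    return {
        "parent": by_pid.get(target.ppid),
        "siblings": [e for e in by_pid.values() if e.ppid == target.ppid and e.pid != pid],
        "children": [e for e in by_pid.values() if e.ppid == pid],
    }


def ancestry(events: list[ExecEvent], pod: str, pid: int) -> list[str]:
    """Walk from `pid` up to the root of the recorded tree; binaries oldest-first."""
    by_pid = _index(events, pod)
    chain, cur = [], by_pid.get(pid)
    while cur is not None:
        chain.append(cur.binary)
        cur = by_pid.get(cur.ppid)   # stops when the parent was never recorded (e.g. pid 1)
    return list(reversed(chain))
```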