The Challenge
As Alter Domus migrated to a Kubernetes-first infrastructure across AWS and Azure, its security team faced challenges traditional tools couldn’t solve:
- CVE Noise & Alert Fatigue: Static scanners generated 200+ daily alerts per container – most pointing to vulnerable packages that were never loaded at runtime.
- Runtime Blindness: Containers were invisible once running. What processes were executed? What syscalls were made? Static security tools had no answers.
- The Security-DevOps Gap: Security and platform engineering operated in parallel, not partnership — creating misconfiguration risks at scale.
- Invisible Lateral Movement: East-west pod traffic was completely opaque. Network policies existed on paper; enforcement was unknown.
- Identity & Privilege Sprawl: Over-privileged identities accumulated with no way to audit runtime behavior.
Operating across 23 jurisdictions under DORA, GDPR, and CSSF — with clients demanding audit-ready reports on demand — the team needed continuous compliance, not point-in-time snapshots.
The Solution: Kubernetes-Native Runtime Security
ARMO came through a practitioner recommendation at KubeCon — the platform team already trusted Kubescape. Evaluating against Upwind Security, the answer was clear: solve the specific gap – runtime visibility within Kubernetes – not consolidate into another generic cloud platform.
Why ARMO Won
- Kubernetes is the product, not a feature. The entire platform is built natively on the cluster.
- Early eBPF leadership. Kernel-level visibility, no sidecars, minimal operational footprint.
- Clean, focused product. Fast time-to-signal, no noise. “They’re not wasting my time.”
Key Capabilities
- Runtime-Reachability-Based Vulnerability Prioritization (Risk Spotlight): ARMO’s eBPF sensors observe what packages are actually loaded at runtime – reducing Alter Domus’s vulnerability backlog by ~90%.
- Behavioral Baseline & Anomaly Detection: Per-workload profiles (syscalls, network, file access, processes) turn deviations into high-signal alerts. Alter Domus surfaced “Drifted Process Executions” – containers running setcap, curl, ldconfig — signals of defence evasion and potential privilege escalation.
- Continuous Compliance Validation: Continuous monitoring against CIS benchmarks, SOC 2, and other frameworks — audit-ready snapshots on demand.
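The two runtime capabilities above (reachability-based prioritization and per-workload behavioral baselining) reduce to a small amount of logic once the sensor data is in hand. The following is an added example, not ARMO's or Kubescape's code: it uses constructed exec events and a constructed vulnerability inventory (the workload names, package names and CVE ids are placeholders) to build a per-workload process baseline from a learning window, flag "drifted" executions with a severity that rises for the binaries the text names, and filter a CVE backlog down to packages actually observed loading at runtime.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample exec events as (workload, executable). A real deployment would
# receive these from an eBPF sensor; the values here are hand-written for the example.
LEARNING_EVENTS = [
    ("payments-api", "python3"), ("payments-api", "gunicorn"), ("payments-api", "sh"),
    ("payments-api", "python3"), ("reporting-job", "java"), ("reporting-job", "sh"),
]
DETECTION_EVENTS = [
    ("payments-api", "python3"), ("payments-api", "curl"), ("payments-api", "setcap"),
    ("payments-api", "curl"),            # duplicate: must not produce a second alert
    ("reporting-job", "java"), ("reporting-job", "ldconfig"), ("reporting-job", "cat"),
    ("unknown-svc", "nginx"),            # workload with no learned baseline
]

# Binaries the case study calls out; any of them outside the baseline is high severity.
SUSPICIOUS = {
    "setcap": "capability change on a binary (potential privilege escalation)",
    "ldconfig": "shared-library cache rewrite (defence evasion)",
    "curl": "network tooling not part of the workload profile",
}


def build_baselines(events):
    """Learning phase: the set of executables each workload was seen running."""
    baselines = defaultdict(set)
    for workload, exe in events:
        baselines[workload].add(exe)
    return dict(baselines)


def detect_drift(baselines, events):
    """Detection phase: one alert per (workload, exe) pair that deviates from the baseline."""
    alerts, seen = [], set()
    for workload, exe in events:
        if (workload, exe) in seen:
            continue
        seen.add((workload, exe))
        profile = baselines.get(workload)
        if profile is None:
            alerts.append({"workload": workload, "exe": exe, "severity": "low",
                           "reason": "no baseline learned for this workload"})
        elif exe not in profile:
            reason = SUSPICIOUS.get(exe, "executable not in learned profile")
            severity = "high" if exe in SUSPICIOUS else "medium"
            alerts.append({"workload": workload, "exe": exe,
                           "severity": severity, "reason": reason})
    return alerts


@dataclass(frozen=True)
class Finding:
    workload: str
    package: str
    cve: str      # placeholder ids below, not real CVE numbers
    cvss: float


# Constructed static-scan backlog and the packages the sensor observed being loaded.
INVENTORY = [
    Finding("payments-api", "openssl", "CVE-0000-0001", 9.8),
    Finding("payments-api", "libxml2", "CVE-0000-0002", 7.5),
    Finding("payments-api", "python3", "CVE-0000-0003", 5.3),
    Finding("payments-api", "imagemagick", "CVE-0000-0004", 9.1),
]
LOADED = {"payments-api": {"openssl", "python3"}}


def prioritize(findings, loaded):
    """Keep only findings whose package was loaded at runtime, highest CVSS first."""
    reachable = [f for f in findings if f.package in loaded.get(f.workload, set())]
    return sorted(reachable, key=lambda f: f.cvss, reverse=True)


if __name__ == "__main__":
    for a in detect_drift(build_baselines(LEARNING_EVENTS), DETECTION_EVENTS):
        print(f"[{a['severity']}] {a['workload']}: {a['exe']} - {a['reason']}")
    for f in prioritize(INVENTORY, LOADED):
        print(f"reachable {f.cve} ({f.package}, cvss {f.cvss})")
```

Two design points carry over to real tooling: alerts are deduplicated per (workload, executable) so a noisy container cannot re-trigger the same drift, and a workload with no learned baseline is reported at low severity rather than silently skipped, since an unprofiled workload is itself a visibility gap.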
The Impact
- ~90% Reduction in Vulnerability Backlog: Acting only on what’s truly reachable and exploitable
- 200 → 20 Daily Alerts: Signal, not noise
- Audit-Ready Compliance On Demand: Client audits answered immediately
- Full East-West Visibility: Lateral movement detection now standard
- Security & Platform Engineering Unified: A permanent operational model