Stay up to date
Introducing Runtime-based Vulnerability Management – turning vulnerability data into actionable intelligence 

Introducing Runtime-based Vulnerability Management – turning vulnerability data into actionable intelligence 

Feb 20, 2024

Yossi Ben Naim
Head of Product

Struggling to manage vulnerabilities in your Kubernetes environment? You’re not alone. Traditional vulnerability management tools often leave security teams feeling overwhelmed and unsure of where to focus their efforts. Traditional scanners churn out an endless stream of alerts, many irrelevant, making it difficult to prioritize and address the most critical issues. Sound familiar?

As a security professional, to reach the goal of achieving and maintaining a strong Kubernetes security posture, you need to streamline resource allocation for maximum impact on security. To achieve this you must efficiently prioritize vulnerabilities based on their potential exploitability. 

This could mean a lot of manual work and hours of research, or you can use ARMO Platform’s new risk-based approach to vulnerability management in Kubernetes.

Feature Highlights

ARMO Platform helps streamline vulnerability management, ensuring your systems remain secure and resilient. Here’s a look at some of the key improvements:

Gain Insightful Prioritization:

ARMO Platform enables precise vulnerability prioritization by considering workload context, exploitability, severity, runtime analysis, and fixability. This comprehensive approach ensures that you address the most critical vulnerabilities first, minimizing potential risks to your infrastructure.

Real-Time Threat Intelligence Integration:

Stay ahead of emerging threats with real-time insights gathered from multiple threat intelligence sources, including CISA KEV and EPSS, as well as the Common Vulnerability Scoring System (CVSS).  By combining this data with specific vulnerable components, you can quickly spot actively exploitable vulnerabilities and take proactive steps to address them.

ARMO Platform empowers you to assess your risk posture effectively by answering crucial questions such as:

  • Which workloads are most at risk?
  • What is the vulnerability status of my workloads, namespaces, or clusters?
  • Is there a downward trend in the number of CVEs detected?
  • What are the most vulnerable packages within my workload?
  • Which CVEs pose an exploitable threat to my infrastructure?

With these advanced capabilities, you can make informed decisions and strengthen your organization’s security posture, safeguarding your assets against potential threats.

How it works

ARMO Platform automatically analyzes and scans the container image of your workloads. It gives you a list of vulnerable workloads, and a Risk Spotlight, so you can concentrate on addressing the current, critical, and exploitable vulnerabilities.

Workload Scan Results Overview

The workloads page lists the workloads scanned by ARMO Platform ordered by the most vulnerable. 

Workload Scan Results Overview
Source: ARMO Platform

It allows users to filter results according to risk factors such as:

  • External facing – reachable from external networks, such as the internet or other networks outside the Kubernetes cluster.
  • Privileged – has all the capabilities of the host machine, and is not subject to the limitations regular containers have. Practically, this means that privileged containers can perform almost every action that can be performed directly on the host. 
  • Secret access – can access and use sensitive information stored as secrets.
  • Data access – can interact with, manipulate, or store data with various resources, such as Persistent Volumes (PVs) and Persistent Volume Claims (PVCs), to facilitate the storage and access to data by workloads.
  • Host access – identifies all pods using hostPID or hostIPC privileges. The hostPID and hostIPC fields in a deployment YAML may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions.

Additionally, turning data into information, the Smart vulnerabilities filter helps users focus on workloads that have vulnerabilities that fall under the following criteria:

  • In Use – the vulnerable package is loaded into the memory
  • Exploitable – the vulnerability can be effectively used by an attacker to compromise the integrity, confidentiality, or availability of a system or its data
  • Severity – indicated by the Common Vulnerability Scoring System (CVSS), assesses the potential impact of a security vulnerability on a scale, helping prioritize and address the level of threat it poses.
  • Fixable – The vulnerability can be remediated by applying a patch 

Risk Spotlight

Risk spotlight prioritizes vulnerabilities that pose a real risk to your organization using workload configuration, runtime context, exploitability, severity, and fixability. Thus, reducing the noise of your CVE scanning results by >90% and helping you focus on the alerts that actually matter.

For any organization, there could be a large number of vulnerabilities, considering the number of workloads and images. To make fixing them more manageable, Risk Spotlight adds a new way of prioritizing vulnerabilities based on runtime behavior. It significantly reduces the number of vulnerabilities that you initially think need immediate attention, making the vulnerability management process more effective.

Risk spotlight vulnerabilities
Source: ARMO Platform

It does this by combining the following information:

  1. External facing Workloads
  2. Workloads that have vulnerabilities that:
    • are loaded into the memory
    • are exploitable according to CISA KEV or likely to be exploited according to EPSS
    • are fixable
    • Have a CVSS score falling into the category High or Critical 

This approach guides users to prioritize workloads at the highest risk and minimizes the noise generated by traditional CVE scanners, reducing it by over 90%. As a result, it helps you concentrate on alerts that are truly significant.

Workload details

This screen provides an overview of all the workload details such as cluster, namespace, risk factors, labels, and vulnerabilities by severity.

Workload details
Source: ARMO Platform

Understanding the workload risk

To get more information, you can activate the risk spotlight toggle and select a vulnerability tile on the results screen that is associated with a specific vulnerability. This will provide a deeper understanding of the potential risks to their workload and offer guidance on how to mitigate them.

By accessing the Vulnerability details page, users can explore various risk spotlight filters and access recommendations for resolving any exploitable vulnerabilities.

workload risk
Source: ARMO Platform

Get comprehensive CVE details – CVSS, EPSS, CISA KEV, Runtime Analysis

Selecting an exploitable CVE will trigger a side window to appear, which encompasses comprehensive details, such as:

CVSS Breakdown – Is the detailed analysis and categorization of a security vulnerability based on Common Vulnerability Scoring System (CVSS). It assesses factors like severity, exploitability, and impact to provide a comprehensive understanding of the vulnerability’s characteristics. This process helps users gauge the potential risks associated with the vulnerability more effectively.

CVSS Breakdown
Source: ARMO Platform

Runtime Analysis – Shows the affected image and indicates whether the vulnerable package is In Use (loaded to the memory)

Runtime Analysis
Source: ARMO Platform

Threat Intelligence – Shows exploitability information from

  • EPSS – Exploit Prediction Scoring System, which indicates the probability of exploitation activity in the next 30 days.
  • CISA KEV – Known Exploited Vulnerability list provided by the Cybersecurity & Infrastructure Security Agency
Threat Intelligence
Source: ARMO Platform

Generating workload SBOMs

During vulnerability scanning, ARMO Platform checks the active workloads and hosts. It then creates a runtime list of software components for each target called SBOM (Software Bill of Materials). This SBOM is sent to the workload components view for matching vulnerabilities.

Why generate SBOMs at runtime?

  1. Dynamic Environment Tracking: In rapidly changing environments, where workloads and their dependencies may change frequently, generating SBOMs at runtime allows for an up-to-date and accurate representation of the software components in use.
  2. Real-time Vulnerability Assessment: By having a runtime SBOM, security systems can perform real-time vulnerability assessments, identifying and addressing security issues as they emerge.
  3. Incident Response: In the event of a security incident, having a runtime SBOM aids in the rapid identification of affected components, helping security teams respond promptly and effectively.
  4. Compliance and Auditing: Generating SBOMs at runtime supports compliance efforts by providing a detailed and current inventory of software components, aiding in auditing processes, and ensuring adherence to security policies.

When examining the details of a workload there is the possibility to view the components in it, effectively giving a view of the SBOM.

SBOM view
Source: ARMO Platform

Future plans

ARMO Platform helps you secure your Kubernetes environments with runtime-based vulnerability management. In this post, you learned about how this is implemented in workloads. Using ARMO Platform, you can see the security status of each workload, including the number and severity of vulnerabilities, the exploitability, and the recommended actions.

However, this is just the beginning. We are working hard to provide you with a comprehensive and user-friendly solution that covers all aspects of Kubernetes vulnerability management. Here is a sneak preview of what is coming soon:

  • CVEs view – You will be able to see all the CVEs across all your environments. You will also be able to filter and sort them by various criteria, such as severity, exploitability, patch availability, and more.
  • Images view – You will be able to see all the images across all your environments, and the vulnerabilities that they contain. You will also be able to see the CVEs in each image layer, such as the application layer and the base layer.
  • Components view –  You will be able to see all the components across all your environments. You will also be able to see the CVEs that affect each component, which of them are ‘In Use’, and the impact that they have on your assets.
  • Centralized vulnerability dashboard – You will be able to see a holistic overview of your Kubernetes security posture, with metrics, charts, and insights that help you prioritize and remediate the most critical vulnerabilities.

So, stay tuned for our upcoming features.


Implementing Runtime-based vulnerability management and focusing on the most exploitable vulnerabilities hardens Kubernetes environments, preempting potential threats. ARMO Platform’s risk-based vulnerability management simplifies the identification and resolution of critical vulnerabilities. Thus, fostering seamless collaboration between security and development teams. This approach enhances the efficiency and effectiveness of Kubernetes security tasks. Try ARMO Platform today!

Actionable, contextual, end-to-end
{Kubernetes-native security}

From code to cluster, helm to node, we’ve got your Kubernetes covered:

Cut the CVE noise by significantly reducing CVE-related work by over 90%

Automatic Kubernetes compliance for CIS, NSA, Mitre, SOC2, PCI, and more

Manage Kubernetes role-based-access control (RBAC) visually