The Container Protection Settings tab in the Security Center console lets you enable container runtime security features, including threat detection on Kubernetes containers and container escape prevention.
Threat detection on Kubernetes containers
Threat detection on Kubernetes containers monitors the security status of running container clusters in real time, detecting attacks and abnormal behavior as they happen. When a threat is identified, Security Center automatically generates an alert of the K8s Abnormal Behavior type, giving your team early warning to investigate and respond before damage spreads.
For example, a compromise can start with a single vulnerable container: an attacker exploits it to execute malicious commands, moves laterally among service accounts, and eventually escapes to the host or exfiltrates data. The threat detection feature monitors the entire chain, from suspicious API server instructions and malicious image startup to reverse shells and privilege escalation in containers.
Limitations
Subscription service:
- Available for the Enterprise or Ultimate edition. To upgrade, see Purchase Security Center.
- Servers must be configured for the Enterprise or Ultimate protection edition. For instructions, see Manage host and container security quotas.
Pay-as-you-go service:
- The Host and Container Security service must be enabled. To enable it, see Purchase Security Center.
- Servers must be set to the Host Protection or Host and Container Protection level. For instructions, see Pay-as-you-go instances.
Enable threat detection on Kubernetes containers
1. Log on to the Security Center console. In the top navigation bar, select the region of the asset you want to manage: China or Outside China.
2. In the left-side navigation pane, choose System Settings > Feature Settings.
3. On the Settings tab, click the Container Protection Settings tab. In the Threat Detection on Kubernetes Containers section, turn on Threat Detection.
After you turn on the switch, detected threats appear as alerts on the Detection and Response > Alert page. View and handle alerts promptly. For details, see Evaluate and handle security alerts.
If the Agentic SOC feature is enabled, the entry point to the Alert page changes. For details, see Agentic SOC overview.
Detectable threats
The feature detects threats across five categories:
| Category | Detectable items |
|---|---|
| K8s abnormal behavior | Suspicious instruction run on a Kubernetes API server; mounting of suspicious directories to a pod; lateral movement among Kubernetes service accounts; startup of a pod that contains a malicious image |
| Unusual network connection | Outbound connection of reverse shells; suspicious outbound network connection; suspicious lateral movement in internal networks |
| Malware | DDoS trojan; suspicious connection from mining machines; suspicious program; suspicious tool initiating brute-force attacks on ports; suspicious attack program; backdoor program; malicious vulnerability detection tool; malicious program; mining program; trojan; self-mutating trojan; worm |
| WebShell | WebShell |
| Suspicious process | Suspicious command run by Apache CouchDB; suspicious command run by FTP applications; suspicious command run by Hadoop; suspicious command run by Java applications; suspicious command run by Jenkins; suspicious account creation in Linux; suspicious command run by scheduled tasks in Linux; suspicious command run by MySQL; suspicious command run by Oracle; suspicious command run by PostgreSQL applications; suspicious command run by Python applications; suspicious execution of non-interactive SSH commands that contain only one line targeting remote machines; webshell running suspicious probe commands; modification of Windows RDP configurations for port 3389; suspicious execution of download commands in Windows; suspicious account creation in Windows; malicious code injection in crontab jobs; suspicious command sequence in Linux; execution of suspicious commands in Linux; dynamic injection of suspicious scripts; reverse shell; reverse shell command; potential data breach by using HTTP tunnels; suspicious SSH tunneling; suspicious webshell injection; suspicious starting of a privileged container; suspicious port listening; malicious container startup; remote API debugging in Docker that may pose security risks; suspicious command; privilege escalation in containers or container escapes |
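To make the K8s abnormal behavior and privileged-container items in the table concrete, the following added example (written for this page; it is not Security Center's detection logic and not code from the product) checks constructed Kubernetes API server audit events for three of the listed patterns: an exec or attach request through the API server by a principal outside an assumed allowlist, startup of a pod with a privileged container or shared host namespaces, and a hostPath mount of a sensitive host directory. The allowlist, the sensitive-path list and the sample events are all assumptions made for the example.

```python
import json

# Constructed for this example: host directories whose hostPath mount into a pod
# is a common precursor to a container escape. Security Center's own criteria
# are not published on this page.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/root", "/var/run/docker.sock")

# Assumed allowlist of principals permitted to exec/attach into pods.
EXEC_ALLOWLIST = {"system:serviceaccount:ops:debug-sa"}


def _is_sensitive(path):
    """True if a hostPath points at, or below, one of the sensitive directories."""
    norm = path.rstrip("/") or "/"
    for prefix in SENSITIVE_HOST_PATHS:
        if prefix == "/":
            if norm == "/":          # only an exact root mount matches "/"
                return True
        elif norm == prefix or norm.startswith(prefix + "/"):
            return True
    return False


def _pod_spec(event):
    """Return the pod spec carried in a create request, or {} if there is none."""
    obj = event.get("requestObject") or {}
    return obj.get("spec", {}) if obj.get("kind") == "Pod" else {}


def check_event(event):
    """Return human-readable findings for one audit event (empty if benign)."""
    findings = []
    user = event.get("user", {}).get("username", "unknown")
    verb = event.get("verb")
    ref = event.get("objectRef", {})
    target = f"{ref.get('namespace', '?')}/{ref.get('name', '?')}"

    # 1) exec/attach through the API server by a principal outside the allowlist
    if ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach"):
        if verb == "create" and user not in EXEC_ALLOWLIST:
            findings.append(f"suspicious exec into {target} by {user}")

    spec = _pod_spec(event)
    if verb == "create" and spec:
        # 2) privileged container or host namespace sharing at pod start
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            if (c.get("securityContext") or {}).get("privileged"):
                findings.append(f"privileged container '{c.get('name')}' started in {target} by {user}")
        if spec.get("hostPID") or spec.get("hostNetwork"):
            findings.append(f"host namespace sharing in {target} by {user}")
        # 3) hostPath mount of a sensitive directory
        for vol in spec.get("volumes", []):
            path = (vol.get("hostPath") or {}).get("path")
            if path and _is_sensitive(path):
                findings.append(f"sensitive hostPath {path} mounted into {target} by {user}")
    return findings


def scan(audit_jsonl):
    """Parse newline-delimited audit JSON and return all findings in order."""
    findings = []
    for line in audit_jsonl.splitlines():
        if line.strip():
            findings.extend(check_event(json.loads(line)))
    return findings


# Constructed sample audit events: an allowlisted exec, a non-allowlisted exec,
# a privileged host-mounting pod, and a benign pod with an ordinary log mount.
SAMPLE_AUDIT = "\n".join(json.dumps(e) for e in [
    {"verb": "create", "user": {"username": "system:serviceaccount:ops:debug-sa"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "web-1"}},
    {"verb": "create", "user": {"username": "system:serviceaccount:prod:web-sa"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "db-0"}},
    {"verb": "create", "user": {"username": "dev-user"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "hostmount"},
     "requestObject": {"kind": "Pod", "spec": {
         "hostPID": True,
         "containers": [{"name": "c", "image": "busybox", "securityContext": {"privileged": True}}],
         "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}}},
    {"verb": "create", "user": {"username": "ci-bot"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "app"},
     "requestObject": {"kind": "Pod", "spec": {
         "containers": [{"name": "app", "image": "nginx"}],
         "volumes": [{"name": "logs", "hostPath": {"path": "/var/log/app"}}]}}},
])

if __name__ == "__main__":
    for finding in scan(SAMPLE_AUDIT):
        print(finding)
```

Run as-is to see the four findings raised by the second and third events; in a real deployment the input would be the JSON lines emitted by the kube-apiserver audit log or audit webhook, and each finding would be correlated with the corresponding Security Center alert rather than acted on in isolation.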
Container escape prevention
Container escape prevention monitors processes, files, and system calls to detect high-risk behavior before a container escape succeeds. The feature establishes a protective barrier between containers and hosts, intercepting both known and unknown attack patterns, including attacks that exploit container vulnerabilities to reach the underlying host.
Prerequisites
Before you begin, ensure that at least one of the following switches is turned on:
- Malicious Host Behavior Prevention
- Webshell Prevention
For instructions, see Proactive Defense.
Enable container escape prevention
1. Log on to the Security Center console. In the top navigation bar, select the region of the asset you want to manage: China or Outside China.
2. In the left-side navigation pane, choose System Settings > Feature Settings.
3. On the Settings tab, click the Container Protection Settings tab. In the Container Escape Prevention section, turn on Threat Detection.
What's next
After enabling container escape prevention:
- Create a defense rule for container escapes to activate the protection. For instructions, see Use container escape prevention.
- If Security Center detects risks in your Kubernetes clusters, alerts appear on the Detection and Response > Alert page. View and handle them promptly. For details, see Evaluate and handle security alerts.
- If the Agentic SOC feature is enabled, the entry point to the Alert page changes. For details, see Agentic SOC overview.