Calico Cloud: Active build and runtime security for cloud-native applications

Calico Cloud has just celebrated its 1-year anniversary! And what better way to celebrate than to launch new features and capabilities that help users address their most urgent cloud security needs?

Over the past year, the Tigera team has seen rapid adoption of Calico Cloud for security and observability of cloud-native applications. With this new release, Calico Cloud becomes the first in the industry to offer the most comprehensive active cloud-native application security that goes beyond detecting threats to limit exposure and automatically mitigate risks in real time.

With news of new zero-day threats emerging almost every day (e.g. Argo CD, Chrome Browser), the current security approach needs to evolve. We need active build, deploy, and runtime security, all together, instead of using a siloed approach. Security threats, vulnerabilities, and risks for all three areas should be addressed together, by the same security platform, rather than using multiple disjointed tools. Calico Cloud does just that!

With Calico Cloud, you can reduce your cloud-native application’s attack surface, harness machine learning to combat runtime security risks from known and unknown zero-day threats, enable continuous compliance, and prioritize and mitigate the risks from vulnerabilities and attacks.

Let’s take a look at how Calico Cloud provides active build and runtime security for cloud-native applications as an active CNAPP platform.

Build-time security with image assurance and admission controller

Calico Cloud continuously assesses 1st- and 3rd-party images for vulnerabilities and misconfigurations. It also provides runtime visibility by correlating image scan results to provide a real-time view of the images running in your clusters and any potential risk associated with them. An admission controller in Calico Cloud automatically blocks the deployment of pods that contain high-severity vulnerabilities. You can define exceptions for vulnerabilities that are not applicable based on how an affected component may be used in your environment.

With Calico Cloud, not only can you scan the images and allow the deployment of ones that pass the security requirements, but you can also actively control which images get deployed based on security profiles tailored to cloud-native applications. This helps to further improve and strengthen the security posture of your environment.
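The admission decision described in this section can be sketched as a Kubernetes validating-webhook handler. This is an added example, not Calico Cloud's code or API: the scan data, image names, and vulnerability IDs are constructed, and three choices are assumptions of the sketch (CRITICAL is blocked along with HIGH, exceptions are scoped per image, and images with no scan result are denied).

```python
# Constructed scan results keyed by image reference (not real scanner output).
SCAN_RESULTS = {
    "registry.example/shop/api:1.4": [
        {"id": "VULN-EXAMPLE-0001", "severity": "HIGH"},
        {"id": "VULN-EXAMPLE-0002", "severity": "LOW"},
    ],
    "registry.example/shop/web:2.0": [{"id": "VULN-EXAMPLE-0003", "severity": "MEDIUM"}],
}
# Assumption: "high-severity" is read here as HIGH or CRITICAL.
BLOCKING = {"HIGH", "CRITICAL"}


def pod_images(pod):
    """Collect every image a Pod runs, including init and ephemeral containers."""
    spec = pod.get("spec", {})
    keys = ("initContainers", "containers", "ephemeralContainers")
    return [c["image"] for k in keys for c in (spec.get(k) or [])]


def review(admission_review, scans, exceptions):
    """Return an AdmissionReview response for a Pod create/update request.

    exceptions maps image -> set of vulnerability ids accepted for that image,
    so an exception granted for one workload does not silently cover another.
    An image with no scan result is denied (fail closed).
    """
    req = admission_review["request"]
    reasons = []
    for image in pod_images(req["object"]):
        if image not in scans:
            reasons.append(f"{image}: no scan result")
            continue
        accepted = exceptions.get(image, set())
        for v in scans[image]:
            if v["severity"].upper() in BLOCKING and v["id"] not in accepted:
                reasons.append(f"{image}: {v['id']} ({v['severity']})")
    response = {"uid": req["uid"], "allowed": not reasons}
    if reasons:
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


def make_request(uid, images):
    """Build a constructed AdmissionReview request for a Pod with these images."""
    containers = [{"name": f"c{i}", "image": img} for i, img in enumerate(images)]
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "object": {"kind": "Pod",
                                               "spec": {"containers": containers}}}}
```

The denial message lists each blocking finding, which gives the team that owns the workload the exact items to fix or to request an exception for.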

Read more about image assurance.

Configuration assessment for images, workloads, and Kubernetes

Calico Cloud continuously monitors images, workloads, and Kubernetes infrastructure configuration against common configuration security standards. Evidence and audit reports for PCI DSS, SOC 2, GDPR, CCPA, and FIPS are available from the platform. You can also create specific reports for your custom compliance frameworks. You can get a detailed daily, weekly, or monthly assessment report based on your organizational requirements and deployment model. This is especially helpful when you are working in a dynamic and ephemeral environment such as Kubernetes. Further, you can integrate these reports into your CI/CD pipeline or incident response workflows for active mitigation.

Read more about configuration assessment.

Zero-trust workload security

Calico Cloud enforces zero-trust workload security for better prevention against security threats. It reduces the attack surface by enabling zero-trust workload access controls, identity-aware microsegmentation for workloads, and integration with firewalls and security information and event management (SIEM) tools.

Calico Cloud enables fine-grained, zero-trust workload access controls between your microservices and external databases, cloud services, APIs, and other applications with an egress access gateway, DNS policy, and NetworkSets. These features help you control access between individual pods in a Kubernetes cluster and external resources or other workloads as per your requirements. You can limit the blast radius of breaches by restricting lateral movement of threats with identity-aware segmentation in Calico Cloud that works across all of your workload environments, including hosts, VMs, Kubernetes components, and services.

Read more about zero-trust workload security.

Runtime threat defense for container and network-based threats

With new capabilities, Calico Cloud now delivers runtime security against both container and network-based threats. Calico Cloud has built-in probes based on eBPF that collect workload activity data across the network, file system, system calls, and processes. The threat defense engine compares data from these probes, in near real time, with known malicious attacks. It uses a combination of signature-based techniques, curated rulesets based on historical attacks, and machine learning to create a behavioral baseline of the workload. To complete runtime threat defense, Calico provides workload-level intrusion detection and prevention (IDS/IPS), deep packet inspection (DPI), distributed denial-of-service (DDoS) attack prevention, and application-level protection with a web application firewall (WAF).

Calico Cloud’s highly performant security policy engine can alert, pause, quarantine, or terminate infected pods within milliseconds in multi-cloud and hybrid environments. The Security Policy Recommender scans your environment and recommends policies for robust security.

Read more about runtime threat defense.

Live visualization and faster troubleshooting with Dynamic Service and Threat Graph

Calico Cloud’s Dynamic Service and Threat Graph provides live visualization of communication between services, namespaces, and workloads, enabling faster troubleshooting. You have a live view of security gaps and vulnerabilities along with performance issues and communication breakdowns between microservices. With simple clicks, you can drill down into the visualization to perform troubleshooting and significantly reduce the time and steps it takes to pinpoint and troubleshoot container or connectivity issues.

Read more about Dynamic Service and Threat Graph.


Calico Cloud is the only active cloud-native application security platform that goes beyond finding and alerting DevOps, security, and platform teams about vulnerabilities in their cloud-native applications. Calico Cloud helps reduce the attack surface using zero trust, actively mitigates risks with a combination of preventive measures, and combines behavioral baselining and known threat knowledge to detect anomalous activity at runtime, providing security policies to address them in real time. As securing cloud-native applications becomes a shared team goal, it becomes important for active CNAPP to address problems at build, deploy, and runtime while not adversely impacting the rate at which cloud-native applications are being built and deployed.

To see these new features and capabilities in action, try out Calico Cloud for yourself with a free trial.

If you’d like to know more about the driving force behind these recent changes and why an ‘active’ approach to security is needed, read this blog from President & CEO Ratan Tipirneni.
