Runtime Threat Defense
Runtime threat visibility, ML-based zero-day threat detection and malware protection for containerized workloads

Overview
Organizations are increasingly adopting a microservices-based architecture. Decomposing cloud-native applications into microservices running as containers, organizations are simultaneously expanding their applications’ attack surface. A traditional security approach that relies primarily on detecting vulnerabilities and misconfigurations is not adequate for securing cloud-native applications. In the dynamic environment of Kubernetes, modern application owners need the ability to observe and monitor containers in the cloud for malicious activity, and actively mitigate any associated security and compliance risk from known and zero-day threats.
Calico Cloud delivers the industry’s most comprehensive runtime threat defense solution for containerized workloads. Calico Cloud has built-in probes that collect workload activity data across network traffic, file system, processes, syscalls, binaries, and more. The threat defense engine compares data from these probes, in near real time, with known malicious attacks. It uses machine learning to create a behavioral baseline of the workload, together with Tigera’s own curated ruleset based on historical attacks, to provide a comprehensive threat defense solution against zero-day threats.
Benefits

Rapid Response
Quickly detect, block, and mitigate risks from known and unknown threats across multi-cloud and hybrid environments

Data and ML-based detection of known and unknown threats
Strengthen runtime security by blocking known malicious threats based on indicators of compromise (IoCs), and alerting on potential zero days using ML-based behavioral analysis

Runtime Threat Visibility
Monitor network traffic, file activity, processes, and system calls across your workloads for broad visibility into threats at runtime
Capabilities

Malware Protection
Calico Cloud’s runtime threat defense solution assesses your containerized workloads against IoCs for known malicious activity. Administrators or service owners can proactively block, quarantine, or terminate compromised workloads, or send security alerts to their security operations center for further analysis. This capability enables security and operations teams to ensure that their workloads are continuously monitored and protected against known malware, ransomware, and other advanced threats.

Zero-Day Protection
A signature-based detection approach is not sufficient to detect new zero-day exploits. Typically, zero-day attacks are attempted by compromising a system that might be affected by an unknown vulnerability. Calico Cloud’s runtime threat defense solution implements a behavioral-learning based approach to protect against these unknown attacks. A workload baseline is defined based on normal workload activity across network, processes, files, syscalls, and binaries. Any deviation from this baseline is compared against indicators of attacks (IoAs) to detect zero-day attempts. Operators can then configure Calico Cloud’s active security capabilities to block, terminate, or quarantine affected workloads.
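The baseline-then-deviation flow described above, as an added and deliberately simplified Python sketch that is not Calico Cloud’s engine or its data formats: it learns which parent/child process pairs a workload normally produces, treats anything else as a deviation, and checks each deviation against a small constructed indicator-of-attack (IoA) rule set before choosing a response. Workload names, events and rules are all constructed sample data.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Event = Tuple[str, str, str]  # (workload, parent_process, process)

# Constructed sample data: exec events observed while the workloads behave normally.
LEARNING_EVENTS: List[Event] = [
    ("web", "containerd-shim", "nginx"),
    ("web", "nginx", "nginx"),
    ("web", "nginx", "logrotate"),
    ("db", "containerd-shim", "postgres"),
    ("db", "postgres", "postgres"),
]

# Constructed IoA rules: (parents that make it suspicious or None for any, processes, action).
IOA_RULES: List[Tuple[Optional[Set[str]], Set[str], str]] = [
    ({"nginx", "postgres", "java", "node"}, {"sh", "bash", "dash"}, "quarantine"),  # service spawning a shell
    (None, {"curl", "wget", "nc"}, "alert"),                                       # download / raw egress tool
]

SEVERITY = {"baseline": 0, "alert": 1, "quarantine": 2}


def learn_baseline(events: List[Event]) -> Dict[str, Set[Tuple[str, str]]]:
    """Learning phase: record every (parent, process) pair seen per workload."""
    baseline: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for workload, parent, proc in events:
        baseline[workload].add((parent, proc))
    return baseline


def classify(event: Event, baseline: Dict[str, Set[Tuple[str, str]]]) -> str:
    """Detection phase: in-baseline activity passes; deviations are matched against IoA rules."""
    workload, parent, proc = event
    if (parent, proc) in baseline.get(workload, set()):
        return "baseline"
    for parents, procs, action in IOA_RULES:
        if proc in procs and (parents is None or parent in parents):
            return action
    return "alert"  # unknown deviation: surface for review rather than block on it alone


def evaluate(events: List[Event], baseline: Dict[str, Set[Tuple[str, str]]]) -> Dict[str, str]:
    """Return the most severe recommended action per workload over a batch of runtime events."""
    result = {workload: "baseline" for workload, _, _ in events}
    for ev in events:
        action = classify(ev, baseline)
        if SEVERITY[action] > SEVERITY[result[ev[0]]]:
            result[ev[0]] = action
    return result
```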

Workload-based IDS/IPS, DPI, DDoS Protection, Envoy-based application-level security with WAF
Calico Cloud’s workload-based IDS/IPS, DPI, DDoS protection, and Envoy-based application-level security controls protect containerized workloads at a granular, per-container level from network-based external threats and lateral movement.
Key features include:
- Security as declarative code to protect containers from network-based attacks
- Intrusion detection and prevention
- Deep packet inspection
- Protection from DDoS attacks
- Honeypods to detect and trap malicious traffic/actors/activity

Security Policy Recommender
Auto-generate a recommended security policy based on the ingress and egress traffic between existing microservices. You can implement the security policy in a handful of clicks and modify it according to your environment’s behavior to pause, quarantine, or terminate a workload.
Calico’s Security Policy Recommender is the fastest way to implement security policies in an existing cluster if you are unsure what policy is needed.
How It Works

See how Calico Cloud protects cloud-native applications from malware and zero-day attacks.