Container Security

Protect all aspects of container-based applications including the CI/CD pipeline, Kubernetes infrastructure, container runtime and workloads



Calico Cloud provides active build, deploy, and runtime security that detects, prevents and mitigates security breaches in container based applications.

With Calico Cloud, DevOps teams can:

  • Secure the build pipeline with automated vulnerability management
  • Integrate image scanning with the CI/CD lifecycle to block vulnerable images from being deployed in your applications
  • Secure the Kubernetes environment
  • Secure the container runtime
  • Secure workloads with fine-grained access controls
  • Detect and mitigate risks from both host and network based malware


Reduces Attack Surface

Continuously detects vulnerabilities and actively blocks deployment of risky workloads. Enforces security controls that proactively limit ways an application can be breached

Prevents, detects and stops attacks

Prevents, detects and stops known and zero-day attacks from host or the network

Actively mitigates risks of exposure

Actively recommends and deploys security controls to mitigate the risks of exposure in case of a breach

Key Features

Image Assurance

Calico Cloud’s Image Assurance capabilities secures the build pipeline with automated vulnerability management. Calico Cloud continuously scans first- and third-party images for known CVEs and prevents risky workloads from being deployed with an automated admission controller. The Calico Image Scanner integrates with CI/CD pipeline to automate image scanning. Calico Cloud provides a runtime view of vulnerable workloads to assess the risk, and deploys mitigating security controls to reduce the risk.

Configuration Assessment

Continuously monitors Kubernetes and control plane configuration to proactively detect violations. Create high-fidelity CIS benchmark reports to maintain security best practices for Kubernetes. Provides remediation tactics to mitigate high-severity risks, based on custom and pre-defined rules.

Runtime Security from host and network based threats

Active protection for containers running in multi-cloud and hybrid environments from network and host-based threats. (Learn more)

  • Host-based protection - Calico Cloud can detect the presence of malicious files in your environment. Calico Cloud maintains a threat intelligence database, which includes file hashes of known malicious files.

  • Network-based protection - Calico Cloud uses IDS/IPS with global threat feeds and SNORT rules to detect and block traffic from suspicious sources. Calico Cloud’s anomaly detection feature analyzes network activity and identifies anomalous and suspicious behavior detected in your cluster. Calico provides a Workload-Centric Web Application Firewall (WAF) to protect from application layer attacks such as OWASP10 attacks.

  • Workload Access Controls - Calico provides fine-grained access controls to prevent data exfiltration by limiting communication from pods to command and control servers.

  • Identity Aware Microsegmentation - Calico prevents the lateral movement of threats with identity aware microsegmentation. Microsegmentation ensures that only authorized pods are allowed to communicate laterally.

  • Firewall Integration - Calico enables pod level integration with existing network firewalls to extend firewall protections to containers and Kubernetes.

Observability and Troubleshooting

Purpose-built observability that helps visualize service connectivity and dependency, identify and resolve security and audit gaps, performance issues, connectivity breakdown, anomalous behavior, and security policy violations between namespaces, microservices, and pods in real time.


Encodes compliance controls as code to ensure consistent enforcement across distributed environments. Continuously collects, correlates, and prepares data to provide proof of compliance Provides controls to comply with any regulatory and customer compliance frameworks including SOC2, HIPAA, GDPR, etc.

How It Works


Secure containers from build to runtime across multi-cloud and hybrid environments.


Free eBook



Learn More