Intrusion Detection

In addition to Cloud Microsegmentation and Zero Trust Security, Calico Enterprise and Calico Cloud provide another layer of protection through a highly effective Intrusion detection system (IDS).

IDS identifies Advanced Persistent Threats (APTs) through behavior monitoring using machine learning and a rule-based engine.

Threat Feed Integration

Custom Alerts

Anomaly Detection

Configure Security


Automatic Remediation

Watch Details Video

Threat Feed Integration

Calico Enterprise and Calico Cloud ingest threat feeds that identify IP addresses for known bad actors such as botnets. Any ingress or egress traffic to those IPs are automatically blocked and can be configured to generate alerts. In addition, traffic to VPNs and TOR exit nodes is blocked and triggers alerts when detected.

Firewalls often detect and block traffic associated with known bad actors, but don’t have visibility into which pod is infected. Our threat feed can pinpoint and report on the exact source of malicious traffic.

Custom Alerts for Known Attacks

Calico Enterprise can alert on unauthorized changes to your cluster and security policies as well as known attack patterns such as domain generation algorithms (DGA). Alerts are available out-of-the-box and can be customized and augmented by your security researchers or Tigera’s.

Anomaly Detection

Our Anomaly Detection solution evaluates connection flows using machine learning to identify the baseline behavior of your microservice environment and can generate alerts when unexpected behavior is detected. This enables you to detect and protect your Kubernetes environment against zero-day exploits.

Port scans, IP sweeps, and service byte anomalies can all be indicators that your environment has been compromised and is hosting an advanced persistent threat (APT). Our solution detects and alerts on that activity and can quarantine those workloads.

We can also detect and prevent OWASP Top 10 attacks targeting your microservices.

Configure Security for Critical Workloads

A small set of your workloads may have access to sensitive data, and you will want to provide supplemental detection and alerting for those microservices.

Calico Enterprise and Calico Cloud have the ability to configure policies and alerts for a subset of your environment that will detect and alert on abnormal activity, effectively creating a virtual moat to protect your critical workloads.

Defining your moat is as simple as using a label and then defining detailed alerts for workloads utilizing those labels.


While inspecting all network data can enable you to detect attacks, this level of activity can create a huge performance penalty. To avoid performance impacts, Calico Enterprise and Calico Cloud utilize an innovative approach to identify cluster traffic that warrants deeper inspection.

Honeypods are fake pods that run in your cluster. Any traffic to these pods will generate an alert that will trigger further inspection of the data.

When traffic hits a honeypod, Calico Enterprise inspects packets from the traffic and analyzes it for known malware signatures using SNORT and other tools.

Automatic Remediation

Alerts generated by Calico Enterprise and Calico Cloud can trigger automated remediation. First, the rogue microservice is immediately isolated from the network. Then the IDS generates policy recommendations to prevent future attacks.

The quarantined workload can be left running to allow your SOC analysts to apply forensic analysis.

Watch Product Details Video


📣 Read our new O'Reilly eBook on Kubernetes Security and ObservabilityLearn more >>>