Intrusion Detection (IDS)

Detect and mitigate Advanced Persistent Threats (APTs) using machine learning and a rule-based engine that enables active monitoring


Overview

Threat actors are now aware of Kubernetes and the inherent vulnerabilities of its larger attack surface. By default, Kubernetes clusters are left open, which means that any pod can talk to any other pod, even across namespaces. Attackers can hop from service to service until they find valuable data. Firewalls have traditionally been used to block attacks, but if the perimeter is breached, there's no protection from within the cluster. The conventional way of identifying attacks is with an intrusion detection system (IDS); however, the dynamic nature of Kubernetes requires a specialized approach.

Calico delivers a feature-rich IDS solution purpose-built for Kubernetes. Calico’s IDS pinpoints the source of malicious activity, uses machine learning to identify anomalies, and can create a security moat around critical workloads, deploy HoneyPods that capture zero-day attacks, and automatically quarantine potentially malicious workloads to thwart an attack. Calico’s IDS monitors inbound and outbound traffic (north-south) and east-west traffic that is traversing the cluster environment.

Benefits

Workload Protection

Protects sensitive Kubernetes workloads against vulnerabilities and threat actors deploying APTs, zero-day attacks, and other exploits, using automated detection, response, and mitigation

Custom Alerts

Ensures security teams are immediately notified when an attack or intrusion occurs, enabling further investigation and prompt remediation

Runtime Defense

Provides critical, supplemental protection to firewall defenses to ensure that sensitive workloads are not exposed if there is a perimeter breach

Key Features

Threat Feed Integration

Calico ingests threat feeds that identify IP addresses for known bad actors such as botnets. Any ingress or egress traffic to those IPs is automatically blocked and can be configured to generate alerts. In addition, traffic to VPNs and TOR exit nodes is blocked and triggers alerts when detected. Firewalls often detect and block traffic associated with known bad actors, but don’t have visibility into which pod is infected. Our threat feed can pinpoint and report on the exact source of malicious traffic.

Custom Alerts for Known Attacks

Calico Enterprise can alert on unauthorized changes to your cluster and security policies as well as known attack patterns such as domain generation algorithms (DGA). Alerts are available out-of-the-box and can be customized and augmented by your security researchers or Tigera’s.

Anomaly Detection

Calico’s anomaly detection solution evaluates connection flows using machine learning to identify the baseline behavior of your microservice environment and can generate alerts when unexpected behavior is detected. This enables you to detect and protect your Kubernetes environment against zero-day exploits.

Port scans, IP sweeps, and service byte anomalies can all be indicators that your environment has been compromised and is hosting an APT. Our solution detects and alerts on that activity and can quarantine those workloads.

We can also detect and prevent OWASP Top 10 attacks targeting your microservices.

Configure Security for Critical Workloads

A small set of your workloads may have access to sensitive data, and you will want to provide supplemental detection and alerting for those microservices.

Calico can configure policies and alerts for a subset of your environment that will detect and alert on abnormal activity, effectively creating a virtual moat to protect your critical workloads. Defining your moat is as simple as applying a label and then defining detailed alerts for the workloads that carry that label.

HoneyPods

While inspecting all network data can enable you to detect attacks, this level of activity can create a huge performance penalty. To avoid performance impacts, Calico Enterprise and Calico Cloud utilize an innovative approach to identify cluster traffic that warrants deeper inspection.

HoneyPods are fake pods that run in your cluster. Any traffic to these pods will generate an alert that will trigger further inspection of the data. When traffic hits a honeypod, Calico inspects packets from the traffic and analyzes it for known malware signatures, using SNORT and other tools.

Automatic Remediation

Alerts generated by Calico can trigger automated remediation. First, the rogue microservice is immediately isolated from the network. Calico’s IDS then generates policy recommendations to prevent future attacks. The quarantined workload can be left running to allow your SOC analysts to complete a forensic analysis.
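As an added illustration of the label-based moat and the quarantine step described above (this is not Calico's own documentation or a policy shipped with the product), a Calico GlobalNetworkPolicy can isolate any workload carrying an assumed `quarantine: "true"` label ahead of every other policy, while the pod keeps running for forensic analysis:

```yaml
# Added example: isolate any workload labelled quarantine="true".
# The label key/value and the policy name are assumptions for illustration.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: quarantine-isolate
spec:
  # Low order value so this policy is evaluated before ordinary allow rules.
  order: 0
  # Matches labelled workloads in every namespace.
  selector: quarantine == "true"
  types:
    - Ingress
    - Egress
  # Log records each attempted connection, then Deny drops it in both
  # directions; the pod itself stays up so analysts can inspect it.
  ingress:
    - action: Log
    - action: Deny
  egress:
    - action: Log
    - action: Deny
```

Applying the label (for example `kubectl label pod <pod> quarantine=true`) activates the isolation, and removing it restores the workload's normal connectivity.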
