We’re happy to announce the release of Kubescape 4.0, a milestone bringing enterprise-grade stability and advanced threat detection to open source Kubernetes security. This version focuses on making security more proactive and scalable. It also introduces capabilities that allow AI agents to use Kubescape to scan clusters, as well as security posture scanning for the AI agents themselves.
Runtime Threat Detection Reaches General Availability (GA)
The highlight of this release is the GA of our Runtime Threat Detection. After rigorous testing, we’ve achieved proven stability at scale.
The engine is powered by CEL-based detection rules. These Common Expression Language rules are highly efficient and have direct access to Kubescape Application Profiles, which act as security baselines for your workloads.

Source: Kubescape.io
Kubescape 4.0 monitors a comprehensive suite of events including:
- System Interactions: Processes, Linux capabilities, and system calls
- Connectivity: Network and HTTP events
- Storage: File system activities
For seamless operations, Rules and RuleBindings are now managed as Kubernetes CRDs. You can export alerts to your existing stack, including AlertManager, SIEM, Syslog, Stdout, and HTTP webhooks.
Check out the Kubescape documentation for more information.
Kubescape Storage Reaches General Availability (GA)
Kubescape Storage has officially reached GA. This component leverages the Kubernetes Aggregated API, a Kubernetes-native feature, to act as a centralized repository for all security metadata.
By moving custom objects like Application Profiles, SBOMs, and vulnerability manifests into this dedicated storage layer, we’ve ensured that security data doesn’t overwhelm the standard etcd instance. This architecture has been proven to handle the demands of large-scale, high-density clusters, providing the performance required for modern enterprise environments.
For more information, check out Amir Malka’s session at KubeCon + CloudNativeCon North America 2025:
Extending Kubernetes API: The Hidden Energy of Aggregated Server Objects – Amir Malka, ARMO
The Enhanced Node-Agent and Host-Sensor Deprecation
Based on community feedback regarding the complexity of node scanning, we have removed the host-sensor in Kubescape 4.0. While effective, this “pop-up” DaemonSet approach was often perceived as intrusive and difficult to monitor from a security perspective.
We have also officially removed the host-agent and integrated its capabilities directly into the node-agent. By establishing a direct API between the core Kubescape microservices and the node-agent, we’ve eliminated the need for ephemeral, high-privilege Pods. This architectural shift allows you to maintain a cleaner cluster environment with only one agent to manage, making your security posture both more stable and easier to audit.
Kubescape Enters the AI Era
With the launch of Kubescape 4.0, we’re addressing the unique challenges of the AI-native era by looking at security from two equally important perspectives. This focus is critical, as the same cloud native principles that scale modern infrastructure are foundational for the next generation of inference pipelines and intelligent, agentic AI systems. We like to think of this as the “two sides of the AI security coin”: using Kubescape to empower AI agents with cybersecurity capabilities and using Kubescape to secure those same agents.
Empowering AI Security Sidekicks
As AI inference becomes the next major cloud native workload and Kubernetes evolves into the platform for intelligent systems, Kubescape 4.0 introduces a KAgent-native plug-in, allowing AI assistants to analyze Kubernetes security posture directly from the cluster. This plug-in provides the following capabilities to the AI agent:
- Security Scanning: AI agents can list and inspect vulnerability manifests for CVEs and review configuration scans to identify RBAC issues or missing security contexts.
- Detailed Remediation: Agents can pull specific guidance to fix vulnerabilities.
- Runtime Observability: Using ApplicationProfiles and NetworkNeighborhoods, AI assistants can look at how containers behave in real life, like what system calls they make, what files they access, and how they communicate over the network.
This integration enables an AI agent to become a true security sidekick, assisting humans to interpret complex security states and make informed decisions.
Scanning the AI Posture
AI agents are beginning to gain more autonomy, meaning their infrastructure must be secured. We need robust security guardrails to stop agents from exploiting them for high-risk actions like unauthorized access or deleting production data. Kubescape 4.0 introduces security posture scanning specifically for KAgent, the CNCF Sandbox project for AI orchestration.
Since KAgent creates direct pathways between AI models and enterprise infrastructure, misconfigurations can be high-risk. Our new analysis identifies 42 security-critical configuration points across KAgent’s CRDs. We’re introducing 15 Rego-based controls to detect issues such as:
- Empty security contexts in default deployments
- Missing NetworkPolicies
- Over-privileged controller-wide namespace watching
By applying these rigorous standards, we’re ensuring that the “brains” of your AI operations are as secure as the workloads they manage.
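To make the three issue classes above concrete, here is an added example (not Kubescape's Rego controls and not code from the project) that audits a small set of constructed manifests. The manifest names, the finding labels, and the reading of "controller-wide namespace watching" as a ClusterRole granting watch on namespaces are assumptions; only `matchLabels` selectors are evaluated.

```python
# Constructed sample manifests; names are illustrative only.
MANIFESTS = [
    {"kind": "Deployment", "metadata": {"name": "agent-controller", "namespace": "agents"},
     "spec": {"template": {"metadata": {"labels": {"app": "controller"}},
                           "spec": {"securityContext": {},
                                    "containers": [{"name": "controller"}]}}}},
    {"kind": "Deployment", "metadata": {"name": "ui", "namespace": "web"},
     "spec": {"template": {"metadata": {"labels": {"app": "ui"}},
                           "spec": {"containers": [{"name": "ui", "securityContext": {
                               "runAsNonRoot": True, "allowPrivilegeEscalation": False}}]}}}},
    {"kind": "NetworkPolicy", "metadata": {"name": "default-deny", "namespace": "web"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"kind": "ClusterRole", "metadata": {"name": "agent-controller"},
     "rules": [{"apiGroups": [""], "resources": ["namespaces"],
                "verbs": ["get", "list", "watch"]}]},
]

def selects(policy, ns, labels):
    """True if the NetworkPolicy is in `ns` and its matchLabels select the pod labels."""
    if policy["metadata"].get("namespace", "default") != ns:
        return False
    want = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in want.items())  # {} selects every pod

def audit(manifests):
    """Return (check, resource) findings for the three issue classes listed above."""
    findings = []
    policies = [m for m in manifests if m["kind"] == "NetworkPolicy"]
    for d in (m for m in manifests if m["kind"] == "Deployment"):
        name, ns = d["metadata"]["name"], d["metadata"].get("namespace", "default")
        tmpl = d["spec"]["template"]
        pod = tmpl["spec"]
        for c in pod.get("containers", []):
            # Absent and {} are equivalent: the container runs with runtime defaults.
            if not c.get("securityContext") and not pod.get("securityContext"):
                findings.append(("empty-security-context", f"{ns}/{name}/{c['name']}"))
        labels = tmpl.get("metadata", {}).get("labels", {})
        if not any(selects(p, ns, labels) for p in policies):
            findings.append(("missing-network-policy", f"{ns}/{name}"))
    for role in (m for m in manifests if m["kind"] == "ClusterRole"):
        for rule in role.get("rules", []):
            verbs, res = rule.get("verbs", []), rule.get("resources", [])
            # Assumed reading of "controller-wide namespace watching".
            if {"watch", "*"} & set(verbs) and {"namespaces", "*"} & set(res):
                findings.append(("cluster-wide-namespace-watch", role["metadata"]["name"]))
    return findings

if __name__ == "__main__":
    for check, resource in audit(MANIFESTS):
        print(f"{check}: {resource}")
```

A NetworkPolicy in the same namespace only counts when its selector actually matches the workload's pod labels, which is why the check compares labels rather than namespaces alone.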
Compliance
In the continuously evolving cloud native landscape, robust governance and consistent, auditable compliance are the critical foundations that allow for safe and sustainable innovation. Kubescape continues to help keep your clusters compliant with the latest industry standards:
- CIS Benchmark Updates: Support for versions 1.12 (Vanilla Kubernetes) and 1.8 (EKS, AKS).
Community Corner
We’d like to welcome our new maintainer, Amir Malka, and thank our emeritus maintainers, David Wertenteil and Craig Field, for their contributions over the years.
To join the Kubescape community and find information on how to ask questions, join in the conversation, and contribute, visit the link here.
If you are a Kubescape user, we’d love to hear from you. Please reach out if you would like to share an interesting use case with the community or add yourself to our list of adopters.



