Difficulty: medium
Estimated Time: 30 minutes

Sysdig Secure is a unified data platform that provides vulnerability management, compliance, runtime security and forensics for enterprise cloud native environments at scale.

It is designed to provide container run-time security and forensics for enterprises with distributed, dynamic services. Sysdig Secure comes with deep container visibility and a natural integration with key orchestration technologies like Kubernetes, Docker, OpenShift, Amazon ECS…

It shares the same instrumentation as Sysdig Monitor, the exact same analytics backend, and consistent UIs. We call this reusable goodness the Sysdig Container Intelligence Platform – a unified approach to secure, monitor, and troubleshoot your container environment.

In this scenario we will use Sysdig Secure to detect anomalous activity, and research the incident, even if the affected container no longer exist.


  • Explore the default policies
  • Customize a policy to do a capture of all syscalls happening around a security event
  • Use Sysdig Secure to detect an interactive shell in a container
  • Investigate the incident, and find out exactly what happened.

Competencies required

If you have not done it yet, it is a good idea to complete the Falco scenarios before this one.

You will play both the attacker and defender (sysadmin) roles, verifying that the intrusion attempt has been detected by Sysdig Secure.

If you got here, now you have the knowledge and tools to start securing your cloud environment!

Keep learning more about SecOps with other classrooms or check the official documentation to learn more about Sysdig Secure.

Runtime security

Step 1 of 5

Setting up the environment

We have set up a Kubernetes cluster just for you. On the right you can see the terminal of the master node, from which you can interact with the cluster using the kubectl tool, which is already configured.

For instance, you can get the details of the cluster executing
kubectl cluster-info

You can view the nodes in the cluster with the command
kubectl get nodes

You should see 2 nodes: one master and a worker.

Check that you are admin:
kubectl auth can-i create node

In order to follow this course, you will need a Sysdig account. If you do not have have a Sysdig account, you can set one up by clicking Not a customer? Try for free and following the instructions. Refer to the first lab for further details.

Click on the "Sysdig" tab and log in the Sysdig Secure web UI. You can click the pop-out icon to open this in a new tab in your browser.

Alternatively you can point your browser at https://secure.sysdig.com.

After logging in, go to your profile Settings, and in the Agent Installation tab you will find your Access Key (something like 5ca1ab1e-d3ad-beef-dea1-deba7ab1ed0c). Keep it handy, as you will need it to authorize the agent against the backend.

Agent key