# Pattern: Runtime Threat Detection Status: seed Readiness target: RL3 production Primary owners: Railiance platform, NetKingdom Genesis family: Kubernetes and platform ## Problem Admission controls and build checks do not detect every compromise that appears after workloads are running. ## Context Use this pattern for Kubernetes runtime events, process and network signals, container behavior, privileged action monitoring, and incident response triggers. ## Forces - Runtime signals can be noisy. - Detection must distinguish platform, tenant, human, service, and agent activity. - Alerts need enough context for response. - Detection coverage should feed audit and incident workflows. ## Solution Collect runtime process, network, Kubernetes, and workload signals, classify them using a security event taxonomy, and route actionable alerts into incident response and audit workflows. ## Verification - Runtime detections include actor, workload, namespace, tenant, and severity where available. - Known suspicious events trigger alerts or findings. - False positives are tuned without disabling critical coverage. - Detection events link to incident runbooks. ## Related Patterns - Security Event Taxonomy. - Central Audit Ledger. - Incident Runbook Library. - Kill Switch / Tenant Freeze.