Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-runtime-threat-detection.md

1.3 KiB

Pattern: Runtime Threat Detection

Status: seed Readiness target: RL3 production Primary owners: Railiance platform, NetKingdom Genesis family: Kubernetes and platform

Problem

Admission controls and build checks do not detect every compromise that appears after workloads are running.

Context

Use this pattern for Kubernetes runtime events, process and network signals, container behavior, privileged action monitoring, and incident response triggers.

Forces

  • Runtime signals can be noisy.
  • Detection must distinguish platform, tenant, human, service, and agent activity.
  • Alerts need enough context for response.
  • Detection coverage should feed audit and incident workflows.

Solution

Collect runtime process, network, Kubernetes, and workload signals, classify them using a security event taxonomy, and route actionable alerts into incident response and audit workflows.

Verification

  • Runtime detections include actor, workload, namespace, tenant, and severity where available.
  • Known suspicious events trigger alerts or findings.
  • False positives are tuned without disabling critical coverage.
  • Detection events link to incident runbooks.
  • Security Event Taxonomy.
  • Central Audit Ledger.
  • Incident Runbook Library.
  • Kill Switch / Tenant Freeze.