Containers changed the attack surface. But security models didn’t

Written By Hannes Ullman

The shift from virtual machines to containers and Kubernetes fundamentally changed how software is built, shipped, and operated. Infrastructure became ephemeral. Applications became distributed. Dependencies exploded.

Yet, much of the security tooling in use today still assumes a world of long‑lived servers, static binaries, and clearly defined perimeters.

This mismatch has real consequences — especially as supply‑chain attacks and cloud‑native breaches continue to rise.

Containers reshaped the attack surface

In traditional environments, attackers needed persistence. Gaining a foothold often meant deploying malware, escalating privileges, and maintaining access over time.

In containerized environments, persistence is optional.

Modern attackers:

  • Exploit vulnerable dependencies or poisoned images

  • Abuse default permissions and overly broad runtime access

  • Live off the land by using existing binaries and system calls

  • Move laterally through APIs and cloud credentials

Why traditional security tools struggle

Most security programs rely heavily on two pillars:

  1. Pre‑deployment scanning

  2. Post‑compromise detection

Both have limitations in cloud‑native environments.

Vulnerability scanners

Scanners analyze images, SBOMs, and packages to identify known CVEs. While valuable, they provide no context on whether a vulnerability is actually reachable or exploitable at runtime.

This leads to:

  • Long remediation backlogs

  • Misplaced prioritization

  • Engineering teams fixing issues that pose little real risk

Detection‑first runtime tools

Detection tools monitor behavior and raise alerts when something looks suspicious. But in practice:

  • Alerts arrive after exploitation begins

  • Human response times are measured in minutes or hours

  • Attackers only need seconds

Detection without enforcement turns security into an investigative exercise rather than a control.

Supply‑chain attacks expose the gap

Supply‑chain attacks highlight this disconnect perfectly. When a compromised dependency is introduced:

  • The binary may be “known and trusted”

  • The vulnerability may be unknown or zero‑day

  • Detection triggers only after malicious behavior starts

At that point, the question isn’t if the attacker got in, it’s how far they got.

Runtime behavior is the real control point

Containers reduce isolation to process‑level boundaries.
That makes runtime behavior — system calls, file access, network connections — the most reliable signal of intent.

Security models that enforce *intended behavior* at runtime can:

  • Block exploitation paths regardless of CVE awareness

  • Contain supply‑chain attacks automatically

  • Reduce noise by preventing incidents instead of reporting them

This shifts security from reactive to preventive.

What a modern security model looks like

A container‑native security model assumes:

  • Compromise is inevitable

  • Not all vulnerabilities are equal

  • Runtime enforcement matters more than static assumptions

Instead of asking, “Is this container vulnerable?”. The better question becomes
“Should this container ever be allowed to do this?”.

Closing the gap

Containers changed the attack surface.
Security models must evolve accordingly.

Preventive runtime controls won’t replace scanning or detection — but they complete the picture.

For security leaders, this means:

  • Fewer high‑severity incidents

  • Clearer risk reduction

  • Security that scales with modern delivery


Cloud‑native systems deserve cloud‑native security, enforced where it matters most: at runtime.

Hannes Ullman https://bifrostsec.com
Next

What the Cyber Resilience Act means for you