Safe runtime scenario replay for detection validation.
Trigger real Kubernetes runtime behaviors on test clusters, verify them independently of any detection backend, and map results to your local ruleset. Safe, repeatable, well-scoped scenarios with clean setup and teardown.
# 1. Create a local test cluster (requires kind + Docker)
make setup-kind
# 2. Install Falco (optional — scenarios work without it)
make setup-falco
# 3. Run a scenario
make scenario-shell-spawn
# 4. Watch Falco alerts in a second terminal
make logs-falco
# 5. Clean up
make cleanup-shell-spawn
Each scenario verifies behavior generation first, detection mapping second. Your detection backend is not required to confirm a scenario ran.
Shell spawn detection
Spawning a shell inside a running container — maps to T1059 (Command and Scripting Interpreter) execution techniques
Privilege escalation attempts
Privilege-sensitive syscalls issued from containers that were not granted the capabilities those syscalls normally require
Sensitive file reads
Access to /etc/shadow, /etc/passwd, service account token mounts
Network anomalies
Unexpected outbound connections, port scanning behavior from within pods
Detection engineering
You have Falco rules or audit log pipelines. Verify they fire against real runtime behaviors before an incident forces the test in production.
Security workshops
Run live Kubernetes security demos with real behaviors. Scenarios are well-scoped and clean up after themselves — safe for training clusters.
Rule validation after changes
Modified a detection rule? Replay the relevant scenario on a test cluster to confirm the rule still fires before pushing to production.
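The "detection mapping second" step of the quickstart and the rule-validation check above both come down to the same comparison: take the alerts your backend emitted while a scenario ran, scope them to the scenario's namespace, and diff the rule names against what the local ruleset is expected to fire. The following is an added example of that check, not code from k8s-runtime-replay. It assumes Falco was run with json_output enabled (one JSON object per line carrying rule, priority and output_fields); the scenario-to-rule table and the alert lines are constructed for illustration.

```python
"""Map Falco alerts captured during a scenario run to the rules your local
ruleset is expected to fire. Added example, not code from k8s-runtime-replay.
Assumes Falco runs with json_output enabled (one JSON object per line, with
'rule', 'priority' and 'output_fields' keys); the scenario-to-rule table and
the alert lines are constructed for illustration."""
import json
from dataclasses import dataclass, field

# Hypothetical scenario -> expected Falco rule names. Names must match the
# 'rule:' string in your local ruleset exactly; a renamed rule shows up here
# as a missing detection, which is exactly what you want after a rule change.
EXPECTED_RULES = {
    "shell-spawn": {"Terminal shell in container"},
    "sensitive-file-read": {"Read sensitive file untrusted"},
    "privilege-escalation": {"Launch Privileged Container"},
}


@dataclass
class ScenarioResult:
    scenario: str
    fired: set = field(default_factory=set)       # rules seen in the scenario namespace
    missing: set = field(default_factory=set)     # expected but never fired
    unexpected: set = field(default_factory=set)  # fired but not in the mapping

    @property
    def passed(self) -> bool:
        return not self.missing


def parse_falco_jsonl(text: str) -> list:
    """Parse Falco JSON-lines output, skipping banner and non-JSON lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "rule" in alert:
            alerts.append(alert)
    return alerts


def evaluate(scenario: str, alerts: list, namespace: str) -> ScenarioResult:
    """Compare rules fired in the scenario's namespace against EXPECTED_RULES.

    Scoping by k8s.ns.name keeps alerts from unrelated workloads (kube-system,
    other tenants) from masking a missing detection or inflating the result.
    """
    expected = EXPECTED_RULES[scenario]
    fired = {
        a["rule"] for a in alerts
        if a.get("output_fields", {}).get("k8s.ns.name") == namespace
    }
    return ScenarioResult(
        scenario=scenario,
        fired=fired,
        missing=expected - fired,
        unexpected=fired - expected,
    )


# Constructed sample of Falco JSON output captured during a shell-spawn run
# in namespace "replay"; not real cluster output.
SAMPLE_FALCO_LOG = """\
Falco version: 0.37.0 (constructed banner line; ignored by the parser)
{"hostname":"kind-worker","priority":"Notice","rule":"Terminal shell in container","source":"syscall","time":"2024-01-01T10:00:01.000000000Z","output":"Notice A shell was spawned in a container with an attached terminal","output_fields":{"k8s.ns.name":"replay","k8s.pod.name":"replay-shell","proc.name":"bash","user.name":"root"}}
{"hostname":"kind-worker","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","time":"2024-01-01T10:00:02.000000000Z","output":"Warning Sensitive file opened for reading by non-trusted program","output_fields":{"k8s.ns.name":"replay","k8s.pod.name":"replay-shell","fd.name":"/etc/shadow","proc.name":"cat"}}
{"hostname":"kind-worker","priority":"Notice","rule":"Terminal shell in container","source":"syscall","time":"2024-01-01T10:00:03.000000000Z","output":"Notice A shell was spawned in a container with an attached terminal","output_fields":{"k8s.ns.name":"kube-system","k8s.pod.name":"debug-7f9c","proc.name":"sh","user.name":"root"}}
"""


if __name__ == "__main__":
    alerts = parse_falco_jsonl(SAMPLE_FALCO_LOG)
    for name in ("shell-spawn", "privilege-escalation"):
        r = evaluate(name, alerts, "replay")
        print(f"{name}: {'PASS' if r.passed else 'FAIL'} "
              f"missing={sorted(r.missing)} unexpected={sorted(r.unexpected)}")
```

Pipe the output of `make logs-falco` into a file while a scenario runs and feed it to `parse_falco_jsonl`. A scenario fails only when an expected rule is missing; rules in `unexpected` are not failures but are worth a look, since on the sample above they show a sensitive-file read that the shell-spawn scenario did not set out to trigger, and the shell alert from kube-system is correctly ignored because it is outside the scenario namespace.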
k8s-runtime-replay gives you the trigger mechanism. A Baseline Review gives you the detection coverage map and prioritization your team needs to know what to validate first.
Book a Baseline Review