Runtime Security

Body of Knowledge

| Topic | Description | Relevance | Career Tracks |
|---|---|---|---|
| Container Security Fundamentals | Rootless containers, read-only filesystems, dropped capabilities, seccomp, AppArmor/SELinux. | Critical | DevSecOps, Platform Engineer, Security Engineer |
| Container Image Hardening | Minimal/distroless base images, non-root users, multi-stage builds, vulnerability-free images. | High | DevSecOps, Platform Engineer |
| Container Image Scanning | Trivy, Grype, Snyk Container, CVE databases, severity thresholds, registry integration. | High | DevSecOps, Security Engineer |
| Runtime Threat Detection (Falco) | Syscall monitoring, Falco rules, alerts, kernel module vs eBPF, Falcosidekick integration. | High | Security Engineer, DevSecOps, SRE |
| eBPF for Security | Tetragon, Cilium security, kernel-level observability, network policies, syscall filtering. | Medium | Security Engineer, Platform Engineer |
| Kubernetes Security | RBAC, NetworkPolicies, Pod Security Standards/Admission, secrets, service accounts. | Critical | Platform Engineer, DevSecOps, Security Engineer |
| Kubernetes Admission Controllers | Gatekeeper, Kyverno, validating/mutating webhooks, policy enforcement at admission. | High | Platform Engineer, DevSecOps |
| Service Mesh Security | mTLS, authorization policies, Istio/Linkerd security features, zero-trust networking. | Medium | Platform Engineer, Security Engineer |
| File Integrity Monitoring | AIDE, OSSEC/Wazuh FIM, container FIM, baseline, change detection, alerting. | High | Security Engineer, Systems Administrator |
| Cloud Workload Protection | CWPP, runtime protection, behavior analysis, cloud-native security platforms. | Medium | Cloud Security Engineer, DevSecOps |

Personal Status

| Topic | Level | Evidence | Active Projects | Gaps |
|---|---|---|---|---|
| Container Security | Awareness | Understand rootless containers (Podman), image scanning concepts, minimal base images; no production implementation | Container Operations Reference | No Trivy/Grype scanning, no distroless images, no runtime security (Falco) |
| Container Image Scanning | — | — | — | No hands-on image scanning implementation |
| Runtime Threat Detection | — | — | — | No Falco/Sysdig/Tetragon experience |
| Kubernetes Security | — | — | — | No hands-on k8s security implementation |