Kubernetes Security
CIS, NSA, and MITRE-aligned cluster assessment — automatic from onboarding.
What this replaces
Kubernetes security is a quarterly manual audit at best: RBAC drift, privileged workloads, and vulnerable images accumulate silently between checks.
What Offload does
Continuous assessment of Kubernetes clusters — CIS benchmarks, workload best practices, framework-aligned checks, and image vulnerabilities — from a validated, encrypted cluster connection.
What you get
- Cluster onboarding with kubeconfig safety validation and encrypted credential storage
- CIS Kubernetes Benchmark (kube-bench) and workload best practices (Polaris)
- Framework-based posture: NSA-CISA, CIS, MITRE ATT&CK-aligned controls (Kubescape)
- Image CVE scanning for workloads running in cluster pods (Trivy)
- Findings tagged with MITRE ATT&CK techniques
- Automatic first scan on onboarding; scheduled recurring scans; live scan status
- Strict per-team cluster ownership on every scan and read path
How it works
Scans run as background jobs: the platform connects to the cluster, executes each scanner in an isolated container, parses results into a common schema, tags MITRE techniques, and persists per-cluster history.
Execution is instrumented end-to-end, with orphaned-scan cleanup and a reconciler so scan status always reflects reality.
One platform, one risk view
Kubernetes findings flow into unified vulnerability management with the same triage lifecycle as cloud and code findings, mint into the risk register, and contribute to compliance posture and reports.