Container Security Is a Mess
The cloud-native security market wants to sell you five different products: a container image scanner, a runtime security agent, a Kubernetes admission controller, a cloud posture manager, and a CNAPP platform that supposedly ties them all together. Each one has its own deployment, its own dashboard, its own pricing model, and its own opinion about how your cluster should be configured.
Meanwhile, your actual security coverage has gaps between all these tools, and the operational overhead of managing them is a full-time job. The irony of cloud-native security is that the tools designed to simplify security have made it more complex than ever.
1-SEC: One Pod, Full Coverage
Deploy 1-SEC as a single Kubernetes pod using the included Helm chart:
helm install 1sec ./deploy/helm
That one pod runs all 16 security modules. No DaemonSet sprawl, no sidecar injection, no CRDs to install.
Container Escape Detection
The Runtime Watcher monitors for container escape indicators: attempts to access /proc/sysrq-trigger, Docker socket mounts, host filesystem access, kernel module loading, and the syscall patterns (ptrace, unshare, setns) that characterize namespace breakout attempts. These are caught and alerted before the escape succeeds.
Runtime Monitoring
Runtime monitoring also covers file integrity monitoring inside containers, LOLBin detection (curl, wget, or python being used to download payloads), creation of persistence mechanisms, and process behavior anomalies. If a container that normally runs a Node.js app suddenly spawns a shell process, that's an alert.
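The two sections above describe matching runtime events against a fixed set of indicators plus a per-container baseline. The following Python is an added illustration of that matching, not 1-SEC's own code (the post shows none): the Event shape, the BASELINE map of expected processes, and the host-mount path prefixes are assumptions made for the example, and the sample events are constructed.

```python
# Added example, not 1-SEC's own code: a small rule set that classifies
# constructed container runtime events into the escape and LOLBin indicators
# named in the text. Event shape, BASELINE and HOST_MOUNT_PREFIXES are
# assumptions for this illustration.
from dataclasses import dataclass

DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}
SENSITIVE_PATHS = {"/proc/sysrq-trigger"} | DOCKER_SOCKETS
HOST_MOUNT_PREFIXES = ("/host", "/hostfs")        # assumed host-mount conventions
NAMESPACE_SYSCALLS = {"ptrace", "unshare", "setns"}
MODULE_SYSCALLS = {"init_module", "finit_module"}
LOLBINS = {"curl", "wget", "python", "python3"}
SHELLS = {"sh", "bash", "dash", "ash", "zsh"}

# Constructed baseline: the processes each container is expected to run.
BASELINE = {"web": {"node", "npm"}}


@dataclass
class Event:
    container: str
    kind: str              # "exec", "open", "mount" or "syscall"
    comm: str = ""         # process name for exec events
    args: tuple = ()       # argv[1:] for exec events
    path: str = ""         # file path (open) or mount source (mount)
    syscall: str = ""      # syscall name for syscall events


def classify(ev: Event) -> list:
    """Return the indicator labels that apply to one event (empty if benign)."""
    hits = []
    if ev.kind == "open" and ev.path in SENSITIVE_PATHS:
        hits.append(f"escape:sensitive-path:{ev.path}")
    elif ev.kind == "mount":
        if ev.path in DOCKER_SOCKETS:
            hits.append("escape:docker-socket-mount")
        elif ev.path == "/" or ev.path.startswith(HOST_MOUNT_PREFIXES):
            hits.append(f"escape:host-filesystem-mount:{ev.path}")
    elif ev.kind == "syscall":
        if ev.syscall in NAMESPACE_SYSCALLS:
            hits.append(f"escape:namespace-syscall:{ev.syscall}")
        elif ev.syscall in MODULE_SYSCALLS:
            hits.append(f"escape:kernel-module:{ev.syscall}")
    elif ev.kind == "exec":
        expected = BASELINE.get(ev.container, set())
        # A LOLBin handed a URL is the download-a-payload pattern.
        if ev.comm in LOLBINS and any(
            a.startswith(("http://", "https://")) for a in ev.args
        ):
            hits.append(f"lolbin-download:{ev.comm}")
        # Anything outside the baseline is an anomaly; shells get their own label.
        if ev.comm not in expected:
            label = "unexpected-shell" if ev.comm in SHELLS else "process-anomaly"
            hits.append(f"{label}:{ev.comm}")
    return hits


def scan(events) -> list:
    """Flatten findings across an event stream as (container, indicator) pairs."""
    return [(ev.container, h) for ev in events for h in classify(ev)]


# Constructed sample stream for a container that should only run node.
SAMPLE_EVENTS = [
    Event("web", "exec", comm="node", args=("server.js",)),
    Event("web", "exec", comm="sh", args=("-c", "id")),
    Event("web", "exec", comm="curl", args=("-s", "http://203.0.113.5/x.sh")),
    Event("web", "open", path="/proc/sysrq-trigger"),
    Event("web", "syscall", syscall="unshare"),
    Event("web", "syscall", syscall="init_module"),
    Event("web", "mount", path="/var/run/docker.sock"),
    Event("web", "mount", path="/"),
]

if __name__ == "__main__":
    for container, finding in scan(SAMPLE_EVENTS):
        print(f"[{container}] {finding}")
```

The baseline is what turns "a shell was spawned" into "a shell was spawned in a container where only node should run"; without it every exec is noise. In a real agent the events arrive from a kernel-level source rather than a list, but the matching logic does not change.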
Cloud Posture Management
The Cloud Posture Manager checks for Kubernetes misconfigurations: pods running as root, missing security contexts, overprivileged service accounts, exposed dashboards, and secrets stored in plain text. Continuous monitoring catches configuration drift — not just the state at deployment time, but changes that happen afterward.
Network Policy Monitoring
The Network Guardian monitors inter-pod traffic for lateral movement, unexpected cross-namespace communication, and egress to suspicious destinations. In a cluster where pods should only talk to specific services, any deviation is a potential indicator of compromise.
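The deviation check described above reduces to comparing observed flows with an allowlist of expected service-to-service paths and approved egress ranges. This Python is an added example, not the Network Guardian's code: the Flow record, the ALLOWED map, the namespace and app-label names, and the egress CIDR are all assumptions constructed for the illustration.

```python
# Added example, not 1-SEC's own code: evaluate constructed flow records
# against an assumed allowlist of expected paths and approved egress CIDRs.
# Namespaces, app labels and addresses are made up for the illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_ns: str
    src_app: str              # value of the source pod's app label (assumed)
    dst_ns: Optional[str]     # None when the destination is outside the cluster
    dst_app: Optional[str]
    dst_ip: str
    dst_port: int


# Expected paths: (src_ns, src_app) -> set of (dst_ns, dst_app, port). Constructed.
ALLOWED = {
    ("shop", "web"): {("shop", "api", 8080)},
    ("shop", "api"): {("shop", "db", 5432), ("observability", "otel-collector", 4317)},
}
# Approved external destinations (TEST-NET-3 range, constructed).
EGRESS_ALLOW = [ip_network("203.0.113.0/24")]


def evaluate(flow: Flow) -> Optional[str]:
    """Return a finding string for a flow that deviates from policy, else None."""
    if flow.dst_ns is None:
        ip = ip_address(flow.dst_ip)
        if any(ip in net for net in EGRESS_ALLOW):
            return None
        return (f"suspicious-egress:{flow.src_ns}/{flow.src_app}"
                f"->{flow.dst_ip}:{flow.dst_port}")
    target = (flow.dst_ns, flow.dst_app, flow.dst_port)
    if target in ALLOWED.get((flow.src_ns, flow.src_app), set()):
        return None
    # Same-namespace deviation reads as lateral movement; otherwise it crosses
    # a namespace boundary the policy never anticipated.
    kind = "cross-namespace" if flow.dst_ns != flow.src_ns else "lateral-movement"
    return (f"{kind}:{flow.src_ns}/{flow.src_app}"
            f"->{flow.dst_ns}/{flow.dst_app}:{flow.dst_port}")


def audit(flows) -> list:
    """Findings for every flow in a batch, in observation order."""
    return [f for f in (evaluate(x) for x in flows) if f]


# Constructed observations, two expected and four deviating in different ways.
SAMPLE_FLOWS = [
    Flow("shop", "web", "shop", "api", "10.1.0.4", 8080),
    Flow("shop", "api", "shop", "db", "10.1.0.9", 5432),
    Flow("shop", "web", "shop", "db", "10.1.0.9", 5432),
    Flow("shop", "web", "observability", "otel-collector", "10.1.2.2", 4317),
    Flow("shop", "api", None, None, "203.0.113.10", 443),
    Flow("shop", "web", None, None, "198.51.100.7", 4444),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

The allowlist is the same information a NetworkPolicy encodes; checking observed flows against it catches the case where the policy was never applied, or was widened later, which is exactly the drift a policy object on its own cannot report.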
The Helm Chart: Security by Default
The included Helm chart deploys 1-SEC with security best practices baked in:
— Non-root security context (runAsNonRoot: true)
— Read-only root filesystem
— Dropped capabilities
— Liveness and readiness probes on /api/v1/status
— PersistentVolumeClaim for event bus data
— ConfigMap for configuration overrides
— Secret for API keys (or reference an existing secret)
— Optional Ingress for the REST API
The chart is customizable via values.yaml, but the defaults are production-ready. Install it and it works. Customize later when you understand your cluster's specific needs.
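The posture checks listed under Cloud Posture Management and the chart defaults listed above are two sides of the same rules: one manifest fails them, the other passes. The Python below is an added example, not 1-SEC's code or its Helm templates; it runs a checker over two constructed pod manifests, a weak one and one written to the chart's stated defaults (non-root, read-only root filesystem, dropped capabilities, probes on /api/v1/status, API key from a Secret). Service-account privilege and exposed-dashboard checks need RBAC and Service objects and are left out.

```python
# Added example, not 1-SEC's own code: a posture check over pod manifests
# for the findings named in the post. Both manifests are constructed.
SECRET_HINTS = ("KEY", "SECRET", "PASSWORD", "TOKEN")


def _effective(container: dict, pod_spec: dict, key: str):
    """Kubernetes lets the container securityContext override the pod's."""
    value = (container.get("securityContext") or {}).get(key)
    if value is None:
        value = (pod_spec.get("securityContext") or {}).get(key)
    return value


def check_pod(manifest: dict) -> list:
    """Return one finding string per misconfiguration found (empty if clean)."""
    spec = manifest["spec"]
    findings = []
    for c in spec.get("containers", []):
        name = c["name"]
        sc = c.get("securityContext") or {}
        if _effective(c, spec, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true (may run as root)")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            findings.append(f"{name}: capabilities not dropped")
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.append(f"{name}: missing {probe}")
        for env in c.get("env", []):
            # A literal `value` on a secret-looking variable is plaintext in etcd
            # and in every `kubectl get pod -o yaml`; valueFrom.secretKeyRef is not.
            if "value" in env and any(h in env["name"].upper() for h in SECRET_HINTS):
                findings.append(f"{name}: env {env['name']} holds a literal secret")
    return findings


# Constructed: the kind of manifest that ships when nobody set a securityContext.
WEAK = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
    "spec": {"containers": [{
        "name": "app", "image": "app:1.0",
        "env": [{"name": "API_KEY", "value": "hunter2"}],
    }]},
}

# Constructed to match the chart defaults listed in the text.
HARDENED = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "app", "image": "app:1.0",
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "livenessProbe": {"httpGet": {"path": "/api/v1/status", "port": 8080}},
            "readinessProbe": {"httpGet": {"path": "/api/v1/status", "port": 8080}},
            "env": [{"name": "API_KEY", "valueFrom": {
                "secretKeyRef": {"name": "app-keys", "key": "api-key"}}}],
        }],
    },
}

if __name__ == "__main__":
    for label, m in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_pod(m) or "clean")
```

Running the same function on the live object returned by the API server, rather than on the manifest that was applied, is what catches drift: a later edit that sets runAsNonRoot to false on the container wins over the pod-level default, and the checker reports it.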
Docker Compose for Simpler Deployments
Not running Kubernetes? The Docker Compose file in deploy/docker/ gives you the same coverage:
cd deploy/docker
docker compose up -d
1-SEC runs as a container alongside your application containers, monitoring the Docker network. For small teams running Docker Compose in production (and there are more of you than the Kubernetes crowd wants to admit), this is the simplest path to real container security.
The CLI shortcuts work from anywhere in the repo: 1sec docker up, 1sec docker logs, 1sec docker status. No need to remember docker compose commands.