
Category Direction - Container Behavior Analytics


Stage Defend
Maturity Planned
Content Last Reviewed 2020-05-19

Introduction and how you can help

Thanks for visiting this category direction page on Container Behavior Analytics in GitLab. This page belongs to the Container Security group of the Defend stage and is maintained by Sam White (

This direction page is a work in progress, and everyone can contribute:


Container Behavior Analytics (CBA) refers to the ability to detect, report, and respond to attacks on containerized infrastructure and workloads. Techniques include the use of one or more types of intrusion detection systems (IDS) to detect attacks. The IDS may be supplemented with custom-built monitoring capabilities and/or behavior analytics to improve the efficacy and scope of detection.

An IDS is a device or software application that monitors a network or systems for malicious activity or policy violations. Malicious activity can then be reported back to an Administrator either through GitLab or through a security information and event management (SIEM) system. IDS types range in scope from single computers to large networks. The most common classifications are network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). Some leverage honeypots to attract and characterize malicious traffic. Some strictly leverage signature-based detection, while others use machine learning to automatically detect anomalies.

An ideal Container Behavior Analytics solution would include all types of intrusion detection systems to provide defense-in-depth and protection against a wide range of attacks. Additional analytics can be layered on top of the data collected from an IDS to help filter out false positives and to recommend new rules to reduce false negatives.

Target Audience

Where we are Headed

We are planning to build a Container Host Protection solution that is cloud native, easy to use, and tightly integrated with the rest of GitLab. Our underlying architecture will combine several technologies to create a full-featured solution while also simplifying and unifying the management experience to look and feel like a single, easy-to-use product. We plan to be both a host-based IDS and an IPS, allowing users to choose to either log, alert, or block any activity that is detected in their containerized environments.

Some of the top detection and protection capabilities that are planned include application allow listing, file integrity monitoring, malware scanning, and vulnerability scanning. We plan to provide an intuitive policy editor to simplify the administration of the tool. We also plan to surface actionable alerts and logs inside GitLab to allow for a simple triage and response workflow for detected attacks. Longer term, we plan to add behavior analytics on top of our host protection to improve our threat detection capabilities.

What is our Vision (Long-term Roadmap)

Q2 FY'21 - (April 2020 - July 2020)

Q3 FY'21 - (August 2020 - October 2020)

Q4 FY'21 - (November 2020 - January 2021)

Q1 FY'22 - (February 2021 - April 2021)

What's Next & Why (Near-term Roadmap)

After some deep engineering research and a proof of concept of the available technologies, the architecture below was chosen for our Container Host Protection solution. We plan to begin integrating these into GitLab according to the priority order below.

| Priority | Status | Technology | Requirements Addressed |
|---|---|---|---|
| 1 | Planned for %13.1 | Falco | Monitoring of container activity and a prerequisite to all other technologies below |
| 2 | Stretch goal for %13.1 | AppArmor + Pod Security Policy | Inline Blocking/Prevention, Application Allow Listing, File Integrity Monitoring |
| 3 | Not yet Planned | Falco Sidekick | Active Response Options (create GitLab issue, send Slack message, run shell script, etc.) |
| 4 | Not yet Planned | GitLab Scheduled Pipeline running Secure Scans | Vulnerability Scanning, Configuration Vulnerability Scanning |
| 5 | Not yet Planned | ClamAV | Malware Scanning |

What is Not Planned Right Now

We are not currently planning to do the following:

Maturity Plan

User success metrics

We plan to measure the success of this category based on the total number of monthly alerts generated by our Container Host Protection solution across our entire customer base.

Why is this important?

Categories already exist to provide container security at the network layer, including WAF and Container Network Security. This category is critical to securing a containerized environment as it extends the security controls down to the host level and protects against attacks inside the running container.

Competitive Landscape

Top competitors:

Key features offered by competitors:

Analyst Landscape

Gartner defines two markets that are relevant to this category:

  1. Intrusion Detection and Prevention Systems market
  2. Cloud Workload Protection Platforms (CWPP) market

Of these two markets, the second aligns more closely with where we are headed as we are focused on cloud and containerized workload protection rather than attempting to be a generic IDS/IPS for all types of workloads.

Top Customer Success/Sales issue(s)

Top Strategy Item(s)

We will need to integrate an IDS as an important first step toward our strategy.

Additional strategy items will be uncovered as we do more research in this area.