It's 3am. PagerDuty alerts: suspicious outbound connections from your API pod. By the time your on-call engineer logs in, Kubernetes has already restarted the pod. The container that was compromised? Gone. The evidence? Gone with it.
Without continuous capture:
Process memory often contains credentials, decrypted secrets, and attack payloads that never touch disk.
$ reel get checkpoint chk-api-server-20241210-030015 --extract memory
Analyzing memory dump...
Found: AWS_SECRET_ACCESS_KEY in process 1842 (python)
Found: Database connection string in process 1844 (node)
Found: Suspicious base64 payload in process 1850 (sh)

$ reel get layer layer-api-server-20241210-030015 --diff
Added: /tmp/.hidden/backdoor.sh
Added: /usr/local/bin/cryptominer
Modified: /etc/crontab
Modified: /root/.bashrc

Compare the compromised state against the original image to see exactly what changed.
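The layer diff above boils down to comparing two file manifests: the image as built and the container's filesystem at checkpoint time. The script below is an added illustration of that comparison and is not reel's code; the manifests, file contents and the list of persistence-related paths are constructed sample data chosen to mirror the output shown above.

```python
"""Added example: diff a checkpointed container filesystem against its base
image, in the spirit of the layer diff shown above. Not reel's code; all
manifests and contents below are constructed sample data."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class LayerDiff:
    added: list = field(default_factory=list)
    modified: list = field(default_factory=list)
    deleted: list = field(default_factory=list)


def hash_tree(files: dict) -> dict:
    """Build a manifest (path -> sha256 of content). Stands in for walking a
    real rootfs; here the inputs are in-memory byte strings."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}


def diff_layers(base: dict, live: dict) -> LayerDiff:
    """Compare two manifests and classify every path as added, modified or
    deleted. Unchanged paths are not reported."""
    d = LayerDiff()
    for path, digest in live.items():
        if path not in base:
            d.added.append(path)
        elif base[path] != digest:
            d.modified.append(path)
    for path in base:
        if path not in live:
            d.deleted.append(path)
    d.added.sort()
    d.modified.sort()
    d.deleted.sort()
    return d


# Assumed (hypothetical) list of locations an analyst would look at first:
# common persistence hooks plus anything dropped under /tmp.
PERSISTENCE_PATHS = ("/etc/crontab", "/etc/cron.d/", "/root/.bashrc",
                     "/etc/ld.so.preload")


def triage(d: LayerDiff) -> list:
    """Return the subset of added/modified paths that touch persistence
    locations or /tmp, sorted, so they can be reviewed before the rest."""
    return sorted(p for p in d.added + d.modified
                  if p.startswith(PERSISTENCE_PATHS) or p.startswith("/tmp/"))


def report(d: LayerDiff) -> str:
    """Render the diff in the same Added/Modified style as the CLI output."""
    lines = [f"Added: {p}" for p in d.added]
    lines += [f"Modified: {p}" for p in d.modified]
    lines += [f"Deleted: {p}" for p in d.deleted]
    return "\n".join(lines)


# Constructed sample data: the image as built vs. the container at checkpoint.
BASE_IMAGE = hash_tree({
    "/etc/crontab": b"# m h dom mon dow user command\n",
    "/root/.bashrc": b"# .bashrc\n",
    "/usr/local/bin/api-server": b"\x7fELF-placeholder",
})
CHECKPOINT = hash_tree({
    "/etc/crontab": b"# m h dom mon dow user command\n* * * * * root /tmp/.hidden/backdoor.sh\n",
    "/root/.bashrc": b"# .bashrc\n/usr/local/bin/cryptominer &\n",
    "/usr/local/bin/api-server": b"\x7fELF-placeholder",
    "/tmp/.hidden/backdoor.sh": b"#!/bin/sh\n# constructed placeholder\n",
    "/usr/local/bin/cryptominer": b"\x7fELF-placeholder",
})

if __name__ == "__main__":
    diff = diff_layers(BASE_IMAGE, CHECKPOINT)
    print(report(diff))
    print("Review first:", triage(diff))
```

In a real pipeline the two manifests would come from the image's layer tarballs and the checkpoint's rootfs; hashing content rather than comparing mtimes matters because attackers routinely reset timestamps, and the triage step keeps the noisy parts of a diff (logs, caches) from burying changes to cron, shell profiles or preload hooks.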
See what the container was connected to at the moment of capture.
$ reel get checkpoint chk-api-server-20241210-030015 --network
ESTABLISHED 10.0.1.15:443 → 185.234.72.x:4444 (suspicious C2)
ESTABLISHED 10.0.1.15:5432 → 10.0.2.100:5432 (database)
LISTEN 0.0.0.0:8080 (expected)

Instead of "we don't know what happened," you have forensic evidence showing:
Your incident report goes from "inconclusive" to "actionable intelligence."
Coming soon. Deploys in minutes. Join the waitlist for early access.