When containers drift and scans miss what's running

Your security team runs Trivy on every image before deployment. Green checkmarks across the board. But six months later, you discover a container has been running with an expired certificate, a vulnerable dependency that was added at runtime, and SUID binaries that weren't in the original image.

The Problem

Without continuous capture:

  • Image scans show deployment state, not runtime state
  • Containers drift from their images over time
  • Runtime-installed packages aren't tracked
  • Certificate expiration isn't monitored
  • You only discover problems after they cause incidents

How reel Helps

Continuous SBOM on running containers

Scan what's actually running, not just what was deployed.

$ reel export sbom -n prod api-server-pod --scanners vuln

Scanning live container...

PACKAGE              VERSION    VULNERABILITY    SEVERITY
libssl3              3.0.2      CVE-2024-0727   HIGH
python3-requests     2.28.0     CVE-2024-35195  MEDIUM
...

Total: 312 packages, 0 CRITICAL, 2 HIGH, 5 MEDIUM

CBOM catches cryptographic issues

Find expired certificates, weak algorithms, and key management problems.

$ reel export cbom -n prod api-server-pod

CERTIFICATES (8 found):
  ✓ api.example.com          expires 2025-06-15   RSA-2048
  ⚠ internal-service.local   expires 2024-12-22   RSA-2048  (12 days)
  ✗ legacy-api.internal      expired 2024-11-01   RSA-1024  (weak)

PRIVATE KEYS (3 found):
  ⚠ /app/certs/legacy.key    RSA-1024 (weak algorithm)

Malware detection on live state

ClamAV scanning catches threats that weren't in the original image.

$ reel export malware -n prod api-server-pod

Scanning filesystem...

THREATS DETECTED: 0
Files scanned: 12,847
Scan time: 4.2s

Continuous file extraction for indicators of compromise

Extract and monitor files that shouldn't be there: SUID binaries, hidden files, executables in /tmp, unauthorized scripts.

$ reel export files -n prod api-server-pod --ioc

INDICATORS OF COMPROMISE:

SUID/SGID BINARIES (unexpected):
  ⚠ /usr/local/bin/nmap          SUID root (not in base image)
  ⚠ /tmp/escalate                 SUID root (suspicious location)

HIDDEN FILES:
  ⚠ /var/www/.backdoor.php       added 2024-12-10 03:15
  ⚠ /tmp/.X11-unix/.hidden       added 2024-12-10 03:14

EXECUTABLES IN SUSPICIOUS LOCATIONS:
  ⚠ /tmp/nc                       netcat binary
  ⚠ /dev/shm/miner               cryptocurrency miner

Files extracted to: ./ioc-export-20241210/
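As an added illustration of the three file checks described above (this is not reel's own code), the following Python applies the same heuristics to a constructed listing of a live container, using a constructed set of paths shipped in the image as the drift baseline. FileRecord, find_iocs and every sample path and mode are assumptions made for the example.

```python
from __future__ import annotations
import stat
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class FileRecord:
    """One entry from a filesystem walk of a live container (hypothetical;
    a real collector would fill this from lstat inside the container)."""
    path: str
    mode: int   # full st_mode, e.g. 0o104755 = regular file, SUID, rwxr-xr-x

# Directories where executables are unexpected in a production container
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def is_setid(mode: int) -> bool:
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))

def is_executable(mode: int) -> bool:
    return stat.S_ISREG(mode) and bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))

def is_hidden(path: str) -> bool:
    # Any dot-prefixed component makes the file hidden from a plain listing
    return any(part.startswith(".") for part in path.split("/") if part)

def find_iocs(live: Iterable[FileRecord], image_paths: set[str]) -> list[tuple[str, str]]:
    """Return (rule, path) findings for files that drifted from the image."""
    findings = []
    for rec in live:
        added = rec.path not in image_paths
        if is_setid(rec.mode) and added:
            findings.append(("suid_not_in_image", rec.path))
        if is_executable(rec.mode) and rec.path.startswith(SUSPICIOUS_DIRS):
            findings.append(("exec_in_suspicious_dir", rec.path))
        if stat.S_ISREG(rec.mode) and is_hidden(rec.path) and added:
            findings.append(("hidden_file_added", rec.path))
    return findings

# Constructed baseline (paths shipped in the image) and constructed live snapshot
IMAGE_PATHS = {"/usr/bin/sudo", "/usr/bin/passwd", "/app/server.py", "/etc/.pwd.lock"}
LIVE_FILES = [
    FileRecord("/usr/bin/sudo", 0o104755),           # SUID, but expected from the image
    FileRecord("/app/server.py", 0o100644),
    FileRecord("/etc/.pwd.lock", 0o100600),          # hidden, but in the image
    FileRecord("/usr/local/bin/nmap", 0o104755),     # SUID root, not in the image
    FileRecord("/tmp/escalate", 0o104755),           # SUID root in /tmp: two findings
    FileRecord("/var/www/.backdoor.php", 0o100644),  # hidden file added at runtime
    FileRecord("/tmp/nc", 0o100755),
    FileRecord("/dev/shm/miner", 0o100755),
]

if __name__ == "__main__":
    for rule, path in find_iocs(LIVE_FILES, IMAGE_PATHS):
        print(f"{rule:24} {path}")
```

The baseline set is what makes the SUID and hidden-file rules drift checks rather than static ones: a file is only reported when it is absent from the image the scan approved.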

Schedule continuous IoC monitoring

Catch suspicious files as they appear, not after the incident.

deployment.yaml
metadata:
  annotations:
    reel.io/schedule: |
      # Extract IoC files every 5 minutes
      */5 * * * * | export files --ioc --alert

The Outcome

Instead of assuming your production matches your scans, you know:

  • Exactly what packages are running (including runtime additions)
  • Which certificates are expiring or using weak crypto
  • Whether any malware has been introduced
  • What suspicious files appeared and when (SUID, hidden, /tmp executables)
  • All continuously, not just at deploy time

Your security posture reflects reality, not assumptions. Catch indicators of compromise before they become incidents.

Know what's actually running

Coming soon. Deploys in minutes. Join the waitlist for early access.