26.03.2026

Kubescape 4.0 for Kubernetes Security

Kubernetes security tooling keeps getting broader, but busy operators still need one thing most: signal they can use. Kubescape has been steadily moving from point-in-time posture checks toward a fuller platform that spans manifest scanning, image analysis, policy enforcement, and runtime detection. The 4.0 release is an important step because it makes that coverage more operationally useful for production clusters.

What is Kubescape?

Kubescape is an open source Kubernetes security platform created by ARMO and now incubating in the CNCF. It covers several layers that matter to SRE and platform teams: misconfiguration scanning, vulnerability scanning, compliance checks, runtime monitoring, and admission control. You can run it as a CLI during development and CI, or deploy the operator for continuous in-cluster visibility.

The new 4.0 release stands out because it tightens the runtime story while also addressing the way teams now mix Kubernetes operations with AI-assisted workflows.

Key Features

  • Runtime threat detection is GA: Kubescape 4.0 promotes runtime detection to general availability, using CEL-based rules and workload baselines to catch suspicious process, filesystem, system call, network, and HTTP activity.
  • Kubernetes-native rule management: Rules and RuleBindings are managed as CRDs, which makes detection logic easier to version, review, and ship through normal cluster workflows.
  • Scalable security metadata storage: Kubescape Storage is now GA and uses the Kubernetes Aggregated API so security metadata such as SBOMs, vulnerability manifests, and application profiles do not overload the main etcd datastore.
  • Cleaner node architecture: The release removes the old host-sensor and folds host-agent capabilities into the node-agent, reducing cluster noise and removing some operational friction.
  • AI-aware integrations: Kubescape now exposes security data to AI assistants and adds posture checks for KAgent, which is relevant for teams experimenting with agent-based operations on Kubernetes.

Installation

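For a quick CLI install on Linux, Kubescape provides a bootstrap script. The one-liner below pipes the script from the master branch straight into a shell; for CI runners or shared hosts, download it first, review it, and then run it: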

curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash

If you want continuous cluster monitoring, install the operator with Helm:

helm repo add kubescape https://kubescape.github.io/helm-charts/
helm upgrade --install kubescape kubescape/kubescape-operator \
  --namespace kubescape \
  --create-namespace

Usage

A simple starting point is to scan your current cluster and then export machine-readable results for CI or reporting:

kubescape scan
kubescape scan --format sarif --output results.sarif
kubescape scan image nginx:1.21
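
To turn the exported results.sarif into a CI decision, a small gate can read the report and fail the job on blocking findings. The script below is an added example, not code from Kubescape or from this post; it assumes only standard SARIF 2.1.0 fields, and the embedded sample report (rule IDs, paths) is constructed rather than real scanner output.

```python
import json
import sys
from collections import Counter

RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample in SARIF 2.1.0 shape; rule IDs and file paths are
# placeholders, not real Kubescape output.
SAMPLE = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-scanner", "rules": [
        {"id": "RULE-A", "defaultConfiguration": {"level": "error"}},
        {"id": "RULE-B"}]}},
    "results": [
        {"ruleId": "RULE-A", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "deploy/api.yaml"}}}]},
        {"ruleId": "RULE-B", "level": "note", "locations": []},
        {"ruleId": "RULE-B"},
        {"ruleId": "RULE-A", "kind": "pass"},
        {"ruleId": "RULE-A", "suppressions": [{"kind": "inSource"}]},
    ]}]})


def findings(sarif_text):
    """Yield (level, rule_id, uri) for each unsuppressed failing result."""
    for run in json.loads(sarif_text).get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        defaults = {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
                    for r in rules}
        for res in run.get("results", []):
            if res.get("kind", "fail") != "fail" or res.get("suppressions"):
                continue
            # SARIF: a missing level falls back to the rule default, then "warning"
            level = res.get("level") or defaults.get(res.get("ruleId"), "warning")
            locs = res.get("locations") or [{}]
            uri = locs[0].get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "?")
            yield level, res.get("ruleId", "?"), uri


def gate(sarif_text, fail_at="error"):
    """Return a CI exit code: 0 pass, 1 findings at/above fail_at, 2 no runs."""
    if not json.loads(sarif_text).get("runs"):
        return 2  # fail closed: an empty report is not a clean report
    counts = Counter(level for level, _, _ in findings(sarif_text))
    blocking = sum(n for lvl, n in counts.items() if RANK.get(lvl, 2) >= RANK[fail_at])
    return 1 if blocking else 0


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for level, rule, uri in findings(text):
        print(f"{level:8} {rule:10} {uri}")
    sys.exit(gate(text))
```

Run it with the report path as the only argument; with no argument it evaluates the embedded sample.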

For teams that want continuous detection, the operator is where 4.0 gets more interesting. Runtime threat detection, vulnerability data, and configuration findings can flow into existing tools such as Alertmanager, SIEM pipelines, syslog, stdout, and webhooks.

Operational Tips

Start with posture and vulnerability scans in CI so developers get feedback before deployment. Then add the operator in a non-production cluster to tune runtime detections and understand normal workload behavior. Because Kubescape can export structured findings, it fits well into incident pipelines where you want one source for compliance, runtime, and image-level risk signals.

The AI angle is also worth watching. If your team is testing agent-driven operations, Kubescape 4.0 is one of the clearer examples of security tooling adapting to that future without abandoning core Kubernetes hygiene.

Conclusion

Kubescape 4.0 is a meaningful release for teams that want broader Kubernetes security coverage without stitching together a pile of disconnected tools. The GA runtime engine, better storage model, and AI-era integrations make it a practical project to evaluate in 2026.
