Twistlock recently introduced its thirteenth release, Twistlock 2.4, and with it comes new capabilities to protect your non-containerized servers. Although Twistlock was conceived as a container security company, and this certainly remains our focus, many customers were asking if we could extend our container security technology to hosts that are not running containers.

Our core product has always had features designed to protect the container host with vulnerability scanning and CIS compliance checks, as well as runtime protection that ensures only authorized activity happens on a host. To help our customers protect both environments, Twistlock introduces our Linux and Windows Server based defenders. The Twistlock Server Defenders provide the same level of security as our container Defender, but does not require a container runtime environment.

Some companies are still early in their movement to containers, and therefore have a hybrid environment that includes both containers and virtual machines running services like databases. With Twistlock Server Defenders, we hope to simplify the deployment of security policies and offer the ability to standardize security into a single platform.

Runtime protection for your servers

The primary feature of the Server Defender is to provide runtime support for your servers. From a runtime perspective, one of the most difficult problems when securing hosts is trying to profile all the behavior of a host without generating a large number of false positives. Twistlock Server Defender takes a new approach to defense by modeling information about the steady state of the server and incorporating elements of how attacks progress in the real world to generate actionable alerts with near zero false positives.

Vulnerability scanning for the host

With the Twistlock Server Defender, you no longer need to have a separate tool for scanning your hosts. Because the Twistlock scanner is already running on your hosts, you don’t need to execute authenticated scans either. Twistlock pulls from over 30 different sources for our vulnerability data, which includes official vendor security feeds along with private and public vulnerability sources combined with threat intelligence from the Twistlock Labs research team. This allows Twistlock to get a much clearer picture of the vulnerabilities present on a host and deliver alerts with precision and accuracy.

Easy installation

The Twistlock Server Defender can be installed just as easily as our existing defenders. You can install them by running a shell script or calling our APIs directly. Below I will walk you through the installation on a Linux based server.

  1. Navigate to Manage >> Defenders >> Deploy
  2. Under section 1a choose the management console host or IP for the Defender.
  3. Under section 1b choose the operating system you want to defend. In this case select Linux Server:
  4. Copy the shell script by clicking the copy button at the bottom
  5. SSH to your server
  6. Paste the script and run it!
  7. You’re protected!


The Twistlock Server Defender has seen great adoption due to the need for companies to consolidate security offerings and protect hybrid environments as they move to cloud native applications. Although the deployment and build strategies have shifted quite a bit in the last few years, the need for server-based security has always been and will continue to be necessary. The most critical factors of server security are vulnerability mitigation and real-time runtime protection from attacks. Twistlock Server Defender can help you with both.

If you would like to know more, you can try Twistlock today or reach out to our team.

Related Twistlock 2.4 Posts:

  • Twistlock 2.4 Release Notes
  • Multi Tenancy & Infinite Scale with Projects in Twistlock 2.4
  • Multiple Registry Scanners: 2.4 Deep Dive
  • ← Back to All Posts Next Post →