Smart Runtime Defense

Container Runtime Protection Against Active Threats And Policy Violations

Twistlock’s Runtime Defense protects your containers against exploits, compromises, program mistakes and configuration errors. We monitor container activities, detect policy violations, report anomalies, and execute corrective actions. We do all this without changing your host, your containers, the container daemon, or your applications.

Runtime Defense bugs

Smart policies

Twistlock’s runtime protection for containers uses a set of automatic profiling policies to detect anomalies in runtime. These policies are derived from system call profiling, malicious behavior fingerprinting, user access analysis, and intelligence from image scanning during development. These policies require no or little intervention from sysadmins and are a powerful tool to detect active threats and compromises

runtime protection for containers icon

Config/Process management 

Our runtime protection solution provides easy-to-use policy templates, including best practices from the CIS benchmark, and a policy interface to specify approved settings, certified images and sanctioned processes for production containers. Twistlock Defenders can enforce policies (e.g., no root, no SSH enabled), detect violations, and execute remediation for every container in your environment.

Newtwork container security

Network activity profiling

We can automatically build network activity profiles for containers, detect deviating behavior dynamically, spot suspicious communications to compromised IP’s, and report policy-violating network actions. We can also enforce container linkages and port restrictions.  When policy violations occur, we can notify, log, block user access, or kill compromised containers.

Container Runtime Protection

Visibility & Analytics

The Twistlock Console provides a central dashboard displaying the number of active containers, vulnerability information, software libraries used, risk visualization/trending, policy violations, corrective actions, and user activities. A complete export of Defender logs (as in syslogs) are available for forensics and SIEM analysis.


Dev-to-production vantage point

For DevOps, policies governing static container images are often the same policies applied to running containers. Twistlock can enforce consistent policies from dev time to production with our container tagging framework and central intelligence.  Our unique vantage point in both dev and production enables us to optimally gather intelligence and enforce policies for your production applications.

runtime protection for containers icon 2

Real-time threat intelligence

The Twistlock Intelligence Stream includes real-time threat feeds from a variety of sources covering known malicious sites, command & control servers, high risk IP ranges and attack signatures. Twistlock Defenders use this information to detect compromised containers and the existence of active threats.

The Twistlock Architecture

runtime protection for containers infographic

This is exactly what we have been looking for – the ability to enforce certified base images and sanctioned processes in runtime and still give developers the freedom to do their work.” 

Director of IT Opeations, A US government agency

Twistlock components


  • The Twistlock Console: A central dashboard and a policy configuration portal. Runs in the cloud or on premises.
  • Twistlock Defenders: A Defender runs as a privileged container on the host with protected app containers. It monitors runtime behavior, reports violations, and executes corrective actions.
  • The Twistlock Intelligence Service: This service runs in the Twistlock cloud. It aggregates real-time threat and vulnerability info from a variety of sources and updates the Twistlock Console.

Want to learn more?

Get datasheet

Get Twistlock Today

Sign up for a free trial