Kubescape has released version 4.0, marking a significant milestone for open-source Kubernetes security. The update brings enterprise-grade stability to its runtime threat detection engine while introducing specialized capabilities for securing AI workloads and agentic systems. This major release represents the culmination of extensive community feedback and production testing at scale across diverse Kubernetes environments.
Runtime Threat Detection Reaches General Availability
The centerpiece of this release is the general availability of Kubescape’s Runtime Threat Detection capabilities. After extensive testing at scale across production clusters of varying sizes, the engine now uses Common Expression Language (CEL) based detection rules, which have direct access to Application Profiles that serve as comprehensive security baselines.
Version 4.0 dramatically expands monitoring capabilities to encompass a comprehensive set of system events. These include process interactions, Linux capabilities usage, system calls at the kernel level, network connectivity patterns, HTTP traffic inspection, and detailed file system activities. Rules and RuleBindings are now managed as Kubernetes Custom Resource Definitions (CRDs), enabling seamless integration with existing cluster workflows and GitOps processes.
Alert exports now support multiple destinations simultaneously, including AlertManager for Prometheus integration, SIEM systems for enterprise security operations, standard Syslog protocols, local Stdout for testing, and HTTP webhooks for custom automation. This flexibility ensures security teams can route threat intelligence into their existing incident response pipelines without workflow disruption.
Storage Architecture Achieves GA Status
Kubescape Storage has also reached general availability, leveraging the Kubernetes Aggregated API to serve as a centralized repository for security metadata. By storing Application Profiles, Software Bill of Materials (SBOMs), and vulnerability manifests outside standard etcd, the architecture prevents security data from overwhelming the core Kubernetes datastore while maintaining accessibility to the Kubescape microservices.
This architectural design has proven its performance in large-scale, high-density clusters where traditional approaches often struggle with etcd resource contention. Organizations running hundreds of nodes with thousands of pods can now maintain comprehensive security visibility without compromising cluster stability.
AI Era Security: Two Critical Perspectives
Kubescape 4.0 addresses AI infrastructure security from two critical angles that reflect the dual nature of modern AI deployments. First, it empowers AI agents with security scanning capabilities through a native KAgent plugin, allowing AI assistants to analyze Kubernetes security posture directly within their operational context. This includes automated vulnerability inspection, RBAC review across namespaces, and runtime observability support for ongoing monitoring.
Second, and equally important, Kubescape 4.0 secures the AI agents themselves against emerging threats. The release introduces comprehensive security posture scanning for KAgent, the CNCF Sandbox project for AI orchestration. With 42 security-critical configuration points analyzed across KAgent’s various CRDs and 15 new Rego-based controls, the tool identifies risks such as containers with empty security contexts, missing NetworkPolicies between AI components, over-privileged namespace watching, and other common misconfigurations in AI infrastructure.
The integration recognizes that AI workloads are increasingly mission-critical and thus increasingly targeted by sophisticated threat actors. By providing security guardrails specifically designed for agentic systems, Kubescape helps organizations maintain their security posture as they adopt these new paradigms.
Deprecation and Enhancement Changes
The host-sensor has been removed from Kubescape 4.0 based on substantial community feedback regarding DaemonSet management complexity. Following this consolidation, Kubescape has integrated host-agent capabilities directly into the node-agent component, eliminating the need for ephemeral high-privilege pods and establishing a direct API between core microservices and node-level monitoring functions.
Compliance framework updates include support for CIS Benchmark versions 1.12 for vanilla Kubernetes deployments and 1.8 for managed services including EKS and AKS. The project governance also welcomes new maintainer Amir Malka while expressing gratitude to departing maintainers David Wertenteil and Craig Box for their foundational contributions to the project’s success.
