KubeSentry¶
Runtime threat detection for Kubernetes — self-hosted, and built for teams that don't have a dedicated security operations group.
KubeSentry runs entirely inside your cluster. It watches for suspicious activity at the kernel level using Falco, collects and stores those events, shows them on a live dashboard, and alerts you by email and webhook. Your alert data never leaves your infrastructure.
Who it's for¶
Small-to-mid teams (roughly 5–50 people) running production workloads on Kubernetes who need real runtime visibility but can't justify the cost or complexity of enterprise platforms like Datadog Security or Sysdig.
What you get¶
- Kernel-level detection — a Falco DaemonSet on every node flags things like a shell spawned in a container, unexpected outbound connections, or writes to sensitive paths.
- Central collector — events are aggregated, deduplicated, and stored so nothing gets lost.
- Live dashboard — alerts appear within a few seconds of the underlying event.
- Notifications — instant email on high-severity alerts, plus a daily digest. Webhooks for Slack, Discord, and Microsoft Teams.
- Fully offline licensing — no phone-home. Your license is verified in-cluster.
Get started¶
New here? Start with Installation, then run through the Quickstart to see your first alert.
Already running it? Jump to Configuration or Licensing.
How it fits together¶
Falco detects → the collector aggregates and stores → the dashboard and notifier surface it. See Architecture for the full picture.