Smart Cloud Detection and Response: Detecting attacks in real-time with Panoptica

Tim Miller
Monday, May 6th, 2024

Modern technology continues to assist, enhance, and shape every aspect of our lives—in our work, our homes, and even our vehicles. Home security video cameras and car dashcams are prevalent ways to ensure our personal safety and security. A popular electric vehicle has a “sentry mode” that is a perfect example of a system that monitors and captures events happening around the vehicle, providing information about incidents to vehicle owners. 

Similar to video surveillance, cloud detection and response (CDR) systems generate a stream of security events that offer insights into activities occurring within cloud environments.  Examples of this telemetry could be user access outside of working hours, downloads of large amounts of data, or creation of large numbers of container instances. Each one of these events on its own could be harmless. 

Add enough context thoughthe user is logging in from an unknown location, the downloads are initiated by that user in an unknown location, and ransomware software was detected in those containersand there is ample reason for concern. CDR functionality needs to be able to correlate these events with the totality of telemetry to accurately detect and identify the intent of the attack. 

We previously highlighted some cloud-specific challenges and requirements for CDR. Many traditional CDR approaches focus on rule-based anomalous behavior—a statistical approach with a limited view of the entire cloud environment. This approach is a good, first start but has some shortcomings.  Let’s consider two scenarios from the examples above where anomalous behavior is innocuous: 

  1. A user logging in from an unknown location could be on vacation 
  2. The large downloads of data could happen once a year for financial reporting reasons 

The end result of this anomalous behavior approach is that it simply provides more alerts that need to be investigated alongside the multitude of CVE vulnerabilities, misconfigurations, and more that occur in cloud environments. 

Enterprises need an approach that is real-time and can correlate multiple events to detect the patterns of intent that identify an attack to be able to have high fidelity and then respond quickly to potential costly breaches. 

Panoptica's Smart Cloud Detection and Response 

Outshift announces a new approach to cloud detection and response, Smart CDR, that focuses on three critical phases in real-time detection and response of security events: 

  1. Suspicious Activity 
  2. Threats 
  3. Attacks 

Let’s look at each of these in more detail. 

Suspicious Activity 

The foundation of cloud detection and response systems is the identification of events that could be clues that attackers are present. The best source of visibility of these events comes from an agent-based approach into the cloud environments.  Panoptica customers have long enjoyed this visibility via the open source, eBPF-based Falco agent which previously was employed to generate telemetry for SIEM consumption.  With the introduction of Smart CDR, Panoptica expands the ruleset used with the eBPF agent to cover additional scenarios to support the real-time capabilities described below. 

Figure 1
Attack story: graphical view of attack kill chain


Smart CDR provides Suspicious Activity correlation to identify potential Threats. A threat maps directly to recognized MITRE ATT&CK framework TTPs (tactics, techniques, and procedures). Threat examples include correlation of file downloads that result in a new process to indicate initial exploitation of public-facing application. 


A set of threats correlated in time that align to recognized patterns of breaches become Attacks within Panoptica’s Smart CDR. These breach patterns can be further categorized into known attacker intent: cryptojacking, data exfiltration or destruction, ransomware, and container escape. The unique capability that Smart CDR brings to Panoptica is the real-time detection of these attacks as they are progressing.  

Figure 1
Attack story: graphical view of attack kill chain

Advanced Attacks Need Advanced Techniques 

No cybersecurity tool is one-size-fits-all. Every enterprise is unique in its business requirements, cloud infrastructure setup, and security requirements. For this reason, Panoptica’s Smart CDR solution values customizability and flexibility as tools to match the security needs of each enterprise. 

Smart CDR leverages machine learning (ML) models specifically trained to detect security threats by using behavioral analysis, analyzing application activity to discern user behaviors and patterns. ML-powered Smart CDR can surface subtle or previously unknown threats. As more and more data is collected and analyzed, the ML models also undergo continuous improvement, thereby strengthening the system’s ability to protect against emerging threats. 

Overall, Panoptica delivers an advanced approach to CDR, ensuring resilience in systems and aiming to provide real-time protection tailored to each enterprise’s unique requirements. This strategy ensures not only threat mitigation but also enables cloud environments to adapt and respond effectively in the ever-evolving landscape of cyber threats. 


In complex cloud application ecosystems, organizations face a staggering number of vulnerabilities. With a complex cloud of distributed components, hundreds or even thousands of cloud resources, and a plethora of access control measures, any IT or security team depending on human-based management would be quickly overwhelmed. Threat detection, risk mitigation, and issue remediation—if they are to be proactive and effective—depend on a CDR. 

Panoptica’s Smart CDR demonstrates its leadership in the field of cloud security. This involves improving ML algorithms to detect threats proactively, neutralizing them before they become full-blown issues. By integrating and combining threat intelligence from multiple sources, Panoptica provides a comprehensive and nuanced understanding of the security landscape. Panoptica’s commitment to innovative CDR solutions ensures that organizations have access to adaptable and user-friendly security tools. 

For details about Panoptica’s vision and offerings in cloud security, read more here

Popup Image