Launching today

k8scan
Kubernetes security scanner with attack path analysis
13 followers
k8scan is an open-source Kubernetes security scanner that goes beyond finding misconfigurations. It runs 123+ security checks across 8 categories and correlates findings using its Capability Break Engine to identify attack paths, privilege escalation opportunities, and container escape scenarios. Deploy it as SaaS or run it fully on-premises to keep sensitive cluster data inside your environment.
Ran it against one of our staging clusters and the attack path correlations were actually eye-opening; it caught a privilege escalation chain between two workloads I would have missed with basic Kubescape checks.
@serdarlaql Thank you, I really appreciate the feedback!
That's exactly the problem I wanted to solve with k8scan. Most tools do a great job of finding individual issues, but it's often the relationships between those findings that create the real risk.
I'm glad the attack path analysis was able to highlight a privilege escalation chain that might have been overlooked otherwise. Feedback like this is incredibly valuable as I continue improving the Capability Break Engine and overall correlation logic.
Thanks for taking the time to test it and share your experience!
How does the Capability Break Engine actually correlate findings into attack paths? Is it rule-based or something more dynamic? Also curious whether the on-prem version has any feature gaps compared to the SaaS one.
@ravza1134309 On the Capability Break engine:
It's rule-based with weighted signal scoring — not ML, but smarter than a simple rule matcher. Each CB (we have 10: container isolation, RBAC boundary, node trust, cloud identity bridge, etc.) has a set of signals with weights. The engine scans all findings for keyword hits using word-boundary matching, sums the weights into a 0–100 confidence score, and drops anything below the threshold.
The more interesting part is the second pass: Compound Breaks. Once individual CBs fire, the engine checks which combinations form real multi-stage attack chains — e.g. CB-001 + CB-003 = "Container Escape to Cluster Admin." Each CB in the chain gets a path position weight (entry point vs bridge vs leaf), so the compound confidence reflects where in the kill chain each boundary failure sits.
No LLM, no ML — just carefully tuned signal weights that map to real attack vectors.
On on-prem vs SaaS:
The scan engine is identical across both — same 123+ checks, same Capability Break analysis, same PoC commands. The platform layer is what differs:
- Scan history & trends — CLI produces a snapshot and forgets it. The platform stores every scan so you can track posture over time and diff what changed.
- Scheduled scanning — continuous monitoring with alerts when new criticals appear, not just one-shot runs.
- Finding lifecycle — Open → Acknowledged → Fixed → Verified, with SLA tracking and team assignments.
- Multi-cluster dashboard — manage and compare multiple clusters in one place.
- API & integrations — trigger scans from CI/CD, push findings to Jira/Slack, pull results programmatically.
On-prem gives you all of that with zero data egress — useful when the scan output itself contains sensitive findings you don't want leaving your infrastructure.
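A toy version of the two-pass scoring described in the reply above, added here as an illustration and not k8scan's own code: the CB ids, the four named boundaries and the "Container Escape to Cluster Admin" compound come from the reply, while the keywords, weights, threshold, position weights and sample findings are assumed placeholders.

```python
import re

# Constructed signal tables: the CB ids and names follow the comment above, but
# the keywords and weights are assumptions for illustration, not k8scan's own.
CAPABILITY_BREAKS = {
    "CB-001": ("Container isolation", {"privileged": 45, "hostPID": 30, "hostPath": 25, "CAP_SYS_ADMIN": 40}),
    "CB-002": ("Node trust", {"kubelet": 40, "nodes/proxy": 50}),
    "CB-003": ("RBAC boundary", {"cluster-admin": 50, "wildcard": 30, "bind": 25, "escalate": 35}),
}
THRESHOLD = 40  # assumed cut-off: a CB scoring lower is dropped

# Compound break: an ordered chain of CBs and the attack path it represents.
COMPOUND_BREAKS = {("CB-001", "CB-003"): "Container Escape to Cluster Admin"}
# Assumed path position weights: entry point counts most, then bridge, then leaf.
POSITION_WEIGHT = {"entry": 0.6, "bridge": 0.5, "leaf": 0.4}


def score_capability_breaks(findings):
    """First pass: weighted keyword scoring per CB, clamped to 0-100."""
    fired = {}
    for cb_id, (name, signals) in CAPABILITY_BREAKS.items():
        score = 0
        for keyword, weight in signals.items():
            # Word-boundary match so 'bind' does not fire on 'bound' or 'binding'.
            pattern = re.compile(r"\b" + re.escape(keyword) + r"\b", re.IGNORECASE)
            if any(pattern.search(text) for text in findings):
                score += weight
        score = min(score, 100)
        if score >= THRESHOLD:
            fired[cb_id] = {"name": name, "confidence": score}
    return fired


def score_compound_breaks(fired):
    """Second pass: chains whose every CB fired, weighted by kill-chain position."""
    chains = {}
    for chain, name in COMPOUND_BREAKS.items():
        if not all(cb in fired for cb in chain):
            continue
        weighted, total = 0.0, 0.0
        for i, cb in enumerate(chain):
            pos = "entry" if i == 0 else "leaf" if i == len(chain) - 1 else "bridge"
            weighted += POSITION_WEIGHT[pos] * fired[cb]["confidence"]
            total += POSITION_WEIGHT[pos]
        chains[name] = round(weighted / total)
    return chains


SAMPLE_FINDINGS = [  # constructed sample findings, in scanner-style free text
    "Pod api-gateway runs with privileged: true and hostPID: true",
    "ServiceAccount api-gateway is bound to ClusterRole cluster-admin",
    "Role ci-runner grants wildcard verbs on secrets",
]
```

With the sample findings, CB-001 scores 75 and CB-003 scores 80 while CB-002 never reaches the threshold, so only the CB-001 + CB-003 chain is reported, with a position-weighted confidence of 77.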
Really impressed after running this in a real environment. Instead of just dumping a massive list of alerts like Kubescape, showing the actual privilege escalation paths makes remediation so much easier. Awesome work, thanks a lot!
@crpytorich Thanks for the feedback.
Tested it in a real production environment and it worked incredibly well. Compared to tools like Kubescape, the way it connects the dots to map out actual attack paths is a game-changer. Thanks a lot for this, amazing work!
@jackryan7777 Thanks.