Automated Cloud-Native Incident Response with Kubernetes and Service Mesh


Conference Link

Recording

Abstract

Security incident response is a well-understood operation, with established best practices like the MITRE ATT&CK Framework and the Lockheed Martin Cyber Kill Chain.

Tooling to aid and automate incident response exists, but not all of it is applicable to cloud-native platforms. For example, playbook apps are generally applicable, but the steps to move compromised workloads to an isolated forensics network are platform-specific, and new implementations are needed for the cloud-native world.

In this talk, Matt and Francesco will

  • Recap incident response 101
  • Introduce some cloud-native tech including Kubernetes, Istio, and GitOps
  • Show an Operator built by Matt for dynamically adding complex layer-7 traffic rules in response to changes in the environment, which will be used as part of the demo
  • Walk you through a response to a Log4Shell attack against a workload in a k8s cluster: sensor alert, SIEM analysis, IRP automation (honeypots, isolation), building the IoC, and killing the attack.
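The isolation step the abstract mentions (moving a compromised workload off the production network while keeping it reachable for forensics) is platform-specific in Kubernetes. The manifests below are an added example, not the speakers' operator or demo code; they assume the responder or an automation step has labelled the compromised pod `security.example/quarantine: "true"` in namespace `prod`, and that forensics tooling runs in a namespace named `forensics`.

```yaml
# Added example (not from the talk): two-layer quarantine of a compromised pod.
# Layer 3/4: a NetworkPolicy enforced by the CNI drops all traffic to the pod
# and allows egress only to the forensics namespace (DNS is blocked too, which
# is intentional for a quarantined workload).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: quarantine-compromised-pods
  namespace: prod
spec:
  podSelector:
    matchLabels:
      security.example/quarantine: "true"   # assumed label set by the responder
  policyTypes: ["Ingress", "Egress"]
  # No ingress rules listed: every inbound connection is denied.
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: forensics   # assumed forensics namespace
---
# Layer 7: the Istio sidecar on the quarantined pod rejects inbound requests
# unless they originate in the forensics namespace. DENY policies are
# evaluated before ALLOW policies, so this wins over any existing ALLOW rules,
# and it holds even if the cluster's CNI does not enforce NetworkPolicy.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-quarantined-inbound
  namespace: prod
spec:
  selector:
    matchLabels:
      security.example/quarantine: "true"
  action: DENY
  rules:
  - from:
    - source:
        notNamespaces: ["forensics"]
```

Applying the label is the only per-incident action; the policies are pre-deployed so that quarantine takes effect as soon as the label is added. Note that the Istio policy governs requests into the pod; outbound L7 traffic is covered by the NetworkPolicy egress rule.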

Slides

Demo Code

Reviews

Average Attendee Score: 9.7/10

Official conference summary of written feedback: “This session was highly praised as the best at the conference, providing a well-balanced mix of theory, practice, and real-life examples. Attendees found the introduction to incident response with mesh to be particularly valuable and appreciated how the talk contextualized the information presented in the slides. As a result, many plan to change their workflows based on what they learned. Overall, this session was a great success and left a lasting impact on those who attended.”