v0.7.0 — available now · 7-day free trial

Catch threats in your
Kubernetes cluster
before they catch you.

Kernel-level runtime threat detection built on Falco, running entirely in your own cluster. No phone-home, no telemetry — nothing leaves except the alerts you tell it to send, to the destinations you pick.

⎈ Helm install 🔒 Self-hosted ⚡ Kernel-level (eBPF) 💾 Perpetual license 🔧 No phone home
install
$ helm repo add kubesentry https://charts.kubesentry.io $ helm repo update $ helm install kubesentry kubesentry/kubesentry \ $ --namespace kubesentry --create-namespace

Installs in minutes · full product for 7 days · no credit card

live
Critical +1
2
High +3
5
Medium −4
12
Suppressed dedup
847

Recent alerts — last 24h

⌘ K
Severity Rule ×
CRIT Reverse shell in container 1
CRIT Crypto mining process detected 3
HIGH Privileged container started 1
HIGH Sensitive file accessed 6
HIGH RBAC role modified 1
MED Unusual outbound connection 2
MED Container drift detected 1
// how it works

From helm install to first alert in under 5 minutes.

01 install
$ helm install kubesentry \
    kubesentry/kubesentry

One-command install

Falco + collector + dashboard + alerter — all deployed via one Helm chart, on any cluster running a kernel Falco supports.

02 detect
Reverse shell in pod/payments-api
Crypto miner process
Privileged container started

Curated rules

14 KubeSentry rules tuned for low false positives — crypto miners, reverse shells, privilege escalation, lateral movement — running on top of Falco's default ruleset.

03 alert
→ Slack
→ Email digest
→ Discord / Teams
→ Custom webhook

Actionable alerts

Critical events fire instantly. Daily digests roll up the noise. Every KubeSentry rule ships with triage steps and remediation commands.

// what gets installed

Everything runs inside your cluster.

One Helm chart installs a Falco DaemonSet on every node, a router, and a single collector Deployment — that's every pod you'll see. Detection, storage, and the dashboard never talk to us. The only thing that ever leaves is an alert you explicitly configured, going to a destination you picked.

your cluster · your infrastructure
node-1 node
payments-api redis
falco
eBPF · reads the kernel
node-2 node
web worker
falco
eBPF · reads the kernel
node-3 node
api-gateway
falco
eBPF · reads the kernel

DaemonSet — one Falco pod per node, privileged, watching syscalls

falcosidekick
routes Falco's output to the collector
collector deployment
aggregate
events from every node land in one place
deduplicate
a crashlooping exploit becomes one alert, not 900
store
SQLite on a PersistentVolume in your cluster
dashboard
Served by the collector. Reach it with kubectl port-forward — not exposed by default.
notifier
Instant on critical, daily digest for the rest. Off until you configure it.
outside your cluster
Email Slack Discord Teams Custom webhook

This is the only thing that ever leaves. If you turn notifications on, the alert goes to the destination you configured — and nowhere else. There is no KubeSentry server in the picture: no telemetry, no phone-home, not even for licensing, which is verified offline against a key compiled into the binary. Air-gap the cluster and everything except these notifications still works.

// why kubesentry

Enterprise security
at enterprise prices.
for €99.

Datadog. Sysdig. Aqua. Built for enterprises with security teams, and sold as subscriptions metered by how much you run — for as long as you run it. KubeSentry is built for the rest of us: the five-to-fifty-person engineering org with real clusters and nobody whose full-time job is security.

You pay once. It runs in your cluster. Nobody meters your hosts.

// pricing

Pay once. Own it.

One-time payment. Yours forever. Every tier includes all future updates — no subscription, no renewals, ever.

7-day free trial · no credit card

Solo

Individuals and very small clusters.

€99 once

perpetual license

Licensed for 1 cluster
  • Full dashboard + alerting
  • Curated ruleset + remediation advice
  • Email, Slack, Discord, Teams
  • All future updates, forever
Buy Solo
most popular

Team

Small teams running a handful of clusters.

€299 once

perpetual license

Licensed for 5 clusters
  • Full dashboard + alerting
  • Curated ruleset + remediation advice
  • Email, Slack, Discord, Teams
  • All future updates, forever
Buy Team

Pro

Larger deployments.

€499 once

perpetual license

Licensed for unlimited clusters
  • Full dashboard + alerting
  • Curated ruleset + remediation advice
  • Email, Slack, Discord, Teams
  • All future updates, forever
Buy Pro

Cluster counts are licence terms, not technical limits. Nothing in the collector checks how many clusters you run — enforcing that would mean phoning home, and we promise never to. So we trust you to buy the tier that fits, and you get to verify that promise by reading the code.

Checkout and invoicing are handled by Lemon Squeezy (our merchant of record); VAT is calculated at checkout. Your license key is emailed to you automatically right after purchase — apply it with --set license=…. Don't want to buy yet? Install and run the 7-day trial first; it's the full product.

// questions

You probably want to know.

Is this just a Falco wrapper? +
Falco is the engine — open source, world-class, and free. KubeSentry is the experience around it: a curated ruleset tuned for low false positives, smart deduplication, a clean dashboard, email digests, multi-channel alerting, and triage + remediation guidance attached to every KubeSentry rule. Think of it as 'managed Falco you actually self-host.'
Is this a subscription? +
No. Pay once, use forever — including all future updates. There is no renewal, no maintenance window, and no recurring charge of any kind. Your license is perpetual: it never expires, on any version.
Is the cluster count enforced? +
No. It's a licence term, not a technical limit — nothing in the collector counts your clusters, and a Solo key works anywhere you paste it. Enforcing it would mean every install reporting back to us, which is exactly the telemetry we promise never to send. You can verify that in the source. We'd rather trust you and keep the promise than police the count and break it.
Does it phone home? +
No. There is no KubeSentry server your cluster talks to — not for telemetry, not even for licensing, which is verified offline with Ed25519 signatures against a public key compiled into the collector. Your alerts and cluster data stay put; the one exception is notifications, which go only to the destinations you configure (your Slack, your inbox). Turn those off and the cluster can be fully air-gapped.
What about Wazuh / Tetragon / Kubescape? +
They're great tools. Wazuh is a full SIEM (heavyweight). Tetragon is powerful but low-level. Kubescape focuses on posture, not runtime. KubeSentry is opinionated and focused: real-time threat detection with zero setup pain. If you want to combine — go for it.
Can I try it before buying? +
Yes. Every install starts with a 7-day free trial — the full product, no restrictions, no credit card. Install the chart and it just works; a banner in the dashboard tracks the trial. Add a license key when you are ready.