Catch threats in your
Kubernetes cluster
before they catch you.
Kernel-level runtime threat detection built on Falco, running entirely in your own cluster. No phone-home, no telemetry — nothing leaves except the alerts you tell it to send, to the destinations you pick.
$ helm repo add kubesentry https://charts.kubesentry.io $ helm repo update $ helm install kubesentry kubesentry/kubesentry \ $ --namespace kubesentry --create-namespace Installs in minutes · full product for 7 days · no credit card
Recent alerts — last 24h
| Severity | Rule | Pod / Namespace | Time | × |
|---|---|---|---|---|
| CRIT | Reverse shell in container | payments-api-7d8f · prod | 2m ago | 1 |
| CRIT | Crypto mining process detected | redis-cache-2k · cache | 14m ago | 3 |
| HIGH | Privileged container started | debug-tools-x · ops | 1h ago | 1 |
| HIGH | Sensitive file accessed | api-gateway-9 · prod | 2h ago | 6 |
| HIGH | RBAC role modified | kube-api-proxy · kube-system | 3h ago | 1 |
| MED | Unusual outbound connection | worker-batch-3 · jobs | 4h ago | 2 |
| MED | Container drift detected | user-service-1 · prod | 5h ago | 1 |
From helm install to first alert in under 5 minutes.
One-command install
Falco + collector + dashboard + alerter — all deployed via one Helm chart, on any cluster running a kernel Falco supports.
Curated rules
14 KubeSentry rules tuned for low false positives — crypto miners, reverse shells, privilege escalation, lateral movement — running on top of Falco's default ruleset.
Actionable alerts
Critical events fire instantly. Daily digests roll up the noise. Every KubeSentry rule ships with triage steps and remediation commands.
Everything runs inside your cluster.
One Helm chart installs a Falco DaemonSet on every node, a router, and a single collector Deployment — that's every pod you'll see. Detection, storage, and the dashboard never talk to us. The only thing that ever leaves is an alert you explicitly configured, going to a destination you picked.
DaemonSet — one Falco pod per node, privileged, watching syscalls
kubectl port-forward — not exposed by default.
This is the only thing that ever leaves. If you turn notifications on, the alert goes to the destination you configured — and nowhere else. There is no KubeSentry server in the picture: no telemetry, no phone-home, not even for licensing, which is verified offline against a key compiled into the binary. Air-gap the cluster and everything except these notifications still works.
Enterprise security
at enterprise prices.
for €99.
Datadog. Sysdig. Aqua. Built for enterprises with security teams, and sold as subscriptions metered by how much you run — for as long as you run it. KubeSentry is built for the rest of us: the five-to-fifty-person engineering org with real clusters and nobody whose full-time job is security.
You pay once. It runs in your cluster. Nobody meters your hosts.
Pay once. Own it.
One-time payment. Yours forever. Every tier includes all future updates — no subscription, no renewals, ever.
7-day free trial · no credit card
Solo
Individuals and very small clusters.
perpetual license
- Full dashboard + alerting
- Curated ruleset + remediation advice
- Email, Slack, Discord, Teams
- All future updates, forever
Team
Small teams running a handful of clusters.
perpetual license
- Full dashboard + alerting
- Curated ruleset + remediation advice
- Email, Slack, Discord, Teams
- All future updates, forever
Pro
Larger deployments.
perpetual license
- Full dashboard + alerting
- Curated ruleset + remediation advice
- Email, Slack, Discord, Teams
- All future updates, forever
Cluster counts are licence terms, not technical limits. Nothing in the collector checks how many clusters you run — enforcing that would mean phoning home, and we promise never to. So we trust you to buy the tier that fits, and you get to verify that promise by reading the code.
Checkout and invoicing are handled by Lemon Squeezy (our merchant of record); VAT
is calculated at checkout. Your license key is emailed to you automatically right
after purchase — apply it with --set license=….
Don't want to buy yet? Install and run the 7-day trial first; it's the full product.