Security Stack Logo
Calico logo

Network & Infrastructure SecurityContainer Security

Calico

Kubernetes network security with eBPF data plane for high-performance policy enforcement.

Kubernetes Network SecurityMicrosegmentation

Calico Overview

What it does

Calico provides container and Kubernetes network security through network policy enforcement, zero-trust networking, and runtime threat defense built on open-source Project Calico. Unlike traditional Kubernetes networking relying on iptables creating performance bottlenecks, Calico delivers eBPF-powered data plane performing packet processing directly in Linux kernel eliminating overhead while providing native Kubernetes service handling without kube-proxy.

How it works

Built on pluggable data plane architecture supporting eBPF, standard Linux networking, Windows HNS, and VPP, Calico powers over 100 million containers across 8 million nodes in 166 countries. Core capabilities include Kubernetes Network Policy enforcement with fine-grained pod-to-pod communication controls, DNS policy enforcement controlling domain-based access, egress gateway managing outbound traffic, and WireGuard encrypted tunneling. The eBPF data plane delivers higher throughput with lower CPU consumption, scales to thousands of services, and provides XDP-based DDoS mitigation with source IP-preserving load balancing. Additional capabilities include runtime threat detection with threat intelligence integration, vulnerability management with container image scanning, compliance automation for CIS Benchmarks, and detailed flow logs with network visualization for forensics.

Credentials and traction

Calico was named a Leader and Outperformer in the 2025 GigaOm Radar for Container Networking, recognized for its container networking security, cross-environment networking, and scalability. Customers include Discover, Chipotle, NBCUniversal, Box, Siemens Healthineers, Royal Bank of Canada, and Bell Canada. The underlying open-source Project Calico secures container networking across enterprise Kubernetes environments, with adoption spanning large-scale and regulated cloud-native deployments.

Key Capabilities

mapped to solution categories
Kubernetes Network Security

Captures and logs all pod-to-pod network flows including service mesh traffic, providing full observability for anomaly detection and policy validation.

Enforces network policies using eBPF programs attached to kernel hooks, providing lower overhead and higher throughput than iptables-based NetworkPolicy enforcement.

Enforces DNS-based and IP-based egress policies for pod outbound traffic, preventing C2 communication, data exfiltration, and unauthorized external API calls.

Analyzes observed pod-to-pod traffic and generates Kubernetes NetworkPolicy manifests that allow only observed legitimate connections, reducing policy authoring to review and approval.

Microsegmentation

Applies consistent microsegmentation policy to cloud VMs and containers alongside on-premises workloads, using cloud-native enforcement mechanisms (security groups, NSGs) under unified policy.

Enforces identity-based allow policies (user identity, workload identity, device posture), rather than IP-based rules, policy follows the workload regardless of network location.

Evaluates proposed segmentation policies against observed traffic to identify what legitimate connections would be blocked, enabling policy validation without a production enforcement change.

Enforces segmentation via a host agent at the OS network stack or through upstream network controls (cloud security groups, SDN, switch ACLs) where agents are not viable.

Integrations

compatible tools
ArgoCDAWS Security HubAzure Security CenterDatadogElasticsearchEnvoyGoogle Cloud Security Command CenterGrafanaIstioJenkinsPagerDutyPrometheusSlackSplunkSysdigWebhook

Implementation & support

Deployment model
CloudHybridOn-PremisesSaaS
Pricing structure
Community EditionCustom / EnterpriseFreemiumSubscriptionUsage-based
Support channels
Community ForumDocumentationEmail SupportKnowledge BasePhone SupportTraining / Academy

Info last updated on May 28, 2026

Vendors

Is this your product?

Claim your profile to connect with the teams looking for your solutions.

Security Stack Logo

The curated research platform for enterprise cybersecurity solutions.

All product and company names, logos, and brands are property of their respective owners and are used on this website for identification purposes only. Security Stack does not endorse any vendor, product, or service listed, and makes no warranties, express or implied, as to the accuracy or completeness of this content, including any warranties of merchantability or fitness for a particular purpose.

© 2026 Security Stack. All rights reserved.