
Container Security
SUSE Container Security Platform
Open-source container security with Layer 7 firewall, DPI, and zero-trust runtime protection.
SUSE Container Security Platform Overview
What it does
SUSE Security (formerly NeuVector) is the only 100% open-source, zero-trust container security platform delivering full lifecycle protection from build to runtime for Kubernetes environments. Unlike proprietary container security solutions, SUSE Security provides end-to-end vulnerability scanning throughout the CI/CD pipeline and into production, with patented Deep Packet Inspection (DPI) technology and a true Layer 7 container firewall that secures east-west traffic between containers and pods.
How it works
The platform features automated behavioral learning that discovers application patterns and creates security policies, combined with AI-driven anomaly detection to identify and block network, packet, zero-day, and application attacks including Distributed Denial of Service (DDoS) and Domain Name System (DNS) threats. Security policies can be managed as code using Kubernetes Custom Resource Definitions (CRDs) enabling GitOps workflows, while automated compliance auditing using Docker Bench and Kubernetes Center for Internet Security (CIS) Benchmark tests generates risk scores and compliance reports for Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA), and General Data Protection Regulation (GDPR).
Credentials and traction
Built on the open-source NeuVector project, SUSE Security's container platform is adopted by fintech firm Nova Credit, which uses it to help secure personal credit data for 5.6 million customers. The platform targets regulated industries such as financial services, healthcare, and government that require PCI-DSS, HIPAA, and GDPR auditing.
Key Capabilities
mapped to solution categoriesScans container image layers for OS package CVEs and application dependency vulnerabilities at build time, registry push, or pre-deployment, before execution.
Captures a continuous record of workload events (process, network, file, syscall) for forensic investigation of incidents in running workloads.
Enforces pod security standards, network policies, and RBAC controls across Kubernetes clusters, blocking non-compliant workload deployments and detecting policy drift.
Detects in-memory exploitation techniques (shellcode injection, heap spraying, ROP chains), in running workloads without relying on file-based signatures.
Monitors process execution, network connections, and file system activity in running workloads using a kernel agent, eBPF sensor, or sidecar container to detect behavioral anomalies and known attack patterns.
Enforces segmentation via a host agent at the OS network stack or through upstream network controls (cloud security groups, SDN, switch ACLs) where agents are not viable.
Discovers actual application communication flows by observing traffic before policy creation, producing a dependency map that forms the basis for allow-list policy without manual documentation.
Evaluates proposed segmentation policies against observed traffic to identify what legitimate connections would be blocked, enabling policy validation without a production enforcement change.
Applies consistent microsegmentation policy to cloud VMs and containers alongside on-premises workloads, using cloud-native enforcement mechanisms (security groups, NSGs) under unified policy.
Enforces identity-based allow policies (user identity, workload identity, device posture), rather than IP-based rules, policy follows the workload regardless of network location.
Blocks SMB, RDP, and WMI connections between endpoints by default, preventing ransomware from moving laterally via common network shares and remote management protocols.
Integrations
compatible toolsImplementation & support
Info last updated on May 27, 2026
Vendors
Is this your product?
Claim your profile to connect with the teams looking for your solutions.