Kubernetes gives us abstraction and power—but with great YAML comes great responsibility. In this talk, we’ll walk through live demos of real-world misconfigurations that allow attackers to escape containers and tamper with the host. You’ll see exactly what happens when Pods run in privileged mode, use hostPath volumes carelessly, or retain excess Linux capabilities. We’ll also show how to detect these attacks in real time using Falco, and enforce safety nets with Pod Security Admission. If you’ve ever wondered "what’s the worst that could happen?"—this session answers that with receipts.

Overview of Falco plugins and the broader Falco ecosystem.

How Falco rules work and how to use them to detect threats in runtime environments.

Details on Falco architecture and installation in the lab environment.

Overview of runtime security in cloud-native environments, including how it applies to Kubernetes and how Falco protects applications.