SANS 2026 Kubernetes & CNAPP Forum

Thu, Jan 15, 2026
10:00AM - 1:05PM EST
English
Dave Shackleford
Solutions Forum

Thank You To Our Sponsors

The SANS 2026 Kubernetes and CNAPP Forum is a focused, one-day event designed for security professionals, DevOps teams, and cloud architects seeking to secure modern, containerized applications. As Kubernetes and Cloud-Native Application Protection Platforms (CNAPPs) become core to enterprise infrastructure, this forum explores the evolving threat landscape, key attack vectors, and emerging defense strategies. Through expert-led sessions, technical demos, and case studies, attendees will learn how to integrate CNAPP capabilities, harden Kubernetes environments, and build continuous, scalable security into the cloud-native lifecycle—empowering organizations to protect what they deploy in real time.

Get Connected —> Join us on Slack!

Schedule

Showing 8 of 8

Filter by:

Select day:

Opening Introduction and Housekeeping

10:00AM - 10:15AM EST

Presented by

Dave Shackleford

Senior Instructor

Virtual

How Kubernetes Risk Emerges at Runtime: Lessons from an Attack Scenario

Kubernetes security often looks complete on paper. Policies are enforced, permissions align, and scans report clean results. But risk doesn’t announce itself in configuration. A trusted service drifts from its intended role as traffic patterns shift, yet the environment still appears compliant. This session will examine a real Kubernetes production attack that unfolds exactly this way, from detection to response. You'll see how a runtime CNAPP exposes risk by observing service execution and network activity, then correlating that behavior with configuration, identity, and policy context to guide investigation and immediate response. You’ll leave with a clear example of how to identify and respond to runtime risk in Kubernetes before it becomes an incident.

*Sponsored by Sweet Security

10:15AM - 10:45AM EST

Virtual

Why You Need CNAPP for Complete K8S Security

Kubernetes is powerful but notoriously difficult to secure with point tools alone. Misconfigurations, workload vulnerabilities, excessive permissions, and runtime threats often span multiple layers, making it easy for risks to hide in plain sight. This webinar explains how a Cloud-Native Application Protection Platform (CNAPP) unifies visibility and security across clusters, workloads, identities, and pipelines to deliver true end-to-end K8s protection. Learn why CNAPP is the most effective way to reduce blind spots, detect active threats, and secure Kubernetes at scale.

Reducing Cloud and AI Risk: Securing Applications from Code to Runtime

As AI adoption accelerates across hybrid and multi-cloud environments, security teams are overwhelmed by fragmented tools, limited visibility, and alert fatigue, making it hard to identify real risk and protect what matters most. In this session, learn a practical approach to securing cloud and AI-driven applications across the full lifecycle, from the first line of code to runtime. See how FortiCNAPP brings together posture, identity, vulnerabilities, runtime activity, and network context to help teams prioritize risk and respond faster with confidence. You’ll walk away with clear, actionable guidance to improve multi-cloud visibility, shift security left, detect threats in real time, and enable innovation without adding complexity.

*Sponsored by Fortinet

11:15AM - 11:45AM EST

Presented by

Tom Clavel

Director of Product Marketing

Virtual

Break

11:45AM - 12:00PM EST

Virtual

Unifying Kubernetes Security Posture Management and Real-Time Protection with Cortex Cloud

Recent industry reports show that while Kubernetes adoption is growing, security teams are struggling to keep up. A common mistake is focusing entirely on fixing misconfigurations, while ignoring what happens when the application is running. To be truly secure, you need to handle both.

In this webinar, we will build a checklist of 5 questions to help you choose the right Kubernetes security and CNAPP solution. We will also dive into a technical demonstration of Cortex Cloud™, showing you exactly how to bridge the gap between posture management and real-time protection.

Defending Kubernetes at Runtime: Where Configuration Ends and Reality Begins

Kubernetes security controls traditionally focus on configuration, policy, and pre-deployment validation. However, real-world attacks rarely exploit malicious images or bypass admission checks. Instead, they abuse trusted identities and legitimate workloads at runtime.

This session explains why runtime execution is the only place where meaningful attack behavior becomes visible in Kubernetes. Using a practical attack-path perspective, the talk highlights common runtime techniques used for execution, persistence, and lateral movement, and outlines what effective runtime security looks like in production. You’ll also hear how Upwind approaches this challenge: by embedding eBPF-based sensors at the kernel level to capture workload behavior in real time, enriched with Kubernetes context and cloud metadata. This gives teams live visibility into what’s actually happening in their clusters, so they can stop guessing and start defending with clarity.

Closing Remarks

01:00PM - 01:05PM EST

Presented by

Dave Shackleford

Senior Instructor

Virtual

Meet Your Chairperson

Dave Shackleford

Founder

Dave Shackleford, founder of Voodoo Security, has advanced cybersecurity through his leadership roles, including serving as CTO for the Center for Internet Security, where he coordinated the first published virtualization security benchmarks.

SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

SANS 2026 Kubernetes & CNAPP Forum

Share

Thank You To Our Sponsors