Continuous Security Control Validation
A NetworkPolicy can be defined but not enforcing. An admission webhook can be configured but silently disabled. Sidereal probes your cluster's security controls on a continuous schedule and audits whether they are operationally effective.
Configuration scanners, detection tools, and attack simulators are each valuable parts of a security stack. They do their jobs well. Sidereal is built for the operational validation layer that sits alongside them, by continuously probing whether controls are active, mapped to compliance frameworks, and generating the evidence your ISSO needs.
An ISSO validating Kubernetes security controls today pivots between disconnected tools: Kubescape for posture, Falco dashboards for detection, the SIEM for audit records, manual crosswalks to NIST 800-53, hand-built reports, spreadsheet POA&Ms. Each tool covers one piece. None of them connect the pieces. The ISSO becomes the integration layer.
Sidereal is a single operator that probes controls, maps results to frameworks, exports to your SIEM, and generates the evidence package. No manual integration required.
Kubescape, kube-bench, Trivy
Verify that security configurations are present and match known benchmarks. Well-suited for posture assessment and CIS compliance checks.
Stratus Red Team, Atomic Red Team
Purpose-built for adversary simulation and red team exercises. They generate realistic attack telemetry to test detection and response capabilities.
Falco, Tetragon
Monitor runtime behavior and alert on suspicious activity. A critical layer of any Kubernetes security stack and a direct input to incident response.
The gap between a configured control and a working control is documented, recurring, and exploitable. These are real incidents, not hypothetical failure modes.
Kyverno enforcing image policy with validationFailureAction: Enforce. Any resource with a Kubernetes finalizer attached has its deletionTimestamp set, which caused Kyverno to skip policy evaluation entirely. A developer-level account was sufficient to place any resource in a permanently policy-exempt state. (CVE-2023-34091, patched in Kyverno 1.10.0.)
NetworkPolicy objects applied to Amazon EKS clusters using the default VPC CNI plugin. The API accepted every policy and returned success. Until Amazon added native enforcement in October 2023, none of those policies filtered any traffic. Configuration scanners reported them as present. Inter-pod traffic was never blocked.
Falco and Tetragon deployed for runtime detection. ARMO's "Curing" rootkit conducts all operations through Linux's io_uring interface, bypassing the syscall layer both tools instrument. Full data exfiltration with zero alerts from Falco, Tetragon, or Microsoft Defender for Endpoint. (ARMO, April 2025.)
Sidereal is a Kubernetes-native operator for continuous security control validation on federal systems. It runs targeted, low-impact probes against a live cluster to verify that security controls are operationally effective, not merely configured. Results are mapped to compliance frameworks and written to an append-only, HMAC-verified audit log.
Probes run on configurable schedules, firing real actions against real enforcement layers rather than reading cached configuration state.
Every result is tagged with NIST 800-53, CMMC, CJIS, IRS 1075, HIPAA, NIST 800-171, and Kubernetes STIG controls automatically.
Fires known-bad syscall patterns, then independently verifies that the detection pipeline (Falco or Tetragon) raised the expected alert.
Continuous monitoring summaries, POA&M entries, coverage matrices, and OSCAL evidence packages generated from probe results.
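The two properties above, results tagged with framework controls and written to an append-only, HMAC-verified log, can be shown in a few dozen lines. The following is an added illustration, not Sidereal's code: each entry's HMAC covers the previous entry's HMAC, so an edited, deleted or reordered record is caught on verification, and the open findings a POA&M would be built from fall out of the same records. The probe-to-control crosswalk, the probe names and the key are constructed for the example.

```go
package main

// Added example (not Sidereal's own code): an append-only, HMAC-chained audit
// log of probe results, each carrying constructed framework-control tags.

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// ProbeResult is what one probe run reports.
type ProbeResult struct {
	Probe   string `json:"probe"`
	Outcome string `json:"outcome"` // "pass", "fail" or "inconclusive"
	Detail  string `json:"detail,omitempty"`
}

// Entry is one audit record: the result, its control tags, and a MAC that
// chains to the previous record through PrevMAC.
type Entry struct {
	Seq      int         `json:"seq"`
	Result   ProbeResult `json:"result"`
	Controls []string    `json:"controls"`
	PrevMAC  string      `json:"prev_mac"`
	MAC      string      `json:"mac"`
}

// controlMap is a constructed crosswalk from probe surface to framework
// controls, for illustration only; it is not Sidereal's mapping.
var controlMap = map[string][]string{
	"rbac-boundary":    {"NIST-800-53:AC-6", "NIST-800-171:3.1.5"},
	"networkpolicy":    {"NIST-800-53:SC-7", "NIST-800-171:3.13.1"},
	"admission-policy": {"NIST-800-53:CM-7"},
	"detection":        {"NIST-800-53:SI-4", "NIST-800-171:3.14.6"},
}

type AuditLog struct {
	key     []byte
	entries []Entry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

// macFor is HMAC-SHA256 over the entry's JSON with its own MAC field blanked.
// PrevMAC is inside the MAC'd bytes, so every MAC commits to the whole prefix.
func macFor(key []byte, e Entry) string {
	e.MAC = ""
	b, err := json.Marshal(e)
	if err != nil {
		panic(err)
	}
	m := hmac.New(sha256.New, key)
	m.Write(b)
	return hex.EncodeToString(m.Sum(nil))
}

// Append tags the result with its controls and links it to the previous entry.
func (l *AuditLog) Append(r ProbeResult) Entry {
	prev := "genesis"
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].MAC
	}
	controls, ok := controlMap[r.Probe]
	if !ok {
		controls = []string{"unmapped"}
	}
	e := Entry{Seq: len(l.entries), Result: r, Controls: controls, PrevMAC: prev}
	e.MAC = macFor(l.key, e)
	l.entries = append(l.entries, e)
	return e
}

// Entries returns a copy, as an exporter (SIEM, report pipeline) would read it.
func (l *AuditLog) Entries() []Entry { return append([]Entry(nil), l.entries...) }

// Verify recomputes every MAC and walks the chain; a modified, deleted or
// reordered entry is reported with its position.
func Verify(key []byte, entries []Entry) error {
	prev := "genesis"
	for i, e := range entries {
		if e.Seq != i {
			return fmt.Errorf("entry %d: sequence gap (got seq %d)", i, e.Seq)
		}
		if e.PrevMAC != prev {
			return fmt.Errorf("entry %d: chain break", i)
		}
		if !hmac.Equal([]byte(e.MAC), []byte(macFor(key, e))) {
			return fmt.Errorf("entry %d: MAC mismatch", i)
		}
		prev = e.MAC
	}
	return nil
}

// OpenFindings lists the controls whose latest probe result is a failure,
// i.e. the raw material of a POA&M entry or coverage matrix.
func OpenFindings(entries []Entry) []string {
	latest := map[string]Entry{}
	for _, e := range entries {
		latest[e.Result.Probe] = e // later entries win
	}
	probes := make([]string, 0, len(latest))
	for p := range latest {
		probes = append(probes, p)
	}
	sort.Strings(probes)
	var out []string
	for _, p := range probes {
		if latest[p].Result.Outcome == "fail" {
			out = append(out, latest[p].Controls...)
		}
	}
	return out
}

func main() {
	key := []byte("constructed-test-key") // in practice a secret held by the operator
	l := NewAuditLog(key)
	l.Append(ProbeResult{Probe: "networkpolicy", Outcome: "pass"})
	l.Append(ProbeResult{Probe: "admission-policy", Outcome: "fail", Detail: "spec admitted"})
	fmt.Println("verify original:", Verify(key, l.Entries()))
	tampered := l.Entries()
	tampered[1].Result.Outcome = "pass" // someone "fixes" the finding after the fact
	fmt.Println("verify tampered:", Verify(key, tampered))
	fmt.Println("open findings:", OpenFindings(l.Entries()))
}
```

The key never appears in the log, so a reader with the entries alone can neither forge a record nor remove one without breaking the chain at the next entry; verification is the check an assessor runs before trusting the evidence package.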
Install via Helm into the sidereal-system namespace. Choose a deployment profile for your CNI and admission controller. Default execution mode is dryRun.
The controller scans your cluster and generates SiderealProbeRecommendations. Review and promote what fits. No probe authoring required to get started.
Probes run on schedule. Results are written to an HMAC-verified audit log, mapped to compliance frameworks, and exported to your SIEM or report pipeline.
dryRun: Validates configuration without executing probes. Safe to run immediately after install.
observe: Probes execute live. Results are recorded. No incidents or alerts generated.
enforce: Full operation. Incidents created on control failure, IR webhook notified.
Six built-in probe surfaces cover the control categories federal assessors most commonly examine. A custom probe interface lets agencies extend coverage to their own surfaces.
ServiceAccount permission boundaries are enforced and denying unauthorized operations.
East-west traffic restrictions are actively blocking unauthorized paths at the CNI layer.
Admission policies reject non-compliant workload specs at the API server.
Workloads cannot access secrets outside their authorized namespace.
Known-bad behaviors trigger expected alerts in your detection pipeline (Falco or Tetragon).
Operator-extensible probe surface. Bring your own probe binary with a standardized contract.
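What separates a probe like these from a configuration scan is the decision rule: the control passes only when the enforcement layer is observed denying the action, an admitted action is a failure, and an error or timeout is inconclusive rather than a pass. The following is an added illustration, not Sidereal's probe contract or code, using the admission-policy surface and the three execution modes described above. The AdmissionClient interface, the constructed spec and the three fake clients stand in for a real server-side dry-run request to the API server.

```go
package main

// Added example (not Sidereal's own code): a three-valued probe outcome and
// the execution-mode dispatch around it. The AdmissionClient interface and its
// fake implementations are constructed stand-ins for a real API server call.

import (
	"errors"
	"fmt"
)

// Outcome is three-valued on purpose: a probe may only pass on an observed
// denial. Anything it could not observe is inconclusive, never a pass.
type Outcome int

const (
	Pass         Outcome = iota // the enforcement layer denied the action
	Fail                        // the action was allowed through
	Inconclusive                // error or timeout; nothing was observed
)

func (o Outcome) String() string {
	return [...]string{"pass", "fail", "inconclusive"}[o]
}

// Mode mirrors the three execution modes: dryRun, observe, enforce.
type Mode string

const (
	DryRun  Mode = "dryRun"
	Observe Mode = "observe"
	Enforce Mode = "enforce"
)

// ErrDenied is what an AdmissionClient returns when the API server rejects
// the request, which is the behaviour a validating admission policy must show.
var ErrDenied = errors.New("admission denied")

// AdmissionClient is a constructed stand-in for a server-side dry-run create
// against the API server; a real probe would issue that request and map the
// HTTP response onto these three cases.
type AdmissionClient interface {
	DryRunCreate(spec map[string]string) error
}

// nonCompliantSpec is a constructed workload that a baseline admission policy
// is expected to reject: privileged container from an unpinned image tag.
var nonCompliantSpec = map[string]string{
	"image":      "registry.invalid/app:latest",
	"privileged": "true",
}

// RunAdmissionProbe decides effectiveness from what was observed, not from
// whether a policy object exists in the cluster.
func RunAdmissionProbe(c AdmissionClient) (Outcome, string) {
	err := c.DryRunCreate(nonCompliantSpec)
	switch {
	case errors.Is(err, ErrDenied):
		return Pass, "API server rejected the non-compliant spec"
	case err == nil:
		return Fail, "non-compliant spec was admitted: policy present but not enforcing"
	default:
		return Inconclusive, "probe could not complete: " + err.Error()
	}
}

// Actions records what the operator did with a probe run under a given mode.
type Actions struct {
	Executed, Recorded, IncidentOpened, WebhookNotified bool
}

// Dispatch applies the execution mode: dryRun never fires the probe; observe
// fires and records; enforce additionally opens an incident and notifies the
// IR webhook on a failed control. An inconclusive result is recorded but is
// not a control failure and must not be counted as coverage either way.
func Dispatch(m Mode, run func() (Outcome, string)) (Outcome, string, Actions) {
	if m == DryRun {
		return Inconclusive, "dryRun: configuration validated, probe not executed", Actions{}
	}
	o, detail := run()
	a := Actions{Executed: true, Recorded: true}
	if m == Enforce && o == Fail {
		a.IncidentOpened, a.WebhookNotified = true, true
	}
	return o, detail, a
}

// Three constructed admission behaviours a probe can run into.
type DenyingAdmission struct{}   // policy enforcing: the request is rejected
type AdmittingAdmission struct{} // webhook unreachable with failurePolicy: Ignore, so everything is admitted
type UnreachableAPI struct{}     // the API server itself cannot be reached

func (DenyingAdmission) DryRunCreate(map[string]string) error   { return ErrDenied }
func (AdmittingAdmission) DryRunCreate(map[string]string) error { return nil }
func (UnreachableAPI) DryRunCreate(map[string]string) error     { return errors.New("dial tcp: i/o timeout") }

func main() {
	for _, c := range []AdmissionClient{DenyingAdmission{}, AdmittingAdmission{}, UnreachableAPI{}} {
		for _, m := range []Mode{DryRun, Observe, Enforce} {
			o, detail, a := Dispatch(m, func() (Outcome, string) { return RunAdmissionProbe(c) })
			fmt.Printf("%-8s %-12s incident=%-5v %s\n", m, o, a.IncidentOpened, detail)
		}
	}
}
```

The AdmittingAdmission case is the one that a presence check cannot see: the ValidatingWebhookConfiguration exists and looks healthy, yet with failurePolicy: Ignore an unreachable webhook admits every request. Only a probe that submits something the policy must reject, and insists on seeing the rejection, tells the two apart.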
Sidereal installs in minutes and starts discovering probe recommendations immediately.