SI-4 / SI-3 / IR-4 NIST SP 800-53 Rev 5

Do you have runtime cloud workload protection (CWPP / agent or eBPF) detecting active threats?

Demonstrate that cloud workloads are instrumented with runtime protection agents or eBPF sensors capable of detecting and alerting on active threats, malicious processes, and anomalous behavior during execution.

Description

What this control does

Cloud Workload Protection Platform (CWPP) solutions deploy runtime agents or eBPF (extended Berkeley Packet Filter) sensors on cloud workloads (VMs, containers, serverless functions) to monitor process execution, file integrity, network connections, and system calls in real time. These sensors detect anomalous behavior such as privilege escalation, unauthorized process execution, cryptomining, reverse shells, and fileless malware by comparing runtime activity against behavioral baselines, threat intelligence feeds, and predefined security policies. Runtime detection is critical because static security controls (firewalls, vulnerability scans) cannot prevent exploitation of zero-day vulnerabilities or detect attacker lateral movement once initial access is achieved.
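The behavioural comparison described above can be made concrete with a small replay detector. The following Python is an added example written for this page, not a vendor's CWPP engine: it walks a handful of constructed sensor events (process executions and outbound connections on one host) and raises alerts for deviations from a per-host process baseline, a shell spawned by a service process, that shell dialing out to a non-internal address, and a process gaining effective root without a known setuid binary. The event shape, the baseline, the shell and service-parent lists, and the internal address ranges are all assumptions for the example.

```python
"""Behavioural runtime detection over constructed process/network telemetry.

Added example; the event shape, baseline and rule vocabularies are assumptions
made for this page and do not correspond to any particular CWPP product.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Per-workload process baseline. Assumption: a real sensor learns this from a
# clean observation window; here it is hand-written for host "web-01".
BASELINE = {"web-01": {"nginx", "php-fpm", "logrotate"}}

# Rule vocabularies (assumptions for this example, not a product policy).
SHELLS = {"sh", "bash", "dash", "zsh"}
SERVICE_PARENTS = {"nginx", "php-fpm", "apache2", "java", "node"}
SETUID_ALLOWLIST = {"sudo", "su", "passwd"}  # legitimate uid -> euid 0 transitions
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sensor events in a hypothetical shape: exec events carry the
# process name, parent name and real/effective uid; connect events carry the
# destination. They model a web worker spawning a shell that connects outward
# and then runs a non-setuid binary with effective uid 0.
EVENTS = [
    {"ts": 100, "type": "exec", "host": "web-01", "pid": 1001, "comm": "nginx",
     "parent_comm": "systemd", "uid": 0, "euid": 0},
    {"ts": 101, "type": "exec", "host": "web-01", "pid": 1002, "comm": "php-fpm",
     "parent_comm": "nginx", "uid": 33, "euid": 33},
    {"ts": 250, "type": "exec", "host": "web-01", "pid": 1003, "comm": "sh",
     "parent_comm": "php-fpm", "uid": 33, "euid": 33},
    {"ts": 251, "type": "connect", "host": "web-01", "pid": 1003,
     "dst_ip": "203.0.113.10", "dst_port": 8443},
    {"ts": 260, "type": "exec", "host": "web-01", "pid": 1004, "comm": "python3",
     "parent_comm": "sh", "uid": 33, "euid": 0},
    {"ts": 300, "type": "exec", "host": "web-01", "pid": 1005, "comm": "logrotate",
     "parent_comm": "cron", "uid": 0, "euid": 0},
    {"ts": 301, "type": "connect", "host": "web-01", "pid": 1002,
     "dst_ip": "10.0.0.5", "dst_port": 3306},
]


@dataclass
class Alert:
    ts: int
    host: str
    pid: int
    rule: str
    detail: str


def is_external(ip: str) -> bool:
    """True when the destination lies outside the internal ranges listed above."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(events, baseline=BASELINE):
    """Replay events in order and return the alerts a runtime policy would raise."""
    alerts = []
    service_shells = set()  # (host, pid) of shells spawned by service processes
    for e in events:
        key = (e["host"], e["pid"])
        if e["type"] == "exec":
            # Baseline comparison: a process name this host has not run before.
            if e["comm"] not in baseline.get(e["host"], set()):
                alerts.append(Alert(e["ts"], e["host"], e["pid"], "baseline_deviation",
                                    f"{e['comm']} is not in the host baseline"))
            # An interactive shell whose parent is a service process.
            if e["comm"] in SHELLS and e["parent_comm"] in SERVICE_PARENTS:
                service_shells.add(key)
                alerts.append(Alert(e["ts"], e["host"], e["pid"], "shell_from_service",
                                    f"{e['parent_comm']} spawned {e['comm']}"))
            # Effective root without real uid 0 and without a known setuid binary.
            if e["euid"] == 0 and e["uid"] != 0 and e["comm"] not in SETUID_ALLOWLIST:
                alerts.append(Alert(e["ts"], e["host"], e["pid"], "privilege_escalation",
                                    f"uid {e['uid']} running {e['comm']} with euid 0"))
        elif e["type"] == "connect":
            # A service-spawned shell opening an egress connection outside the estate.
            if key in service_shells and is_external(e["dst_ip"]):
                alerts.append(Alert(e["ts"], e["host"], e["pid"], "reverse_shell",
                                    f"shell egress to {e['dst_ip']}:{e['dst_port']}"))
    return alerts


def summarize(alerts):
    """Alert counts per rule, the kind of figure pulled from a CWPP console."""
    return dict(Counter(a.rule for a in alerts))


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(f"t={a.ts} {a.host} pid={a.pid} {a.rule}: {a.detail}")
    print(summarize(found))
```

Note that the second connect event, a web worker talking to an internal database port, produces nothing: the rules key on process lineage and destination class rather than on ports alone, which is why a sensor needs both the exec and the connect stream to keep false positives down.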

Control objective

What auditing this proves

Demonstrate that cloud workloads are instrumented with runtime protection agents or eBPF sensors capable of detecting and alerting on active threats, malicious processes, and anomalous behavior during execution.

Associated risks

Risks this control addresses

  • Undetected execution of malicious binaries, scripts, or in-memory payloads within cloud workloads leading to data exfiltration or ransomware deployment
  • Privilege escalation attacks exploiting kernel vulnerabilities or misconfigured containers proceeding undetected without runtime monitoring
  • Cryptojacking or unauthorized resource consumption from compromised workloads operating without behavioral anomaly detection
  • Lateral movement via reverse shells, command-and-control beaconing, or network tunneling from compromised instances going unnoticed
  • Container breakout attempts or exploitation of orchestrator APIs evading perimeter controls in the absence of workload-level telemetry
  • Fileless malware and living-off-the-land attacks bypassing signature-based detection due to lack of runtime behavioral analysis
  • Delayed incident response and forensic blind spots caused by insufficient visibility into workload-level process execution and system call activity

Testing procedure

How an auditor verifies this control

  1. Obtain a complete inventory of in-scope cloud workloads (VMs, containers, Kubernetes pods, serverless functions) across all cloud environments (AWS, Azure, GCP, private cloud).
  2. Review the CWPP vendor documentation and deployment architecture to confirm whether agents, eBPF sensors, or kernel modules are used for runtime monitoring and identify supported workload types.
  3. Select a representative sample of workloads spanning different environment types (production, staging), workload classes (compute instances, containerized applications, serverless), and cloud providers.
  4. Verify agent or eBPF sensor installation status on sampled workloads by reviewing agent inventories in the CWPP management console, checking process lists on workloads, and confirming active telemetry ingestion.
  5. Examine CWPP detection policies and rule configurations to confirm coverage of runtime threat categories including process anomalies, privilege escalation, reverse shells, file integrity violations, and suspicious network connections.
  6. Review recent detection logs and alerts from the CWPP platform covering the past 30-90 days to verify active threat identification, alert generation, and mean time to detect (MTTD) metrics.
  7. Execute a controlled simulation or review documented penetration test results where runtime threats (e.g., malicious process execution, reverse shell) were introduced to validate detection efficacy and alert fidelity.
  8. Confirm integration of CWPP alerts with security information and event management (SIEM) or security orchestration platforms to ensure runtime detections trigger incident response workflows.

Evidence required

  • CWPP deployment reports showing agent or eBPF sensor installation rates across the workload inventory
  • Configuration exports of runtime detection policies with enabled threat categories
  • Screenshots of the CWPP management console displaying active workload coverage and recent alerts
  • Sample alert logs demonstrating detection of specific runtime threats (process anomalies, privilege escalation attempts, suspicious network activity)
  • Documented results of threat simulation exercises validating detection capabilities
  • Evidence of CWPP integration with SIEM or incident response platforms

Pass criteria

Runtime protection agents or eBPF sensors are deployed on at least 95% of in-scope cloud workloads, detection policies actively monitor runtime threats including process execution anomalies and privilege escalation, and documented evidence confirms recent threat detections and integration with incident response workflows.
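Steps 1, 3 and 4 of the testing procedure and the 95% pass threshold reduce to a reconciliation of the workload inventory against the sensor console. The Python below is an added example for this page (not a CWPP vendor's tooling) over a constructed inventory of twenty workloads and a constructed console export: it counts an agent as covered only if it is installed and has reported recently, breaks coverage down by workload class, lists the gaps, draws a deterministic stratified sample for spot checks, and applies the threshold. The workload names, timestamps and the one-day "active telemetry" cutoff are assumptions.

```python
"""Agent coverage check for a CWPP audit (added example, constructed data).

Reconciles a workload inventory against a sensor-console export, treats an
agent that has stopped reporting as uncovered, draws a stratified sample of
workloads for spot checks, and applies the 95% pass threshold.
"""
from collections import defaultdict

NOW = 1_700_000_000        # constructed "audit time" as epoch seconds
MAX_AGE_S = 24 * 3600      # assumption: telemetry older than a day is not active

# Constructed inventory: (workload_id, environment, workload_class, provider).
INVENTORY = (
    [(f"aws-prod-vm-{i}", "prod", "vm", "aws") for i in range(1, 7)]
    + [(f"aws-prod-pod-{i}", "prod", "container", "aws") for i in range(1, 7)]
    + [(f"az-stage-vm-{i}", "staging", "vm", "azure") for i in range(1, 5)]
    + [(f"gcp-prod-fn-{i}", "prod", "serverless", "gcp") for i in range(1, 5)]
)

# Constructed console export: workload_id -> last telemetry timestamp.
# az-stage-vm-4 has no agent at all; aws-prod-pod-6 stopped reporting 3 days ago.
AGENTS = {wid: NOW - 600 for wid, *_ in INVENTORY if wid != "az-stage-vm-4"}
AGENTS["aws-prod-pod-6"] = NOW - 3 * 24 * 3600


def coverage(inventory, agents, now=NOW, max_age_s=MAX_AGE_S, threshold=95.0):
    """Installed and active coverage, per-class breakdown, gaps and pass/fail."""
    total = len(inventory)
    installed = active = 0
    gaps = []
    by_class = defaultdict(lambda: [0, 0])  # class -> [active, total]
    for wid, _env, cls, _prov in inventory:
        by_class[cls][1] += 1
        last_seen = agents.get(wid)
        if last_seen is None:
            gaps.append((wid, "not_installed"))
            continue
        installed += 1
        if now - last_seen > max_age_s:
            # Installed but silent: no telemetry means no detection, so it is a gap.
            gaps.append((wid, "stale_telemetry"))
            continue
        active += 1
        by_class[cls][0] += 1
    active_pct = round(100.0 * active / total, 1) if total else 0.0
    installed_pct = round(100.0 * installed / total, 1) if total else 0.0
    return {
        "total": total,
        "installed_pct": installed_pct,
        "active_pct": active_pct,
        "by_class": {c: f"{a}/{t}" for c, (a, t) in sorted(by_class.items())},
        "gaps": gaps,
        "pass": bool(total) and active_pct >= threshold,
    }


def stratified_sample(inventory, per_stratum=1):
    """Deterministic picks per (environment, class, provider) stratum for spot checks."""
    strata = defaultdict(list)
    for row in sorted(inventory):
        strata[row[1:]].append(row[0])
    return {k: v[:per_stratum] for k, v in sorted(strata.items())}


if __name__ == "__main__":
    report = coverage(INVENTORY, AGENTS)
    print(f"installed {report['installed_pct']}%  active {report['active_pct']}%  "
          f"pass={report['pass']}")
    print("by class:", report["by_class"])
    for wid, reason in report["gaps"]:
        print(f"  gap: {wid} ({reason})")
    print("spot-check sample:", stratified_sample(INVENTORY))
```

On the constructed data the installation rate is exactly 95% but the active rate is 90%, so the check fails; an auditor who only counts console enrolments would pass it. The stale agent is the case step 4's "confirming active telemetry ingestion" is there to catch.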