Security Observability and Monitoring

A compromised container runs curl to an external C2 server. It reads /etc/shadow. Then it creates a new ClusterRoleBinding granting cluster-admin. Three events, three different detection layers. If you're only watching one, you're blind to the others.
Preventive controls like RBAC, Pod Security Standards, and network policies reduce your attack surface. But prevention alone isn't enough. You need to see what's happening right now and what already happened. Security observability bridges that gap: it tells you what occurred, when, who initiated it, and which resource was affected.
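As an added example (not part of the original lesson), here is how the third event in the scenario above, the new cluster-admin ClusterRoleBinding, can be surfaced from the Kubernetes API audit log and reduced to what occurred, when, who initiated it, and which resource was affected. The function name, the sample events, and the assumption that the audit policy records RBAC writes at Request level or higher are all constructed for illustration.

```python
import json

# Constructed, trimmed audit.k8s.io/v1 events, not real cluster logs. Assumes the
# audit policy records RBAC writes at Request level or higher (requestObject present).
SAMPLE_AUDIT_LOG = r"""
{"stage":"ResponseComplete","verb":"get","requestReceivedTimestamp":"2024-01-01T09:59:58Z","user":{"username":"system:serviceaccount:shop:web"},"objectRef":{"resource":"pods","namespace":"shop","name":"web-0"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"create","requestReceivedTimestamp":"2024-01-01T10:00:00Z","user":{"username":"system:serviceaccount:shop:web"},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io"},"responseStatus":{"code":201},"requestObject":{"metadata":{"name":"debug-binding"},"roleRef":{"kind":"ClusterRole","name":"cluster-admin"}}}
{"stage":"ResponseComplete","verb":"create","requestReceivedTimestamp":"2024-01-01T10:00:05Z","user":{"username":"alice"},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io"},"responseStatus":{"code":201},"requestObject":{"metadata":{"name":"readers"},"roleRef":{"kind":"ClusterRole","name":"view"}}}
{"stage":"ResponseComplete","verb":"create","requestReceivedTimestamp":"2024-01-01T10:00:09Z","user":{"username":"system:serviceaccount:shop:batch"},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io"},"responseStatus":{"code":403},"requestObject":{"metadata":{"name":"batch-admin"},"roleRef":{"kind":"ClusterRole","name":"cluster-admin"}}}
{"stage":"ResponseComplete","verb":"create","objectRef":{"resource":"clusterrol
"""

def find_admin_bindings(log_text):
    """Return one finding per request that binds subjects to cluster-admin."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupt line: skip it, keep processing
        ref = ev.get("objectRef") or {}
        body = ev.get("requestObject") or {}
        # One record per request: only the final stage carries the response code.
        if ev.get("stage") != "ResponseComplete":
            continue
        if ref.get("resource") != "clusterrolebindings":
            continue
        if ev.get("verb") not in ("create", "update"):
            continue
        if (body.get("roleRef") or {}).get("name") != "cluster-admin":
            continue
        code = (ev.get("responseStatus") or {}).get("code", 0)
        findings.append({
            "what": f"{ev['verb']} ClusterRoleBinding to cluster-admin",
            "when": ev.get("requestReceivedTimestamp"),
            "who": (ev.get("user") or {}).get("username"),
            # On create the URL carries no name, so fall back to the request body.
            "resource": ref.get("name") or (body.get("metadata") or {}).get("name"),
            "allowed": 200 <= code < 300,  # denied attempts are still worth alerting on
        })
    return findings

if __name__ == "__main__":
    for finding in find_admin_bindings(SAMPLE_AUDIT_LOG):
        print(finding)
```

The curl connection and the /etc/shadow read never reach the API server, so they do not appear in this log; they have to come from the network and runtime layers.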
KCSA — Kubernetes and Cloud Native Security Associate