Constanze Roedig
Independent OpenSource Maintainer and Cybersecurity Researcher
Constanze is an astrophysicist turned entrepreneur: she spent over 15 years designing and implementing resilient complex systems for finance and government. She is a CS lecturer and key researcher, and created the K8s Stormcenter for Open Threat Intelligence. Her research is on improving security using modern and emerging technologies such as eBPF, WebAssembly and AI. Her vision is to create practical and achievable security implementations usable in defendable systems for a resilient society.
How to adopt the Bill of Behaviour into your daily workflow: bobctl for transparent security
We introduce the “Bill of Behavior” (BoB): a vendor-supplied profile detailing the known benign runtime behaviours of a piece of software, designed to be distributed directly within OCI artifacts. Generated using eBPF, a BoB codifies expected syscalls, file access patterns, network communications, and capabilities. This enables signature-less anomaly detection, allowing end users to infer malicious activity or tampering in third-party software without the current burden of authoring and maintaining complex, custom security rules.
We will demonstrate the BoB specification's portability across diverse ecosystems, languages, and stacks. The main focus of our talk will be on emphasizing the vital role of user transparency and user experience:
Starting from the perspective of a customer journey, we designed a CLI experience tailored to both vendors and users, aiming to integrate seamlessly into existing ecosystems. Since effective security depends heavily on human factors, we deliberately optimized for minimal friction. In this talk, we’ll share the compromises we made, where our assumptions failed, and how user feedback reshaped our thinking.
Our ultimate goal? Empower the cloud-native community with a shareable, composable, and actionable framework for runtime security that fits naturally into modern Kubernetes workflows.
To close, we invite you to join our live-lab experiment: an open call to test and improve the system together. Your feedback will shape the future of runtime security tooling. Let’s make runtime behaviour as observable and manageable as CI/CD pipelines.
Meet BOB: the supply chain provided “bill of behaviour” for anomaly-based runtime security
Currently, an SBOM (“Software Bill of Materials”) includes only static build-time information. We propose to strengthen supply-chain security by allowing vendors to also supply known benign runtime-behaviour information alongside their OCI artefacts as a “Bill of Behaviour” (BoB).
BoB allows users to detect anomalies from the provided baseline at runtime and thus infer malicious behaviour or tampering using well-known cloud native tools.
We demonstrate a PoC reference implementation and discuss early user feedback. We will also discuss limitations for vendors and the impact on their software production.
Security Theater or Real Defense? Navigating Open Source Security in a Cloud-Native World
Kubernetes teams are drowning in dashboards, buried in YAML, and haunted by the ghost of “shift left.” Everyone says security is built-in, but breaches still happen, compliance still bites and engineers are still burned out. So what’s actually working… and what’s just performative security theater?
This women-led panel cuts through the noise. Featuring OSS contributors, DevSecOps veterans, and security leads from production-grade, cloud-native environments, we’re here to talk honestly about what breaks, what works, and what’s pure illusion. The panelists are contributors and practitioners behind CNCF toolsets, and they’ve seen it all: what works, what fails, and what we wish we had known earlier. Explore what’s real vs. theater in Kubernetes security: how to measure impact, where CNCF tools help (or fall short), and how to stay effective under pressure. No fluff, no vendor pitches. Just battle-tested insights from engineers on the front lines of securing cloud-native infrastructure at scale.
Multi-messenger security: Adaptive Kubernetes SOC from Disparate eBPF Tools
Through eBPF, the Linux kernel offers a way to unify the disparate fields of security and observability via shared data structures. We show how a K8s Security Operations Center, organically composed of established eBPF projects (CNCF Kubescape, Pixie and Tetragon), can see signals that the individual tools cannot.
We explain how we achieve both a comprehensive baseline and use independent signals to dial up/down coverage as suspicious indicators surface. The mutual independence of signals from across processes, file system, and network activity achieves a high signal-to-noise, enabling manageable data volumes and facilitating selective forensic storage.
You will see a live demo of the io_uring rootkit, which is hard to detect for syscall-based security tools in their default configurations, yet almost trivial to detect with our adaptive setup.
Additionally, our SOC architecture is node-local and no data leaves the cluster, meaning you remain sovereign and in control of your data.
Updates from the Kubernetes Storm Center: Open Source Threat Intelligence for Cloud Native
The cloud native ecosystem currently has no consistent Open Source Threat Intelligence. The community initiative "The Kubernetes Storm Center" aims to change that.
In this talk, we show how a non-expert would use a "Honey-Cluster" to practically validate threat modelling predictions and quantify the relative risk of different attack vectors. As an optional step, we show how to contribute the collected threat intelligence to (open) upstream databases such as MISP by mapping the threats onto MITRE.
After a general introduction, we detail how to utilize and adopt our method that, based on a given threat model:
a) generates a Kubernetes-based environment with embedded eBPF trip-wires, enabling the detection of real attacker paths without interference,
b) exposes these simulated environments to the wild to observe quantitative threat intelligence in action, and
c) informs cost-effective decisions for a defensive team.
We discuss recent community development and remaining caveats, emphasise the critical role of automation in scaling across diverse threat models, showcase one quantified attack tree live, and discuss the data we have collected from experiments so far.
To benefit the Kubernetes ecosystem, this accessible framework can be crowd-sourced into an open source threat intelligence capturing network for risk exposure quantification.
Cloud Native Threat Intelligence for Everyone
Accurate and current threat intelligence data plays a vital role in threat modelling, as we can learn about what attackers are doing in the wild, and how likely certain attack paths are to be exploited. Whilst open source threat intelligence does exist, it is often ‘event-based’, focusing on historical incidents of attackers using particular techniques to exploit specific vulnerabilities. However, what if we want to quantify our own threat models, which may involve chaining together many such attack vectors?
The Kubernetes Storm Centre is a newly established open source initiative that aims to provide a framework for independent quantification of cloud native attack paths, with contributing organisations running diverse ‘honey-clusters’ and sharing their results with a central hub for the world to freely consume. In this session, we will discuss the progress made by the project so far, share our initial results and insights, and explain how interested parties can contribute.
CNCF-hosted Co-located Events North America 2025 Sessionize Event
KubeCon + CloudNativeCon North America 2025 Sessionize Event
Cloud Native Denmark 2025 Sessionize Event
KCD Sofia 2025 Sessionize Event
Cloud Native Summit 2025 Sessionize Event