Constanze Roedig
Independent OpenSource Maintainer and Cybersecurity Researcher
Constanze is an astrophysicist turned entrepreneur: she spent over 15 years designing and implementing resilient complex systems for finance and government. She is a CS lecturer and key researcher, and created the Kubernetes Storm Center for Open Threat Intelligence. Her research is on improving security using modern and emerging technologies such as eBPF, WebAssembly and AI. Her vision is to create practical and achievable security implementations usable in defendable systems for a resilient society.
Instant Kubernetes Runtime Anomaly Detection via SBOBs (Bill of Behavior)
Achieving anomaly detection at reasonable noise levels is still inaccessible to most Kubernetes practitioners because of the effort, maintenance and skills it requires. We show how CNCF Kubescape enables a much more achievable UX, and how the concept of SBoBs shifts the burden of secure-by-default baselines to the producer/vendor of the software.
The key benefit for the ecosystem is scalability of runtime-rule maintenance: users inherit the rules, and their updates, directly from vendors.
In this talk, you'll learn how Kubescape leverages eBPF both to detect anomalies and to filter them into relevant alerts in real time while keeping performance overhead at bay. Its key advantage is UX: the profiles integrate with the CNCF ecosystem (e.g. GitOps) while staying human-readable and insightful, even without extra tools. This is why SBoBs can do what seccomp and AppArmor somehow never could: give users sufficiently specific behavior profiles that neither block legitimate activity nor drown analysts in noise.
Attack Defense Tutorial: Leverage eBPF to reveal attack flows with rich context
In this tutorial you learn how mature, well-maintained FOSS eBPF tools make invisible activity visible, and how hooking the kernel allows you to understand what is really happening.
We guide you through a series of attacks (MITRE TTPs) using an intuitive UI and use eBPF to watch how the steps are detonated:
- Intercepting malicious payloads in encrypted traffic
- Watching file access in a smart way
- The value and dangers of hooking STDOUT/IN
- Fileless malware abusing (deleted) filedescriptors
- Rating mechanisms for usefulness: syscalls, file hashes, packets, etc.
- Tracing a pivot across neighboring services (in UI and kernel level)
- Capability abuse for e.g. person-in-the-middle
- How to use eBPF to achieve standardized audit logs
Two parallel difficulty levels ensure everyone can follow along and challenge themselves. The hands-on exercises focus on giving you a systematic methodology to take home and apply in your own systems.
Meet BOB: the supply chain provided “bill of behaviour” for anomaly-based runtime security
Currently, an SBOM (“Software Bill of Materials”) includes only static build-time information. We propose to strengthen supply chain security by allowing vendors to also supply known benign runtime-behaviour information alongside the OCI artefacts as a “Bill of Behaviour” (BoB).
A BoB allows users to detect deviations from the provided baseline at runtime and thus infer malicious behaviour or tampering using well-known cloud native tools.
We demonstrate a PoC reference implementation and discuss early user feedback. We will also discuss limitations for the vendors and the impact on their software-production.
Security Theater or Real Defense? Navigating Open Source Security in a Cloud-Native World
Kubernetes teams are drowning in dashboards, buried in YAML, and haunted by the ghost of “shift left.” Everyone says security is built-in, but breaches still happen, compliance still bites and engineers are still burned out. So what’s actually working… and what’s just performative security theater?
This women-led panel cuts through the noise. Featuring OSS contributors, DevSecOps veterans, and security leads from production-grade, cloud-native environments, we’re here to talk honestly about what breaks, what works, and what’s pure illusion. The panelists are contributors and practitioners behind CNCF toolsets, and they’ve seen it all: what works, what fails, and what we wish we knew earlier. Explore what’s real vs. theater in Kubernetes security: how to measure impact, where CNCF tools help (or fall short), and how to stay effective under pressure. No fluff, no vendor pitches. Just battle-tested insights from engineers on the front lines of securing cloud-native infrastructure at scale.
Multi-messenger security: Adaptive Kubernetes SOC from Disparate eBPF Tools
The Linux kernel, through eBPF, offers a way to unify the disparate fields of security and observability via shared data structures. We show how a K8s Security Operations Center, organically composed of established eBPF projects (CNCF Kubescape, Pixie and Tetragon), can see signals that the individual tools cannot.
We explain how we achieve both a comprehensive baseline and use independent signals to dial up/down coverage as suspicious indicators surface. The mutual independence of signals from across processes, file system, and network activity achieves a high signal-to-noise, enabling manageable data volumes and facilitating selective forensic storage.
You will see a live demo of the io_uring rootkit, which is hard to detect for syscall-based security tools in their default configurations, yet almost trivial to detect with our adaptive setup.
Additionally, our SOC architecture is node-local and no data leaves the cluster, meaning you remain sovereign and in control of your data.
Updates from the Kubernetes Storm Center: Open Source Threat Intelligence for Cloud Native
The cloud native ecosystem currently has no consistent Open Source Threat Intelligence. The community initiative "The Kubernetes Storm Center" aims to change that.
In this talk, we show how a non-expert would use a "Honey-Cluster" to practically validate threat modelling predictions and quantify the relative risk of different attack vectors, and, as an optional step, how to contribute the collected threat intelligence to (open) upstream databases such as MISP by mapping the threats onto MITRE.
After a general introduction, we detail how to utilize and adopt our method that, based on a given threat model:
a) generates a Kubernetes-based environment with embedded eBPF trip-wires, enabling the detection of real attacker paths without interference,
b) exposes these simulated environments to the wild to observe quantitative threat intelligence in action, and
c) informs cost-effective decisions for a defensive team.
We discuss recent community development and remaining caveats, emphasise the critical role of automation in scaling across diverse threat models, live-showcase one quantified attack tree, and discuss the data we have collected from experiments so far.
To benefit the Kubernetes ecosystem, this accessible framework can be crowd-sourced into an open source threat intelligence capturing network for risk exposure quantification.
Cloud Native Threat Intelligence for Everyone
Accurate and current threat intelligence data plays a vital role in threat modelling, as we can learn about what attackers are doing in the wild, and how likely certain attack paths are to be exploited. Whilst open source threat intelligence does exist, it is often ‘event-based’, focusing on historical incidents of attackers using particular techniques to exploit specific vulnerabilities. However, what if we want to quantify our own threat models, which may involve chaining together many such attack vectors?
The Kubernetes Storm Centre is a newly established open source initiative that aims to provide a framework for independent quantification of cloud native attack paths, with contributing organisations running diverse ‘honey-clusters’ and sharing their results with a central hub for the world to freely consume. In this session, we will discuss the progress made by the project so far, share our initial results and insights, and explain how interested parties can contribute.
Events:
- Cloud Native Zürich 2026 (upcoming)
- KubeCon + CloudNativeCon Europe 2026 (upcoming)
- KubeCon + CloudNativeCon North America 2025
- CNCF-hosted Co-located Events North America 2025
- Cloud Native Denmark 2025
- KCD Sofia 2025
- Cloud Native Summit 2025