Container Forensics for Kubernetes: Building an Evidence Pipeline with Open Source Tools

Your container just got compromised. But Kubernetes is ephemeral by design: the pod restarts in 30 seconds, and when it does, the memory, processes, and ephemeral filesystem are gone. How do you investigate something that no longer exists?

The cloud native ecosystem has gotten good at prevention and detection, but once an alert fires, actually figuring out what happened is still a gap.

This session walks through a forensics pipeline we built from open source tools, with a live demo of a simulated attack. Falco detects suspicious activity, Falco Talon automatically captures syscalls and network traffic in response, and we analyze the evidence in Stratoshark, a Wireshark-style tool for system calls. We'll also show how the Kubernetes Checkpoint API can freeze a container's runtime state for offline inspection.

Attendees will walk away knowing how to set up automated evidence capture with Falco Talon, analyze captures in Stratoshark, and trigger forensic checkpoints in their clusters.

Jie Wu

Senior Security Engineer at Shopify

New York City, New York, United States
