Agentless security platforms are popular with DevOps teams because they deploy fast and skip the operational overhead of managing agents on every host. But conventional wisdom still holds that agentless necessarily comes with a tradeoff: no real-time visibility into what’s happening during an active attack. For that, DevOps teams have long assumed they need legacy agent-based tools instead, even with the cost and resource overhead that comes with them.
That tradeoff is outdated, and the data on how attacks actually unfold explains why it matters. Mandiant’s latest report says the median attacker dwell time, a measurement of how long a hacker sits inside your network before anyone notices, hit 14 days in 2025. The year before it was 11. These aren’t smash-and-grab jobs anymore. Attackers are settling in, getting comfortable, and getting better at not being seen while they do it.
A tool with runtime visibility can watch that entire window as the malicious actors do their thing – attempting lateral movement, privilege escalation, data staging and so forth. Two weeks is a real window during which runtime visibility either catches them or doesn’t, and it’s exactly the window agentless platforms were long assumed to miss.
That old tradeoff, agentless for speed, agent-based for runtime visibility, hasn’t kept pace with how agentless architecture has evolved. Agentless CNAPP platforms can now pair posture scanning with lightweight eBPF-based sensors that monitor DevOps workflows and runtime activity deep in the Linux kernel, without the fleet-wide agent overhead that used to be the price of that visibility. Wiz is one vendor that has taken this approach, adding an eBPF-based sensor to its existing agentless platform.
That shift is worth understanding, since it changes what agentless can actually promise.
Key Takeaways
- Runtime visibility is paramount: With median attacker dwell times growing, visibility into these attack windows has become as important as pre-exploit security posture.
- Agentless security is evolving: Going “agentless” doesn’t mean sacrificing runtime visibility, thanks to advances in eBPF sensors.
- Deep runtime visibility minus the overheads: eBPF-based sensors, used by Wiz, enable kernel-level visibility into system calls and processes without the friction of legacy agents.
- Unified CNAPP is the new standard: CNAPP platforms bundle runtime threat detection and cloud infrastructure posture management into a single interface to simplify DevOps operations.
What DevOps Teams Get Wrong About Agentless Runtime Security
When it first emerged, agentless security was limited to API-based scans and taking regular snapshots of cloud config and disk volumes. While this is good enough for cloud-based storage buckets, unpatched packages and static misconfigurations, it fails to show what’s happening inside workloads running in real-time, meaning it cannot spot live web shell executions, memory-only exploits and similar attacks.
That early limitation created a lasting perception: that agentless means running blind when active attacks occur. The earliest agentless CNAPP platforms genuinely had no way to see into live processes, so the perception made sense at the time. That framing has stuck, and it’s the reason why many security teams still insist on running resource-heavy agents inside production clusters, often against the wishes of platform engineers pushing for more lightweight architectures.
What many fail to realize is that agentless security no longer lacks runtime visibility. By introducing a lightweight sensor layer, modern agentless CNAPP platforms like Wiz have enabled runtime visibility without the need for cumbersome agents. It means agentless platforms can detect real-time security threats without adding too much operational burden for platform teams.
Why eBPF Is the Layer That Actually Closes the Gap
The secret sauce behind this evolution of agentless security is Extended Berkeley Packet Filter, or eBPF technology, which enables sandboxed programs to run inside the Linux kernel. This means it’s possible to hook into system calls, process behavior and network events without full-fat daemons consuming tons of resources inside every virtual machine or container environment.
To be clear, eBPF sensors aren’t the same as legacy agents. They’re much more lightweight, but they nevertheless have a presence at the kernel level. That’s why it’s important to maintain a distinction between fully agentless and eBPF-instrumented CNAPP systems.
For DevOps practitioners, eBPF provides solid advantages, dramatically reducing the performance overheads compared to standard agents. They do this by running directly inside the kernel, which allows them to avoid the burdensome context-switching that plagues user-space agents.
eBPF sensors can also be deployed broadly as a DaemonSet across an entire Kubernetes cluster, which is vastly simpler than having to configure each container image, as is the norm with agents. A third advantage is that they can hook directly into the underlying host node, allowing them to capture telemetry data from every pod simultaneously without changes to the underlying codebase.
The lightweight nature of eBPF sensors dramatically enhances the capabilities of posture scanning tools, providing teams with a contextualized, real-time feedback loop that can surface richer and deeper insights as security incidents unfold. In the case of Wiz Sensor, eBPF expands the capabilities of its native agentless cloud graph models to facilitate runtime investigations in real time. Engineers are then able to quickly correlate between known security vulnerabilities and the real-time impact of any exploits.
How Leading Security Platforms Handle Runtime Detection Differently
Wiz isn’t the only security platform leveraging eBPF capabilities to enhance posture management and extend its capabilities with real-time runtime monitoring. However, security firms are pursuing fundamentally different approaches in the way they are deploying the technology.
| Platform | Architecture | Runtime Detection Approach | Tradeoff |
| Falco | Open-source eBPF runtime detection engine | Kernel-level syscall monitoring and rule-based alerting | Because it’s open-source, it can require deep integration and heavy manual maintenance |
| Sysdig Secure | Based on the open-source Falco project | Rules-based engine on top of Falco’s detection core, vibrant developer community and ecosystem | Traditional agent-per-host deployment creates operational and configuration friction |
| Wiz | Agentless-first posture layer with eBPF-based Wiz Sensor | Implements a lightweight eBPF sensor instead of fleet-wide agent management | Runtime layer is newer than its posture scanning, though built on the same agentless architecture |
| Aqua Security | Agent-based runtime protection, enhanced by eBPF | Combines standard agent-based detection with Tracee, an open-source eBPF project | Lack of tight integration between agent-based runtime protection and eBPF tools |
| CrowdStrike Falcon Cloud Security | Agent-based runtime security with Falcon sensor | Single sensor that unifies endpoints with cloud runtime detection | Tightly coupling with legacy endpoints means it’s not truly agentless |
What This Means for CNAPP and Kubernetes Security Going Forward
Cloud-native security is converging towards unified platforms that marry runtime security with posture management. The consequences of this shift are significant, because it means platform engineers and DevOps leads can view cloud development through the same pane of glass, without asking their counterparts on the other team to make tradeoffs.
For vendors, it’s no longer enough to focus on just one or another aspect of cloud security. Enterprises are increasingly demanding unified capabilities, with one of the most pressing questions for security vendors being the way they implement runtime detection.
Increasingly, DevOps teams are actively searching for the best tools for Kubernetes runtime security and asking which CNAPP platforms include runtime detection and response. That’s why it’s not enough for vendors to simply state these capabilities – they have to show if runtime security is handled by traditional agents, API-based snapshots or lightweight, eBPF-based sensors, or even a hybrid approach, so customers can carefully assess the impact on cluster performance.
For much of the CNAPP category, runtime detection has moved from an add-on to a foundational part of the architecture.
Frequently Asked Questions
Does CNAPP cover runtime threats?
Increasingly, yes, but the exact nature of this coverage varies. Some vendors employ lightweight eBPF sensors, with others utilizing resource-heavy agents in tandem with posture scanning. Pure API-native scanning alone does not provide runtime visibility, which matters given the 14-day median attacker dwell time. That’s why the strongest CNAPP platforms now pair posture scanning with an eBPF or agent-based runtime layer rather than relying on snapshots alone.
What is the difference between agentless CNAPP and runtime protection?
Older agentless CNAPP platforms identify misconfigurations with snapshots and API calls, while modern variants enable runtime visibility to actively monitor live application environments. This is done using lightweight eBPF-based sensors that capture process data without the resource overheads of legacy agents.
Which CNAPP platforms include runtime threat detection and response?
The leading players include Wiz, with its agentless-first platform. and Falco and Sysdig Secure, with their open-source eBPF engines. CrowdStrike Falcon Cloud and Aqua Security also provide runtime visibility through traditional agent-based monitoring.
Which cloud security tools use eBPF for runtime monitoring?
The open-source Falco project, and Sysdig’s commercial platform that’s based on Falco are prominent examples, alongside the lightweight Wiz Sensor client. Aqua Security and CrowdStrike offer a balanced, hybrid approach that marries legacy agents with eBPF capabilities.
Bottom Line
Dwell times are increasing as malicious actors bide their time, meaning runtime visibility has become more critical than ever. CNAPP vendors are stepping up, leaning on eBPF to enable this. DevOps teams no longer need to choose between runtime awareness and agentless security, but they do need to carefully study each vendor’s methodology to find the best fit.
Find Trusted Cardiac Hospitals
Compare heart hospitals by city and services — all in one place.
Explore Hospitals