Gitlab hero border pattern left svg Gitlab hero border pattern right svg

Product Stage Direction - Defend

Protecting cloud-native applications, services, and infrastructure

GitLab Defend enables organizations to proactively protect their cloud-native environments by providing context-aware technologies to reduce your overall security risk. Defend is a natural extension of your existing operation's practices and provides security visibility across the entire DevSecOps lifecycle. This empowers your organization to apply DevSecOps best practices with visibility from the first line of code written all the way through monitoring and protecting your applications deployed into operations.

Defend Overview

Stage Overview

The Defend Stage focuses on providing security visibility across the entire DevSecOps lifecycle as well as providing monitoring and mitigation of attacks targeting your cloud-native environment. Defend reduces overall security risk by enabling you to be ready now for the cloud-native application stack and DevSecOps best practices of the future. This is accomplished by:


The Defend Stage is made up of two groups supporting the major categories focused on cloud-native security including:

Resourcing and Investment

The existing team members for the Defend Stage can be found in the links below:

3 Year Stage Themes

Cloud native first

Defend will focus first on providing reactive security solutions that are cloud native. Whenever possible, Defend capabilities will be cloud platform agnostic, including support for self-hosted cloud native environments.

Visibility first, protection second

Defend will focus on detecting and alerting on malicious traffic and activity as a first step followed by introducing prevention as a second step. This is valuable to you because it means that you can introduce Defend within your cloud native applications, services, and infrastructure gradually over time without disrupting your end users. This allows you to examine the alerts generated by Defend using detection policies to ensure all security settings are appropriate and accurate for your cloud native deployment prior to moving to protection policies. This allows you to eliminate false positives and prevents your users from having a poor user experience with your applications and services. Furthermore, Defend will provide you with evidence of malicious traffic and activity as well as any actions taken, allowing you to meet and exceed your compliance goals and requirements.

As examples, GitLab will provide:

Blur the line between development and security operations

One of the key advantages to GitLab being a single application for the entire DevOps lifecycle is that all of our stages are tightly integrated. This empowers Defend to both provide information into other stages, such as Plan, as well as to receive information from other stages, such as Secure.

Defend will leverage knowledge from the Secure Stage and provide virtual patching of security policies within Defend Categories. Additionally, Defend will eventually leverage Secure scanning capabilities to provide on-going scanning of applications after they have been deployed to production. This allows for detection of any new threat vectors or vulnerabilities that were published after the original push to production.

Defend will identify and protect against threats as they happen, and will also strive to provide actionable next steps to close a vulnerability or point of exploit, not just defend it.

Not only does shifting left and acting on results earlier give your apps better security, it helps enable collaboration with everyone at your company. We believe that security is everyone's responsibility and that everyone can contribute. Informing other stages is a powerful way to do this.

As examples, GitLab will provide:

Improve OSS security standards

Defend will leverage OSS security projects to build our solutions. Defend will contribute improvements to these projects upstream helping everyone be more secure.

For example, GitLab recently added a Policy Audit Mode to the upstream open source Cilium project to allow users to test their policies before enforcing them.

Emphasize usability and convention over configuration

Defend capabilities will be pre-configured to provide value to protecting your applications. Rather than require you to read documentation manuals and provide complex configuration files, GitLab will always provide reasonable defaults out of the box.

We will provide the ability for advanced and customized configurations, but these will only be needed based on your specific use case and when you feel comfortable doing so.

3 Year Strategy

Effectively protecting applications running in production requires the following key software capabilities that will be developed over the next 3 years:

  1. A streamlined workflow for triaging, investigating, and mitigating application attacks. This workflow will be tightly integrated into the rest of the GitLab product.
  2. Seamless two-way integrations with other security products to both allow GitLab to share alerts with other tools as well as to allow other tools to share information about attacks with GitLab.
  3. A best-in-class policy editor that is both powerful and easy to use. By providing clear information about what policies are deployed, misconfigurations and accidental security holes can be avoided.
  4. Analytics that save time and reduce errors by leveraging GitLab's knowledge of the application code to reduce false positives by tuning policies, effectively prioritizing alerts, and auto-suggesting security best practices.
  5. In-depth introspection into the overhead, uptime, and performance of Defend technologies to ensure that security protections are always up and running without interfering with application performance.
  6. Enterprise-grade user permissions, audit logging, change control, and reporting to ensure that the GitLab application itself is safe from threats.
  7. Managed Security Service Provider (MSSP) support to allow partners to effectively and efficiently monitor the security posture of their clients' applications.


Defend is focused on providing enterprise-grade security capabilities to protect production environments. The intent is to provide enough value in paid features so as to allow Defend to contribute in a significant way over the next 3 years toward GitLab's company-level financial goals.

Although paid features are the primary focus, there are several reasons why features for unpaid tiers might be prioritized above paid features:

  1. The Defend stage has a powerful potential to help improve the security of projects everywhere. Features with the potential to significantly improve the secuity posture of all projects will be highly prioritized and made available in a unpaid tier.
  2. To continue to be good stewards in the open source community, any basic integration with open source projects will be available in an unpaid tier, along with the "table stakes" set of functionality required to allow that feature to be usable with GitLab.


This tier is the primary way to increase broad adoption of the Defend stage, as well as encouraging community contributions and improving security across the entire GitLab user base.

As a general rule of thumb, features will fall in the Core/Free tier when they meet one or more of the following criteria:

Some examples include:


This tier is not a significant part of Defend's pricing strategy.


This tier is not a significant part of Defend's pricing strategy.


This tier is the primary focus for the Defend stage as the security posture of an organization is typically a primary concern of the executive team and even the board of directors. Just as a major security incident has far reaching consequences that impact the entirety of an organization, the features and capabilities that successfully protect against those types of attacks tend to be valued with equal weight. The types of capabilities that fall in the Ultimate/Gold tier vs an unpaid tier should be those that are necessary for an organization, rather than an individual, to provide for adequate security of their production environment.

As a general rule of thumb, features will fall in the Ultimate/Gold tier when they meet one or more of the following criteria:

Some examples include:


There are a few product categories that are critical for success here; each one is intended to represent what you might find as an entire product out in the market. We want our single application to solve the important problems solved by other tools in this space - if you see an opportunity where we can deliver a specific solution that would be enough for you to switch over to GitLab, please reach out to the PM for this stage and let us know.

Each of these categories has a designated level of maturity; you can read more about our category maturity model to help you decide which categories you want to start using and when.


A Web Application Firewall (WAF) can examine traffic being sent to your web application and can detect then block malicious traffic before it reaches them. The ModSecurity WAF is installed via Auto DevOps behind the ingress controller in your Kubernetes cluster. It is configured by default to run the OWASP ModSecurity core ruleset. This category is at the "minimal" level of maturity.

Priority: medium • DocumentationDirection

Container Host Security

Detect and respond to security threats at the Kubernetes, network, and host level. This category is at the "minimal" level of maturity.

Priority: high • Direction

Container Network Security

Container network security allows the implementation of network policies in Kubernetes to detect and block unauthorized network traffic between pods and to/from the Internet. This category is at the "minimal" level of maturity.

Priority: medium • DocumentationDirection


User and Entity Behavior Analytics (UEBA) is a solution that uses machine learning and other technologies to detect, alert, and block on anomalous behavior by users and systems. This category is planned, but not yet available.

Priority: high • Direction

Upcoming Releases

13.2 (2020-07-22)

13.3 (2020-08-22)

Other Interesting Items

There are a number of other issues that we've identified as being interesting that we are potentially thinking about, but do not currently have planned by setting a milestone for delivery. Some are good ideas we want to do, but don't yet know when; some we may never get around to, some may be replaced by another idea, and some are just waiting for that right spark of inspiration to turn them into something special.

Remember that at GitLab, everyone can contribute! This is one of our fundamental values and something we truly believe in, so if you have feedback on any of these items you're more than welcome to jump into the discussion. Our vision and product are truly something we build together!

GIT is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license