Gitlab hero border pattern left svg Gitlab hero border pattern right svg

Category Direction - Container Behavior Analytics


Stage Defend
Maturity Planned
Content Last Reviewed 2020-03-11

Introduction and how you can help

Thanks for visiting this category direction page on Container Behavior Analytics in GitLab. This page belongs to the Container Security group of the Defend stage and is maintained by Sam White (

This direction page is a work in progress, and everyone can contribute:


Container Behavior Analytics (CBA) refers to the ability to detect, report, and respond to attacks on containerized infrastructure and workloads. Techniques include use of one or more types of intrusion detection systems (IDS) to detect attacks. The IDS may be supplemented with custom-built monitoring capabilities and/or behavior analytics to improve the efficacy and scope of detected attacks.

An IDS is a device or software application that monitors a network or systems for malicious activity or policy violations. Malicious activity can then be reported back to an Administrator either through GitLab or through a security information and event management (SIEM) system. IDS types range in scope from single computers to large networks. The most common classifications are network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). Some leverage honeypots to attract and characterize malicious traffic. Some strictly leverage signature-based detection, while others use machine learning to automatically detect anomalies.

An ideal Container Behavior Analytics solution would include all types of intrusion detection systems to provide defense-in-depth and protection against a wide range of attacks. Additional analytics can be layered on top of the data collected from an IDS to help filter out false positives and to recommend new rules to reduce false negatives.

Target Audience


Challenges to address


Where we are Headed

We are planning to integrate an IDS into our product as a first step. We will then integrate the IDS with other GitLab categories, such as the Logging category (to surface logs in GitLab) and the Vulnerability Management category (to surface alerts in GitLab).

Longer-term we plan to add additional behavior analytics on top of our IDS to improve our threat detection capabilities.

What's Next & Why

We will start by integrating the Falco IDS as the first step in this category. This provides some initial IDS capabilities that can be added to and refined in the future.

What is Not Planned Right Now

We are not currently planning to do the following:

Maturity Plan

Planned to Minimal

User success metrics


Why is this important?


Competitive Landscape


Analyst Landscape


Top Customer Success/Sales issue(s)


Top user issue(s)


Top internal customer issue(s)


Top Strategy Item(s)

We will need to integrate an IDS as an important first step toward our strategy. Likely we will leverage the Falco IDS.

Additional strategy items will be uncovered as we do more research in this area.