Innovations to our Modern Agent


When choosing how to secure your cloud, you have many options. However the focus should be on getting the entire breadth and depth of data needed to secure your cloud environments and workloads throughout build time and runtime.

For starters, do you know what data you need to effectively monitor and detect misconfigurations, vulnerabilities, and threats in your cloud environment?

Agentless solutions gather data on cloud configurations and compliance to support cloud security posture management (CSPM) while agents collect data on hosts and containers to protect your workloads from vulnerabilities and threats. Unfortunately, some vendors force you to choose between agents and an agentless approach when in reality a combined approach gives you the benefits of comprehensive visibility and security across your entire cloud environment.

Simply put, Lacework agents get the data that an agentless-only approach simply can’t access.

Agent Innovations

You might avoid some security agents that have (sometimes rightfully) earned the reputation for being heavy, clunky, and downright inefficient. Accepting such an impact on workload performance and reliability, especially without complete visibility, is unacceptable in modern cloud security.

For this reason, Agents must be lightweight, agile, and easily deployed in all cloud workloads, containerized environments, and serverless technologies, to be effective. Enter the Lacework agent.

Get the Data You Need

Easy to set up and quick to provide enhanced visibility, Lacework agents enable you to continuously monitor, detect, and investigate known and unknown threats in workloads and containers within minutes. Once installed on your hosts or within containers, our agents scan and pull relevant data from your environment to build a customized baseline of normal behavior. We then continually monitor and compare the new data to your specific baseline to provide detailed alerts of anomalous behaviors with our patented Polygraph® technology.

In addition to anomaly-based detection, we offer policy-based detection. This allows you to create custom policies for specific unwanted behaviors, enable Lacework-defined policies, and enable or disable policies or fine-tune alerts to your chosen criteria to focus on particular assets. And finally, we utilize ReversingLabs threat feeds to detect known bad IPs, crypto mining, and harmful file hashes and to alert you of any Indicators of Compromise (IOCs).

All this data is essential to help you understand what’s happening on your systems through:


  • Host intrusion detection (HIDS)
  • File integrity monitoring (FIM)
  • User, application, and process behavior monitoring
  • Network anomaly detection
  • Kubernetes, containers, and workloads runtime visibility
  • Host vulnerability (with runtime correlation, CI/CD integration)

While not enough (or the wrong) data leaves you vulnerable, too much data can make it nearly impossible to separate the critical alerts from the rest of the noise. To simplify cloud security, Lacework agents collect, analyze, and present data to you with the necessary context to make it actionable. For example, if a machine sends data to an unknown IP, or if a user logs in from a never before used IP, that abnormal behavior will trigger an alert that comes with the necessary details required to investigate and quickly find a resolution.

Lacework Agents Keep Getting Better

Our engineers are continually innovating to update our agents and regularly releasing enhanced new versions. Modern Lacework agents not only detect and alert on behavioral anomalies but also vulnerabilities like Log4J. Recent upgrades focus on expanded support, improved efficacy, more effective detections, and new deployment mechanisms.

Extended Berkeley Packet Filter (eBPF) is a Linux kernel technology that improves observability, networking, security and runs sandboxed programs in an operating system kernel. It eliminates the need to change kernel source code or add modules, so you can create a richer infrastructure to support your system without overcomplication. With the most recent Lacework agents supporting eBPF, we’ve fundamentally changed network observability and how security data is delivered in containers. It enables us to observe and attribute connections and processes more efficiently. The result is additional data that offers deeper visibility, better context, and more accuracy with less alert noise, thanks to the power of the Lacework Polygraph.

AWS Fargate EKS

is a serverless Compute Engine that provides on-demand, right-size compute capacity for Kubernetes (K8s) and containerized applications. By adding Amazon EKS support, in addition to Fargate ECS, Lacework delivers full visibility into EKS Fargate clusters – allowing you to visualize the data in our UI. Additionally, we offer multiple deployment mechanisms, including the option to embed the agent and as a sidecar injected in the K8s Pod deployed in EKS Fargate.


is an implementation of the Kubernetes Container Runtime Interface (CRI) to enable using compatible runtimes. It provides a lightweight alternative to using Docker as the runtime for K8s, and it supports Open Container Initiative (OCI) images. With the recent depreciation of Docker, and other container runtimes gaining popularity, Containerd and CRI-O are two runtimes that have seen increased adoption. Lacework’s support for CRI-O gives you complete visibility across the major runtime interfaces.

Container Networking Interface (CNI)

is a way of implementing the K8s network model. When workloads are deployed on K8s, the containers are using one of these CNIs for communication. We can now collect richer data –attribute pod communication while reducing the connection data noise. Then we process that data with our Polygraph behavioral modeling and alert you when there truly is a problem in your K8s workloads. Modern Lacework agents have added support for pod to pod traffic, incoming pod traffic, pod to external traffic, host processes to pod, and other variations in a variety of K8s deployments. This recent release also enables Lacework to add support for additional CNIs you might be using – EKS, Weavenet, Calico, Flannel, Kubelet (default K8s), Cilium, and GKE variants that use default K8s/aliases. CNI support allows for better behavior modeling with Lacework’s Polygraph, improved attribution to pods, less CPU usage, and reduced connection data noise – all within seconds.

Multi-Package Repo to Download Any Agent Version

is a browsable repo with multiple agent release versions. You can easily pick, compare, and choose which agent versions to install and run – making it easy to integrate with your existing deploy workflows.

Easier Deployment with Helm Charts

allows you to download and install the Lacework agent using Helm commands alone without needing to manually edit any config files. It also provides configurable options including storing the agent token as a Kubernetes Secret, configure sending diagnostic logs to stdout, and opt-out of auto-upgrade through Helm charts.

Lacework’s commitment to continuous improvement allows us to meet our customers when and wherever they are. When it comes to zero day or recently discovered vulnerabilities (such as Log4j), we know it’s critical to find out if you’ve been compromised as soon as possible. Thankfully our combination of agents and our agentless approach provides a comprehensive view of the systems across your cloud environment to scan for signs of compromise and reduce risk in real time.

No matter your cloud environment or workloads, we are excited to continually bring you even more expanded coverage and innovation. So be sure to check back regularly to learn about our most current product features and enhancements.

Copyright 2022 Lacework Inc. All rights reserved.