www.elastic.co 3/18/2026, 8:16:01 PM · via preferred

Linux & Cloud Detection Engineering - Getting Started with Defend for Containers (D4C)


According to Elastic Security Labs, Linux & Cloud Detection Engineering – Getting Started with Defend for Containers (D4C) introduces Defend for Containers as a runtime security integration, released in version 9.3.0, with a focus on containerized Linux workloads and Kubernetes environments.

The article, dated 19 March 2026 and authored by Ruben Groenewoud, explains that Defend for Containers captures runtime events from running containers, enriches them with container and orchestration context, and streams them into Elasticsearch for detection analysis. It covers deploying the integration via Elastic Agent in Kubernetes, configuring a policy with selectors and responses, and using a Kubernetes manifest that requires specific capabilities such as BPF, PERFMON, and SYS_RESOURCE in securityContext.
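Because the agent manifest grants Linux capabilities in `securityContext`, a practitioner deploying it will want to confirm that the workload asks for exactly the capabilities the integration needs (BPF, PERFMON, SYS_RESOURCE per the summary) and nothing broader such as `privileged: true`. The following audit script is an added example, not code from the Elastic article or the D4C integration; the embedded DaemonSet manifest is constructed for illustration, and its name, namespace and image are placeholders, not the real D4C manifest.

```python
"""Audit a Kubernetes workload manifest for the Linux capabilities a runtime
security agent requests. Added example with a constructed manifest; it is not
Elastic's own D4C manifest."""
import json

# Capabilities the article summary says the Defend for Containers manifest needs.
REQUIRED_CAPS = {"BPF", "PERFMON", "SYS_RESOURCE"}

# Constructed sample manifest in JSON form (Kubernetes accepts JSON as well as
# YAML). The name, namespace and image are hypothetical placeholders.
SAMPLE_MANIFEST = """
{
  "apiVersion": "apps/v1",
  "kind": "DaemonSet",
  "metadata": {"name": "example-runtime-agent", "namespace": "kube-system"},
  "spec": {
    "template": {
      "spec": {
        "containers": [
          {
            "name": "agent",
            "image": "example.invalid/agent:placeholder",
            "securityContext": {
              "privileged": false,
              "allowPrivilegeEscalation": false,
              "capabilities": {
                "add": ["BPF", "PERFMON", "SYS_RESOURCE"],
                "drop": ["ALL"]
              }
            }
          }
        ]
      }
    }
  }
}
"""


def _normalize(cap: str) -> str:
    # Kubernetes lists capabilities without the CAP_ prefix, but tolerate it.
    return cap.upper().removeprefix("CAP_")


def container_specs(manifest: dict):
    """Yield container specs from a bare Pod or a templated workload
    (Deployment, DaemonSet, StatefulSet, Job)."""
    spec = manifest.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)
    for key in ("initContainers", "containers"):
        for container in pod_spec.get(key, []):
            yield container


def audit_capabilities(manifest_text: str, required=REQUIRED_CAPS) -> dict:
    """Return per-container findings: required caps that are missing, extra
    caps beyond the required set, whether ALL is dropped first, and the
    privileged / allowPrivilegeEscalation flags that would make a narrow
    capability list meaningless."""
    manifest = json.loads(manifest_text)
    findings = {}
    for container in container_specs(manifest):
        sc = container.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        added = {_normalize(c) for c in caps.get("add", [])}
        dropped = {_normalize(c) for c in caps.get("drop", [])}
        findings[container["name"]] = {
            "missing": sorted(required - added),
            "extra": sorted(added - required),
            "drops_all": "ALL" in dropped,
            "privileged": bool(sc.get("privileged", False)),
            # Kubernetes defaults allowPrivilegeEscalation to true when unset.
            "allow_privilege_escalation": sc.get("allowPrivilegeEscalation", True),
        }
    return findings


def is_least_privilege(findings: dict) -> bool:
    """True only if every container has exactly the required caps, drops ALL,
    is not privileged, and explicitly disables privilege escalation."""
    return bool(findings) and all(
        not f["missing"]
        and not f["extra"]
        and f["drops_all"]
        and not f["privileged"]
        and f["allow_privilege_escalation"] is False
        for f in findings.values()
    )


if __name__ == "__main__":
    result = audit_capabilities(SAMPLE_MANIFEST)
    for name, finding in result.items():
        print(name, finding)
    print("least privilege:", is_least_privilege(result))
```

Run it against the real manifest by replacing `SAMPLE_MANIFEST` with the output of `kubectl get daemonset <name> -n <namespace> -o json`; a container that sets `privileged: true` or adds capabilities outside the required set is reported so the deployment can be tightened before the agent is rolled out cluster-wide.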

The piece notes that Defend for Containers is in Beta, with support currently limited to Amazon EKS and Google GKE; that file event telemetry is not available on AKS deployments; and that network events are not captured in this Beta. It also outlines the policy structure and demonstrates how selectors and responses combine to express detection logic, emphasising runtime behaviour over static indicators.


Article by CyberSIXT