Kubescape 4.0: Runtime Threat Detection and AI Agent Security Scanning Now GA
Kubescape 4.0 has reached general availability with two major capabilities: Runtime Threat Detection and Kubescape Storage, the latter providing a dedicated Kubernetes Aggregated API layer for storing security metadata — SBOMs, vulnerability manifests, and runtime profiles — completely separate from etcd. The threat detection engine uses Common Expression Language rules evaluated against Application Profiles that are built from observed syscalls, network connections, HTTP traffic, and filesystem activity. The result is a 95 percent reduction in CVE noise, surfacing only the vulnerabilities that are genuinely reachable in a running environment rather than every theoretical flaw in the dependency tree.
The headline addition for AI practitioners is what Kubescape is calling the industry's first dedicated security scanning for AI agents running on Kubernetes, powered by KAgent, a CNCF Sandbox project. As agent frameworks like LangGraph, CrewAI, and AutoGen increasingly deploy workloads to Kubernetes, the attack surface grows to include MCP pathways, tool invocation chains, and agent-to-agent communication — all surfaces that generic container security tools were not designed to reason about. Kubescape 4.0 is the first platform to offer runtime guardrails specifically scoped to these agentic execution patterns.
For security-conscious teams managing agent infrastructure on Kubernetes, Kubescape 4.0 is worth evaluating as a first-class part of the platform stack rather than an afterthought. The GA release is available now through the CNCF ecosystem.