Every running pod, cryptographically itself.
STACK Lattice verifies the running binary's hash matches its signed SBOM, every minute, using Sigstore, in-toto, and eBPF — so tamper is caught at the kernel layer, not at the next scan window.
Signed SBOM is not the same as a verified runtime
Supply-chain tools stop at the build. Lattice keeps verifying after deploy — every minute, every pod, every drift.
Sigstore Signing
Build artifacts signed via Cosign. Verified at K8s admission, at pod start, and continuously at runtime.
In-Toto Provenance
Full chain: source commit → build job → image → running container. Every link cryptographically attested.
eBPF Runtime Verification
Live hash of the running binary compared to the signed SBOM. Every minute. Sub-millisecond per pod.
Rekor Transparency Log
Tamper-evident log of every signature event. Auditor-replayable; immutable; private or public instance.
Admission Gating
Kubernetes admission controller blocks unsigned, expired, or untrusted images before they reach scheduling.
Drift Alerts
Runtime hash mismatch surfaces with full lineage diff and one-command rollback to the last attested state.
→ Pods: 142 running, 142 scanned
→ Signatures: 139 Cosign signatures VALID, 3 MISSING
→ SBOM match: 138 runtime hashes match signed SBOM VERIFIED
→ Drift: pod/api-gateway-7b4d (image: v2.14.1) hash MISMATCH
→ Provenance: in-toto chain verified — commit → build → image L4 SLSA
→ Rekor: 142 attestation events anchored to log entry 22,481,007
→ ACTION drift alert fired — rollback to last attested state available
From unsigned to fully attested, in three weeks
Lattice layers onto your existing CI/CD and Kubernetes. Cosign signs at build, admission blocks at deploy, eBPF verifies at runtime — three layers, one chain.
1. Sign
Cosign integrated into your CI pipeline. Every new build signed at push. Private Rekor transparency log provisioned.
Week 12. Gate
Kubernetes admission controller deployed. Unsigned, expired, or untrusted images blocked before they reach scheduling.
Week 23. Verify
eBPF runtime verifier deployed. Continuous hash checks every minute. First drift report delivered with lineage diff.
Week 3Questions teams ask before deploying
Straightforward answers about scope, integration, data handling, and rollout.
Isn't this just another K8s admission controller?
Admission is table stakes. The wedge is runtime hash continuity — we keep verifying after the pod is running, every minute.
How is this different from Sysdig or Aqua?
They detect runtime behavior anomalies. We attest runtime identity. Complementary, but the cryptographic chain we provide isn't something behavior tools can fake.
Performance impact?
Sub-millisecond per pod per minute via eBPF. No sidecar; no syscall interception; no measurable CPU hit on the workload.
Supported runtimes?
Docker, containerd, CRI-O, Kata, Firecracker. WASM via WAPC interceptors. Bare-metal binaries via systemd integration.