Every running pod, cryptographically itself.
STACK Lattice verifies the running binary's hash matches its signed SBOM, every minute, using Sigstore, in-toto, and eBPF — so tamper is caught at the kernel layer, not at the next scan window.
A signed SBOM is not the same as a verified runtime
Supply-chain tools stop at the build. Lattice keeps verifying after deploy — every minute, every pod, every drift.
Sigstore Signing
Build artifacts signed via Cosign. Verified at K8s admission, at pod start, and continuously at runtime.
In-Toto Provenance
Full chain: source commit → build job → image → running container. Every link cryptographically attested.
eBPF Runtime Verification
Live hash of the running binary compared to the signed SBOM. Every minute. Sub-millisecond per pod.
Rekor Transparency Log
Tamper-evident log of every signature event. Auditor-replayable; immutable; private or public instance.
Admission Gating
Kubernetes admission controller blocks unsigned, expired, or untrusted images before they reach scheduling.
Drift Alerts
Runtime hash mismatch surfaces with full lineage diff and one-command rollback to the last attested state.
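As an added illustration of the runtime check described under eBPF Runtime Verification and Drift Alerts (this is example code, not STACK Lattice's own implementation): the script below reads component hashes from a constructed CycloneDX-style SBOM, hashes the bytes observed at runtime, and classifies each binary as matching, drifted, or never attested. It assumes the SBOM's Cosign signature has already been verified; the SBOM, binaries, and the `check_drift` / `sbom_hashes` helper names are all constructed for this example.

```python
"""Runtime drift check: live binary hashes vs. the hashes recorded in a signed SBOM.

Constructed example, not STACK Lattice code. Signature verification of the SBOM
is assumed to have happened already; only the hash-continuity step is shown.
"""
import hashlib
import hmac


def sbom_hashes(sbom: dict) -> dict[str, str]:
    """Map component name -> expected SHA-256 hex from a CycloneDX-style SBOM.

    Components with no SHA-256 entry are skipped: without a hash the SBOM
    cannot attest them, so they fall into the 'unattested' class below.
    """
    expected: dict[str, str] = {}
    for comp in sbom.get("components", []):
        for h in comp.get("hashes", []):
            if h.get("alg") == "SHA-256":
                expected[comp["name"]] = h["content"].lower()
    return expected


def check_drift(sbom: dict, observed: dict[str, bytes]) -> dict[str, str]:
    """Classify each observed running binary as 'ok', 'drift', or 'unattested'."""
    expected = sbom_hashes(sbom)
    verdicts: dict[str, str] = {}
    for name, data in observed.items():
        if name not in expected:
            verdicts[name] = "unattested"   # running, but never in the signed SBOM
            continue
        live = hashlib.sha256(data).hexdigest()
        verdicts[name] = "ok" if hmac.compare_digest(live, expected[name]) else "drift"
    return verdicts


def make_sbom(binaries: dict[str, bytes]) -> dict:
    """Constructed CycloneDX-style SBOM recording each attested binary's SHA-256."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "application", "name": n,
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(b).hexdigest()}]}
        for n, b in binaries.items()]}


# Constructed fixtures: the attested build, and what is observed at runtime
# (api-server unchanged, sidecar patched in place, a binary never in the SBOM).
ATTESTED_BUILD = {"api-server": b"api-server build 77\n", "sidecar": b"sidecar build 12\n"}
SIGNED_SBOM = make_sbom(ATTESTED_BUILD)
RUNTIME = {"api-server": ATTESTED_BUILD["api-server"],
           "sidecar": ATTESTED_BUILD["sidecar"].replace(b"12", b"12-hotfix"),
           "debug-shell": b"dropped in after deploy\n"}

if __name__ == "__main__":
    for name, verdict in check_drift(SIGNED_SBOM, RUNTIME).items():
        print(f"{name}: {verdict}")
```

In a real deployment the `observed` bytes would come from the kernel-side hashing the page describes rather than from memory; the classification logic is the same.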
Questions teams ask before deploying
Straightforward answers about scope, integration, data handling, and rollout.
Isn't this just another K8s admission controller?
Admission is table stakes. The wedge is runtime hash continuity — we keep verifying after the pod is running, every minute.
How is this different from Sysdig or Aqua?
They detect runtime behavior anomalies. We attest runtime identity. Complementary, but the cryptographic chain we provide isn't something behavior tools can fake.
Performance impact?
Sub-millisecond per pod per minute via eBPF. No sidecar; no syscall interception; no measurable CPU hit on the workload.
Supported runtimes?
Docker, containerd, CRI-O, Kata, Firecracker. WASM via WAPC interceptors. Bare-metal binaries via systemd integration.