Defensia deploys as a DaemonSet and protects every node in your cluster. Ingress WAF, pod crash detection, NetworkPolicy audit, CVE scanning — all in one lightweight agent.
Host-level security + Kubernetes-native awareness. Nobody else combines both.
Reads nginx-ingress and Traefik access logs. One agent on the ingress node protects ALL services behind it. SQL injection, XSS, RCE, path traversal — detected and blocked.
Watches K8s events for CrashLoopBackOff, OOMKilled, ImagePullFailed, and pod evictions. Alerts in the same security dashboard.
Detects namespaces without NetworkPolicy — the #1 K8s security misconfiguration. Shown as warnings in the dashboard.
Matches installed software versions against NVD + EPSS + CISA KEV. Flags vulnerabilities before they are exploited.
Even in K8s, nodes have SSH. Defensia detects brute force attacks on node SSH with 15 patterns and auto-bans attackers.
Auto-discovers all Ingress hosts via K8s API. Each domain is monitored by WAF without any configuration.
"Falco tells you something happened. Kubescape tells you what's misconfigured. Defensia tells you both — and blocks the attack automatically."
Most tools do one thing. Defensia covers the full stack at a fraction of the price.
| Feature | Defensia | Falco | Kubescape | CrowdSec |
|---|---|---|---|---|
| SSH brute force protection | Yes | No | No | Partial |
| WAF (web attack blocking) | Yes | No | No | Partial |
| Ingress WAF (cluster-wide) | Yes | No | No | No |
| Pod event monitoring | Yes | Yes | No | No |
| CVE scanning | Yes | No | Yes | No |
| NetworkPolicy audit | Yes | No | Yes | No |
| Automatic IP blocking | Yes | No | No | Yes |
| Web dashboard | Yes | Partial | Yes | Partial |
| Multi-cluster view | Yes | No | Yes | No |
| Open source agent | MIT | Apache 2.0 | Apache 2.0 | MIT |
| Pricing | €9/node | Free | Free + paid | $900+/mo |
DaemonSet deploys one agent per node. Each agent reads host logs, queries the K8s API, and blocks attackers at 3 layers.
One command deploys an agent on every node. Privileged container with hostNetwork and hostPID for full node visibility. Auto-scales with your cluster.
Reads nginx-ingress/Traefik access logs for WAF analysis. Watches K8s events for CrashLoop and OOM. Audits NetworkPolicy. Monitors SSH on each node.
Layer 1: iptables blocks SSH attacks on the node. Layer 2: ConfigMap deny list blocks web traffic at the ingress controller. Layer 3: WebSocket propagates bans across all nodes and servers.
Per-node, same as bare metal. No per-pod or per-namespace fees.
1 domain protected by WAF
10 domains per node
Billed annually
No. The agent uses a ClusterRole with read-only access: pods, nodes, events, ingresses, namespaces, networkpolicies, and configmaps. It never creates, modifies, or deletes any Kubernetes resource.
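One way to check a ClusterRole against the read-only claim above, as an added example (not Defensia's code or manifests). It assumes the role is in the shape returned by `kubectl get clusterrole <name> -o json`; the role names and sample rules are constructed.

```python
# Verbs that only read state; anything else (including "*") can change the cluster.
READ_VERBS = {"get", "list", "watch"}
# Resources the page says the agent's ClusterRole covers.
STATED_RESOURCES = {"pods", "nodes", "events", "ingresses", "namespaces",
                    "networkpolicies", "configmaps"}

def audit_cluster_role(role):
    """Return findings for rules that exceed read-only access to STATED_RESOURCES."""
    findings = []
    for i, rule in enumerate(role.get("rules") or []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        for verb in sorted(verbs - READ_VERBS):
            findings.append(f"rule {i}: non-read verb '{verb}' on {sorted(resources)}")
        # Exact match only, so subresources such as pods/exec are flagged too.
        for res in sorted(resources - STATED_RESOURCES):
            findings.append(f"rule {i}: resource '{res}' is outside the stated list")
        if rule.get("nonResourceURLs"):
            findings.append(f"rule {i}: grants nonResourceURLs {rule['nonResourceURLs']}")
    return findings

# Constructed sample roles (hypothetical names), not taken from any real chart.
READ_ONLY_ROLE = {"metadata": {"name": "example-agent-readonly"}, "rules": [
    {"apiGroups": [""], "verbs": ["get", "list", "watch"],
     "resources": ["pods", "nodes", "events", "namespaces", "configmaps"]},
    {"apiGroups": ["networking.k8s.io"], "verbs": ["get", "list", "watch"],
     "resources": ["ingresses", "networkpolicies"]},
]}
OVERBROAD_ROLE = {"metadata": {"name": "example-agent-overbroad"}, "rules": [
    {"apiGroups": [""], "verbs": ["get", "update"], "resources": ["configmaps"]},
    {"apiGroups": [""], "verbs": ["get"], "resources": ["secrets", "pods/exec"]},
    {"apiGroups": ["*"], "verbs": ["*"], "resources": ["*"]},
]}

if __name__ == "__main__":
    for role in (READ_ONLY_ROLE, OVERBROAD_ROLE):
        findings = audit_cluster_role(role)
        print(role["metadata"]["name"], "OK" if not findings else "FINDINGS")
        for finding in findings:
            print("  " + finding)
```

To audit a deployed role, load the `kubectl` JSON output with `json.load` and pass the resulting dict to `audit_cluster_role`.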
The K8s binary is ~33MB (includes client-go). The container image is based on Alpine and weighs about 40MB. Memory usage is typically 50-100MB per node.
Yes. The DaemonSet runs on worker nodes in any K8s cluster. Tested on DigitalOcean DOKS, and compatible with EKS, GKE, AKS, and self-managed clusters.
The agent on the ingress controller node reads nginx-ingress or Traefik access logs directly from container log files (/var/log/pods/). When it detects an attack, the IP is blocked at 3 layers: iptables on the node (SSH protection), a ConfigMap with nginx deny rules (ingress-level blocking — the attacker gets 403 before reaching any pod), and WebSocket propagation to all other nodes and servers.
The DaemonSet automatically schedules an agent on the new node. It registers with Defensia using your API key. If you exceed your paid node slots, registration is blocked until you upgrade.
Yes. Defensia operates at a different layer — it reads access logs and blocks IPs via iptables. Falco monitors syscalls. Kubescape scans configurations. They complement each other.
Free: 1 domain per node. Pro: 10 domains per node. If your ingress has more than 10 domains, the extra ones are detected but not protected by WAF until you add another node slot.
One Helm command. DaemonSet on every node. Free for your first node.