04/15/2025 | News release | Distributed by Public on 04/15/2025 13:00
Securing cloud environments at runtime is no easy feat. Unlike traditional infrastructure, cloud workloads are dynamic, ephemeral, and often span multiple platforms - making continuous visibility a moving target.
Adversaries continue to set their sights on cloud: According to the CrowdStrike 2025 Global Threat Report, new and unattributed cloud intrusions were up 26% year-over-year in 2024, indicating more threat actors seek to exploit cloud services. As a result, organizations are increasingly turning to cloud detection and response (CDR) solutions to defend their environments in real time.
Cloud intrusions rarely happen in isolation. They're often one part of a broader, cross-domain attack that weaves through endpoints, identities, and workloads. A modern CDR solution must be able to protect cloud environments from threats at runtime and integrate into a larger detection and response ecosystem so SOC teams can address threats across all domains.
Effective CDR strengthens a SOC team's ability to detect early signs of compromise within cloud environments, such as unauthorized process execution or lateral movement within workloads. These insights, when correlated with signals from other domains, can reveal adversary footholds before attackers pivot to critical resources like the cloud control plane.
So how do you build a cloud runtime protection strategy that supports this level of cross-domain defense? It starts with understanding the two main types of cloud monitoring - agent-based and agentless - and how combining them delivers greater visibility, precision and protection.
Agent-based Monitoring
Agent-based monitoring embeds a lightweight sensor directly on the host to deliver rich, real-time telemetry. These agents operate in kernel mode or use technologies like extended Berkeley Packet Filter (eBPF) to observe low-level system activity. This granular visibility allows teams to track everything from process execution and file system changes to network behavior.
What makes this approach especially powerful is its ability to both detect and actively block malicious activity. Because it operates at the kernel level, an agent-based sensor observes system calls, process execution, and related kernel events, so it can intercept and terminate suspicious processes in real time - stopping an attacker before damage is done.
Agentless Monitoring
Agentless monitoring, on the other hand, leverages cloud-native APIs, snapshots, and metadata to assess environments without installing anything on workloads. This method is ideal for understanding cloud security posture, identifying misconfigurations, and gaining broad coverage across multi-cloud environments.
However, agentless approaches rely on periodic polling, not real-time visibility. As a result, they will miss fast-moving attack sequences within workloads if used alone.
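To make the polling gap concrete, here is an added example (not part of this release and not CrowdStrike code) that models two observers over one constructed container timeline: an agentless poller that snapshots the process table every `interval` seconds, and a streaming agent that receives every process start and exit as it happens. The process names and timings are made up for illustration.

```python
"""Why periodic polling misses short-lived activity inside a workload.

Added example, not CrowdStrike code. The timeline, pids and process names
below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process lifecycle event; t is seconds since the container started."""
    t: float
    pid: int
    name: str
    action: str  # "start" or "exit"


# Constructed timeline: a 2.5-second download step followed by a worker that
# runs for about 90 seconds and is gone long before a five-minute poll.
TIMELINE = [
    ProcessEvent(0.0, 1, "app-server", "start"),
    ProcessEvent(61.0, 42, "curl", "start"),
    ProcessEvent(63.5, 42, "curl", "exit"),
    ProcessEvent(64.0, 43, "xmr-worker", "start"),
    ProcessEvent(150.0, 43, "xmr-worker", "exit"),
]


def snapshot_view(events, interval, horizon):
    """Return {snapshot_time: names alive at that instant}, as a poller sees it.

    `events` must be sorted by time. A process is visible only if a snapshot
    lands between its start and its exit.
    """
    observed = {}
    t = 0.0
    while t <= horizon:
        alive = set()
        for e in events:
            if e.t > t:
                break
            if e.action == "start":
                alive.add(e.name)
            else:
                alive.discard(e.name)
        observed[t] = alive
        t += interval
    return observed


def stream_view(events):
    """Return every process ever started, as a streaming agent sees it."""
    return {e.name for e in events if e.action == "start"}


def polled_names(events, interval, horizon):
    """Union of everything any snapshot caught."""
    names = set()
    for alive in snapshot_view(events, interval, horizon).values():
        names |= alive
    return names


def missed_by_polling(events, interval, horizon):
    """Processes the streaming agent saw that no snapshot ever did."""
    return stream_view(events) - polled_names(events, interval, horizon)


if __name__ == "__main__":
    for interval in (300, 60):
        print(f"poll every {interval}s, missed:",
              sorted(missed_by_polling(TIMELINE, interval, 600)))
```

With a five-minute poll both the download step and the worker are invisible; even a one-minute poll still misses the 2.5-second download step, because no snapshot lands inside that window. The streaming view has both regardless of interval, which is the property the runtime sensor is buying you.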
The Case for a Hybrid Approach
Cloud-conscious threat actors are consistently attempting to evade detections and security controls. In 2024, CrowdStrike observed the emergence and continued development of more stealthy initial access and credential collection techniques, enabling further defense evasion in cloud intrusions.[1] With this in mind, a truly adversary-first cloud defense strategy would require a combination of agent-based and agentless monitoring to identify and stop malicious activity that may otherwise seem legitimate.
Consider this scenario:
An attacker compromises a CI/CD pipeline by injecting malicious code into a trusted build process. That code silently deploys a cryptominer into a container running on a cloud-native compute instance. Because the deployment originates from a legitimate pipeline, the activity appears routine in cloud logs - making it easy to miss with agentless data alone.
However, agent-based telemetry detects unusual behavior within the container, such as sustained high CPU usage and network connections to malicious domains. These runtime signals, when correlated with context from agentless sources, provide a high-confidence detection of a cryptomining attack in progress.
This combined visibility enables security teams to:
With agentless insights, teams can respond at scale by revoking exposed credentials and enforcing stricter IAM and pipeline security policies across the environment.
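The correlation described in the scenario above, and the response step that follows it, as an added example (not part of this release and not CrowdStrike code). All inputs are constructed: per-container CPU samples, DNS queries and process starts stand in for agent telemetry; a deployment record stands in for the pipeline and cloud-API context an agentless source would supply; `KNOWN_BAD_DOMAINS` is a placeholder for a threat-intelligence feed, not real indicators. The scoring rule is the example's own: a lone runtime signal stays at medium confidence, and only a runtime signal that agrees with agentless context (or two independent runtime signals) is raised to high.

```python
"""Correlating runtime telemetry with agentless context.

Added example, not CrowdStrike code. Every input below is constructed, and
the domains are placeholders rather than real indicators.
"""
from dataclasses import dataclass


@dataclass
class RuntimeTelemetry:
    """What the in-workload sensor reports for one container (constructed)."""
    container: str
    cpu_samples: list     # percent of one core, one sample every 30 s
    dns_queries: list     # domains resolved from inside the container
    new_processes: list   # process names started since the deployment


@dataclass
class DeploymentContext:
    """What agentless sources know about the same container (constructed)."""
    container: str
    pipeline: str               # CI/CD pipeline that produced the image
    image_digest_changed: bool  # image differs from the last approved build
    expected_processes: list    # what this service normally runs


KNOWN_BAD_DOMAINS = {"pool.example-bad-miner.test"}  # placeholder intel feed
CPU_THRESHOLD = 90.0    # percent of one core
SUSTAINED_SAMPLES = 6   # 6 samples x 30 s = 3 minutes


def sustained_high_cpu(samples, threshold=CPU_THRESHOLD, n=SUSTAINED_SAMPLES):
    """True if some window of n consecutive samples all exceed the threshold."""
    return any(all(s > threshold for s in samples[i:i + n])
               for i in range(len(samples) - n + 1))


def assess(telemetry, context):
    """Score one container and return (severity, reasons, actions).

    One runtime signal alone is medium: a batch job can legitimately pin a
    core. A runtime signal that agrees with agentless context, or two
    independent runtime signals, is high.
    """
    runtime, ctx = [], []
    if sustained_high_cpu(telemetry.cpu_samples):
        runtime.append("sustained_high_cpu")
    bad = KNOWN_BAD_DOMAINS & set(telemetry.dns_queries)
    if bad:
        runtime.append("known_bad_domain:" + ",".join(sorted(bad)))
    unexpected = sorted(set(telemetry.new_processes) - set(context.expected_processes))
    if unexpected:
        ctx.append("unexpected_process:" + ",".join(unexpected))
    if context.image_digest_changed:
        ctx.append("image_changed_by:" + context.pipeline)

    if len(runtime) == 2 or (runtime and ctx):
        severity = "high"
    elif runtime or unexpected:
        severity = "medium"
    elif ctx:
        severity = "low"
    else:
        severity = "none"

    actions = []
    if severity == "high":
        # Agent-side containment first, then agentless follow-through at scale.
        actions += ["terminate:" + p for p in unexpected]
        actions.append("rotate_credentials:" + context.pipeline)
        actions.append("block_image_promotion:" + context.pipeline)
    elif severity == "medium":
        actions.append("investigate:" + telemetry.container)
    return severity, runtime + ctx, actions


# Constructed fleet: a miner dropped through a changed image, a legitimately
# CPU-heavy batch job, and an idle web service.
FLEET = [
    (RuntimeTelemetry("web-7f3a", [12, 15, 96, 97, 98, 99, 97, 98, 96],
                      ["api.internal.test", "pool.example-bad-miner.test"],
                      ["app-server", "xmr-worker"]),
     DeploymentContext("web-7f3a", "build-prod", True, ["app-server"])),
    (RuntimeTelemetry("etl-2c91", [95, 97, 98, 99, 96, 97, 98],
                      ["warehouse.internal.test"], ["etl-worker"]),
     DeploymentContext("etl-2c91", "build-data", False, ["etl-worker"])),
    (RuntimeTelemetry("web-0b44", [5, 6, 4, 7], [], ["app-server"]),
     DeploymentContext("web-0b44", "build-prod", False, ["app-server"])),
]


def triage(fleet):
    """Map container -> severity for a list of (telemetry, context) pairs."""
    return {t.container: assess(t, c)[0] for t, c in fleet}


if __name__ == "__main__":
    for t, c in FLEET:
        print(t.container, *assess(t, c))
```

The batch job shows why the context matters for precision: it pins a core just like the miner, but it runs only the process its deployment record expects and its image has not changed, so it is flagged for a look rather than contained. The miner container produces both kinds of action the text describes, a process termination on the host and credential rotation and a promotion block on the pipeline that built it.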