04-06-2026 10:18 AM
Hello, I would like your help to understand what protections I have with Cortex XDR Endpoint Pro on a Linux server running containers/Docker.
Will XDR also protect against malicious activity originating from the container to the network, or is it more of a black box?
04-07-2026 06:13 AM
Hello @tlmarques ,
Thank you for the response.
While visibility is a key differentiator, the differences between these two scenarios also involve licensing, deployment architecture, and metadata enrichment.
Visibility:
Both deployment types (standard Linux agent and Kubernetes DaemonSet) operate at the host kernel level, allowing them to see containerized processes, network traffic, and file system activity.
The Main Difference (Orchestration):
In an orchestrated environment (Kubernetes/OpenShift), the agent is deployed as a DaemonSet. This provides orchestration metadata (cluster name, pod name, Kubernetes namespace) in the Cortex XDR console and alerts, which is not available when using a standard host agent.
Licensing:
Orchestrated environments require a Cortex XDR Cloud per Host license. If a standard "Pro per Endpoint" license is used on a node running an orchestrator, the agent may identify the host as a Kubernetes node and display a "Partially Protected" or "Unprotected" status because it expects the cloud license.
---------------------------------
Running OpenShift on top of a standard Rocky Linux agent installation provides host-level security, but the following capabilities are likely missing:
Kubernetes Metadata:
Container processes appear in the Causality Card, but they are associated with the host endpoint name rather than specific pods or namespaces.
Posture Management (KSPM):
Full orchestration support typically includes the Kubernetes Connector, which provides cloud security posture management (identifying misconfigurations). The XDR agent alone provides only runtime protection.
Lifecycle Management:
Orchestrated agents follow an accelerated lifecycle cleanup policy, automatically deleting inactive agents from the inventory after 6 hours to prevent clutter in dynamic environments.
-----------------------------------------
Your understanding of the running components is largely correct. Here is the breakdown:
| Daemon | Function |
|---|---|
| pmd | Policy Management Daemon: Handles policy application, process injection, and forensic reporting |
| clad | Cortex Local Analysis Daemon: Responsible for local malware analysis of files |
| dypd | Dynamic Protection Daemon: Powers Behavioral Threat Protection (BTP) to stop suspicious behavior and ransomware |
| sandboxd | Sandbox Daemon: Used for local analysis/emulation of suspicious files |
| lted | Live Terminal Engine Daemon: Enables remote investigation and response actions |
| pyxd | Python Executor: Executes scripts and payloads for response actions |
| cned (stopped) | Cortex Network Engine Daemon: Introduced in v8.7; expected to be stopped if features are not active |
| piud (stopped) | Post Installation Upgrade Daemon: Introduced in v8.7; expected to be stopped if not in use |
Your summary of the protection areas is correct:
For a production OpenShift environment, it is strongly recommended to switch to the Cortex XDR Cloud per Host license and deploy the agent as a DaemonSet using the Kubernetes YAML or Helm installer to ensure full compatibility and visibility.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
04-06-2026 10:25 AM
Hello @tlmarques ,
Greetings for the day.
Cortex XDR Endpoint Pro provides comprehensive protection for Linux servers running Docker by operating at the host kernel level. It is not a “black box”; rather, it extends the same security modules used for the host OS to all processes running within containers.
Protection and Visibility Scope:
The agent uses deep hooks into the host kernel to monitor system calls (syscalls), providing visibility into activities inside containers without requiring an agent to be installed in each individual container.
Cortex XDR is not a “black box” regarding network activity. It monitors network traffic originating from containers and can block or report malicious behavior.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
04-06-2026 11:04 AM
Hi @susekar ,
I appreciate your response. I understand that Cortex XDR is not a “black box” — my question is specifically about containers running inside the host.
I have a Linux server with an XDR Pro license, and inside this host there are multiple containers. My questions are:
04-06-2026 12:09 PM
Hello @tlmarques ,
Thank you for the response.
Cortex XDR provides comprehensive visibility and protection for containerized workloads on Linux hosts by operating at the host kernel level. When the agent is installed on the underlying Linux host, it automatically extends its monitoring and prevention capabilities to all containers sharing that kernel, such as Docker or Podman, without requiring an agent inside each container.
1. Workload Protection Levels:
Workloads running inside containers receive the same level of security as processes running natively on the host. This includes:
The license required depends on whether the containers are part of an orchestrated environment:
To verify the agent is correctly monitoring the host and its containers, you can use the following command on the Linux server:
/opt/traps/bin/cytool runtime query
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
04-07-2026 01:56 AM
@susekar thanks a lot for your help.
I have one final question regarding the differences between non-orchestrated containers and orchestrated environments (e.g., Kubernetes/OpenShift).
Is the main difference related to visibility inside containers?
For example, if I have a Rocky Linux server with Cortex XDR Endpoint Pro installed, and I’m running OpenShift on top of it:
On my system, I currently see the following components running:
Based on what I’ve read, my understanding is that my Linux host (and, to some extent, the containers running on it) is protected against:
Is this understanding correct?
04-07-2026 06:13 AM
Hello @tlmarques ,
Thank you for the response.
While visibility is a key differentiator, the differences between these two scenarios also involve licensing, deployment architecture, and metadata enrichment.
Visibility:
Both deployment types (standard Linux agent and Kubernetes DaemonSet) operate at the host kernel level, allowing them to see containerized processes, network traffic, and file system activity.
The Main Difference (Orchestration):
In an orchestrated environment (Kubernetes/OpenShift), the agent is deployed as a DaemonSet. This provides orchestration metadata (cluster name, pod name, Kubernetes namespace) in the Cortex XDR console and alerts, which is not available when using a standard host agent.
Licensing:
Orchestrated environments require a Cortex XDR Cloud per Host license. If a standard "Pro per Endpoint" license is used on a node running an orchestrator, the agent may identify the host as a Kubernetes node and display a "Partially Protected" or "Unprotected" status because it expects the cloud license.
---------------------------------
Running OpenShift on top of a standard Rocky Linux agent installation provides host-level security, but the following capabilities are likely missing:
Kubernetes Metadata:
Container processes appear in the Causality Card, but they are associated with the host endpoint name rather than specific pods or namespaces.
Posture Management (KSPM):
Full orchestration support typically includes the Kubernetes Connector, which provides cloud security posture management (identifying misconfigurations). The XDR agent alone provides only runtime protection.
Lifecycle Management:
Orchestrated agents follow an accelerated lifecycle cleanup policy, automatically deleting inactive agents from the inventory after 6 hours to prevent clutter in dynamic environments.
-----------------------------------------
Your understanding of the running components is largely correct. Here is the breakdown:
| Daemon | Function |
|---|---|
| pmd | Policy Management Daemon: Handles policy application, process injection, and forensic reporting |
| clad | Cortex Local Analysis Daemon: Responsible for local malware analysis of files |
| dypd | Dynamic Protection Daemon: Powers Behavioral Threat Protection (BTP) to stop suspicious behavior and ransomware |
| sandboxd | Sandbox Daemon: Used for local analysis/emulation of suspicious files |
| lted | Live Terminal Engine Daemon: Enables remote investigation and response actions |
| pyxd | Python Executor: Executes scripts and payloads for response actions |
| cned (stopped) | Cortex Network Engine Daemon: Introduced in v8.7; expected to be stopped if features are not active |
| piud (stopped) | Post Installation Upgrade Daemon: Introduced in v8.7; expected to be stopped if not in use |
Your summary of the protection areas is correct:
For a production OpenShift environment, it is strongly recommended to switch to the Cortex XDR Cloud per Host license and deploy the agent as a DaemonSet using the Kubernetes YAML or Helm installer to ensure full compatibility and visibility.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
