
Prevasio sandbox
'Detonates' containers in a safe virtual environment

Prevasio Sandbox intercepts and inspects all network traffic generated by containers, including HTTPS traffic.

TLS inspection is enabled by dynamically injecting Prevasio's MITM proxy CA certificate into the file system of the analysed container image, so that TLS clients inside the container accept the proxy's certificates. Clients that pin certificates or ship their own trust bundle will not accept the injected CA; their connections fail instead of being inspected.

Currently, Prevasio Sandbox provides HTTPS interception for the 10 most common Linux distributions.

The following example demonstrates an interception of HTTP and HTTPS traffic in a container spawned from a public Docker Hub image.

Network traffic analysis

Prevasio Sandbox scans container images for known-vulnerable packages and libraries.

For example, this Docker Hub image contains critical vulnerabilities in 28 packages.

Vulnerability scan

Any 32- or 64-bit ELF executable created during the image build or at runtime is scanned with Prevasio's machine learning (ML) model.

The ML model used by Prevasio relies on the ELF file's static characteristics, its entropy, and the opcode sequence of its disassembled code.
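To make the first two feature groups concrete, here is an added example (written for this page, not Prevasio's classifier code) that parses little-endian ELF32/ELF64 headers and program headers, computes per-segment Shannon entropy, and derives a few of the static signals such a model consumes. The disassembled-opcode feature is omitted because it needs a disassembler. The sample binaries are constructed in the code; the thresholds and "suspicious" labels are illustrative heuristics, not the product's.

```python
import math
import struct
from collections import Counter

PT_LOAD = 1
PF_X, PF_W = 1, 2


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); packed or encrypted code sits near the top."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract_features(elf: bytes) -> dict:
    """Static ELF features of the kind a classifier consumes: header fields, segment
    layout and per-segment entropy. Little-endian ELF32/ELF64 only (the common x86
    and x86-64 container case); other encodings are rejected."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = elf[4], elf[5]
    if ei_data != 1:
        raise ValueError("big-endian ELF not handled in this example")
    if ei_class == 2:
        hdr_fmt, ph_fmt = "<HHIQQQIHHHHHH", "<IIQQQQQQ"
    elif ei_class == 1:
        hdr_fmt, ph_fmt = "<HHIIIIIHHHHHH", "<IIIIIIII"
    else:
        raise ValueError("unknown ELF class")
    (e_type, e_machine, _, e_entry, e_phoff, _shoff, _, _, e_phentsize,
     e_phnum, _, e_shnum, _) = struct.unpack_from(hdr_fmt, elf, 16)

    segments = []
    for i in range(e_phnum):
        raw = struct.unpack_from(ph_fmt, elf, e_phoff + i * e_phentsize)
        if ei_class == 2:
            p_type, p_flags, p_offset, _, _, p_filesz, p_memsz, _ = raw
        else:  # ELF32 places p_flags after p_memsz
            p_type, p_offset, _, _, p_filesz, p_memsz, p_flags, _ = raw
        body = elf[p_offset:p_offset + p_filesz]
        segments.append({"type": p_type, "flags": p_flags, "filesz": p_filesz,
                         "memsz": p_memsz, "entropy": shannon_entropy(body)})

    exec_entropies = [s["entropy"] for s in segments
                      if s["type"] == PT_LOAD and s["flags"] & PF_X]
    features = {
        "class": 64 if ei_class == 2 else 32,
        "type": e_type, "machine": e_machine, "entry": e_entry,
        "has_section_headers": e_shnum > 0,
        "segments": segments,
        "file_entropy": shannon_entropy(elf),
        "max_exec_entropy": max(exec_entropies, default=0.0),
        "rwx_segments": sum(1 for s in segments if s["type"] == PT_LOAD
                            and s["flags"] & PF_X and s["flags"] & PF_W),
    }
    # Illustrative cut-offs; a trained model learns its own from labelled samples.
    flags = []
    if not features["has_section_headers"]:
        flags.append("no section headers (stripped or packed)")
    if features["max_exec_entropy"] > 7.0:
        flags.append("high-entropy executable segment (possibly packed)")
    if features["rwx_segments"]:
        flags.append("writable+executable segment")
    features["suspicious"] = flags
    return features


def build_sample_elf(code: bytes) -> bytes:
    """Constructed minimal static ELF64 (x86-64) with one R+X PT_LOAD segment and no
    section table. An illustration for this example, not a real image file."""
    ehdr_size, phdr_size, base = 64, 56, 0x400000
    total = ehdr_size + phdr_size + len(code)
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LE, version 1, SYSV ABI
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 62, 1,                       # ET_EXEC, EM_X86_64, EV_CURRENT
        base + ehdr_size + phdr_size,   # e_entry: first byte of code
        ehdr_size, 0, 0,                # e_phoff, e_shoff (none), e_flags
        ehdr_size, phdr_size, 1,        # e_ehsize, e_phentsize, e_phnum
        64, 0, 0)                       # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, total, total, 0x1000)  # R+X
    return ehdr + phdr + code


if __name__ == "__main__":
    # xor rax,rax; xor rdi,rdi; mov al,60; syscall  (exit(0))
    tiny = build_sample_elf(b"\x48\x31\xc0\x48\x31\xff\xb0\x3c\x0f\x05")
    packed = build_sample_elf(bytes(range(256)) * 16)   # stand-in for a packed payload
    for name, sample in (("tiny", tiny), ("packed", packed)):
        f = extract_features(sample)
        print(name, f["class"], round(f["max_exec_entropy"], 2), f["suspicious"])
```

Entropy is the feature that survives recompilation and string changes, which is why a model built on it keeps matching a rebuilt sample where a hash or byte signature would not.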

Here is an example of a malicious container image hosted at Docker Hub that was picked up by Prevasio's ML classifier.

Let's see what happens if we recompile the Mirai bot's source code using custom domains for its C2 (command-and-control) traffic. The Dockerfile with instructions to fetch, modify, and compile the Mirai source code is available here.

As this example shows, ML-based detection is robust to such modifications: the rebuilt bot is still classified as malicious even though its C2 domains differ from the original sample, whereas a hash or byte-signature match would no longer fire.

ML classifier for malware

Full static visibility into a container's contents is not by itself enough to tell whether an image is actually safe.

During the last stage of its analysis, Prevasio Sandbox simulates an attacker's actions: it first fingerprints the services running inside the analysed container, then launches exploits against them.

In addition, the pen-test brute-forces any identified login service (such as SSH, FTP or a SQL database) to find weak credentials that would let an attacker in.

Because the pen-test runs in an isolated environment, it poses no risk to the production environment.

The following example demonstrates how the automated pen-test identified the type of MySQL server running inside a container spawned from this Docker Hub image, then successfully brute-forced it and found working credentials.
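The fingerprinting step is worth seeing in detail, because a MySQL or MariaDB server identifies itself before any authentication happens. The following is an added example written for this page, not Prevasio's pen-test code: it decodes the unauthenticated server greeting (the HandshakeV10 packet) or the ERR packet a server sends instead when the client's host is not allowed, and reduces it to the facts that steer the next step (product family, version, whether TLS is offered, which auth plugin is in use). All packets are constructed in the code; the `build_sample_*` helpers and the `legacy_auth` label are this example's own.

```python
import struct

# Capability bits from the MySQL client/server protocol that decide the greeting layout.
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000


def parse_greeting(pkt: bytes) -> dict:
    """Decode a HandshakeV10 greeting, or the ERR packet sent instead of one."""
    length = int.from_bytes(pkt[:3], "little")
    body = pkt[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if body[0] == 0xFF:                                   # ERR packet
        code = struct.unpack_from("<H", body, 1)[0]
        msg = body[3:]
        if msg[:1] == b"#":                               # optional '#' + 5-char SQLSTATE
            msg = msg[6:]
        return {"error_code": code, "error": msg.decode(errors="replace")}
    if body[0] != 10:
        raise ValueError("not a HandshakeV10 greeting")
    end = body.index(b"\x00", 1)
    version = body[1:end].decode()
    off = end + 1
    conn_id = struct.unpack_from("<I", body, off)[0]
    off += 4 + 8 + 1                                      # connection id, scramble part 1, filler
    caps_low = struct.unpack_from("<H", body, off)[0]
    charset = body[off + 2]
    status = struct.unpack_from("<H", body, off + 3)[0]
    caps_high = struct.unpack_from("<H", body, off + 5)[0]
    caps = caps_low | (caps_high << 16)
    scramble_len = body[off + 7]
    off += 8 + 10                                         # the fields above plus 10 reserved bytes
    if caps & CLIENT_SECURE_CONNECTION:
        off += max(13, scramble_len - 8)                  # scramble part 2
    plugin = None
    if caps & CLIENT_PLUGIN_AUTH:
        plugin = body[off:body.index(b"\x00", off)].decode()
    return {"version": version, "connection_id": conn_id, "capabilities": caps,
            "charset": charset, "status": status, "auth_plugin": plugin}


def fingerprint(pkt: bytes) -> dict:
    """Reduce the greeting to what a pen-test needs before choosing an attack."""
    g = parse_greeting(pkt)
    if "error" in g:
        return g
    version, family = g["version"], "MySQL"
    if "MariaDB" in version:
        family = "MariaDB"
        if version.startswith("5.5.5-"):                  # MariaDB's compatibility prefix
            version = version[6:]
    return {
        "family": family,
        "version": version,
        "connection_id": g["connection_id"],
        "tls_offered": bool(g["capabilities"] & CLIENT_SSL),
        "auth_plugin": g["auth_plugin"],
        # mysql_native_password responses captured on the wire can be brute-forced
        # offline (SHA1-based); caching_sha2_password is the MySQL 8.0 default.
        "legacy_auth": g["auth_plugin"] == "mysql_native_password",
    }


def build_sample_greeting(version: bytes, auth_plugin: bytes, caps: int) -> bytes:
    """Constructed HandshakeV10 packet in the layout a MySQL/MariaDB server sends."""
    part1, part2 = b"A" * 8, b"B" * 12 + b"\x00"        # 20-byte scramble, part 2 NUL-terminated
    body = bytes([10]) + version + b"\x00" + struct.pack("<I", 42) + part1 + b"\x00"
    body += struct.pack("<HBHHB", caps & 0xFFFF, 0x21, 0x0002, caps >> 16,
                        21 if caps & CLIENT_PLUGIN_AUTH else 0)
    body += b"\x00" * 10                                  # reserved
    if caps & CLIENT_SECURE_CONNECTION:
        body += part2
    if caps & CLIENT_PLUGIN_AUTH:
        body += auth_plugin + b"\x00"
    return len(body).to_bytes(3, "little") + b"\x00" + body


def build_sample_error(code: int, message: bytes) -> bytes:
    """Constructed ERR packet, e.g. ER_HOST_NOT_PRIVILEGED (1130) sent before auth."""
    body = b"\xff" + struct.pack("<H", code) + message
    return len(body).to_bytes(3, "little") + b"\x00" + body


if __name__ == "__main__":
    for pkt in (
        build_sample_greeting(b"8.0.33", b"caching_sha2_password",
                              CLIENT_SSL | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH),
        build_sample_greeting(b"5.5.5-10.6.12-MariaDB", b"mysql_native_password",
                              CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH),
        build_sample_error(1130, b"Host '10.0.0.5' is not allowed to connect to this MySQL server"),
    ):
        print(fingerprint(pkt))
```

Everything the function returns is learned without credentials, which is exactly why an exposed database port leaks enough to pick a version-specific exploit or a wordlist tuned to the product.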

Automated Pen-Test

Prevasio collects kernel-level system events within a running container:

  • File system events
  • Network events
  • Process lifecycle events
  • Kernel syscalls
  • User call events

These events are then correlated into a hierarchy and displayed as a force-directed graph. The graph lets an analyst spot problematic containers at a glance and quickly establish their remote access points (the network endpoints the container's processes listen on or connect out to).
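The correlation step is simple to show on a small trace. Below is an added example written for this page (not Prevasio's event pipeline) that folds a flat, time-ordered stream of process, file and network events into a per-process hierarchy, extracts the remote access points, and emits nodes and links in the shape a force-directed layout such as d3-force consumes. The events, field names and process names are constructed for the example; the peer addresses are RFC 5737 documentation ranges, not real nodes.

```python
import json

# Constructed sample trace in the order a sandbox tracer might emit it. Field names are
# this example's own, not Prevasio's schema; addresses are documentation ranges.
SAMPLE_EVENTS = [
    {"ts": 1, "kind": "process", "action": "exec", "pid": 1, "ppid": 0, "comm": "entrypoint.sh"},
    {"ts": 2, "kind": "process", "action": "exec", "pid": 7, "ppid": 1, "comm": "sshd"},
    {"ts": 3, "kind": "network", "action": "listen", "pid": 7, "proto": "tcp", "laddr": "0.0.0.0", "lport": 22},
    {"ts": 4, "kind": "process", "action": "exec", "pid": 9, "ppid": 1, "comm": "minerd"},
    {"ts": 5, "kind": "file", "action": "write", "pid": 9, "path": "/tmp/.x/config.json"},
    {"ts": 6, "kind": "network", "action": "connect", "pid": 9, "proto": "tcp", "raddr": "203.0.113.10", "rport": 8333},
    {"ts": 7, "kind": "network", "action": "connect", "pid": 9, "proto": "tcp", "raddr": "198.51.100.7", "rport": 8333},
    {"ts": 8, "kind": "process", "action": "exec", "pid": 12, "ppid": 9, "comm": "sh"},
    {"ts": 9, "kind": "process", "action": "exit", "pid": 12},
]


def build_graph(events):
    """Correlate flat events into a per-process hierarchy keyed by pid."""
    procs = {}

    def node(pid):
        return procs.setdefault(pid, {"pid": pid, "comm": "?", "ppid": None, "children": [],
                                      "files": [], "connects": [], "listens": [], "exited": False})

    for ev in sorted(events, key=lambda e: e["ts"]):
        p = node(ev["pid"])
        if ev["kind"] == "process":
            if ev["action"] == "exec":
                p["comm"], p["ppid"] = ev["comm"], ev["ppid"]
                if ev["ppid"]:                            # ppid 0: the container's first process
                    node(ev["ppid"])["children"].append(ev["pid"])
            elif ev["action"] == "exit":
                p["exited"] = True
        elif ev["kind"] == "network":
            if ev["action"] == "listen":
                p["listens"].append((ev["proto"], ev["laddr"], ev["lport"]))
            elif ev["action"] == "connect":
                p["connects"].append((ev["proto"], ev["raddr"], ev["rport"]))
        elif ev["kind"] == "file":
            p["files"].append((ev["action"], ev["path"]))
    return procs


def ancestry(procs, pid):
    """Process names from the container's first process down to `pid`."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["comm"])
        pid = procs[pid]["ppid"]
    return chain[::-1]


def remote_access_points(procs):
    """Inbound listeners and outbound peers, each tied back to the responsible process."""
    inbound = [(sock, p["comm"], p["pid"]) for p in procs.values() for sock in p["listens"]]
    outbound = {}
    for p in procs.values():
        for peer in p["connects"]:
            outbound.setdefault(peer, set()).add(p["comm"])
    return inbound, outbound


def to_force_graph(procs):
    """Nodes and links in the shape a force-directed layout (e.g. d3-force) consumes."""
    nodes, links = {}, []

    def add(nid, label, kind):
        nodes.setdefault(nid, {"id": nid, "label": label, "type": kind})

    for p in procs.values():
        me = f"pid:{p['pid']}"
        add(me, p["comm"], "process")
        if p["ppid"]:
            links.append({"source": f"pid:{p['ppid']}", "target": me, "rel": "spawned"})
        for proto, addr, port in p["listens"]:
            nid = f"listen:{proto}/{addr}:{port}"
            add(nid, nid, "listener")
            links.append({"source": me, "target": nid, "rel": "listens"})
        for proto, addr, port in p["connects"]:
            nid = f"peer:{proto}/{addr}:{port}"
            add(nid, f"{addr}:{port}", "remote")
            links.append({"source": me, "target": nid, "rel": "connects"})
        for action, path in p["files"]:
            add(f"file:{path}", path, "file")
            links.append({"source": me, "target": f"file:{path}", "rel": action})
    return {"nodes": list(nodes.values()), "links": links}


if __name__ == "__main__":
    procs = build_graph(SAMPLE_EVENTS)
    inbound, outbound = remote_access_points(procs)
    print("inbound:", inbound)
    print("outbound:", {f"{a}:{p}": sorted(c) for (_, a, p), c in outbound.items()})
    print("ancestry of pid 12:", " -> ".join(ancestry(procs, 12)))
    print(json.dumps(to_force_graph(procs), indent=1))
```

In the sample, the graph shows a process that writes a hidden config file and then connects to several peers on TCP 8333 (the Bitcoin P2P port), which is the pattern the event graph on this page makes visible at a glance.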

Here is an example of an event graph generated for this Docker Hub image. Note the geographic distribution of the Bitcoin peer-to-peer nodes.

System event graph
