Cloud-Native Application Protection (CNAPP)
High scrutiny and high blast radius; proof and governance matter.
Inside this journey
-
Pre-Discovery
Align the room on outcomes, decision process, and constraints before deeper discovery.
-
Stakeholder Alignment
Confirm decision roles, timelines, veto points (e.g., platform performance), and required success signals for the POC.
Alignment Questions
Snapshot: What's Happened and Who's Here?
- Briefly describe the incident or trigger that led you to evaluate a unified container security platform now.
- How many production Kubernetes clusters are in scope today?
- Which cloud providers host your container workloads?
- Who is leading this evaluation and which role will sign the final purchase (pick the primary contact)?
- What’s your target decision timeline for selecting a vendor?
- How would you rate your team’s current confidence in detecting exploitable container threats?
Are We Mistaking Noise for Risk?
- When your security tools flood you with findings, how often are those findings actually exploitable versus just noise?
- Which image scanners, CSPM, and runtime tools are currently part of your stack (list all that apply)?
- How often do you today succeed in correlating an image CVE, a cloud misconfiguration, and a network path into a single actionable attack story?
- Tell us about the last time a pen test or incident uncovered a container escape or exploitable path — what happened and what surprised you most?
- Which specific signal or connection do you wish your current toolset surfaced automatically?
- How does it feel for your team when these gaps surface — frustrated, overwhelmed, resigned, motivated, or something else?
Who Holds the Final Say — and What Will Make Them Say Yes?
- If the VP of platform rejects a tool for any performance or velocity impact, it's game over—what would we need to prove to keep their support?
- Which stakeholders must be involved in the POC (decision maker, technical approver, DevOps owner, security sponsor)?
- What are the non‑negotiable veto points (e.g., pod startup latency, deployment failures, false positives above X%) that would block a rollout?
- For each key stakeholder, what format of evidence would convince them (live demo, raw telemetry, executive summary, SLA guarantees)?
- What internal approvals or procurement steps do we need to kick off now to avoid delays after a positive POC?
What Would Make Your Nightmares Stop?
- Imagine a week without a container security incident — what changed in your day‑to‑day that made that possible?
- Which of these outcomes would most convince the CISO that this platform is worth buying?
- Which single metric would you call the north star for POC success (pick one)?
- How do you currently measure MTTR for container issues, and what's the representative baseline number?
- If the POC needs to demonstrate prioritized exploit paths, what level of context must each finding include to be actionable (CVE + config + network path + remediation steps)?
Where Should the Two‑Week POC Live to Be Convincing?
- Would testing in a realistic staging/preprod cluster with your CI/CD pipeline integrated give you more confidence than synthetic demos?
- Which environment(s) do you propose for the bake‑off?
- Which CI/CD systems and registries should we integrate with during the POC?
- Which specific pipelines, repos, or services absolutely must be included to validate blocking and provenance?
- Which modules do you want exercised in the POC (pick all that must be validated)?
- Who on your side will own daily POC ops (names/roles) and who is the escalation contact for issues?
What Would Make You Throw the Vendor Overboard?
- What's the smallest measurable degradation (in latency, build times, or reliability) that would cause you to stop the test?
- What maximum false positive rate for runtime detections would you accept during the POC?
- How much CI/CD build-time overhead (absolute or percent) is tolerable while still considering the solution viable?
- Describe your rollback and mitigation plan if the integration causes pod startup failures or deployment blockages.
- Which observability and SRE teams must be fed dashboards/alerts to feel comfortable during the POC?
Let's Make the Test Real — How Will We Prove It?
- If we engineered realistic attack paths in staging and your team could reproduce them end‑to‑end, would that be the strongest proof point?
- Do you have test images, vulnerable binaries, or scripted exploit scenarios we can run during the bake‑off?
- Are red‑team or automated attacker simulations acceptable during the two weeks, and what limits should we respect?
- What credentials and read/write access will you provision for the POC (kubeconfig levels, cloud read roles, CI tokens)?
- Which logs, telemetry, and dashboards must be captured and handed back to you to validate detection fidelity and performance?
- Who will be on‑call from your side to triage findings and confirm reproducibility within the two weeks?
If We Only Leave With One Outcome, What Should It Be?
- At the end of the POC, what single change or proof would make this engagement unambiguously successful for you?
- Select the top three acceptance criteria you need to sign off the POC (choose up to three).
- If the POC is successful, what licensing or procurement steps must begin immediately?
- Who must attend the final review/demo and in what format would you prefer the wrap‑up (live demo, recorded replay + report, executive summary)?
- Preferred primary communication channel for shared collaboration during the POC (pick one)?
-
Current State Mapping
Document existing scanners, CSPM/CWPP gaps, recent incidents, and where attack-path correlation is missing.
Current State
Quick Grounding — Tell Me About Today
- How many Kubernetes clusters are in scope for this evaluation and where are they hosted?
- Which environment(s) will we use for the two-week staging bake-off?
- Who will be the primary technical owner for the POC (name, role, contact) and who is the VP-level stakeholder who can veto deployment-impacting tools?
- What immediate constraints should we know about (access windows, maintenance freezes, regulatory reviews)?
- How would you describe your team’s current confidence level that a container CVE exploited in production can be detected and contained quickly?
Where the Blind Spots Live
- Which parts of your runtime are effectively invisible today—even when an incident is happening?
- How do you currently instrument east‑west traffic and service‑to‑service flows (tools, sidecars, VPC flow logs, eBPF, other)?
- How often do alerts point to a resource you cannot immediately map back to a workload, identity, or business owner?
- Describe any telemetry gaps you see today (missing fields, delayed logs, or inconsistent traces across tools).
- Which lateral movement vectors or protocols concern you most for undetected activity?
The Tools You Lean On (and Where They Let You Down)
- If your current scanners, CSPM consoles, and runtime agents had a 'tell‑the‑truth' grade, what would it be?
- List the image scanners, CSPM tools, runtime protection agents, admission controllers, and SIEMs you currently run (product and version).
- Which tool types generate the most noise versus genuine, actionable findings in your environment?
- How often do you have to manually correlate across consoles to understand an incident or root cause?
- Tell me about the last time tool fragmentation slowed a remediation—what was missed and why?
- Are there contractual, licensing, or organizational blockers that prevent consolidating or deeply integrating tools today?
When Things Break — Real Incidents & Near Misses
- Think of the last container‑related incident—what surprised you most about how the attack moved or was detected?
- How was that incident first detected (automated alert, developer report, third party, pen test, other)?
- From detection to first containment, how much elapsed time passed?
- Which teams needed to be involved to remediate and how well did the handoffs work (dev, platform, security, cloud ops)?
- What measurable business impact occurred (customer outage, data exposure, revenue impact, regulatory exposure)?
- Which takeaways from that incident changed how you prioritize container and cloud security work?
The Missing Links — Attack Path and Context
- Can you draw a single chain today from a misconfigured cloud role or exposed service to an exploitable container process?
- Do you have an automated graph or model that links identities, cloud resources, workloads, and network flows?
- How do you prioritize vulnerabilities and misconfigurations—by CVE severity, exploitability evidence, asset criticality, exposure, or another method?
- Give an example of a prioritized finding you resolved recently—how did you verify that remediation reduced actual exploitability?
- When a scan or alert surfaces an issue, how quickly can you map it to an owner and open a remediation ticket?
- How often do you find that fixing a vulnerability does not actually reduce the true attack surface because of missing context?
If Two Weeks Could Prove It — What Would You Want to See?
- What single measurable result from a two‑week staging bake‑off would make your CISO and VP of Platform say "ship it"?
- Which specific services or workloads should be included as high‑value test cases for the bake‑off?
- What is your current baseline MTTR for container vulnerabilities and misconfigurations?
- What performance or operational SLOs are non‑negotiable during the POC (startup latency, CPU/memory overhead, build time impact)?
- How will you validate detection fidelity during the bake‑off (attack simulations, synthetic tests, replay of incidents, developer sign‑off)?
- What acceptance criteria would cause the POC to be considered a failure?
What Would Stop This Before It Starts?
- What specific outcomes or events would make you pull the plug on the POC before it completes?
- Which permissions, namespaces, or data sets are absolutely off‑limits during the staging run?
- Do you require a pre‑approved rollback or mitigation playbook before any agents, admission hooks, or CI/CD changes are applied?
- Are there calendar windows or release freezes we must avoid for intrusive tests or failover simulations?
- Which legal, compliance, or privacy controls must we enforce while collecting telemetry?
- Who must be notified or approve each exploit simulation before it is executed?
Ownership, Reporting, and Next Moves
- If the bake‑off demonstrates clear value, who signs the purchase and who will champion rollout across clusters?
- What cadence and format do you prefer for POC updates and final reporting?
- Which metrics must appear in the final acceptance report (MTTR, false positive rate, exploitable paths closed, CI/CD blocking time, performance impact)?
- How will you validate that improvements are durable after production rollout (post‑rollout audit window, metrics trending, retention of changes)?
- Given your release calendar, when is the earliest practical date to kick off the POC?
- Who else should be part of the discovery or decision loop that we haven't spoken with yet?
-
-
Outcome Discovery
Define POC success criteria: runtime east‑west visibility, CI/CD blocking without slowing builds, exploitable-path prioritization, and <48h MTTR.
Discovery Questions
Getting Comfortable — A Quick Snapshot
- Briefly, what single event or concern brought you to evaluate a new container security platform now?
- Which role will lead the technical evaluation and run the two‑week staging POC?
- How many Kubernetes clusters and namespaces do you plan to include in this initial POC?
- Which clouds and distributions are in scope for the POC?
- Who holds veto authority for adopting a new tool (name the role/title), and what will they watch most closely?
- Which CI/CD systems will we integrate with during the POC?
If We Could Rewrite the Rules — What's Broken Today?
- What do you secretly assume your current scanners and runtime tools will never be able to do for you?
- When the last production incident happened, what surprised you most about how it unfolded or was discovered?
- Which gaps do you see between image scanners, CSPM dashboards, and runtime agents in your org today?
- How often do findings slip through to production that were flagged earlier in CI or build scans?
- Tell us about an example where tool noise or missing context delayed remediation—what happened and how did it feel for your team?
- If someone asked your VP of Platform whether the current stack is 'fit for modern microservices,' what answer would you expect?
Show Me the Pain — Where Time and Risk Leak Out
- Why do you think remediations take longer than you want—process, people, tooling, or priorities?
- What is your current mean‑time‑to‑remediate (MTTR) for exploitable container vulnerabilities or misconfigurations?
- Which part of the remediation workflow is slowest for your team?
- Who spends the most time investigating alerts today and how does that impact their other responsibilities?
- How many false positive alerts per week would you consider unacceptable during a staging bake‑off?
- Describe a recent situation where a false positive or performance issue almost blocked a rollout—what canceled or saved the deployment?
What a Successful POC Must Actually Prove
- If we could only demonstrate one thing in your staging POC that would convince the CISO to buy, what should it be?
- Please rank these outcome dimensions in order of importance to you during the POC.
- For each top outcome you selected, what measurable acceptance criteria should we use?
- What measurement window would you prefer for validating improvements (e.g., detection fidelity, MTTR)?
- Which telemetry sources will we use to establish baselines (select all that apply)?
- How will the POC outcome be judged—who's the final approver and what format do they want for results?
Reality Check — What Would Kill Adoption?
- If the tool added even a small delay to pod startup, what level of impact would be acceptable before your VP of Platform intervenes?
- What maximum percent increase in CPU or memory at pod startup would be a deal breaker?
- Beyond performance, what single operational concern would most likely stop a production rollout?
- What false‑positive tolerance threshold would your team accept during POC (percent of alerts requiring follow up that are false)?
- If the POC surfaces conflicts with existing policy tooling or admission controllers, how should we handle it during the bake‑off?
- Who on your side will be empowered to stop the POC immediately if something goes wrong (role/title) and how should they alert us?
Practicalities — Scope, Data, and Ownership
- Which specific clusters, namespaces, or services should we include to best demonstrate east‑west visibility and attack‑path correlation?
- Which CI pipelines and repositories will we integrate to validate blocking image pushes or deploys?
- Do you have representative test images and approved exploit scenarios we can run, or do you want us to propose realistic test cases?
- Who will own day‑to‑day POC operations on your side (names/titles) and who are the escalation contacts for urgent issues?
- What internal approvals or access do we need before starting (cloud IAM roles, kubeconfig access, CI admin rights)?
- Are there any compliance or change windows we must avoid during the two‑week staging bake‑off?
How We’ll Prove It — The Experiment Design
- If a POC could only run three tests, which would you pick to convince both Platform and Security leadership?
- What acceptance criteria would you use for CI/CD blocking to prove it 'does not slow builds'?
- How should we validate exploitable‑path prioritization—for example, do you want incident playbacks, ranked findings, or attacker storyboards?
- What reporting cadence and formats will convince stakeholders (daily dashboard, end‑of‑POC report, live demo)?
- Who should be copied on day‑to‑day updates versus executive summaries?
Commitments, Risks, and Next Steps — Closing the Loop
- What license or commercial terms must be agreed during or immediately after the POC for you to proceed to procurement?
- Who will make the final procurement recommendation and who signs off on budget (role/title)?
- If performance, false positives, and MTTR targets are met, what is your ideal timeline from POC acceptance to first production rollout?
- What are the top three risks you want us to plan mitigations for before the bake‑off begins?
- On an emotional level, what would success look like for your team after this POC—relief, confidence, fewer pagers, or something else?
- What date/time should we schedule the kickoff, and what prework would you like to complete before then?
-
Solution Experience
Validate how the platform delivers the targeted outcomes using the customer’s staging cluster and realistic exploit/attack scenarios.
Experience Meetings
- Solution Experience Kickoff
- Staging Cluster Baseline & Instrumentation
- Controlled Exploit Run — Runtime Visibility & Attack‑Path Correlation
- CI/CD Pipeline Integration & Image Blocking Test
- Results Review, Acceptance Validation & Next Steps
- Identify any policy tuning required to reduce false positives prior to production rollout.
- Seller: Deploy instrumentation with a documented rollback playbook and validate pod startup times do not degrade.
- Both: Agree on exact measurement methodology (metrics, log collection, timestamps) for MTTR and detection fidelity.
- Recap Scenario & Expected Outcomes
- Prove that the platform detects the exploit in runtime, surfaces east-west traffic, and correlates the attack path to actionable entities.
- Validate, with customer confirmation, that each correlated finding maps to their described problem and operational consequences.
- Capture timestamped evidence to quantify detection fidelity and MTTR improvement versus baseline.
- Seller: Deliver collected logs, graph snapshots, and a timeline of detection/remediation events for the executed scenario.
- Customer: Mark any findings that are noise/false positives and provide context for why they are not actionable.
- Both: Agree any immediate tuning needed and schedule re-run if detection or correlation failed to meet acceptance criteria.
- Recap CI/CD Acceptance Metrics
- Demonstrate image-blocking works reliably and that pipeline latency remains within the agreed threshold.
- Validate developer remediation and rollback process is acceptable to platform and DevOps owners.
- Introductions & Objectives
- Customer: Provide CI pipeline access for the test jobs and confirm synthetic build parameters.
- Seller: Run tests and provide build-time metrics, block evidence, and CI logs for post-test analysis.
- Both: Document any policy changes and schedule a follow-up re-test if false positives exceed the agreed threshold.
- Executive Summary: One-sentence Current v Future State
- Validate, with customer sign-off, whether the Solution Experience met the agreed acceptance criteria for each scenario.
- Agree a concrete next-step plan (production rollout schedule, tuning tasks, or POC extension) with owners and dates.
- Deliver a prioritized list of remaining gaps and a remediation/tuning backlog to reach production readiness.
- Seller: Produce a concise results pack (evidence, timelines, metrics, and recommended rollout plan) and share it to the shared workspace.
- Customer: Provide formal validation/acceptance decision and confirm owners for rollout or additional tuning tasks.
- Both: Schedule the Deployment Enablement kickoff or a re-run of specific failing scenarios within agreed SLA.
- All attendees can state the current state in one sentence and agree its consequence.
- Finalize the one-sentence future state and explicit, measurable acceptance criteria for the bake-off.
- Agree on test scenarios, ownership, timeline, and rollback/mitigation approach before any testing begins.
- Customer: Provide a one-paragraph timeline of the reported incident(s), current MTTR metrics, and the official future-state sentence.
- Seller: Produce a draft test plan mapping each scenario to measurable success signals and required artifacts.
- Both: Confirm schedule for the staging bake-off and participants for observation and validation checkpoints.
- Inventory & Baseline Statement (one sentence)
- Produce a documented baseline for pod startup, build latency, detection volume, and MTTR to compare against post-test results.
- Confirm safe instrumentation and rollback steps so no production-impacting changes occur.
- Ensure required accesses, artifacts, and sample images are available for scenario execution.
- Customer: Provide sample images, manifests, CI pipeline access, and recent incident logs exported to the shared workspace.
- Pre-Execution Validation Check
- Current State — one sentence
- Access & Permissions Verification
- Pipeline Preflight & Access
- Measurement Walkthrough
- Blocked Image Test (vulnerable image)
- Consequence Quantification
- Stepwise Exploit Execution (live)
- Instrumentation Plan & Safe Install
- Scenario-by-Scenario Evidence & Validation
- Control Builds & Performance Measurement
- Collect Baseline Metrics
- Future State — one sentence & Acceptance Criteria
- Gaps, Tuning, & Risk Discussion
- Real-Time Evidence Collection
- Decision & Next Steps
- Forced Validation Pause
- Test Scenarios & Success Signals
- Capture Current Tool Outputs
- Developer Flow Validation
- Measure Time-to-Detect & Time-to-Remediate
- Tally False Positives & Discuss Policy Tuning
- Scope, Roles & Timeline
-
Solution Scope
Define scope: clusters, CI/CD pipelines, modules (image scanning, CSPM, runtime), measurement windows, and ownership.
Scope Configuration
- Integrate image scanning into CI/CD with pre-deploy blocking
- Scan container registries and auto-tag vulnerable images
- Enable runtime workload protection for a Kubernetes cluster
- Map cloud resources and identities into a unified security graph
- Attack-path analysis correlating misconfigurations to exploitable paths
- Generate east-west microservice traffic visualization
- Auto-generate Kubernetes NetworkPolicies from observed traffic
- Prioritize exploitable findings with risk scoring and alerting
- Integrate cloud IAM scanning to highlight privilege misconfigurations
- Deploy admission-controller hooks to block vulnerable images at deploy
- Capture forensic runtime telemetry and export incident timelines
- Enforce policy-as-code for Infrastructure-as-Code scans in CI
- Apply detection tuning: whitelisting and automated policy exceptions
Scope Questions
Integrate image scanning into CI/CD with pre-deploy blocking
- Which CI/CD systems run your container build and deploy pipelines?
- How many distinct pipelines would need image-scanning enforcement during the POC?
- What is the maximum acceptable additional build latency (average) for pre-deploy scanning?
- Should a detected high/critical vulnerability fail the pipeline automatically or open a review ticket?
- Which image formats/artifact types need scanning (e.g., OCI, Docker image, SBOM)?
- List any required policy inputs or regulatory constraints that must be enforced by CI image scanning (e.g., CVSS threshold, license checks).
Scan container registries and auto-tag vulnerable images
- Which container registries do you use in-scope for registry scanning?
- Do you permit automatic tagging/labeling of images in the registry (e.g., vulnerable/needs-fix) or prefer read-only annotations?
- How frequently should registry scans run (initial full scan + ongoing cadence)?
- What notification or triage workflow should registry findings trigger?
- Do you require automatic image quarantine or blocking of tags that reach critical vulnerability thresholds?
- Provide registry access method and credential pattern (e.g., cross-account role, service principal, robot account) and any network restrictions.
Enable runtime workload protection for a Kubernetes cluster
- Which Kubernetes clusters are in-scope for runtime protection (name, cloud, cluster count)?
- What Kubernetes versions and CNI/CRI implementations are used in-scope clusters?
- Do you accept host-based agents, sidecar approaches, or require agent-agnostic/non-intrusive methods?
- What runtime detections are highest priority (process injection, exec into containers, lateral movement, crypto-mining, suspicious outbound connections)?
- Are there namespaces or workloads to exclude from runtime monitoring (e.g., infra, sandbox, high-performance pods)?
- Define performance constraints (acceptable CPU/memory overhead per node and any startup latency thresholds).
Map cloud resources and identities into a unified security graph
- Which cloud providers and accounts/projects should be connected for the security graph?
- Approximately how many cloud accounts/projects and IAM identities (roles/users/service accounts) are in-scope?
- Do you require mapping of on-prem or hybrid resources (VMs, bare metal) into the same graph?
- Who will own cloud account connections and approve required read-only permissions (security team, cloud team, platform engineering)?
- What sync cadence is required for inventory and identity changes (real-time, hourly, daily)?
- List any compliance or sensitive resources that must be treated differently in the graph (e.g., PCI workloads, prod secrets stores).
Attack-path analysis correlating misconfigurations to exploitable paths
- Which environments should be included for attack-path analysis (staging, production, QA)?
- Do you want analysis restricted to specific applications or the entire cloud footprint?
- What types of misconfigurations are highest priority to correlate (network, IAM, S3/bucket, container capabilities)?
- What threshold defines an actionable exploitable path (e.g., attacker can reach pod with high-privilege role)?
- Who is responsible for triage and remediation of attack-path findings during the POC (security, platform, app owners)?
- Provide examples of recent incidents or gaps you expect the attack-path analysis to detect.
Generate east-west microservice traffic visualization
- Do you run a service mesh (e.g., Istio, Linkerd) or use standard iptables/CNI for intra-cluster traffic?
- Which clusters/namespaces should be instrumented for east-west traffic visualization during the POC?
- What level of detail is required (service-to-service call graphs, pod-to-pod flows, L7 metadata)?
- Are there privacy or data residency constraints for captured traffic metadata?
- Preferred sampling or retention window for traffic data during POC (e.g., continuous 2 weeks, sampled 10% traffic).
- Which visualization outputs are useful to your teams (dashboards, exportable graphs, raw flow logs)?
Auto-generate Kubernetes NetworkPolicies from observed traffic
- Do you want NetworkPolicies to be auto-generated and applied, or generated for review before apply?
- Which namespaces or workloads should be targeted first for NetworkPolicy generation?
- Do you follow a default deny or default allow posture when generating policies?
- How long should generated policies be tested in a canary/dry-run window before enforcement?
- Are there workloads that cannot tolerate network policy enforcement due to dynamic connectivity (e.g., autoscaling ingress)?
- Describe rollback or mitigation procedures if a generated policy breaks application communication.
Prioritize exploitable findings with risk scoring and alerting
- Which channels should prioritized alerts be sent to (Slack, PagerDuty, Email, Jira, Other)?
- What is your acceptable false-positive rate for high-priority alerts during the POC?
- Do you require alerts to auto-create tickets with remediation playbooks attached?
- Which attributes must be present on prioritized findings (exploitability score, affected service, remediation owner)?
- Do you want risk scoring tuned to business context (crown-jewel services, public-facing APIs)?
- Who will own tuning and acceptance of the prioritization model during the POC?
Integrate cloud IAM scanning to highlight privilege misconfigurations
- Which cloud providers and identity stores should be scanned for IAM misconfigurations?
- Do you require simulation of privilege escalation paths or passive detection only?
- How often should IAM scanning run and how quickly must new findings be reflected in the graph?
- Are there service accounts or roles that must be excluded from automated remediation or blocking?
- What level of detail is required in IAM findings (policy diff, policy document, resource mapping)?
- Provide examples of privileged roles or patterns that are considered high-risk for your organization.
Deploy admission-controller hooks to block vulnerable images at deploy
- Do your clusters allow deploying admission controllers, and who must approve that change?
- Should admission hooks run as validating, mutating, or both during the POC?
- Which enforcement mode is acceptable initially (dry-run/report-only vs block deploys)?
- Which clusters/namespaces should receive admission-controller enforcement during the staging bake-off?
- What are the expected rollback or emergency bypass procedures for admission-controller failures?
- List any compliance or change-control windows that restrict when enforcement can be enabled.
-
Mutual Commit
Agree on license, POC duration, acceptance criteria, SLAs (performance & false-positive thresholds), and escalation paths.
Agreement Modules
- Statement of Work (SOW)
- Proof-of-Concept (POC) Agreement
- License Agreement
- Order Form / Quote
- Service Level Agreement (SLA)
- Performance & False-Positive Thresholds
- POC Acceptance Checklist
- Support & Escalation Plan
- Data Processing Agreement (DPA)
- Onboarding & Implementation Plan (SOW Appendix)
- Change Order Agreement
- Termination & Exit Plan
- Renewal & Production Rollout Addendum
-
Deployment
Operationalize rollout with readiness checks, enablement, and outcome validation.
-
Pre-Deployment Readiness
Confirm access, test images, CI/CD hooks, policies, and rollback/mitigation plans to prevent pod startup impact.
Readiness Questions
Quick Orientation — who are we talking with today?
- Which of these best describes your role on this evaluation?
- Which cloud providers host the Kubernetes clusters you’ll include in this POC?
- Roughly how many production Kubernetes clusters and active namespaces are in scope for initial adoption?
- What specifically triggered this evaluation right now?
- Which of the following success signals would you prioritize for the POC? (select up to 3)
If Your Stack Could Speak, What Would It Confess?
- What blind spots keep showing up even though you’ve deployed several point tools?
- Which tools make up your current security stack?
- Where do you see the most noise or false positives today?
- How long does it typically take to link an image vuln or infra misconfiguration to an exploitable runtime path today?
- Tell us about a recent finding that never translated into remediation—what happened and why?
When the Smoke Hits the Fan — tell us about the last incident
- Describe the most recent container or cluster security incident you had and how it was discovered.
- How long from detection until the first containment action (e.g., pod isolation, image block, IAM change)?
- Who owned the response and what teams were involved?
- What were the most frustrating blockers during remediation (technical, organizational, or tooling)?
- Did that incident lead to any changes in budget, priorities, or team structure? If so, what changed?
What’s Really Broken — and What Keeps You Up at Night?
- Which of these risks feels most likely to cause a repeat incident if not addressed?
- How worried are you about a security control degrading application performance or slowing deployments?
- When you imagine a missed vulnerability being exploited, what downstream business impacts concern you most?
- Which metrics or signals would make you sleep easier if improved within 60–90 days?
- How does the team currently prioritize which findings to remediate when resources are limited?
If Everything Went Right — what would actually be different?
- If we eliminated noisy, non‑actionable findings and surfaced only exploitable paths, what would your team do differently week-to-week?
- Which of these would be a game-changer for adoption?
- What quantitative targets would prove the POC succeeded (list top 3 with numbers if possible)?
- How quickly do you expect to see prioritized, actionable findings after installation?
- What would adoption look like after a successful POC—clusters onboarded and timeline?
Where You Won’t Compromise — the real veto points
- What specific outcomes will cause the VP of Platform or SREs to reject the solution outright?
- How much startup overhead (ms/percent) is acceptable for pod initialization before it becomes a showstopper?
- Which stakeholders must sign off for production rollout and what are their top concerns?
- What specific evidence (benchmarks, logs, runbooks) will each approver require to greenlight production?
- Have you had previous POCs fail due to non-technical reasons (timing, ownership, politics)? Tell us the story briefly.
Pre-Deployment Readiness — safety nets and the things that must be in place
- If a security control blocked a deployment unexpectedly, what rollback or mitigation playbooks do you already have?
- Which CI/CD systems and gate types do you currently run that we’ll need to integrate with?
- Which test images or synthetic workloads can you provide for a staging bake‑off to validate blocking and runtime detections?
- Do you have a staging cluster that faithfully reproduces production performance characteristics?
- What rollback/RCA SLA would you require if a control caused a widespread outage during the POC?
Measuring the Bake‑Off — what will convince you in two weeks?
- Do you believe a two‑week staging bake‑off can produce reliable signals, or do you have concerns about that timeframe?
- Who will be the day‑to‑day POC owner responsible for triage, testing, and acceptance during the bake‑off?
- Which baseline metrics and monitoring sources should we record to compare before vs during the bake‑off?
- What acceptance criteria—both quantitative and qualitative—will you use to declare the POC a success?
- When is the earliest window you could run the staging bake‑off (provide date ranges or quarters)?
Governance, Escalation, and Next Steps — closing the loop
- What escalation path would you expect if we surface a live exploit during the POC?
- Who needs to be in the weekly POC sync and what decisions must they be empowered to make?
- What licensing, contractual, or legal constraints should we be aware of before deploying test agents or scanning images?
- If everything lines up, what is the minimum viable next step you’d accept from us after this discovery?
- Any other unstated fears, constraints, or political dynamics we haven’t asked about that could derail the project?
-
Deployment Enablement
Schedule and execute the two‑week staging bake‑off with owners, CI/CD integration tasks, and monitoring configuration.
-
Validation Checklist
Verify detection fidelity, image-blocking effectiveness, attack-path correlation, and measured MTTR improvements against baseline.
Validation Questions
Start Here — Tell Us About Your World
- How many Kubernetes clusters do you run in production (include EKS/GKE/AKS and self-managed)?
- Which cloud providers host those clusters?
- Who will lead the two‑week POC evaluation on your side? (role/title and primary contact preferred)
- When was the last production security incident (container exploit, escape path, or failed patch) that prompted this evaluation?
- How does that incident still affect you day-to-day (operational burden, executive pressure, customer impact)?
Are We Still Fighting Fires — Or Preventing Them?
- If your current security stack were doing its job, why did the recent container incident still happen?
- Where was the visibility gap during that incident (image scanning, runtime telemetry, network east‑west, IAM misconfiguration, attack path correlation)?
- Who first detected the issue and how long elapsed from breach to initial detection?
- How did that detection-to-remediation timeline feel to your team emotionally and operationally?
- Quantitatively, what was your MTTR for that incident (hours/days)?
Where the Toolchain Is Letting You Down
- Which parts of your current toolchain consistently create blind spots, false alarms, or operational friction?
- Which of these tools are in your security stack today?
- How often do your existing tools surface the same issue in different consoles without clear correlation?
- Give a recent example where separate tools created more work than insight—what happened and what was the manual effort to reconcile it?
- Which data-silo pain points matter most for your team right now?
What’s Getting Between Security and Velocity?
- Would you choose slowed builds that block riskier images, or faster builds that allow potentially exploitable images to reach prod—what’s the real tradeoff you’re living with?
- How often do security checks delay your CI/CD pipelines today (frequency and typical delay per build)?
- What is an acceptable additional latency for pod startup or build time from the VP/SRE perspective (ms/seconds/minutes)?
- Which team has veto power over anything that impacts deployment velocity or pod scheduling?
- Describe a time a security control was rejected due to performance or velocity concerns—what convinced them to say no?
If the POC Worked, What Would Change on Day 15?
- If this POC proves its case, what concrete changes would you expect to see immediately after (select all that apply)?
- What baseline metrics can you provide for the POC to measure improvement (current MTTR, mean time to detect, number of open exploitable findings)?
- Who must be satisfied for the POC to be considered successful (roles: security, platform, dev, executive)?
- Which of these acceptance criteria would be automatic deal-breakers if unmet?
- How would you like us to present POC evidence (dashboards, playbooks, recorded exploit runs, incident timelines)?
The Staging Bake‑off — Let’s Be Real
- How realistic is your staging cluster compared to production in terms of traffic, RBAC, network topology, and secrets?
- Which CI/CD system will we integrate with during the bake‑off?
- Do you have representative test images and exploit scenarios we can run or do we need to create realistic simulation artifacts together?
- What access constraints or guardrails do we need to honor in staging (RBAC, no access to production secrets, limited egress, scheduled windows)?
- Who will own day‑to‑day bake‑off tasks on your side (names/roles for CI integration, infra, security, and dev contacts)?
If We Could Only Fix One Thing Right Now
- Which single capability, if solved, would reduce your most feared risk or the most operational toil today?
- Why is that capability so critical—tell us a recent story or pain point that makes it top priority?
- If that capability were delivered perfectly, estimate the real-world impact (hours saved/week, incidents avoided/year, or business risk reduced).
- Which stakeholders would be most persuaded by that win, and what evidence would convince them?
- Would you accept a phased approach that delivers this capability first and others later?
Decision & Momentum — Who Signs Off and How?
- What is the smallest contractual or governance commitment that will let you move from POC to production (trial license, pilot agreement, SLAs, performance guarantees)?
- Who holds final procurement and technical approval authority, and what are their top decision criteria?
- Following a successful POC, how quickly do you expect to start a cluster-by-cluster rollout (0–14 days, 15–30, 31–60, 60+ days)?
- What SLAs or thresholds must be met to trigger procurement (performance, false-positive rate, MTTR improvement)? Please list numeric targets if you have them.
- What concerns or internal blockers should we anticipate so we can plan preemptive mitigations?
-
-
Success
Review POC results against success signals, confirm production rollout plan, and open a shared channel for issues and improvements.
Success Reviews
- POC Results Review & Acceptance
- Production Rollout Planning
- Shared Channel, Support & Escalation Setup
- Metrics, Reporting & Continuous Improvement Cadence
Issues & Enhancements
- One‑sentence Current State Recap
- Finalize a phased production rollout plan with dates, measurable validation gates, and assigned owners.
- Agree concrete performance and false‑positive SLAs and the operational escape hatches if thresholds are exceeded.
- Ensure rollback and mitigation procedures are documented and owners are identified before any production changes.
- Publish the rollout runbook that includes scope, timeline, validation criteria, and rollback steps.
- Assign and document primary and secondary owners for each rollout milestone in the runbook.
- Schedule a pre‑deployment dry‑run in a non‑prod environment to validate CI/CD hooks and monitoring alerts.
- Collaboration Channel & Access
- Open and populate a shared operational channel with appropriate access and ownership.
- Agree SLAs, escalation paths, and runbook ownership so incidents are handled predictably post‑rollout.
- Schedule training and handover to ensure the customer's teams can operate, tune, and escalate effectively.
- Create the shared channel, invite confirmed members, and pin the escalation matrix and runbook links.
- Finalize and distribute the escalation matrix with contact information and SLA timers.
- Upload operational runbooks to the shared repository and schedule the first enablement session.
- Agree Measurement Windows and Baseline Metrics
- Agree a measurable set of metrics and reporting cadence that will demonstrate reduced risk and improved MTTR post‑rollout.
- Set 30/60/90 day milestones and a prioritized backlog to drive continuous improvement after go‑live.
- Assign owners for recurring reporting and continuous improvement actions.
- Publish agreed dashboards and schedule automated weekly and monthly reports to stakeholders.
- Create the prioritized improvement backlog with owners and target completion windows for the 30/60/90 milestones.
- Schedule the recurring review meetings and invite the assigned owners for each cadence.
- Confirm whether the POC met each predefined success signal with evidence, and record binary acceptance or a defined remediation plan.
- Document any residual technical or operational risks that must be addressed before production rollout.
- Assign owners and deadlines for all remediation actions required to achieve acceptance if not already met.
- Produce a concise final POC results report mapping each success signal to evidence and acceptance status.
- Create a remediation tracker listing open issues, owners, due dates, and verification criteria for Partial/Not met signals.
- Schedule the Production Rollout Planning meeting (if accepted) or a focused re‑test session (if partial).
- Scope Confirmation
- Consequence Summary
- Dashboard & Report Templates
- SLA & Alerting Definitions
- Phased Rollout Timeline & Milestones
- Escalation Matrix and Contacts
- Success Signals & Baseline Metrics
- Validation Gates & Measurement Windows
- 30/60/90 Day Success Milestones
- Improvement Backlog & Prioritization
- Proof Demos — Real Incidents & Attack Paths
- Resource Allocation & Owner Mapping
- Runbooks, Playbooks & Handover
- Gaps, False Positives & Residual Risks
- Recurring Review Cadence & Owners
- Triage Workflow & False‑Positive Tuning
- Performance & SLA Guardrails
- Customer Validation & Acceptance Triage
- Training & Knowledge Transfer Schedule
- Rollback, Mitigation & Contingency Plan
- Decision & Immediate Next Steps