Your nodes still run SSH. Your ingress still receives attacks. Your containers still need protection at the host level. Defensia deploys as a container and protects the entire node.
Choose your platform. The agent auto-registers and starts protecting immediately.
docker run -d --privileged --net=host --pid=host \
-v /var/log:/var/log:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-e DEFENSIA_TOKEN=<TOKEN> \
ghcr.io/defensia/agent:latest
Also available on Docker Hub: defensiacloud/agent
echo "<TOKEN>" | docker secret create defensia_token -
docker stack deploy -c docker-compose.swarm.yml defensia
Deploys as a global service. Token stored as Docker secret.
helm install defensia-agent \
oci://ghcr.io/defensia/charts/defensia-agent \
--set token=<TOKEN>
DaemonSet — 1 agent per node, including control-plane. Tolerates all taints.
No config files. Just add labels to your containers and Defensia auto-detects what to monitor.
# docker-compose.yml
services:
nginx:
image: nginx
labels:
defensia.monitor: "true"
defensia.log-path: "/var/log/nginx/access.log"
defensia.domain: "example.com"
defensia.monitorForce-include or exclude a container from monitoring (true/false).
defensia.log-pathExplicit host log path(s). Skips auto-detection. Comma-separated.
defensia.domainAssociate domain names with this container's logs. Comma-separated.
defensia.wafInformational flag — WAF on/off is controlled from the dashboard.
The agent runs on the node and monitors everything — host-level and container-level threats.
15 detection patterns covering auth failures, pre-auth scanning, and protocol mismatches.
Reads Nginx/Apache logs from containers. Detects SQLi, XSS, path traversal, RCE, and 15+ OWASP types.
70+ bot fingerprints with per-org policies: allow, log, or block.
Reports all running containers, images, and status to the dashboard.
CPU, memory, disk, network, zombie processes — reported every 60 seconds.
Detects vulnerable packages and matches against NVD, EPSS, and CISA KEV.
Most container security tools focus on runtime detection only. Defensia covers the full stack.
Defensia runs on the host machine (or as a privileged container) and reads container logs, monitors exposed ports, and detects attacks on web services running inside containers. It blocks attackers at the host firewall level using iptables/ipset.
Yes. Add Defensia as a service in your docker-compose.yml with privileged mode and host networking. It auto-detects other containers and their exposed services.
Yes. Deploy via Helm chart as a DaemonSet — one agent per node. It reads ingress controller logs, monitors pod events, audits NetworkPolicy, and protects SSH on every node. See the Kubernetes Security page for details.
Yes. The agent detects Docker version, lists running containers, identifies web containers by port/image/label heuristics, and reports this data to the dashboard. Container info appears in the Docker tab of each server.
Falco monitors system calls at the kernel level (syscall tracing). Defensia reads application logs (nginx, SSH, mail) and blocks IPs at the firewall level. They operate at different layers and complement each other — Falco detects kernel-level anomalies, Defensia blocks network attacks.
Free tier available. Deploy on Docker, Swarm, or Kubernetes in under a minute.
Get Started Free