Edera

Computer and Network Security

Seattle, WA 4,393 followers

Hardened runtime for your container and AI environments, without the complexity.

About us

Edera reimagines container runtime from the foundation up, bringing resource optimization to workloads without disrupting developer workflows. Our approach bridges the gap between how containers ship and how they should run. While point solutions add layers on top of flawed foundations, we've redesigned the core architecture: solving from the hardware up, not software down. Organizations ship with containers but transform with Edera, achieving significant infrastructure cost savings and security by default.

Website: https://edera.dev
Industry: Computer and Network Security
Company size: 11-50 employees
Headquarters: Seattle, WA
Type: Privately Held
Founded: 2024
Specialties: Cybersecurity, Containerization, Hypervisors, Runtime, Memory Safety, and AI Infrastructure

Updates

  • Edera reposted this

    I've been in security long enough to know when the ground shifts under your feet. This is one of those moments. For the first time in history, businesses aren't defending against human attackers. They're defending against machines. The time from vulnerability discovery to weaponized exploit has collapsed dramatically - and it's only accelerating. You will not patch your way out of this. Patching is still good hygiene. It always will be. But patching is a response to the known. Historically, it's been hard to sell against a risk you can't quantify. Like technology that prevents 0-days. That era is over. Frontier models such as Claude Mythos show a rapidly evolving capability that attackers will soon have access to, cutting the time from theoretical vulnerability to exploit by at least an order of magnitude. The unknown is now documented. The risk is now quantifiable. Edera wasn't built to patch faster. It was built to provide resilience in the face of the inevitable. Our Hardened Runtime is designed to neutralize threats on contact. The attacker can get in, they can't take anything out. The blast radius is zero. You manage a small-scale incident. Not a mass breach. Not a board meeting. Not a regulatory disclosure. The market that wasn't ready for 0-day protection a decade ago is ready now. Frontier models are the latest example of innovation that gives attackers an advantage. Defenders need to think about resiliency in the platforms they build. We built Edera for this moment and for the resilience it will take to get through it.

  • Edera reposted this

    Hi folks, This blog stems from my frustration from all my years in this industry watching tiny teams trying to build things, whether it is Kubernetes clusters to serve an entire company or secure multi-tenant infrastructure, and then failing catastrophically once things move past the demo stage. I wrote this blog post based on the challenges I've seen trying to run Kata at scale beyond a PoC. Most writeups I’ve seen focus on getting Kata running or on the security wins, which are real. The part that needs to be discussed more is everything that shows up later: guest kernel lifecycle, virtio-fs quirks, NUMA and vCPU oversubscription, GPU passthrough fragility, boot storms, fragmented observability, and resource isolation control surfaces that do not line up with where the work is actually happening. This isn't a dig on Kata — it is a great project solving a real problem. This is a lessons-learned writeup from trying to run it on a large fleet, aimed at anyone evaluating Kata seriously so they go in with eyes open.

  • Edera reposted this

    🛡️ Welcoming Edera as a Gold Sponsor of KCD New York 2026! We're thrilled to have Edera joining us on June 10 in Manhattan 🙌 Edera is redefining what container security looks like at the infrastructure level. Their Hardened Runtime isolates every workload in its own lightweight zone — cutting attack surface by 95% while delivering near-native performance. No trade-offs. No specialized hardware. Just containers that actually can't escape. And they're not just sponsoring — Research Scientist Marina Moore is leading the roundtable "Linux Kernel Fundamentals for Kubernetes Users" on the day. Come for the session, stay for the conversation. If you're running Kubernetes at scale and security is on your mind (and it should be), these are the people to talk to. 🎟 Grab your tickets at kcdnewyork.com Group rates available for teams of 3+ #KCDNewYork #Kubernetes #CloudNative #ContainerSecurity #PlatformEngineering #Security Edera Cloud Native Computing Foundation (CNCF)

  • Edera reposted this

    There are a lot of security tools available on the market right now, offering solutions to many different kinds of problems. But which ones are actually useful for defenders? I have been doing security engineering, both blue teaming and red teaming (including against browsers), for basically my entire career, so I've seen a lot of products over the years. What would I pick as essential security tooling for cloud native practitioners? Let's jump into it.

    1️⃣ Kernel-level memory safety hardening
    The world talks a lot about memory safety, and indeed it is important. Kernel patches like Edera's OpenPaX or grsecurity include mitigations that significantly raise the difficulty and reliability requirements for memory safety exploitation in many situations.

    2️⃣ Isolation and capability-based sandboxing
    Even the most well-behaved application will likely have a vulnerability during its servicing lifecycle. Running services in isolated sandboxes, like those offered by the Edera platform and others, adds a line of defense against lateral movement after exploitation.

    3️⃣ Hardened images
    Hardened images offer reduced attack surface and fewer components, making them less useful targets for lateral movement after compromise. Hardened image vendors largely talk about CVE reduction in their marketing, but the real advantage is that these images have reduced usability for attackers. An image without a shell, for example, is a much less valuable target because attackers cannot easily pivot or establish operational footholds inside the environment.

    4️⃣ Canaries (internal honeypots)
    How do you even find out you've been compromised? In most instances, people don't until it's far too late. So we need to reduce time-to-detection. Security monitoring tools like Falco are useful for understanding how a compromise happened, acting somewhat like a flight data recorder. But unless your alerting is properly configured, they often generate enormous amounts of noise. I frequently hear about security organizations having entire teams dedicated to manually triaging monitoring alerts. So what actually works? Honeypots acting as early warning systems. These can be built yourself using open source tools like honeyd, but personally I like Thinkst Canary because you can deploy them and largely forget about them until an incident happens, though they are admittedly pretty expensive.

    I would love to know: what security tooling have you actually seen materially change outcomes during a real incident?

  • Final day of OSS Summit. One last chance to stop by the Edera booth. We've been talking all week about what it actually takes to isolate workloads at the hardware level. No shared kernels. No blast radius. No shortcuts. If you haven't had that conversation yet, today's your day. And yes, we still have swag: 🌱 RunTHYME seeds (grow your garden, harden your runtime) 💻 Laptop Stickers 📍Ivy Pins for the collectors 🧢 Hyper-VISORS — because every engineer deserves a hot pink visor Come find us & say hi!

  • Edera reposted this

    I am so excited to announce the launch of Edera Native Workload Intelligence for Kubernetes. Strong workload isolation has historically meant losing the operational visibility Kubernetes depends on, because the moment you place a hardware-enforced boundary around a pod, the metrics pipeline starts reporting VM-level numbers instead of workload reality. kubectl top drifts, HPA scales on stale data, dashboards lose visibility into the workloads that matter most, and teams end up heavily overprovisioning just to stay safe. This release closes that gap, making Edera-isolated pods first-class Kubernetes citizens on the same metrics, scheduling, and observability pipeline the rest of the cluster already uses, while keeping the isolation boundary fully intact underneath. Edera exposes a metrics endpoint that joins zone-level resource accounting directly to Kubernetes pod and namespace identity, feeding real per-pod data into the Kubernetes Metrics API so HPA, VPA, and kubectl top work end-to-end without special instrumentation or parallel monitoring pipelines. Datadog, Grafana Alloy, Prometheus Adapter, and existing Kubernetes monitoring stacks continue working without operators rebuilding their observability around isolated workloads. The runtime continuously measures pressure inside each zone and adjusts allocations based on observed behavior, so the numbers reflect the workload's actual operating state instead of static allocations. As a result of this, platform teams finally get accurate autoscaling, real workload-level visibility, and the ability to run isolated workloads without treating every deployment like worst-case capacity planning.

    The NUMA placement work is the other major piece, especially for GPUs, NICs, and HPC environments. Every Edera zone resolves topology before boot and keeps GPU memory traffic and NIC DMA local to the device socket instead of crossing the interconnect, while still expanding topology-aware when workloads outgrow local cores. Operators do not need pinning scripts, affinity annotations, or constantly maintained topology rules to get there. More importantly, because every Edera workload runs its own kernel, this foundation opens the door for per-workload kernel telemetry and memory pressure visibility that shared-kernel runtimes fundamentally cannot provide.

    For the platform engineers who want to learn deeper: Technical overview of the DRA driver: https://lnkd.in/epAv5jcg Installation guide: https://lnkd.in/eqDV3QPt CPU workload annotations for tuning placement: https://lnkd.in/eHZBScx8. Launch announcement: https://lnkd.in/eF5yFCSB

  • Edera reposted this

    Edera and Minimus Partner to Strengthen Container Security for Critical Infrastructure

    Edera and Minimus have announced a strategic partnership to deliver end-to-end container security for critical infrastructure, combining hardened container images with strong runtime isolation to help enterprises defend against AI-accelerated vulnerability threats. The joint solution is designed for regulated sectors including financial services, government, and critical infrastructure where containment is becoming as critical as prevention. “AI-powered vulnerability discovery has changed the math on open source risk. The question isn't whether adversaries will find exploitable flaws in widely deployed software, it's how fast, and what happens next,” said Ben Bernstein, CEO and Co-Founder of Minimus. Read more: https://lnkd.in/djsDuwB3 #CyberSecurity #ContainerSecurity #CloudSecurity #OpenSourceSecurity #CriticalInfrastructure #DevSecOps #AI #RuntimeSecurity #SupplyChainSecurity #CyberTech

  • Day 2 at The Linux Foundation's OSS Summit North America, and we're blooming 💐 Today we're launching Native Workload Intelligence. Bringing deeper runtime visibility to the hardened environments you already run with Edera. More signal. Less noise. Full isolation still intact. Stop by Booth G/S 13 to see it live and talk to the team about what workload intelligence actually means when your runtime is hardware-enforced from the ground up. 📍 At 3:25 PM CT in Room 200C, our co-founder and CTO Alex Zenla takes the stage with Adolfo García Veytia for a lightning talk: "Built Clean. Receipts Attached" They'll demonstrate how to cryptographically verify build isolation — attested machine identity via SPIFFE SVIDs, SBOM completeness, provenance tracing back to the exact VM that ran the build. If you care about SLSA, supply chain integrity, or just being able to prove your builds are hermetic, this talk is for you. Then come find us at Flora Room tonight with our friends from Minimus for happy hour. Good drinks, good food, better conversation.

  • Edera reposted this

    Day 2 at OSS Summit and we've got new FEATURES! Today we launched Edera Native Workload Intelligence (NWI). Designed to eliminate the security and operability trade off that comes with container isolation. NWI gives platform teams hardware-enforced isolation with working HPA, accurate per-pod metrics, NUMA-aware GPU placement, all while keeping your existing monitoring stack intact. One Helm install. No sidecars. No re-platforming. Oh, and we're also the first non-GPU runtime to ship a production DRA driver. NBD. Edera isolated pods are now first-class Kubernetes citizens. You're welcome. Dets in comments. If you're here in Minneapolis, come hang with us tonight. We're hosting a happy hour at Flora Room with our partners at Minimus and we'd love to see you.

  • Edera reposted this

    Security and operability have always been at odds in Kubernetes. The stronger your isolation, the less visibility you have into what's actually running. We built Native Workload Intelligence to change that. Edera gives isolated pods full Kubernetes parity. Accurate per-workload metrics, pod autoscaling on real data, automatic NUMA-aware placement for workloads, and a drop-in integration with your existing monitoring stack (i.e. Prometheus, Datadog, Grafana, etc.)! No custom tooling. No parallel pipelines. Whether you're running untrusted code, open source software, multi-tenant workloads, or AI agents - with Edera, you now have visibility AND isolation. Link to the full post in the comments!
