Kubernetes Security Platform

Kubernetes Security That Just Works

Juliet maps your clusters as a security graph, surfacing real attack paths, scanning vulnerabilities, enforcing admission policies, and detecting runtime threats. One CNAPP platform, five-minute setup.

Free tier — no credit card required. Results in 5 minutes.

[Screenshot: Juliet Kubernetes security platform dashboard showing fleet health score, critical vulnerabilities, attack paths, and compliance posture across clusters. Values shown: 34 critical, 25 exploitable, 570 fixable, 43% compliance.]

Drops into your existing stack

Kubernetes
Docker
AWS
Helm
GKE
AKS

Free forever tier available: 1 cluster, full security features, no credit card required. See pricing.

Scanners Give You Lists. Juliet Gives You Answers.

Traditional container security tools dump thousands of CVEs on your team with no context. Juliet automatically maps your entire Kubernetes environment as a connected graph, a KSPM approach that shows how resources relate to each other and which vulnerabilities are actually dangerous.

  • Context, not just alerts. A medium-severity CVE on a pod with elevated permissions and internet exposure is actually critical. Juliet connects these dots automatically, with no manual investigation needed.
  • Fix what matters first. Attack path analysis shows which vulnerabilities are actually reachable from outside your cluster, so your team stops chasing false priorities.
  • See the full impact. When something is vulnerable, instantly see every workload and namespace in the potential impact zone, not just the single affected resource.

Deploy in Under 5 Minutes

One Helm chart. Zero infrastructure to manage. Full visibility.

1. Deploy Agents

One Helm chart deploys lightweight agents across your cluster. Minimal RBAC permissions, no privilege escalation, zero impact on running workloads.

2. Automatic Discovery

Juliet maps every resource, relationship, and vulnerability into a connected graph, automatically. No configuration, no tuning, no query language to learn.

3. Find and Fix

See exactly what's exposed, why it matters, and who should fix it. Actionable results from day one, not a backlog of unranked alerts.

Attack Path Analysis

See How Attackers Actually Get In

Not just a list of CVEs — Juliet traces the exact chain an attacker would follow from internet exposure to your most sensitive assets. Every path is verified, risk-scored, and comes with specific remediation steps.

  • Verified attack chains — see the exact hop-by-hop path from entry to target
  • One-click fixes — "Add a NetworkPolicy" breaks 16 of 20 attack paths
  • Risk scoring — prioritize by real-world exploitability, not just CVSS

AI-Powered Explorer

Ask Questions in Plain English

"Show me pods running as root with critical CVEs" — type what you're looking for and get instant results. Juliet translates natural language into multi-hop graph queries across your entire fleet.

  • Natural language queries — no query language to learn
  • Multi-hop traversals — Pod → Container → Image → CVE in one query
  • Pre-built quick queries — one click to find privileged containers, exposed services, and more

Compliance Frameworks

Continuous Compliance, Not Checklists

Measure your clusters against CIS Benchmarks, NSA/CISA Kubernetes Hardening Guidance, SOC 2, and Pod Security Standards — continuously. Those controls map to a substantial portion of PCI DSS, HIPAA, and ISO 27001 requirements. One-click scans with clear pass/fail results and framework-specific remediation guidance.

  • Multiple frameworks tracked simultaneously with live posture scores
  • One-click scanning — scans run server-side, no extra pods to deploy
  • Attention alerts — instantly see which framework needs focus

[Screenshot: Juliet compliance dashboard showing SOC 2, CIS Kubernetes, NSA/CISA, PSS Restricted, and PSS Baseline frameworks with pass/fail scores, control coverage, and scan history; 5 frameworks tracked.]

Admission Control

Stop Bad Deploys Before They Land

40 built-in security policies that block misconfigurations at deploy time. Enforce, audit, or warn — test against existing workloads before turning policies on. Includes a simulator to preview impact.

  • Validate, mutate, enforce — choose your enforcement level per policy
  • Policy simulator — preview what would be blocked before enabling
  • 5 categories — workload security, access control, best practices, image security, network

[Screenshot: Juliet admission policies dashboard showing 40 total policies across workload security, access control, best practices, image security, and network security categories with simulator; policy score shown: 100.]

Kubernetes Security Posture Management. Complete Visibility.

From container vulnerability scanning to runtime detection, everything you need to secure Kubernetes, without the tool sprawl. One CNAPP for your entire fleet.

Attack Path Analysis

See exactly how an attacker could move through your cluster, from internet exposure to privilege escalation to sensitive data. Prioritize remediation by real-world exploitability, not just CVSS scores.

AI-Powered Explorer

Ask questions about your security posture in plain English. Juliet translates natural language into multi-hop graph queries, finding exactly what you need across clusters, namespaces, and resources.

Vulnerability Management

Scan every container image for CVEs with SBOM-based analysis. Group by image, package, or namespace. Filter by severity, exploitability, and whether a fix is available.

Runtime Security

Detect threats as they happen with eBPF-based runtime sensors. Monitor process execution, network connections, and file access across your fleet with real-time event streaming and configurable policies.

Admission Control

Stop misconfigurations before they deploy. Fifteen built-in security policies plus custom Rego rules, with enforce, audit, and warn modes. Test policies against existing workloads before turning them on.

SBOM & Supply Chain

Full software bill of materials for every container image. Track packages, licenses, and known vulnerabilities across your fleet. Export in CycloneDX format for supply chain audits.

Compliance Frameworks

Continuously measure your clusters against CIS Benchmarks, EKS CIS, NSA/CISA Kubernetes Hardening Guidance, Pod Security Standards, and SOC 2. Always-on monitoring with clear pass/fail results, plus control mapping to PCI DSS, HIPAA, and ISO 27001 for audit evidence.

Identity & RBAC Analysis

Find over-permissioned service accounts, detect lateral movement paths, and spot RBAC misconfigurations. Risk-score every identity and prioritize by actual exposure.

Multi-Cluster Management

Connect EKS, GKE, AKS, and self-managed clusters into a single view. Compare security posture across environments, track drift, and manage everything from one dashboard.

  • 5 min: Deploy to first results
  • 9: Security capabilities in one platform
  • 15+: Built-in admission policies
  • 6: Compliance frameworks supported

Enterprise Ready

Built for organizations that need security, compliance, and control at scale.

Single Sign-On

Google OAuth integration for seamless team access. No separate credentials to manage.

Multi-Factor Authentication

TOTP-based MFA with recovery codes for every account. Enforce across your organization.

Full Audit Trail

Every action logged and searchable. User management with admin, developer, and viewer roles.

Multi-Tenant Isolation

Every customer gets a dedicated graph database. Complete data isolation at every layer.

Alerts & Reporting

Route alerts to Slack, Teams, PagerDuty, or email. Generate PDF security reports with letter-grade scoring.

API & Automation

Scoped API keys with read, write, and admin permissions. Full REST API for integrating with your toolchain.

Built with Security First

We built Juliet with the same rigor we expect from the infrastructure it protects.

  • Per-customer data isolation with dedicated graph databases
  • SSO and multi-factor authentication for every account
  • Agent credentials scoped to minimum permissions with key rotation
  • Full audit trail of every action for compliance reviews
  • Enterprise-grade backup and retention with legal hold support
  • Always-on health monitoring across all customer environments

Continuous monitoring against:

CIS Benchmarks
EKS CIS
NSA/CISA
Pod Security Standards
SOC 2
NIST SP 800-190

Frequently asked about Juliet

What is Juliet?

Juliet is a graph-based Kubernetes security platform (a Kubernetes-first CNAPP). It maps your clusters as a security graph, finds real attack paths, scans vulnerabilities, enforces admission policies, detects runtime threats, and continuously monitors compliance against CIS Kubernetes, NSA/CISA Hardening Guidance, Pod Security Standards, and SOC 2 — with control mapping to PCI DSS, HIPAA, and ISO 27001 for audit evidence. Install is one Helm chart; first results arrive in under 15 minutes.

How is Juliet different from other Kubernetes security tools?

Flat scanners produce a list of CVEs with no context. Juliet builds a graph of every cluster resource and uses attack path analysis to rank findings by real exploitability: internet exposure, RBAC reachability, and blast radius. The result is prioritization tied to actual paths an attacker could take, instead of triaging CVSS scores in isolation. See comparisons against Falco, Wiz, Snyk, Prisma Cloud, Kubescape, Trivy, and Tetragon.

How long does Juliet take to deploy?

Five minutes to install the Helm chart. First results arrive within 15 minutes: attack paths, vulnerabilities, and compliance posture populated in the dashboard. No separate scanner pods, and no sidecars per workload.

Does Juliet require a privileged agent?

The runtime sensor (Pro and Enterprise tiers) runs as a DaemonSet with elevated capabilities required to attach eBPF programs to the kernel. Your application workloads stay unprivileged. The posture-only agent (Starter tier) uses a read-only ServiceAccount with no elevated permissions.

Is there a free tier?

Yes. The Starter tier is free forever: 1 cluster, 5 nodes, 5 users, full posture and vulnerability scanning, Pod Security Standards compliance, attack paths, blast radius, and graph explorer. No credit card required. See pricing for the full plan matrix.

What compliance frameworks does Juliet cover?

Pod Security Standards Baseline and Restricted on every tier. CIS Kubernetes Benchmark and NSA/CISA Hardening Guidance on Team. SOC 2 plus PCI DSS / HIPAA / ISO 27001 control mapping on Pro. Custom Rego policies on Enterprise. Juliet's CIS, NSA/CISA, and SOC 2 controls can be used as evidence under PCI DSS, HIPAA, and ISO 27001 audits today; dedicated first-class profiles for those frameworks are on the roadmap. See the compliance frameworks guide.

Does Juliet scan container images for vulnerabilities?

Yes. Juliet generates SBOMs with Syft and matches against NVD, GitHub Security Advisories, and vendor-specific feeds via Grype. Each CVE is correlated with the running pod, its network exposure, and its RBAC, so prioritization reflects real exploitability rather than CVSS alone. See "How Kubernetes vulnerability scanning works."

Does Juliet support multiple clusters?

Yes. Team covers 5 clusters, Pro covers 15, and Enterprise is unlimited. All clusters flow into a single tenant graph, so cross-cluster attack paths and blast radius work natively. This is useful for platform teams, MSPs, and multi-tenant SaaS operators.

Can Juliet block bad configurations at deploy time?

Yes, on Pro and Enterprise tiers. Juliet ships with 15 built-in admission policies (privileged pods, root containers, hostPath mounts, image registry allowlists, and others) and supports custom Rego on Enterprise. See admission control explained.

Does Juliet detect runtime threats?

Yes, on Pro (audit mode) and Enterprise (detection and enforcement). Juliet's runtime sensor is eBPF-based: one DaemonSet per cluster, no per-pod sidecars. It watches syscalls, network events, and process execution against a rule library, with every alert correlated to the cluster graph for context. See "Runtime security for Kubernetes."

How does Juliet handle multi-tenant data isolation?

Per-customer dedicated Neo4j instances. Every graph query is scoped by customer_id and cluster_id. No shared graph, no risk of cross-tenant leakage via a missed WHERE clause.

Can I trial paid features before upgrading?

Yes. Team and Pro tiers include a 30-day free trial with full feature access. No credit card required. After the trial, stay on the free Starter tier or choose a paid plan.

Get Started

Deploy Juliet in your cluster and see your security posture in minutes. One Helm chart, full visibility. No credit card required.