Kubernetes Security That Just Works
Juliet maps your clusters as a security graph, surfacing real attack paths, scanning vulnerabilities, enforcing admission policies, and detecting runtime threats. One CNAPP platform, five-minute setup.
Every feature free during early access — no credit card. Install in 5 minutes, first results in 15.
Scanners Give You Lists. Juliet Gives You Answers.
Traditional container security tools dump thousands of CVEs on your team with no context. Juliet automatically maps your entire Kubernetes environment as a connected graph: a KSPM approach that shows how resources relate to each other and which vulnerabilities are actually dangerous.
- Context, not just alerts. A medium-severity CVE on a pod with elevated permissions and internet exposure is actually critical. Juliet connects these dots automatically, with no manual investigation needed.
- Fix what matters first. Attack path analysis shows which vulnerabilities are actually reachable from outside your cluster, so your team stops chasing false priorities.
- See the full impact. When something is vulnerable, instantly see every workload and namespace in the potential impact zone, not just the single affected resource.
Deploy in Under 5 Minutes
One Helm chart. Zero infrastructure to manage. Full visibility.
Deploy Agents
One Helm chart deploys lightweight agents across your cluster. Minimal RBAC permissions, no privilege escalation, zero impact on running workloads.
Automatic Discovery
Juliet maps every resource, relationship, and vulnerability into a connected graph, automatically. No configuration, no tuning, no query language to learn.
Find and Fix
See exactly what's exposed, why it matters, and who should fix it. Actionable results from day one, not a backlog of unranked alerts.
See How Attackers Actually Get In
Not just a list of CVEs — Juliet traces the exact chain an attacker would follow from internet exposure to your most sensitive assets. Every path is verified, risk-scored, and comes with specific remediation steps.
- Verified attack chains — see the exact hop-by-hop path from entry to target
- One-click fixes — "Add a NetworkPolicy" breaks 16 of 20 attack paths
- Risk scoring — prioritize by real-world exploitability, not just CVSS
Ask Questions in Plain English
"Show me pods running as root with critical CVEs" — type what you're looking for and get instant results. Juliet translates natural language into multi-hop graph queries across your entire fleet.
- Natural language queries — no query language to learn
- Multi-hop traversals — Pod → Container → Image → CVE in one query
- Pre-built quick queries — one click to find privileged containers, exposed services, and more
Continuous Compliance, Not Checklists
Measure your clusters against CIS Kubernetes, NSA/CISA Hardening Guidance, SOC 2, the HIPAA Security Rule, and Pod Security Standards — continuously. Those controls map to a substantial portion of PCI DSS and ISO 27001 requirements. One-click scans with clear pass/fail results and framework-specific remediation guidance.
- Multiple frameworks tracked simultaneously with live posture scores
- One-click scanning — scans run server-side, no extra pods to deploy
- Attention alerts — instantly see which framework needs focus
Stop Bad Deploys Before They Land
More than 40 built-in validation and mutation policies that block misconfigurations at deploy time. Enforce, audit, or warn — test against existing workloads before turning policies on. Includes a simulator to preview impact.
- Validate, mutate, enforce — choose your enforcement level per policy
- Policy simulator — preview what would be blocked before enabling
- Born from our lab research — includes hardening policies for the CVE classes we test and publish, like Copy Fail and Dirty Frag
Kubernetes Security Posture Management. Complete Visibility.
From container vulnerability scanning to runtime detection, everything you need to secure Kubernetes, without the tool sprawl. One CNAPP for your entire fleet.
Attack Path Analysis
See exactly how an attacker could move through your cluster, from internet exposure to privilege escalation to sensitive data. Prioritize remediation by real-world exploitability, not just CVSS scores.
AI-Powered Explorer
Ask questions about your security posture in plain English. Juliet translates natural language into multi-hop graph queries, finding exactly what you need across clusters, namespaces, and resources.
Vulnerability Management
Scan every container image for CVEs with SBOM-based analysis. Group by image, package, or namespace. Filter by severity, exploitability, and whether a fix is available.
Runtime Security
Detect threats as they happen with eBPF-based runtime sensors. Monitor process execution, network connections, and file access across your fleet with real-time event streaming and configurable policies.
Admission Control
Stop misconfigurations before they deploy. More than 40 built-in validation and mutation policies plus custom Rego rules, with enforce, audit, and warn modes. Test policies against existing workloads before turning them on.
SBOM & Supply Chain
Full software bill of materials for every container image. Track packages, licenses, and known vulnerabilities across your fleet. Export in CycloneDX format for supply chain audits.
Compliance Frameworks
Continuously measure your clusters against CIS Kubernetes, NSA/CISA Kubernetes Hardening Guidance, Pod Security Standards, SOC 2, and the HIPAA Security Rule. Always-on monitoring with clear pass/fail results, plus control mapping to PCI DSS and ISO 27001 for audit evidence.
Identity & RBAC Analysis
Find over-permissioned service accounts, detect lateral movement paths, and spot RBAC misconfigurations. Risk-score every identity and prioritize by actual exposure.
Multi-Cluster Management
Connect EKS, GKE, AKS, and self-managed clusters into a single view. Compare security posture across environments, track drift, and manage everything from one dashboard.
Enterprise Ready
Built for organizations that need security, compliance, and control at scale.
Single Sign-On
Google OAuth integration for seamless team access. No separate credentials to manage.
Multi-Factor Authentication
TOTP-based MFA with recovery codes for every account. Enforce across your organization.
Full Audit Trail
Every action logged and searchable. User management with admin, developer, and viewer roles.
Multi-Tenant Isolation
Every customer gets a dedicated graph database. Complete data isolation at every layer.
Alerts & Reporting
Route alerts to Slack, Teams, PagerDuty, or email. Generate PDF security reports with letter-grade scoring.
API & Automation
Scoped API keys with read, write, and admin permissions. Full REST API for integrating with your toolchain.
Built with Security First
We built Juliet with the same rigor we expect from the infrastructure it protects.
- Per-customer data isolation with dedicated graph databases
- SSO and multi-factor authentication for every account
- Agent credentials scoped to minimum permissions with key rotation
- Full audit trail of every action for compliance reviews
- Enterprise-grade backup and retention with legal hold support
- Always-on health monitoring across all customer environments
Frequently asked about Juliet
What is Juliet?
Juliet is a graph-based Kubernetes security platform (a Kubernetes-first CNAPP). It maps your clusters as a security graph, finds real attack paths, scans vulnerabilities, enforces admission policies, detects runtime threats, and continuously monitors compliance against CIS Kubernetes, NSA/CISA Hardening Guidance, Pod Security Standards, SOC 2, and the HIPAA Security Rule — with control mapping to PCI DSS and ISO 27001 for audit evidence. Install is one Helm chart; first results arrive in under 15 minutes.
How is Juliet different from other Kubernetes security tools?
Flat scanners produce a list of CVEs with no context. Juliet builds a graph of every cluster resource and uses attack path analysis to rank findings by real exploitability: internet exposure, RBAC reachability, and blast radius. The result is prioritization tied to actual paths an attacker could take, instead of triaging CVSS scores in isolation. See comparisons against Falco, Wiz, Snyk, Prisma Cloud, Kubescape, Trivy, and Tetragon.
How long does Juliet take to deploy?
Five minutes to install the Helm chart. First results arrive within 15 minutes: attack paths, vulnerabilities, and compliance posture populated in the dashboard. No separate scanner pods, and no sidecars per workload.
Does Juliet require a privileged agent?
Only if you opt into runtime detection. The optional runtime sensor runs as a DaemonSet with elevated capabilities required to attach eBPF programs to the kernel; your application workloads stay unprivileged. The posture-only agent uses a read-only ServiceAccount with no elevated permissions — you choose which to deploy.
Is there a free tier?
Yes — and right now everything is free. Juliet is in early access: every account gets every feature with no credit card. After GA, the free tier covers 2 clusters, 10 nodes, and 5 users, and founding accounts created during early access keep full-feature access free within those limits. See pricing for the full plan matrix.
What compliance frameworks does Juliet cover?
Six frameworks: Pod Security Standards Baseline and Restricted, CIS Kubernetes Benchmark, NSA/CISA Hardening Guidance, SOC 2, and the HIPAA Security Rule. During early access every account has all of them; the GA tier mapping is PSS on every tier, CIS and NSA/CISA on Team, SOC 2 and HIPAA on Pro, custom Rego frameworks on Enterprise. Controls can be used as evidence under PCI DSS and ISO 27001 audits today; dedicated profiles for those two are on the roadmap. See the compliance frameworks guide.
Does Juliet scan container images for vulnerabilities?
Yes. Juliet generates SBOMs with Syft and matches against NVD, GitHub Security Advisories, and vendor-specific feeds via Grype. Each CVE is correlated with the running pod, its network exposure, and its RBAC, so prioritization reflects real exploitability rather than CVSS alone. See how Kubernetes vulnerability scanning works.
Does Juliet support multiple clusters?
Yes. The free tier covers 2 clusters, Team covers 5, Pro covers 15, and Enterprise is unlimited. All clusters flow into a single tenant graph, so cross-cluster attack paths and blast radius work natively. This is useful for platform teams, MSPs, and multi-tenant SaaS operators.
Can Juliet block bad configurations at deploy time?
Yes. Juliet ships with more than 40 built-in validation and mutation policies (privileged pods, root containers, hostPath mounts, seccomp hardening, and others) and supports custom Rego on Enterprise. Admission control sits in the Pro tier at GA — and like everything else, it is free for every account during early access. See admission control explained.
Does Juliet detect runtime threats?
Yes — and during early access it is included free for every account (at GA it sits in Pro for audit mode and Enterprise for enforcement). Juliet's runtime sensor is eBPF-based: one DaemonSet per cluster, no per-pod sidecars. It watches syscalls, network events, and process execution against a rule library, with every alert correlated to the cluster graph for context. See runtime security for Kubernetes.
How does Juliet handle multi-tenant data isolation?
Per-customer dedicated Neo4j instances. Every graph query is scoped by customer_id and cluster_id. No shared graph, no risk of cross-tenant leakage via a missed WHERE clause.
Do I need to pay to try the full platform?
No. During early access, every account includes every feature — runtime detection, admission control, SSO, all compliance frameworks — free, with no credit card and no trial clock. Accounts created now are founding accounts: they keep full access free after GA within the published free-tier limits.
Get Started
Deploy Juliet in your cluster and see your security posture in minutes. One Helm chart, full visibility. No credit card required.