Free Kubernetes Exposure Review

Find out whether Copy Fail still reaches your clusters.

We will help you map affected node families, pods scheduled there, and whether your seccomp posture actually denies AF_ALG. No exploit code, no scareware, no sales deck.

Request Review Read the Research
What we check
  • 1Affected or unknown node kernel families
  • 2Pods scheduled on those nodes
  • 3RuntimeDefault, Unconfined, or Localhost seccomp posture
  • 4Whether Localhost profiles prove an AF_ALG deny

Why this review is specific

Copy Fail is host-kernel attack surface. Image scanning and workload hardening are still useful, but they do not answer the reachability question by themselves.

Reachability

Can a workload on an affected node create or bind AF_ALG sockets?

Blast radius

Do controls such as allowPrivilegeEscalation: false or user namespaces reduce impact?

Compensating control

Does a node-local seccomp profile explicitly deny socket(AF_ALG, ...)?

What happens after you connect Juliet?

Juliet turns the review into a concrete finding path, not a generic vulnerability scan.

  1. Open the Copy Fail filtered view in Security → All Findings.
  2. Review high-severity findings titled Copy Fail exposure: AF_ALG reachable from workload.
  3. Use Explorer to ask which pods are exposed to Copy Fail?
Open Copy Fail findings in Juliet