# Juliet — Kubernetes Security Platform

> Juliet is a graph-based Kubernetes security platform (a Kubernetes-first CNAPP). It maps each cluster as a security graph in a per-tenant Neo4j instance and runs attack path analysis, vulnerability scanning, compliance checks (CIS Kubernetes, NSA/CISA Hardening Guidance, Pod Security Standards, SOC 2 — with control mapping to PCI DSS, HIPAA, and ISO 27001), bundled admission control, and eBPF-based runtime threat detection. Free tier covers one cluster; paid tiers start at $349/month. Install is one Helm chart with first results in under 15 minutes.

Juliet is operated by Two Point Solutions LLC. Primary domain: https://juliet.sh. Product app: https://app.juliet.sh. This file follows the llmstxt.org convention.

## About this file

- Format: llmstxt.org v0 (https://llmstxt.org).
- Every canonical page below has a plain-text markdown equivalent at the same URL with a `.md` suffix (e.g. `/kubernetes-security/what-is-kspm.md`). Prefer the `.md` variant for RAG and embedding pipelines.
- AI content-use policy: /.well-known/ai.txt. Retrieval, citation, and summarization are permitted. Training commercial generative models on Juliet content requires a separate written agreement.
- Last updated: 2026-04-18T13:04:49.326Z

## Products & Pricing

- [Homepage](https://juliet.sh/): Platform overview, capabilities (attack paths, AI explorer, compliance, admission, runtime), and deploy-in-5-minutes workflow.
- [Pricing](https://juliet.sh/pricing): Four tiers — Starter (free), Team ($349/mo), Pro ($749/mo), Enterprise (custom). Includes feature comparison table and 15-item FAQ.
- [About](https://juliet.sh/about): Mission, team composition, and company background.
- [Sign up (free tier)](https://app.juliet.sh/register?plan=starter): One-cluster free account. No credit card.

## Kubernetes Security Guide (definitional answer pages)

- [Kubernetes Security Guide (hub)](https://juliet.sh/kubernetes-security): Top-level index organized by Foundations, Core Concepts, Controls, and Compliance.

### Foundations

- [What is KSPM?](https://juliet.sh/kubernetes-security/what-is-kspm) ([md](https://juliet.sh/kubernetes-security/what-is-kspm.md)): KSPM (Kubernetes Security Posture Management) continuously inspects Kubernetes clusters for misconfigurations, risky permissions, and policy drift.
- [What is CNAPP?](https://juliet.sh/kubernetes-security/what-is-cnapp) ([md](https://juliet.sh/kubernetes-security/what-is-cnapp.md)): CNAPP (Cloud-Native Application Protection Platform) bundles CSPM, KSPM, vulnerability scanning, IaC scanning, and runtime security into one platform.
- [KSPM vs CNAPP](https://juliet.sh/kubernetes-security/kspm-vs-cnapp) ([md](https://juliet.sh/kubernetes-security/kspm-vs-cnapp.md)): KSPM inspects Kubernetes clusters specifically.
- [Container security](https://juliet.sh/kubernetes-security/container-security) ([md](https://juliet.sh/kubernetes-security/container-security.md)): Container security spans image hardening, supply chain integrity (SBOM, signing), runtime monitoring, and the orchestrator itself.

### Core Concepts

- [Kubernetes attack path analysis](https://juliet.sh/kubernetes-security/attack-path-analysis) ([md](https://juliet.sh/kubernetes-security/attack-path-analysis.md)): Attack path analysis traces reachable chains from an entry point to a high-value target across your Kubernetes cluster.
- [Kubernetes RBAC analysis](https://juliet.sh/kubernetes-security/rbac-analysis) ([md](https://juliet.sh/kubernetes-security/rbac-analysis.md)): Kubernetes RBAC is a common source of cluster compromise paths.
- [Blast radius analysis](https://juliet.sh/kubernetes-security/blast-radius) ([md](https://juliet.sh/kubernetes-security/blast-radius.md)): Blast radius tells you what an attacker can reach if a specific resource is compromised.

### Controls

- [Kubernetes admission control](https://juliet.sh/kubernetes-security/admission-control) ([md](https://juliet.sh/kubernetes-security/admission-control.md)): Admission control intercepts Kubernetes API requests before they reach etcd and can reject or mutate bad configurations.
- [Runtime security for Kubernetes](https://juliet.sh/kubernetes-security/runtime-security) ([md](https://juliet.sh/kubernetes-security/runtime-security.md)): Runtime security detects malicious behavior in running containers (reverse shells, crypto miners, credential access) using kernel-level eBPF hooks or audit logs.
- [Kubernetes vulnerability scanning](https://juliet.sh/kubernetes-security/vulnerability-scanning) ([md](https://juliet.sh/kubernetes-security/vulnerability-scanning.md)): Kubernetes vulnerability scanning finds CVEs in container images, OS packages, and language dependencies across your cluster.
- [SBOMs for Kubernetes](https://juliet.sh/kubernetes-security/sbom) ([md](https://juliet.sh/kubernetes-security/sbom.md)): A Software Bill of Materials (SBOM) is a signed inventory of every component, library, and dependency in a container image.
- [eBPF for Kubernetes security](https://juliet.sh/kubernetes-security/ebpf-security) ([md](https://juliet.sh/kubernetes-security/ebpf-security.md)): eBPF runs verified programs in the Linux kernel to monitor syscalls, network traffic, and process behavior with low overhead.
- [Pod Security Standards](https://juliet.sh/kubernetes-security/pod-security-standards) ([md](https://juliet.sh/kubernetes-security/pod-security-standards.md)): Pod Security Standards (PSS) replace PodSecurityPolicy.

### Compliance

- [Kubernetes compliance frameworks](https://juliet.sh/kubernetes-security/compliance-frameworks) ([md](https://juliet.sh/kubernetes-security/compliance-frameworks.md)): A practical guide to the Kubernetes compliance frameworks teams get audited against: CIS Benchmark, NSA/CISA Hardening, Pod Security Standards, SOC 2, PCI DSS, HIPAA, ISO 27001, NIST SP 800-190.
- [CIS Kubernetes Benchmark](https://juliet.sh/kubernetes-security/cis-benchmarks) ([md](https://juliet.sh/kubernetes-security/cis-benchmarks.md)): The CIS Kubernetes Benchmark is the de-facto security checklist for clusters: around 120 controls spanning the control plane, worker nodes, and workload defaults.

## Product Comparisons

- [Compare (hub)](https://juliet.sh/compare): Index of all head-to-head product comparisons.
- [Juliet vs Falco](https://juliet.sh/compare/juliet-vs-falco) ([md](https://juliet.sh/compare/juliet-vs-falco.md)): Falco is a powerful open-source runtime threat detector.
- [Juliet vs Wiz](https://juliet.sh/compare/juliet-vs-wiz) ([md](https://juliet.sh/compare/juliet-vs-wiz.md)): Wiz is a broad CNAPP focused on cloud posture.
- [Juliet vs Snyk](https://juliet.sh/compare/juliet-vs-snyk) ([md](https://juliet.sh/compare/juliet-vs-snyk.md)): Snyk is a developer-first code and container scanner.
- [Juliet vs Prisma Cloud](https://juliet.sh/compare/juliet-vs-prisma-cloud) ([md](https://juliet.sh/compare/juliet-vs-prisma-cloud.md)): Prisma Cloud is Palo Alto Networks' broad CNAPP, descended from the Twistlock acquisition.
- [Juliet vs Kubescape](https://juliet.sh/compare/juliet-vs-kubescape) ([md](https://juliet.sh/compare/juliet-vs-kubescape.md)): Kubescape is a popular open-source KSPM tool from ARMO.
- [Juliet vs Trivy](https://juliet.sh/compare/juliet-vs-trivy) ([md](https://juliet.sh/compare/juliet-vs-trivy.md)): Trivy is a popular open-source vulnerability scanner from Aqua Security.
- [Juliet vs Tetragon](https://juliet.sh/compare/juliet-vs-tetragon) ([md](https://juliet.sh/compare/juliet-vs-tetragon.md)): Tetragon is an eBPF-based runtime detection and enforcement tool from Isovalent (now Cisco).

## Blog (security research and engineering)

- [Blog index](https://juliet.sh/blog): All posts.
- [RSS feed](https://juliet.sh/blog/feed.xml)
- [Kyverno's 2026: Five Bugs, Eight Advisories, One Design Flaw](https://juliet.sh/blog/eight-kyverno-advisories-one-recurring-pattern) ([md](https://juliet.sh/blog/eight-kyverno-advisories-one-recurring-pattern.md)): Ten Kyverno security advisories have been published in 2026. Eight of them trace to five distinct bugs in the same subsystem: user-controlled fields in a namespaced Policy that the admission controller's cluster-privileged ServiceAccount resolves without scope checks. The ConfigMap bypass disclosed this week (GHSA-cvq5-hhx3-f99p) is the newest variant.
- [Building Runtime Enforcement for Kubernetes with eBPF](https://juliet.sh/blog/building-runtime-enforcement-for-kubernetes-with-ebpf) ([md](https://juliet.sh/blog/building-runtime-enforcement-for-kubernetes-with-ebpf.md)): How we replaced a Falco sidecar with an embedded eBPF sensor, built a five-stage event pipeline, and learned the hard way why namespace scoping matters for enforcement.
- [Axios Compromised: Finding It in Your Running Kubernetes Clusters](https://juliet.sh/blog/axios-npm-supply-chain-compromise-finding-it-in-your-kubernetes-clusters) ([md](https://juliet.sh/blog/axios-npm-supply-chain-compromise-finding-it-in-your-kubernetes-clusters.md)): Malicious axios versions deployed a cross-platform RAT via npm for three hours. Your lockfile might be clean, but what about the container images already running in your clusters?
- [Introducing the ABOM: Why Your CI/CD Pipelines Need a Bill of Materials](https://juliet.sh/blog/introducing-the-abom-why-your-ci-cd-pipelines-need-a-bill-of-materials) ([md](https://juliet.sh/blog/introducing-the-abom-why-your-ci-cd-pipelines-need-a-bill-of-materials.md)): SBOMs catalog your application dependencies. ABOMs catalog your pipeline dependencies. After the Trivy supply chain compromise, we built a tool to close that gap.
- [The Trivy Compromise: What Kubernetes Security Teams Need to Know](https://juliet.sh/blog/trivy-supply-chain-compromise-what-kubernetes-teams-need-to-know) ([md](https://juliet.sh/blog/trivy-supply-chain-compromise-what-kubernetes-teams-need-to-know.md)): Trivy, the most widely used open-source container vulnerability scanner, was hit by a multi-stage supply chain attack. Here's what happened, who's affected, and what to do right now.

## Machine-readable

- [Sitemap](https://juliet.sh/sitemap.xml): Full URL index with lastmod timestamps.
- [llms-full.txt](https://juliet.sh/llms-full.txt): Concatenated long-form content for retrieval pipelines.
- [ai.txt](https://juliet.sh/.well-known/ai.txt): AI training and retrieval content-use policy.
- [robots.txt](https://juliet.sh/robots.txt): Crawler directives (GPTBot, ClaudeBot, PerplexityBot, Google-Extended, etc. explicitly allowed).
- [Security contact](https://juliet.sh/.well-known/security.txt): Responsible disclosure information.

## Content license

Juliet marketing content (the pages listed above) may be cited, quoted in context, and summarized by AI answer engines and retrieval systems, provided that the answer attributes the source to Juliet (juliet.sh) and links to the canonical URL. Training commercial generative models on Juliet content requires a separate written agreement — contact contact@juliet.sh.

## Contact

- Email: contact@juliet.sh
- Demo: https://calendly.com/juliet-security/30min
- Company: Two Point Solutions LLC, 418 Broadway #7814, Albany, NY 12207, USA