OWASP KubeFIM: Detecting File Integrity Threats with eBPF & AI in Kubernetes
Thursday June 25, 2026 1:45pm - 2:15pm CEST
Introduction

File Integrity Monitoring is still a critical part of runtime security, but in Kubernetes it comes with new challenges. A single cluster can generate thousands of file system events per second across containers, nodes, and workloads. While eBPF allows us to safely and efficiently capture these events at the kernel level, interpreting them remains a hard problem.

OWASP KubeFIM AI is built to address this gap.

This session presents how KubeFIM AI sits on top of the OWASP KubeFIM Agent and analyzes kernel-level File Integrity Monitoring events collected via eBPF. Instead of treating each event as an alert, KubeFIM AI focuses on reasoning over events by correlating them with Kubernetes context such as pods, namespaces, images, and workload behavior.

Technical Details and Future Roadmap

The talk will cover:

1. Why raw eBPF-based FIM events are difficult to use at scale

2. What kernel-level file operations actually tell us during real attacks

3. How KubeFIM AI models file behavior over time instead of reacting to single events

4. Using Kubernetes context to distinguish expected behavior from suspicious activity

5. How AI can reduce noise, explain intent, and improve triage without hiding technical details

Rather than using a generic large language model, KubeFIM AI is designed around a domain-specific approach, trained to understand file system behavior, container lifecycles, and Kubernetes runtime patterns. The focus is on producing human-readable security insights.
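As an added illustration of the approach described above (example code, not the KubeFIM project's own), the following correlates eBPF-style file events with pod context and a per-image baseline, then judges a container's deviations over a short window rather than one event at a time. The event shape, pod metadata and both event streams are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class FimEvent:          # assumed shape of what an eBPF FIM probe hands to user space
    ts: float            # seconds
    container_id: str
    comm: str            # process name as seen by the kernel
    op: str              # "write", "rename", "unlink", ...
    path: str

# Constructed pod metadata, as a kube-API watcher would cache it per container id
PODS = {"c-web-1": {"pod": "web-7d9f", "namespace": "shop", "image": "shop/web:1.4"},
        "c-web-2": {"pod": "web-a1b2", "namespace": "shop", "image": "shop/web:1.4"}}

def prefix(path, depth=2):
    """/var/www/html/cache/a.tmp -> /var/www, so a baseline generalises across files."""
    return "/" + "/".join(path.strip("/").split("/")[:depth])

def enrich(ev):          # attach Kubernetes context; unknown container ids are marked '?'
    ctx = PODS.get(ev.container_id, {"pod": "?", "namespace": "?", "image": "?"})
    return {**ctx, **asdict(ev)}

def learn_baseline(events):
    """Per image: the (process, path prefix, op) triples seen during a quiet window."""
    base = defaultdict(set)
    for e in map(enrich, events):
        base[e["image"]].add((e["comm"], prefix(e["path"]), e["op"]))
    return base

def assess(events, baseline, burst_n=5, burst_s=2.0):
    """Judge events against the image baseline; escalate when one container shows burst_n deviations in burst_s seconds."""
    findings, recent = [], defaultdict(list)      # container id -> deviation timestamps
    for ev in sorted(events, key=lambda x: x.ts):
        e = enrich(ev)
        if (e["comm"], prefix(e["path"]), e["op"]) in baseline.get(e["image"], ()):
            continue                              # expected for this image: no alert
        recent[ev.container_id] = win = [t for t in recent[ev.container_id] if ev.ts - t <= burst_s] + [ev.ts]
        why = (f"{e['comm']} {e['op']} under {prefix(e['path'])} never seen for image {e['image']}"
               + (f"; {len(win)} deviations in {burst_s}s" if len(win) > 1 else ""))
        findings.append({"severity": "high" if len(win) >= burst_n else "medium", "pod": e["pod"],
                         "namespace": e["namespace"], "path": e["path"], "why": why})
    return findings

# Constructed event streams: a quiet learning window, then a window to assess
QUIET = [FimEvent(1.0, "c-web-1", "php-fpm", "write", "/var/www/html/cache/a.tmp"),
         FimEvent(2.0, "c-web-1", "nginx", "write", "/var/log/nginx/access.log")]
LIVE = [FimEvent(10.0, "c-web-2", "php-fpm", "write", "/var/www/html/cache/b.tmp"),
        FimEvent(11.0, "c-web-2", "sh", "write", "/usr/local/bin/helper")] + [
        FimEvent(12.0 + i / 10, "c-web-2", "sh", "rename", f"/etc/cron.d/job{i}") for i in range(5)]
```

Running `assess(LIVE, learn_baseline(QUIET))` leaves the second web replica's cache write silent because the baseline is keyed by image, and escalates the shell's cluster of renames only once it repeats within the window.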

The session will also discuss the roadmap for the project, including plans to improve detection accuracy, reduce alert fatigue, and assist security teams with faster incident response in cloud-native environments.

Why KubeFIM AI Is Not a SIEM Replacement

KubeFIM AI is not designed to replace a SIEM. It solves a different problem at a different layer of the stack.

SIEM platforms focus on collecting, storing, and correlating logs and alerts from many sources across an organization. They are built for visibility, compliance, long-term retention, and investigation across applications, cloud services, networks, and users.

KubeFIM AI operates much closer to the system. It works at the Linux kernel level using eBPF to observe file system behavior inside Kubernetes nodes and containers. Its primary role is to generate high-quality runtime security signals, not to aggregate logs or manage incidents.

The project intentionally avoids becoming a central log store or alerting platform. Instead, it focuses on understanding why a file change occurred, whether it matches expected workload behavior, and whether it may indicate a security issue. This analysis happens before data is sent anywhere else.

In practice,
Speakers

Abhijit Chatterjee

Co-Founder of Cyber Secure India (CSI), Cyber Secure India
Co-Founder of Cyber Secure India (CSI), a cybersecurity think tank focused on driving cybersecurity awareness, building a strong community through free education, sharing knowledge, and empowering young individuals to strengthen the digital infrastructure.
Room -2.82 (Level 2)