Unlock Runtime Visibility for gVisor Sandboxed Containers

A blue and orange graphic with the Upwind logo in the top left. In the center, an astronaut helmet with a small star is next to the text “gVisor” on a dark blue background with a large orange semi-circle on the left.
Smiling man with short dark hair and a trimmed beard, wearing a black shirt, poses in front of a plain, textured gray background. A man with short brown hair and a beard smiles at the camera. He is wearing a blue denim shirt and is standing in front of a light gray wall.

By Omer Levin & Sigmar Stefansson

May 08, 2025

Upwind Sensor now brings runtime visibility to gVisor sandboxed containers, proactively identifying threats in environments built for maximum isolation. gVisor acts as a security layer between containerized apps and the host OS, improving security and isolation, which is especially important for containers running sensitive workloads. With our new support for gVisor, strong isolation no longer comes at the cost of reduced security telemetry, enabling effective threat detection and runtime analysis across all containerized workloads.

What is gVisor?

gVisor is an open source security-focused container runtime, originally developed by Google and written in Go, that provides isolation between applications and their host operating system. Unlike traditional container runtimes that rely on kernel namespaces and cgroups, gVisor implements a user-space kernel, effectively acting as a “sandbox” for your containers. 

Here’s how gVisor strengthens container security: 

  • Sandbox containers: gVisor acts as a security boundary between your container and its host OS. gVisor intercepts syscalls made by the container, reducing container attack surface.
  • Reduce kernel exposure: Since the host kernel isn’t directly exposed to the container while utilizing gVisor, the kernel is less susceptible to container escape vulnerabilities.
  • Mitigate kernel-level exploits: Even if the container is compromised, the attacker would still be restricted by gVisor’s user-space kernel.

Why are we enabling gVisor within the Upwind Sensor?

With gVisor operating as a sandboxed kernel, Upwind now supports tracing inside these secure environments, which delivers the deep runtime visibility teams expect, without sacrificing container isolation.

A comparison diagram showing two architectures: on the left, eBPF in the Kernel; on the right, gVisor tracing in Sentry Userspace Kernel. Both interact with sensors, applications, cluster managers, and the Upwind Backend.
By enabling gVisor tracing within the Upwind Sensor, we’ve extended observability into sandboxed container environments that were previously opaque.

Our integration taps into gVisor’s remote sink protocol and syscall trace points to deliver real-time visibility into container behavior. Even within a user-space kernel, you get the runtime insights needed for effective threat detection – ensuring comprehensive protection for isolated workloads.

AD_4nXd-r2PJD4NRud9Eak9DHBxZxESj4ZGM6cxEXzkjpbHniefw5jOf9LfYvf8EZW67ULsGh_kqGbGIxa7f5msQ73ao65w_wZLqFGbAb3x8N5T5KAriQm9jp9YhmLeGG2sPGmhcf3A3?key=cmyymCzar0UG8WcUcrXS372f
Container image vulnerability detection in the Upwind Platform

Running gVisor? Let us show you how to gain full runtime visibility without giving up the isolation your security depends on – schedule a demo or drop us a line at [email protected]

Unlock Runtime Visibility for gVisor Sandboxed Containers

Further Reading

Product

How to Deploy the Upwind Sensor in 5 Minutes

A person wearing a dark t-shirt and a baseball cap stands with arms crossed. The background is a plain, light-colored wall.

By Chris Lentricchia

May 06, 2025

The Upwind Platform is a hybrid solution, enabling a best of both worlds approach with agentless deployment options for rapid time-to-value and a sensor for industry-leading realtime and runtime security. While we’ve previously covered our agentless cloud sensors, this post focuses on how quickly you can deploy the Upwind sensor and gain deep, real-time visibility […]

A user interface for creating a rule in Upwind, showing options to select a framework, rule category, rule name, and override severity level. Buttons for Cancel and Save appear at the bottom.
Product

A New Era of Cloud Risk Detection: Custom Posture Rules & Frameworks in Upwind

Denise Ashur

By Denise Ashur

Apr 30, 2025

Cloud environments continue to grow in complexity—and with them, the risk surface expands. CISOs and security leaders are now contending with an increasing volume of posture alerts, many of which fail to account for real-world exploitability. Traditional posture frameworks, while rooted in best practices, often fail to prioritize real risks. They evaluate risk by individual […]

Inventory 2-0-c
Product

Upwind Inventory 2.0: Discover, Query, and Enforce with Runtime Context

Joshua

By Joshua Burgin

Apr 29, 2025

Today, we’re introducing one of the most important upgrades we’ve ever made to the Upwind platform – designed to solve a persistent problem for security teams: connecting inventory data with real-time enforcement and meaningful policy impact. This release brings a new level of enhanced inventory management that redefines how security teams discover, query, and enforce […]

Stay in touch

Product

CNAPP
Vulnerability Management
CSPM
Container Security
CWPP
CDR
API Security
Identity Security

General

About
Contact
Careers
Feed
Events
Case Studies
Get A Demo
Glossary

Social

Twitter
LinkedIn
Facebook

Resources

Documentation

Privacy Policy
Terms of Use

© 2025, Upwind Security