* [Blog](https://www2.paloaltonetworks.com/blog)
* [Cloud Security](https://www2.paloaltonetworks.com/blog/cloud-security/)
* [Cloud Runtime Security](https://www2.paloaltonetworks.com/blog/cloud-security/category/cloud-runtime-security/)
* Agentless Vs. Agent-Based...

# Agentless Vs. Agent-Based Scanning in Kubernetes: A Deep Dive

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fagentless-vs-agent-based-scanning-in-kubernetes-a-deep-dive%2F)  
[](https://twitter.com/share?text=Agentless+Vs.+Agent-Based+Scanning+in+Kubernetes%3A+A+Deep+Dive&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fagentless-vs-agent-based-scanning-in-kubernetes-a-deep-dive%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fagentless-vs-agent-based-scanning-in-kubernetes-a-deep-dive%2F&title=Agentless+Vs.+Agent-Based+Scanning+in+Kubernetes%3A+A+Deep+Dive&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/cloud-security/agentless-vs-agent-based-scanning-in-kubernetes-a-deep-dive/&ts=markdown)  
\[\](mailto:?subject=Agentless Vs. Agent-Based Scanning in Kubernetes: A Deep Dive)  
Link copied  
By [Bruno Almeida](https://www.paloaltonetworks.com/blog/author/bruno-almeida/?ts=markdown "Posts by Bruno Almeida")  
Nov 13, 2025  
5 minutes  
[Cloud Runtime Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-runtime-security/?ts=markdown)  
[Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown)  
[Cloud Workload Protection](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection/?ts=markdown)  
[CWPP](https://www.paloaltonetworks.com/blog/cloud-security/category/cwpp/?ts=markdown)

With container lifecycles measured in minutes, vulnerabilities can spread fast if not detected and addressed early. One of the key decisions security teams face is whether to use agentless or agent-based vulnerability scanning solutions. Both approaches aim to reduce risk, but they differ significantly in how they operate, what they uncover, and the trade-offs they introduce.

Today's blog post explores both models, highlighting where each excels, where each falls short, and how organizations can decide between them.

## **Understanding the Two Approaches**

### **Agentless Scanning**

Agentless tools work without installing software on nodes or containers. They typically integrate via:

* **APIs** (e.g., connecting to the Kubernetes API server or cloud provider API)
* **Registry scanning** (inspecting container images before deployment)
* **Snapshot or remote scanning** (analyzing volumes, manifests or configurations externally)

For example, a DevSecOps team integrates an agentless scanner with their continuous integration and continuous delivery (CI/CD) pipeline. Every image pushed to the registry is scanned as soon as it is built, blocking vulnerable or noncompliant builds from reaching the registry.

### **Agent-Based Scanning**

Agent-based solutions install lightweight software (agents/sensors) on cluster nodes. These agents collect runtime data such as:

* Processes running inside containers
* File system and package changes
* Network connections and system calls (syscalls)

For example, a runtime security tool runs agents across the cluster. When a compromised pod tries to open a reverse shell, the agent detects and blocks the behavior in real time.

## **Pros and Cons at a Glance**

|-----------------|-------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------|
| **Approach**    | **Pros**                                                                                  | **Cons**                                                                      | **Best For**                                                                                     |
| **Agentless**   | Easy deployment, no workload impact, broad coverage via APIs                              | Limited runtime visibility, may miss ephemeral containers, slower detection   | Pre-deployment checks, compliance, low-touch environments                                        |
| **Agent-Based** | Deep runtime visibility, real-time detection and prevention, captures ephemeral workloads | Requires installation/updates, potential performance and operational overhead | Runtime protection \& advanced threat detection, zero-days detection, high-security environments |

## **When to Use Agentless**

Agentless scanning shines when simplicity and speed of adoption matter. Typical scenarios include:

1. **Pre-deployment security in CI/CD**
   
   * For example, using tools like Checkov, Trivy or Cortex CLI in pipelines to scan container images and Kubernetes manifests before they're deployed.
   * Benefit: Shifts security left, reducing the cost of fixing vulnerabilities and misconfigurations later.

2. **Cloud-native compliance and audits**
   
   * For example, running agentless scans across clusters to check for compliance with CIS Benchmarks or PCI DSS.
   * Benefit: Broad coverage with minimal operational friction.

3. **Multicluster visibility**
   
   * For example, a security team managing multiple Kubernetes clusters across AWS, Azure and GCP can get a quick snapshot of posture without installing agents everywhere.

**Limitation** : While agentless tools can tell you an image has *openssl* version X (which is vulnerable), they can't always tell you if that package is being executed or exploited in a live pod.

## **When to Use Agent-Based**

Agent-based scanning is critical when runtime visibility and real-time protection are required.

1. **Detecting runtime attacks**
   
   * For example: A pod is exploited via Log4j, and the attacker runs *wget* to download malware or attempts to run fileless malware. An agent captures the suspicious process, detects the in-memory attack, and alerts or blocks it.
   * Benefit: Direct visibility into what's happening inside the pod.

2. **Protecting ephemeral workloads**
   
   * For example, in environments using serverless Kubernetes patterns or short-lived pods, agents catch behaviors that API-based scans would miss after the workload is gone.
   * Benefit: Even if a pod only lives for 5 minutes, it will still be protected.

3. **Zero-day detection and anomaly detection**
   
   * For example, even if no CVE exists, an agent can flag unusual behavior (e.g., a database pod spawning a shell).
   * Benefit: Goes beyond known vulnerabilities and focuses on *behavior*.

**Limitation**: Agents introduce operational overhead. Teams must manage installation, upgrades and compatibility across diverse Kubernetes environments.

## **The Hybrid Reality**

In practice, most security-conscious organizations don't choose one or the other, they combine both.

* **Agentless for breadth**: Ensure that no vulnerable images get deployed, configs follow best practices, and compliance is met across multiple clusters.
* **Agent-based for depth**: Gain runtime assurance, detect attacks in progress, and respond in real-time.

Example of a hybrid workflow:

1. An image is scanned agentlessly in the CI/CD pipeline (catches known CVEs).
2. Once deployed, an agent monitors the pod. If an attacker bypasses the image scan by exploiting a runtime vulnerability, the agent detects and blocks it.

This layered defense provides both **preventive** and **detective** controls.

## **Final Thoughts**

* If you want low-touch coverage and compliance, start with agentless scanning. It's easy to adopt and provides immediate value across registries, clusters and pipelines.
* If you need runtime visibility and real-time defense, invest in agent-based scanning. It's more complex but essential for detecting advanced threats.
* For robust Kubernetes security, a hybrid model delivers the best of both worlds: agentless for breadth, agent-based for depth.

Kubernetes is dynamic, and so are its threats. By carefully balancing both approaches, security teams can stay ahead of vulnerabilities without drowning in operational complexity.

Don't choose between breadth and depth. See how [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud) delivers both: agentless scanning for full posture visibility and agent-based protection for real-time runtime defense. [Sign up for a demo](https://www.paloaltonetworks.com/cortex/cloud-detection-and-response) to learn more.

*** ** * ** ***

## Related Blogs

### [Cloud Detection and Response](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-detection-and-response/?ts=markdown), [Cloud Runtime Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-runtime-security/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [Cloud Workload Protection](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection/?ts=markdown), [CNAPP](https://www.paloaltonetworks.com/blog/cloud-security/category/cnapp/?ts=markdown)

[#### Taking Cloud Security from Visibility to Prevention with eBPF](https://www2.paloaltonetworks.com/blog/cloud-security/ebpf-cloud-security-real-time-protection/)

### [AI Security](https://www.paloaltonetworks.com/blog/cloud-security/category/ai-security/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [Cloud Workload Protection](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection/?ts=markdown)

[#### Understanding API Risk in the Age of AI](https://www2.paloaltonetworks.com/blog/cloud-security/api-security-ai-risk/)

### [AppSec](https://www.paloaltonetworks.com/blog/cloud-security/category/appsec/?ts=markdown), [Cloud Detection and Response](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-detection-and-response/?ts=markdown), [Cloud Runtime Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-runtime-security/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [Supply Chain Security](https://www.paloaltonetworks.com/blog/cloud-security/category/supply-chain-security/?ts=markdown)

[#### Shai-Hulud 2.0: How Cortex Helps Protect Against the Resurgent npm Worm](https://www2.paloaltonetworks.com/blog/cloud-security/shai-hulud-2-0-npm-worm-detection-blocking/)

### [CDR](https://www.paloaltonetworks.com/blog/cloud-security/category/cdr/?ts=markdown), [Cloud Detection and Response](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-detection-and-response/?ts=markdown), [Cloud Runtime Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-runtime-security/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown)

[#### Lessons Ted Lasso Can Teach You About CDR](https://www2.paloaltonetworks.com/blog/cloud-security/lessons-ted-lasso-can-teach-you-about-cdr/)

### [API Security](https://www.paloaltonetworks.com/blog/cloud-security/category/api-security/?ts=markdown), [Cloud Runtime Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-runtime-security/?ts=markdown), [Cloud Workload Protection](https://www.paloaltonetworks.com/blog/category/cloud-workload-protection/?ts=markdown), [CWPP](https://www.paloaltonetworks.com/blog/cloud-security/category/cwpp/?ts=markdown), [Web Application \& API Security](https://www.paloaltonetworks.com/blog/cloud-security/category/web-application-api-security/?ts=markdown)

[#### The Expanding API Attack Surface](https://www2.paloaltonetworks.com/blog/cloud-security/api-security-visibility-prioritization-protection/)

### [Cloud Runtime Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-runtime-security/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown)

[#### Cloud Workload Protection, Now Operating at Full Context](https://www2.paloaltonetworks.com/blog/cloud-security/beyond-cloud-workload-protection-cwp/)

### Subscribe to Cloud Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language