# Unveiling a Comprehensive Attack Explorer for Cloud Native Apps

By [Yuval Avrahami](https://www.paloaltonetworks.com/blog/author/yuval-avrahami/?ts=markdown "Posts by Yuval Avrahami"), Apr 28, 2021, 6 minutes

[Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown), [Cloud Posture Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-security-posture-management/?ts=markdown), [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown), [Cybersecurity](https://www.paloaltonetworks.com/blog/category/cybersecurity-2/?ts=markdown), [Threat Detection](https://www.paloaltonetworks.com/blog/tag/threat-detection/?ts=markdown)

Cloud computing, containers and Kubernetes
have fueled innovation through flexibility, scalability and ease of use. Software-focused enterprises weren't the only beneficiaries, though. Adversaries soon adapted to capitalize on the new landscape through tailored techniques and novel attacks. For security teams to effectively defend cloud native applications, they must understand how attackers target the new environment.

MITRE ATT&CK® is a framework for describing adversarial behavior. It categorizes adversarial **techniques** into the various **tactical** objectives of an attack. ATT&CK [helps security teams](https://www.paloaltonetworks.com/blog/prisma-cloud/mitre-attck-for-cloud-improve-threat-detection/) map their attack surface, review their detection and prevention mechanisms, and investigate ongoing incidents.

**We are happy to announce our own Attack Explorer for Prisma Cloud**. Going forward, Prisma Cloud will map audits covering hosts, containers and serverless to the appropriate tactics and techniques within our Attack Explorer, and will provide an overview of the techniques impacting your environment. We believe customers can use the added context to better understand, investigate and remediate attacks on their cloud workloads.

## The Cloud Native Threat Matrix

Prisma Cloud protects cloud native applications running in Kubernetes clusters, serverless functions, container-as-a-service (CaaS) offerings and virtual machines. We have worked hard to create a threat matrix that covers the different techniques that impact cloud native applications across those environments. The Cloud Native Threat Matrix, or Attack Explorer, is composed of ATT&CK for Linux, the recent community efforts around ATT&CK for Containers and Kubernetes, and a few techniques of our own.
![The new Attack Explorer in Prisma Cloud](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-57.png)

The new Attack Explorer in Prisma Cloud

The relationship between tactics and techniques creates a threat matrix. Techniques (individual cells) represent "how" an adversary achieves a tactical objective by performing an action, while the tactics (column headers) represent the "why," that is, the tactical objective for an action. For example, the technique *exploit public-facing application* is a means by which an attacker can gain initial access.

The Cloud Native Threat Matrix includes most of the ATT&CK for Linux techniques, but not all. ATT&CK for Linux covers techniques targeting Linux servers and endpoints. Among those, the techniques that exclusively impact endpoints aren't relevant for applications running in the cloud. The *clipboard data* technique, for example, describes an attacker that steals clipboard data from a user. While relevant for attacks targeting Linux endpoints, it doesn't impact the cloud native applications protected by Prisma Cloud.

## Exploring Attacks

Navigating to **Monitor > Attack** reveals the Cloud Native Threat Matrix (aka Attack Explorer). You can filter techniques by collection or time, or show only the techniques currently impacting your environment.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-58.png)

Clicking on a technique opens the technique dialog, where you can read the technique's description and see all audit types mapped to it.

![Kubernetes Secrets technique dialog](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-59.png)

Kubernetes Secrets technique dialog

And in the **Monitor > Event** page, audits are now mapped to techniques when appropriate.
![An audit is mapped to the network service scanning technique](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-60.png)

An audit is mapped to the network service scanning technique.

## Example Incident: Attack in Action

Let's see an example of how the Cloud Native Threat Matrix fast-tracks incident response. In our demo environment, we've run a frontend application in a Kubernetes pod and exposed it to the internet. We've enabled [Web Application and API Security](https://www.paloaltonetworks.com/blog/prisma-cloud/secure-cloud-native-api-microservices/) (WAAS) to protect our pod and toggled all runtime protections into alert mode to allow the attack to play out.

**Step 1**

Emulating a SOC team, we navigate to Radar to check the status of our cluster and see that our front-end pod is red, indicating that it has triggered multiple runtime audits.

![Radar shows the front-end pod triggered runtime audits](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-61.png)

Radar shows the front-end pod triggered runtime audits.

**Step 2**

Before diving into the technical details, we can use the Attack Explorer to see a high-level overview of the incident. Without spending much time, we gain valuable insight into what now looks like an attack.

![Attack Explorer view of the front-end collection](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-62.png)

Attack Explorer view of the front-end collection.

*Initial access* techniques are a good place to start, as they often highlight the entry point of an attack. Seeing that both the *exploit public-facing application* and *application exploit (RCE)* techniques affect our front-end app, we can assume it was compromised by some network payload. We can also see what looks like post-compromise behavior: the attacker used *ingress tool transfer* to download some tools into our environment.
Finally, it seems the attacker accessed some credentials, specifically *Kubernetes secrets*, from the API server (*access the Kubernetes API server*).

**Step 3**

We can click any technique that interests us and see the audits mapped to it. Let's look at *exploit public-facing application* to see how the attacker infiltrated our cluster:

[![Dialog for "exploit public-facing application" technique](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/exploit-public-facing-app.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/exploit-public-facing-app.png)

Dialog for "exploit public-facing application" technique

It looks like there's a command injection vulnerability in our web application. From the forensic message, it appears the attacker tried to run a [reverse shell](https://www.techslang.com/definition/what-is-a-reverse-shell/).

Let's also inspect the *Kubernetes secrets* technique:

![Dialog for "Kubernetes secrets" technique.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-64.png)

Dialog for "Kubernetes secrets" technique.

Here it seems the attacker retrieved secrets in the app-frontend namespace.

**Step 4**

Rather than continuing to look at each technique, we switch to the **Monitor > Event** page for a more drilled-down view of the pod:

![Web Application and API Security (WAAS) audits.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-65.png)

Web Application and API Security (WAAS) audits.

![Container audits](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-66.png)

Container audits

Looking at the events, we can see that the attack matches the high-level picture seen in Attack Explorer in step 2. The attacker compromised our pod, deployed a reverse shell, downloaded kubectl and used the pod's service account to retrieve cluster secrets.
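The walkthrough above works from one idea: each runtime audit is mapped to one or more (tactic, technique) cells, the cells are filtered by collection and time window, and the populated Initial Access column is the natural place to start triage. The following Python is an added example that is not part of the post and not Prisma Cloud code; it reproduces that audit-to-matrix step on constructed data. The technique names are the ones the post mentions, but the audit type identifiers, the audit records, the mapping table and the tactic each Kubernetes-specific technique sits under are assumptions made for the example. It also surfaces the caveat the "when appropriate" wording implies: an audit type with no technique mapping never appears in the matrix, so an investigation driven only from the matrix would not see it.

```python
"""Map runtime audits onto ATT&CK-style tactics and techniques and summarize
them per collection, in the way the Attack Explorer presents them.
Added example, not Prisma Cloud code; all data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tactic columns of the matrix in display order (a subset of the full matrix).
TACTICS = ["Initial Access", "Execution", "Command and Control",
           "Credential Access", "Discovery"]

# Constructed mapping: audit type -> (tactic, technique) pairs it evidences.
# One audit type may back more than one technique: a WAAS command injection
# audit is evidence both of the initial access and of the execution technique.
# Which tactic the Kubernetes-specific techniques sit under is an assumption.
AUDIT_TO_TECHNIQUES = {
    "waas.command_injection": [
        ("Initial Access", "Exploit public-facing application"),
        ("Execution", "Application exploit (RCE)"),
    ],
    "container.file_download": [("Command and Control", "Ingress tool transfer")],
    "container.k8s_api_access": [("Discovery", "Access the Kubernetes API server")],
    "container.k8s_secrets": [("Credential Access", "Kubernetes secrets")],
    "host.port_scan": [("Discovery", "Network service scanning")],
}


@dataclass(frozen=True)
class Audit:
    audit_type: str   # constructed audit type identifiers, not Prisma's
    collection: str   # the collection (group of resources) the audit belongs to
    time: datetime
    message: str


T0 = datetime(2021, 4, 20, 10, 0, 0)  # constructed incident start time

# Constructed audits mirroring the walkthrough: the front-end pod is compromised
# through the web app, a tool is downloaded, the pod's service account is used
# against the API server and secrets are read. A stale front-end audit, an
# audit from another collection and an unmapped audit type are included so the
# filters and the unmapped-audit caveat have something to act on.
SAMPLE_AUDITS = [
    Audit("waas.command_injection", "front-end", T0,
          "OS command injection detected in a request parameter"),
    Audit("container.file_download", "front-end", T0 + timedelta(minutes=2),
          "Binary downloaded into container: kubectl"),
    Audit("container.k8s_api_access", "front-end", T0 + timedelta(minutes=3),
          "Process kubectl connected to the Kubernetes API server"),
    Audit("container.k8s_secrets", "front-end", T0 + timedelta(minutes=3),
          "Secrets listed in namespace app-frontend using the pod service account"),
    Audit("container.unknown_type", "front-end", T0 + timedelta(minutes=4),
          "Audit type with no technique mapping"),
    Audit("host.port_scan", "worker-nodes", T0 + timedelta(minutes=5),
          "Connections attempted to many ports on one host"),
    Audit("waas.command_injection", "front-end", T0 - timedelta(days=3),
          "Stale audit from an earlier scan, outside the time window"),
]


def map_audit(audit):
    """(tactic, technique) pairs the audit evidences; [] for unmapped types."""
    return AUDIT_TO_TECHNIQUES.get(audit.audit_type, [])


def build_matrix(audits, collection=None, since=None):
    """Return {tactic: {technique: [audits]}} for the audits passing the optional
    collection and time filters. Every tactic column is present, so the result
    reads like the matrix; a column with no evidence is an empty dict."""
    matrix = {tactic: defaultdict(list) for tactic in TACTICS}
    for audit in audits:
        if collection is not None and audit.collection != collection:
            continue
        if since is not None and audit.time < since:
            continue
        for tactic, technique in map_audit(audit):
            matrix[tactic][technique].append(audit)
    return {tactic: dict(cells) for tactic, cells in matrix.items()}


def impacting_techniques(matrix):
    """Only the cells with audits behind them, as the 'currently impacting your
    environment' filter shows them: {tactic: [technique, ...]}."""
    return {tactic: sorted(cells) for tactic, cells in matrix.items() if cells}


def entry_point_candidates(matrix):
    """Initial Access techniques: the usual starting point for triage."""
    return sorted(matrix["Initial Access"])


def unmapped_audits(audits):
    """Audits that no technique explains. They never appear in the matrix, so an
    investigation that only works from the matrix would miss them."""
    return [a for a in audits if not map_audit(a)]


if __name__ == "__main__":
    m = build_matrix(SAMPLE_AUDITS, collection="front-end", since=T0)
    for tactic, techniques in impacting_techniques(m).items():
        print(f"{tactic}: {', '.join(techniques)}")
    print("entry point candidates:", entry_point_candidates(m))
    print("unmapped audit types:",
          sorted({a.audit_type for a in unmapped_audits(SAMPLE_AUDITS)}))
```

Run with the front-end collection and the incident window, the matrix populates exactly the five cells the walkthrough highlights; dropping the filters adds the stale audit to the Initial Access cell and the other collection's network service scanning audit to Discovery, which is why the collection and time filters matter when reading the overview.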
It's worth noting that Prisma also generated two incidents during the attack:

![Two incidents triggered by Prisma Cloud.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-67.png)

Two incidents triggered by Prisma Cloud.

**Step 5**

We can now start actively responding: investigating whether the compromised secrets were used, patching the vulnerable web application and rotating all secrets. If possible, we should also consider restricting our pod's privileges within the cluster. Finally, we'd want to take a look at the forensics of the compromised pod to make sure we understand every step the attacker took.

## Conclusion

Attack Explorer helps security teams even the playing field with adversaries. Understanding how these adversaries operate helps fast-track incident response and highlights weak points that can be patched before they're abused. The Cloud Native Threat Matrix will further position our customers to securely enjoy the benefits of the cloud. If you're a Prisma Cloud customer, we'd love to hear your feedback!

You can begin using the new Attack Explorer as part of the Prisma Cloud 21.04 update. And you can read more about how it works in [our technical documentation](https://www.google.com/url?q=https://docs.paloaltonetworks.com/prisma/prisma-cloud/21-04/prisma-cloud-compute-edition-admin/runtime_defense/attack.html&sa=D&source=editors&ust=1619472202332000&usg=AOvVaw3hzlWtrtW9MM7y-tGmnnJG).
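Step 5 above recommends restricting the pod's privileges within the cluster. In the incident, the secrets were read with the pod's own service account, so the two settings worth checking first are the RBAC rules bound to that service account and whether the pod needs an API token mounted at all. The following Python is an added example, not part of the post and not Prisma Cloud or Kubernetes code: it resolves what a service account can do through RoleBindings and ClusterRoleBindings (treating a ClusterRole referenced from a RoleBinding as namespace-scoped, as Kubernetes does), flags read access to secrets and an auto-mounted token, and compares an over-privileged state with a tightened one. The manifests are plain dicts as they would be loaded from YAML; the namespace app-frontend comes from the post, while the service account, role and binding names and their rules are constructed.

```python
"""Posture checks behind the containment advice in Step 5: can the compromised
pod's service account read secrets, and does the pod need an API token at all?
Added example, not Prisma Cloud or Kubernetes code; manifests are constructed."""


def _rule_allows(rule, api_group, resource, verb):
    """Does one RBAC rule grant `verb` on `resource` in `api_group`? '*' matches all."""
    def hit(field, value):
        values = rule.get(field, [])
        return "*" in values or value in values
    return hit("apiGroups", api_group) and hit("resources", resource) and hit("verbs", verb)


def _binds_service_account(binding, namespace, sa_name):
    """Is the service account among the binding's subjects? A subject without an
    explicit namespace is assumed to mean the binding's own namespace."""
    for subject in binding.get("subjects", []):
        subject_ns = subject.get("namespace", binding["metadata"].get("namespace"))
        if (subject.get("kind") == "ServiceAccount"
                and subject.get("name") == sa_name and subject_ns == namespace):
            return True
    return False


def granted_rules(bindings, roles, namespace, sa_name):
    """Resolve every rule the service account holds. Returns (scope, rule) pairs:
    scope is a namespace for RoleBindings and 'cluster' for ClusterRoleBindings.
    A ClusterRole referenced from a RoleBinding only applies in that namespace."""
    index = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r
             for r in roles}
    out = []
    for binding in bindings:
        if not _binds_service_account(binding, namespace, sa_name):
            continue
        ref = binding["roleRef"]
        if ref["kind"] == "ClusterRole":
            role = index.get(("ClusterRole", None, ref["name"]))
        else:
            role = index.get(("Role", binding["metadata"]["namespace"], ref["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        scope = ("cluster" if binding["kind"] == "ClusterRoleBinding"
                 else binding["metadata"]["namespace"])
        out.extend((scope, rule) for rule in role.get("rules", []))
    return out


def can_read_secrets(bindings, roles, namespace, sa_name):
    """True if any rule lets the service account get, list or watch core secrets."""
    return any(_rule_allows(rule, "", "secrets", verb)
               for _, rule in granted_rules(bindings, roles, namespace, sa_name)
               for verb in ("get", "list", "watch"))


def pod_findings(pod):
    """Pod-level findings relevant to in-cluster privilege."""
    spec = pod["spec"]
    findings = []
    if spec.get("automountServiceAccountToken", True):  # Kubernetes defaults to True
        findings.append("service account token is auto-mounted into the pod")
    if spec.get("serviceAccountName", "default") == "default":
        findings.append("pod uses the namespace default service account")
    return findings


def review(pod, bindings, roles):
    """Findings for one pod: its own spec plus what its service account can do."""
    ns = pod["metadata"]["namespace"]
    sa = pod["spec"].get("serviceAccountName", "default")
    findings = pod_findings(pod)
    if can_read_secrets(bindings, roles, ns, sa):
        findings.append(f"service account {sa} can read secrets in {ns}")
    return findings


# Constructed manifests: the over-privileged state and the tightened state.
NS = "app-frontend"
ROLE_BROAD = {"kind": "Role", "metadata": {"namespace": NS, "name": "frontend-role"},
              "rules": [{"apiGroups": [""], "resources": ["configmaps", "secrets"],
                         "verbs": ["get", "list"]}]}
ROLE_TIGHT = {"kind": "Role", "metadata": {"namespace": NS, "name": "frontend-role"},
              "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]}
BINDINGS = [{"kind": "RoleBinding", "metadata": {"namespace": NS, "name": "frontend-rb"},
             "subjects": [{"kind": "ServiceAccount", "name": "frontend-sa", "namespace": NS}],
             "roleRef": {"kind": "Role", "name": "frontend-role"}}]
POD_BEFORE = {"metadata": {"namespace": NS, "name": "frontend"},
              "spec": {"serviceAccountName": "frontend-sa", "containers": [{"name": "web"}]}}
POD_AFTER = {"metadata": {"namespace": NS, "name": "frontend"},
             "spec": {"serviceAccountName": "frontend-sa",
                      "automountServiceAccountToken": False,
                      "containers": [{"name": "web"}]}}

if __name__ == "__main__":
    print("before:", review(POD_BEFORE, BINDINGS, [ROLE_BROAD]))
    print("after: ", review(POD_AFTER, BINDINGS, [ROLE_TIGHT]))
```

The "before" state reports both an auto-mounted token and secrets access; after dropping `secrets` from the Role and setting `automountServiceAccountToken: false` on the pod, the review is clean. Rotating the secrets (the rest of Step 5) is still required, since the tightened RBAC does nothing about values already read.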