What Is an Anomaly? Rethinking Runtime Detection in Cloud-Native Environments

Apr 15, 2025

Oshrat Nir
Head of Product Marketing

“Anomaly detection” has become a core capability in modern cloud security. Yet despite its ubiquity in product marketing and platform docs, one basic question remains surprisingly unsettled: What exactly is an anomaly?

The answer depends on who you ask – and how they approach threat detection.

Two Definitions, Two Philosophies

Broadly speaking, there are two prevailing schools of thought in defining what constitutes an anomaly:

1. The Rules-Based Perspective

From this viewpoint, an anomaly is any deviation from established norms that are defined and documented – often in the form of known attack chains, compliance requirements, or behavioral policies. These are encoded into rules or signatures:

  • “This process should never touch that file.”
  • “These ports should never be open simultaneously.”
  • “This sequence of events indicates lateral movement.”

Rules-based detection is grounded in experience, research, and real-world incident data. It’s methodical, explainable, and often tightly aligned with compliance needs.

2. The Behavioral-Based Perspective

This school takes a more adaptive approach. Here, an anomaly is any behavior that meaningfully deviates from what the system normally does, regardless of whether it’s been seen before or fits a known pattern.

This model is designed to detect the unknown:

  • Previously unseen vulnerabilities (zero-days)
  • Novel attack techniques that don’t follow known patterns
  • Evasive threats like fileless malware or cryptojacking

Why This Matters: Cloud-Native Environments Break Traditional Assumptions

In traditional, relatively static IT environments, rules-based approaches worked well. You could define what was allowed, build a library of threat indicators, and enforce them reliably.

But cloud-native environments – especially those built with Kubernetes, containers, and microservices – don’t play by the same rules.

  • Applications are constantly deployed, scaled, and updated.
  • Infrastructure is dynamic and ephemeral.
  • Behavior varies across environments and workloads.

In short, there are many, many workloads out there, and they all behave differently. In addition, they are always changing. This new reality makes it nearly impossible to predefine every legitimate behavior – or every possible malicious one. Creating and maintaining rules to cover the well-known is hard enough; writing rules to cover the unknown is impossible.

The Cost of Coverage: Rules-Based Overhead

Rules-based systems bring another challenge: operational complexity.
Maintaining thousands of rules is:

  • Time-consuming
  • Error-prone
  • Context-dependent – a rule for one environment may be irrelevant or noisy in another

False positives become a major problem, and threat detection starts to feel like a constant game of tuning alerts and silencing noise.

Behavioral Detection: Adaptive by Design

This is where behavioral-based anomaly detection shines.

Rather than trying to predict and predefine everything, it observes what’s normal, builds a model (like ARMO’s Application Profile DNA), and flags anything that deviates from that baseline.

For example:

  • A workload invokes a process that it never has before
  • A workload accesses an endpoint that it never has before

None of these require prewritten rules to detect. The behavior itself is the signal.

So, Which One Is Better?

Neither approach is sufficient alone.

  • Rules-based detection is precise and necessary for catching known threats.
  • Behavioral detection is flexible and essential for catching unknowns – especially zero-days.

That’s why ARMO combines both. But increasingly, as cloud environments grow more dynamic and attackers grow more sophisticated, behavioral anomaly detection is becoming the first line of defense.

It catches what rules can’t predict.
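To make the contrast between the two definitions concrete, here is an added example (not ARMO's code, and not a description of Application Profile DNA) that runs both the rules-based approach from "The Rules-Based Perspective" and the baseline approach from "Behavioral Detection: Adaptive by Design" over the same stream of runtime events, then reports each alert with its source as the "Which One Is Better?" section suggests. The event fields, workload names, rule names and endpoints are all constructed for illustration.

```python
"""Rules-based vs. baseline ("behavioral") anomaly detection over runtime events.

Added example, not ARMO code: the event format, rule names and workload names
are constructed for illustration only.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    workload: str   # e.g. a Kubernetes deployment name (constructed)
    process: str    # executable invoked inside the container
    target: str     # file path or network endpoint the process touched


# --- Rules-based: explicit, pre-written conditions -------------------------
# Each rule is a name plus a predicate; both are constructed examples of the
# "this process should never touch that file" style of rule.
RULES = {
    "process must not read the shadow file":
        lambda e: e.target == "/etc/shadow",
    "interactive shell in a workload that should never spawn one":
        lambda e: e.process in {"sh", "bash"} and e.workload == "payment-api",
}


def check_rules(event):
    """Return the names of rules the event violates (empty list when none)."""
    return [name for name, matches in RULES.items() if matches(event)]


# --- Behavioral: learn a per-workload baseline, then flag deviations --------
@dataclass
class Baseline:
    processes: dict = field(default_factory=dict)  # workload -> set of processes
    targets: dict = field(default_factory=dict)    # workload -> set of targets

    def learn(self, events):
        """Record everything each workload did during the learning window."""
        for e in events:
            self.processes.setdefault(e.workload, set()).add(e.process)
            self.targets.setdefault(e.workload, set()).add(e.target)
        return self

    def deviations(self, event):
        """Return which parts of the event were never seen for this workload."""
        out = []
        if event.process not in self.processes.get(event.workload, set()):
            out.append(f"new process {event.process!r}")
        if event.target not in self.targets.get(event.workload, set()):
            out.append(f"new target {event.target!r}")
        return out


def detect(baseline, events):
    """Run both detectors; each alert names its source so overlap is visible."""
    alerts = []
    for e in events:
        for rule in check_rules(e):
            alerts.append(("rule", e.workload, rule))
        for dev in baseline.deviations(e):
            alerts.append(("baseline", e.workload, dev))
    return alerts


# Constructed learning-phase traffic: what the workloads "normally" do.
LEARNING = [
    Event("payment-api", "node", "/app/server.js"),
    Event("payment-api", "node", "db.internal:5432"),
    Event("batch-job", "python3", "/data/input.csv"),
    Event("batch-job", "python3", "s3.internal:443"),
]

# Constructed detection-phase traffic with two suspicious events.
RUNTIME = [
    Event("payment-api", "node", "db.internal:5432"),   # normal: nothing fires
    Event("batch-job", "python3", "/etc/shadow"),        # known-bad: rule + baseline
    Event("payment-api", "curl", "203.0.113.7:4444"),    # never seen: baseline only
]


def run():
    """Learn the baseline, then evaluate the runtime events with both detectors."""
    baseline = Baseline().learn(LEARNING)
    return detect(baseline, RUNTIME)


if __name__ == "__main__":
    for source, workload, detail in run():
        print(f"[{source}] {workload}: {detail}")
```

The output makes the article's point visible: the `/etc/shadow` read is caught by both the rule and the baseline, while the never-before-seen `curl` to an unknown endpoint is caught only by the baseline, because no rule anticipated it. The caveat a practitioner should keep in mind is that the baseline is only as good as its learning window: anything that happens during learning, including attacker activity already present, is treated as normal, and every deployment or scaling event in a dynamic cluster can change what "normal" looks like, so the baseline has to be re-learned or versioned alongside the workload.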

Rethinking the Definition

So, what is an anomaly?

Maybe it’s time we moved past trying to define it in rigid terms.
Instead, we should think about it more like this:

An anomaly is any behavior that doesn’t belong – whether we’ve seen it before or not.

In a world of zero-days, supply chain attacks, and cloud complexity, the unknown is the new normal, and anomaly detection needs to evolve accordingly.

Try ARMO CADR and see what behavioral-based anomaly detection can do for you.
