
Security Posture Management


Dynatrace Security Posture Management (SPM) enables you to assess, manage, and take action on misconfigurations and violations against security hardening guidelines and regulatory compliance standards.

Capabilities

Security Posture Management provides comprehensive visibility into the security posture of your Kubernetes, cloud, and VMware environments. Depending on your infrastructure, the following flavors are available:

  • Dynatrace Kubernetes Security Posture Management (KSPM): Enables you to detect, analyze, and monitor misconfigurations, security hardening guidelines, and potential compliance violations across your Kubernetes deployments.

  • Runecast Cloud Security Posture Management (CSPM): Provides in‑depth insights into the security posture of your AWS, Azure, and GCP environments.

  • Runecast VMware Security Posture Management (VSPM): Provides in‑depth insights into the security posture of your VMware environments, including vCenter and NSX‑T.

Across these flavors, SPM delivers a consistent set of core capabilities:

  • Automated assessments against supported compliance standards, enabling you to manage and report on the most critical findings.
  • Continuous analysis and evidence creation for internal and external auditing purposes.
  • Actionable findings that help you:
    • Prioritize compliance efforts
    • Create audit evidence and reporting for auditors and internal security and compliance teams

How it works

Security Posture Management continuously evaluates your environment for misconfigurations, policy violations, and compliance risks. Dynatrace collects configuration data from your infrastructure and cloud platforms, streams it into Grail, and normalizes it into security events. These are then evaluated against hardening guidelines and compliance standards. Results update in real time as your environment changes, helping you stay secure and audit-ready.

For a quick walkthrough, see Dynatrace Cloud Security Posture Management elevates cloud security with real-time compliance across hyperscalers.

Support matrix

Security Posture Management supports a range of compliance standards through two types of coverage: Dynatrace native support and Runecast‑integrated support. Native standards are maintained directly by Dynatrace and kept up to date.

The table below shows which standards are supported and how each one is provided.

For detailed explanations of each compliance standard and how Dynatrace supports them, see Security Posture Management compliance standards.

Compliance standards | Kubernetes [1] | AWS | Azure | GCP | vSphere [2] | NSX-T [3]

BSI C5

BSI IT-Grundschutz

CIS

Cyber Essentials

DISA STIG

DORA

Essential Eight

GDPR

HIPAA

ISO 27001

KVKK

NIST

PCI DSS

TISAX

VMware SCG

[1] Support includes upstream Kubernetes, Amazon EKS, and Azure AKS on the following Linux CPU architectures: x86-64, ARM64, ppc64le, and s390x. It requires a Kubernetes version according to the Dynatrace support lifecycle (unless defined otherwise in the specific standard).

[2] Supported versions are VMware ESXi 8.0 v1.1.0, VMware ESXi 7.0 v1.4.0, VMware ESXi 6.7 v1.2.0, and VMware ESXi 6.5 v1.0.0.

[3] NSX-T support is limited to version 3.2 and later.

Get started

  • To get started with Kubernetes Security Posture Management, see Kubernetes Security Posture Management.
  • To get started with Cloud Security Posture Management and/or VMware Security Posture Management, see Ingest Runecast Analyzer compliance findings.

What's next

Next with KSPM

Once you set up Kubernetes Security Posture Management, you can

  • Detect, manage, and take action on security and compliance findings with Security Posture Management
  • Query compliance events with Investigations or Notebooks
    • For a list of DQL examples based on compliance events that you can use for further investigation or reporting, see Query compliance events.

Try Security Posture Management and share your feedback to help us improve.

Next with CSPM/VSPM

Once you set up CSPM/VSPM, you can

  • Visualize data with our Security Posture Overview dashboard. For details, see Next steps.

  • Query compliance events with Investigations or Notebooks.

    • For a list of DQL examples based on compliance events that you can use for further investigation or reporting, see Query compliance events.

Use cases

Stay compliant with Security Posture Management

FAQ

How can I check my Kubernetes cluster against security compliance standards?

  • To review the compliance status of your cluster, see Review compliance status per system.
  • To review findings on your cluster, you can filter and sort results.
  • For contextual information that can help you fix findings on your cluster, see Gain insights.

Can I enable or disable compliance standards?

  • For Dynatrace Kubernetes Security Posture Management (KSPM), you can manage compliance standards in the Dynatrace Settings. For details, see Configure assessment scope.
  • For Runecast Cloud Security Posture Management (CSPM) and Runecast VMware Security Posture Management (VSPM), adjust standard selection directly in the Runecast Analyzer.

What can I do with the findings generated by Dynatrace?

For an overview of how to use compliance findings, see Stay compliant with Security Posture Management.

How can I be compliant with the high-severity findings generated by Dynatrace?

For guidelines on how to increase compliance, see Stay compliant with Security Posture Management.

How can I improve Security Posture Management coverage?

For instructions, see Improve coverage.

Why am I getting failed results on my system?

Resources on your system are assessed as Failed (not compliant) according to rules specified in the supported standards.

  • To better understand resource configuration and review the source of the rule, see Gain insights.
  • To better understand result types, see Concepts: Results.

What happens if I don't fix my system based on the findings?

Maintaining your security posture is fundamental to your overall security strategy. Think of it as basic security hygiene—without it, all other security measures you implement will be significantly less effective. On the compliance side, not addressing these findings means you won't be able to identify, assess, and fix potential issues that could lead to audit failures.

Manually handling the numerous checks required for audits quickly becomes an overwhelming task, consuming countless hours. With our Security Posture Management solution, this entire process is automated, ensuring both security and compliance are effectively managed.

Ignoring compliance issues creates a risk of exposure or of compliance failure.

How do I fix the problems detected in my environment?

For guidelines on how to fix findings, see Stay compliant with Security Posture Management.

What environments can be monitored with Security Posture Management?

For a list of supported systems and their versions and distributions, see Security Posture Management.

In what monitoring modes can I deploy Security Posture Management on Kubernetes?

Running Security Posture Management on Kubernetes is entirely independent of OneAgent and thus independent of the Monitoring modes. Analyzed data originates from the Kubernetes API Server and the Kubernetes Node Configuration Collector via ActiveGate. Therefore, you can use Security Posture Management with Kubernetes Platform Monitoring, where OneAgent isn't deployed.

How can I set up Security Posture Management for cloud environments?

Set up the Dynatrace integration with Runecast Analyzer.

Further resources

  • Strengthen your security posture with the Common Configuration Scoring System for misconfigured production environments

  • Kubernetes security essentials: Container misconfigurations – From theory to exploitation

  • Revolutionizing cloud security with observability context: Dynatrace Cloud Security addressing CADR

  • Empowering SREs with runtime vulnerability analytics and security posture management

  • Extend the Dynatrace platform with CSPM and VSPM

  • Revisiting Spring4Shell: How Cloud Application Detection and Response (CADR) offers multi-layer protection

  • What is Kubernetes security posture management? Driving business security with KSPM

  • Which IT security solution is right for your organization? CSPM vs. KSPM vs. CNAPP

  • Dynatrace KSPM: Transforming Kubernetes security and compliance

  • Dynatrace Cloud Security Posture Management elevates cloud security with real-time compliance across hyperscalers
