Let's review several technical concepts behind Aqua's Dynamic Threat Analysis (DTA)


DTA Scanning Results

The following terms are key in understanding the scan results:

Behaviors and Findings: Aqua DTA runs and monitors container image behaviors by running the container in an isolated sandbox environment. The behaviors are classified by category and risk severity, so you can understand their context.

In addition, DTA provides evidence to substantiate each behavior. For example, a possible behavior might be “Detection of network activity without performing DNS lookup”; the evidence for this behavior could include the ID of the process that initiated the network activity, as well as the destination IP address.


Behaviors categories

Each behavior is classified by one of 5 categories. To align with the MITRE attack framework, each category is mapped to one or more MITRE categories.

Behavior category


MITRE category mapping

Initial Execution

Consists of techniques that use various entry vectors to gain their initial foothold

Example: Crypto Mining binaries found in the image

Initial access, Execution


Includes unusual techniques to gain more control

Example: Privilege escalation and credential access

Persistence, Privilege escalation, Defense evasion, Credential access


Discovering local or remote resources to exploit them or perform lateral movement

Example: Executing "Shodan search" on internet-connected devices in runtime

Discovery, lateral movement


Suspicious network activity

Example: Accessing an unreachable IP address might indicate communication with a C&C

Command and control

Collection & Exfiltration

Collecting resources and reaching an end-game objective

Example: Resource hijacking to validate transactions of cryptocurrency networks and earn virtual currency

Collection, Exfiltration, Impact

Process Flow

The following is a conceptual description of the DTA scanning flow:

  1. New images are periodically discovered and pulled into the Aqua service
  2. The service spins up a new Virtual Machine (VM) instance dedicated for each image scan
  3. The service runs the image as a container on the VM for several minutes
  4. The service records and monitors all aspect of the run time such as network, disk activity, memory utilization, and system calls
  5. The service classifies these activities in the form of behaviors and saves the scan result
  6. The VM is tear down and the image is deleted from Aqua servers

Supported Types of Images

DTA supports Linux-based container images created according to the docker format.