TABLE OF CONTENTS


Introduction 

Aqua Security’s Dynamic Threat Analysis (DTA) is an add-on capability to Aqua Enterprise scanning capabilities. DTA dynamically assesses the risks that container images pose before they are run as containers in a live environment. DTA runs container images in a safe and isolated sandbox environment, and monitors behavioral patterns and Indicators of Compromise (IoCs) such as malicious behavior and network activity, in order to detect container escapes, malware, cryptocurrency miners, code injection backdoors, and additional threats.


See the Aqua blog on Dynamic Threat Analysis for Container Images: Uncovering Hidden Risks for a product overview.


Why use DTA?

DTA can do the following, which is beyond the capabilities of static image scanning:

  1. Discovering malware that’s downloaded dynamically into running containers.
  2. Handling Advanced Persistent Threats (APT) and multi-stage attacks.
  3. Detecting malware and zero-day attacks without known signatures.


DTA is an important additional form of image assurance. When integrated with Aqua Enterprise, DTA scanning complements Aqua Enterprise image scanning; it does not replace it. 


Data uploaded to the DTA endpoint

The image to be scanned is uploaded to an isolated sandbox environment on the DTA endpoint.

  1. Aqua protects your data and keeps it private.
  2. This sandbox environment is not used for any other customers or users.
  3. Once the image is scanned, it is deleted from our servers.


Configuring Aqua Enterprise to use DTA

Configuring Aqua Enterprise to use DTA is fast and easy. See Configure Dynamic Threat Analysis (DTA) for instructions.


Licensing requirements

A special license token, obtained from Aqua Security, is required for integrating Aqua Enterprise with DTA. This license:

  1. Includes a specified number of image (sand-boxed container) scans.
  2. Is valid for a specified amount of time (generally one year).


DTA integration licenses are not shown on the Licenses UI screen.


If you run out of DTA image scans

If you have used all of your license limit of image scans:

  1. Images scanned with DTA will fail the relevant Image Assurance Policy (or Policies).
  2. The failure will be logged as an audit event.


If this happens, you should either renew your license or disable DTA scanning, to avoid getting additional audit events about the failures.


For more information

See DTA operation and Multi-region DTA.