CaaS Workloads - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 5.x Documentation

Product
Cortex XDR
License
XDR + Cloud
Creation date
2025-07-13
Last date published
2026-06-11
Category
Administrator Guide

Deploy the Cortex XDR container-embedded agent on Container as a Service (CaaS) environments to extend runtime security and vulnerability scanning to containerized workloads. The container-embedded Cortex XDR agent provides malware prevention, exploit protection, vulnerability assessment, and altered binary execution restriction for containers running on managed container services.

The Cortex XDR container-embedded agent is a purpose-built agent designed for containerized environments. The agent embeds directly into your existing workflows.

The container-embedded agent is embedded directly into your container image during the Docker build process. The agent runs as an entry point within your application container, providing runtime security and vulnerability scanning without requiring a separate container.

This topic explains how to embed the Cortex XDR agent in your Dockerfile:

CaaS container-embedded agent installer
Abstract

Learn how to create the CaaS container-embedded agent installer.

Before you deploy the container-embedded agent, verify the following:

Notice

Requires the Cortex Cloud Runtime Security add-on. Every 10 container-embedded agents will consume a single Cortex Runtime Security license.

Prerequisites

Supported Environments

The following managed container services are supported:

  • AWS ECS Fargate: containers using the x86_64 and AArch64 architectures

Requirements

Cortex XDR agent version 9.2.0 or later

Required resources per container:

  • Disk space: 1.5 GB

  • 1 CPU

  • Memory: 512 MB

Dockerfile requirements:

  • SYS_PTRACE must be enabled

  • Asset discovery: the relevant AWS environments must be onboarded.

  • Drift detection: requires container registry image scanning.

Limitations

  • ENTRYPOINT/CMD must not be set in the task definition.

  • ENTRYPOINT cannot be used in exec form together with CMD in shell form.

  • AArch64-based architecture does not support exploit protection mechanisms.

  • Alpine Linux and other musl-based distributions are not supported for container-embedded deployments.

Create the Cortex XDR container-embedded agent Dockerfile via the user interface:

  1. In your Cortex management console, navigate to Inventory > Endpoints > Installations and click Create.

  2. Select CaaS Deployment as the Package Type and Container Embedded as the Deployment Type.

    1. Select the installer details to define the configuration settings for version and proxy (optional).

    2. Upload your Dockerfile. Cortex XDR validates your Dockerfile against the technical prerequisites.

  3. A new Agent Installation instance is created. Right-click it and download the newly generated Dockerfile.

Embed the Cortex XDR container-embedded agent Dockerfile into your container image:

  1. Select the newly generated Dockerfile.

  2. Re-build your container image using the newly generated Dockerfile.

  3. During the build process, the agent binary will be fetched from the Cortex repository and baked into the image.

  4. Once the build finishes successfully, the new container image is ready for use in CaaS environments that meet the prerequisites above.
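The prerequisites and limitations above are easy to violate silently in CI, so the following added example (not Palo Alto Networks code) encodes them as pre-flight checks over a Dockerfile and an ECS task definition. It assumes the ECS task-definition field names (`entryPoint`, `command`, `linuxParameters.capabilities.add`, `cpu`, `memory`), reads the ENTRYPOINT/CMD limitation as "exec-form ENTRYPOINT combined with shell-form CMD", and treats "1 CPU" as 1024 ECS CPU units; the sample inputs are constructed.

```python
import re

CPU_UNITS_PER_VCPU = 1024  # ECS convention: 1 vCPU is expressed as 1024 CPU units

def check_dockerfile(text):
    """Flag the unsupported ENTRYPOINT (exec form) + CMD (shell form) combination."""
    forms = {}
    for line in text.splitlines():
        m = re.match(r"\s*(ENTRYPOINT|CMD)\s+(.*)", line, re.IGNORECASE)
        if m:
            # Exec form is a JSON array ("[...]"); anything else is shell form.
            forms[m.group(1).upper()] = "exec" if m.group(2).lstrip().startswith("[") else "shell"
    if forms.get("ENTRYPOINT") == "exec" and forms.get("CMD") == "shell":
        return ["ENTRYPOINT uses exec form while CMD uses shell form"]
    return []

def check_task_definition(task_def):
    """Check each container definition against the ECS-side prerequisites."""
    findings = []
    for c in task_def.get("containerDefinitions", []):
        name = c.get("name", "<unnamed>")
        for key in ("entryPoint", "command"):  # ECS names for ENTRYPOINT and CMD
            if key in c:
                findings.append(f"{name}: '{key}' must not be set in the task definition")
        caps = c.get("linuxParameters", {}).get("capabilities", {}).get("add", [])
        if "SYS_PTRACE" not in caps:
            findings.append(f"{name}: SYS_PTRACE is not in linuxParameters.capabilities.add")
        # Fargate sizes the task as a whole; container-level values override when present.
        cpu = int(c.get("cpu") or task_def.get("cpu") or 0)
        mem = int(c.get("memory") or task_def.get("memory") or 0)
        if cpu < CPU_UNITS_PER_VCPU:
            findings.append(f"{name}: fewer than 1 vCPU ({cpu} CPU units)")
        if mem < 512:
            findings.append(f"{name}: memory below 512 MiB ({mem} MiB)")
    return findings

# Constructed sample input: a Dockerfile that violates the ENTRYPOINT/CMD rule.
BAD_DOCKERFILE = """FROM debian:12
ENTRYPOINT ["/opt/app/start"]
CMD --port 8080
"""

# Constructed sample input: a Fargate task definition that sets entryPoint and omits SYS_PTRACE.
BAD_TASK_DEFINITION = {
    "family": "example-app", "cpu": "1024", "memory": "2048",
    "containerDefinitions": [{"name": "app", "image": "example/app:1",
        "entryPoint": ["/opt/app/start"],
        "linuxParameters": {"capabilities": {"add": []}}}],
}
```

Run both checks against your real Dockerfile and registered task definition before re-building the image; an empty finding list from each means the inputs satisfy the rules listed above.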