Claude, Was My Cluster Breached at Around 12pm Today?

May 18 2026 ~ 10 min read
Kubernetes
AI
MCP
API Security

One prompt. No pod names, no indicators of compromise, no runbook. Just a time window and a concern. An AI agent connected to Kubeshark's MCP server ran a full security audit — 6 compromised workloads identified, attack chain mapped, PCAPs exported, PDF delivered.

The session below is a replay of the actual Claude Code investigation. The agent loaded a security-audit skill, queried live traffic and snapshot data across 7 phases, and produced the findings autonomously.

claude code — security audit session

The full audit report — with executive summary, per-finding evidence, MITRE ATT&CK mappings, and prioritized remediation — was generated as a PDF at the end of the session.

security-audit-k8s-mule-2026-05-18.pdf
Generated by Claude Code + Kubeshark MCP

Kubernetes Network Security Audit Report

Cluster: AWS EKS (us-east-1)  •  Namespace: k8s-mule  •  Date: 2026-05-18 12:00 BST
Audit window: 10:55 — 12:46 BST (09:55 — 11:46 UTC, ~1h 51m)
Snapshot: 9b0d4b2b (228MB, full window)

Executive Summary

The k8s-mule namespace is actively compromised with a coordinated, multi-stage attack involving 6 of 21 workloads. The attack chain spans the full MITRE ATT&CK kill chain: C2 communication, cryptomining, systematic K8s API secret enumeration (1MB+ of secrets exfiltrated), data exfiltration to 63+ AWS S3 endpoints, internal port scanning across 20 IPs and 9 service ports, and Redis server reconnaissance.

Threat Summary

| # | Severity | Workload | Threat | MITRE ATT&CK |
|---|----------|----------|--------|--------------|
| 1 | CRITICAL | update-checker | C2 Command & Control | T1071.001, T1071.004 |
| 2 | CRITICAL | batch-processor | Cryptomining | T1496 |
| 3 | CRITICAL | resource-syncer | K8s API Secret Theft | T1552.007, T1087.004 |
| 4 | CRITICAL | backup-agent | Data Exfiltration to AWS S3 | T1537, T1567.002 |
| 5 | HIGH | network-diagnostics | Internal Port Scanning | T1046 |
| 6 | HIGH | session-manager | Redis Reconnaissance | T1018, T1082 |

Finding 1: C2 Command & Control CRITICAL

Workload: update-checker-595b7848c9-z7pxz (10.0.4.153)  •  MITRE: T1071.001, T1071.004
Evidence:
• DNS beaconing: 8 queries to c2-callback.attacker-infra.example.com
• C2 data channel: TCP to 146.75.34.132:443 — 2,707 bytes sent, 4,209,120 bytes received (4.0MB)
• 25,674 UDP queries to kube-dns — consistent with C2 polling
• PCAP: update-checker-c2.pcap (447KB)

Finding 2: Cryptomining CRITICAL

Workload: batch-processor-588784bd54-bf7ws (10.0.56.215)  •  MITRE: T1496
Evidence:
• Mining pool DNS: 4 queries to pool.minexmr.example.com
• Stratum protocol: 4 queries to stratum.pool-mining.example.com
• Two distinct pools suggest failover configuration

Finding 3: K8s API Secret Theft CRITICAL

Workload: resource-syncer-6b9866fb54-mdjpt (10.0.31.132)  •  MITRE: T1552.007, T1087.004
Evidence: 93 HTTP GET requests to K8s API (172.20.0.1:443)
GET /api/v1/secrets?limit=500 12x 1,048,576B each
GET /api/v1/configmaps?limit=500 18x 149,155B
GET /api/v1/pods?limit=500 15x 139,122B
GET /apis/rbac.../clusterrolebindings 13x 101,171B
Total transferred: ~2.2GB

Finding 4: Data Exfiltration to AWS S3 CRITICAL

Workload: backup-agent-d74c775bb-nbc2p (10.0.42.2)  •  MITRE: T1537, T1567.002
Evidence:
• 137 external TCP connections to 63+ unique AWS IPs on port 443
• DNS: s3.amazonaws.com, ec2.us-east-1.amazonaws.com
• 108 HTTP requests returning 400/401 — expired/stolen credentials
• Top destination: 67.220.251.181 (1.2MB total)

Finding 5: Internal Port Scanning HIGH

Workload: network-diagnostics-67bf4c7878-tmjks (10.0.17.30)  •  MITRE: T1046
Evidence:
• 100 TCP flows to 20 unique IPs across 9 ports (80, 443, 3306, 5432, 6379, 8080, 8443, 9090, 27017)
• Target range: 10.244.0.x (cross-namespace pod CIDR)
• All flows: 0 bytes — TCP SYN scan

Finding 6: Redis Reconnaissance HIGH

Workload: session-manager-677b78dc48-nlb42 (10.0.53.219)  •  MITRE: T1018, T1082
Evidence: redis-cli against redis-cache (10.0.1.246:6379)
INFO — server fingerprinting
CONFIG GET * — full config dump (7KB)
KEYS * — 111,650 bytes of keys
CLIENT LIST — connection enumeration
DBSIZE — capacity assessment

Attack Chain Analysis

STAGE 1: COMMAND & CONTROL
└─ update-checker → c2-callback.attacker-infra.example.com (4MB received)
STAGE 2: RECONNAISSANCE
└─ network-diagnostics → Port scan: 20 IPs × 9 ports
└─ session-manager → Redis CONFIG/KEYS/CLIENT dump
└─ resource-syncer → K8s API: secrets, RBAC, pods, services, namespaces
STAGE 3: CREDENTIAL ACCESS
└─ resource-syncer → Harvested 1MB+ of K8s Secrets (12 requests)
STAGE 4: EXFILTRATION
└─ backup-agent → 137 connections to 63+ AWS S3 IPs (failing 401)
STAGE 5: MONETIZATION
└─ batch-processor → Cryptomining via minexmr + stratum pool

Immediate Actions

  1. Isolate the namespace: Default-deny NetworkPolicy on k8s-mule (ingress + egress)
  2. Kill compromised pods: Delete all 6 pods
  3. Rotate all secrets cluster-wide: K8s Secrets harvested (1MB+ × 12 requests)
  4. Revoke AWS IAM credentials: IRSA/service account creds for k8s-mule pods
  5. Rotate Redis session tokens: All keys enumerated
  6. Block C2 domains at DNS: c2-callback.attacker-infra.example.com, pool.minexmr.example.com, stratum.pool-mining.example.com
  7. Audit RBAC: Revoke cluster-admin bindings for resource-syncer's service account
  8. Scan container images: All k8s-mule Deployment images for tampering
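For step 7, the bindings to revoke can be pulled from the output of kubectl get clusterrolebindings -o json. The following is an added example, not part of the generated report or of Kubeshark's skill; the binding and service account names in the sample are hypothetical, since the page does not give them.

```python
import json

def risky_bindings(crb_list, namespace, roles=("cluster-admin",)):
    """List (binding, role, subject) where a ClusterRoleBinding grants one of
    `roles` to a ServiceAccount in `namespace`, directly or through a group."""
    # Built-in groups that contain every service account / every one in a namespace.
    sa_groups = {"system:serviceaccounts", f"system:serviceaccounts:{namespace}"}
    findings = []
    for item in crb_list.get("items", []):
        role = item.get("roleRef", {}).get("name")
        if role not in roles:
            continue
        for subj in item.get("subjects") or []:  # subjects can be missing or null
            kind, name = subj.get("kind"), subj.get("name")
            direct = kind == "ServiceAccount" and subj.get("namespace") == namespace
            via_group = kind == "Group" and name in sa_groups
            if direct or via_group:
                findings.append((item["metadata"]["name"], role, f"{kind}/{name}"))
    return sorted(findings)

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`.
# All binding and service account names below are hypothetical.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"metadata": {"name": "resource-syncer-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "resource-syncer",
                 "namespace": "k8s-mule"}]},
  {"metadata": {"name": "mule-sa-group-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:serviceaccounts:k8s-mule"}]},
  {"metadata": {"name": "metrics-view"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "ServiceAccount", "name": "metrics",
                 "namespace": "k8s-mule"}]},
  {"metadata": {"name": "orphaned-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": null}
]}
""")

if __name__ == "__main__":
    for binding, role, subject in risky_bindings(SAMPLE, "k8s-mule"):
        print(f"{binding}: {role} -> {subject}")
```

The group check matters because a binding to system:serviceaccounts:k8s-mule grants the role to every service account in the namespace without naming any of them.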

Evidence Preservation

Snapshot 9b0d4b2b (228MB, fully dissected)
Dissection 6bf87b81 (100% complete)
PCAP: C2 update-checker-c2.pcap (447KB)
PCAP: API enum resource-syncer-api-enum.pcap

The Prompt

find traces for a compromise in the k8s-mule namespace at around 12pm

That was the entire input. The agent executed a systematic 7-phase sweep: DNS threat analysis, external communication mapping, lateral movement detection, protocol abuse inspection, credential access monitoring, and attack chain correlation. The output: 6 findings (4 CRITICAL, 2 HIGH), PCAP evidence files, and specific remediation steps naming exact ClusterRoleBindings to revoke.

What the Agent Found

The 6 compromised workloads form a coordinated attack chain spanning the full kill chain:

Stage 1 — Command & Control. update-checker resolved c2-callback.attacker-infra.example.com 8 times and maintained a persistent TCP connection to 146.75.34.132:443, receiving 4.2MB of inbound data. 25,674 DNS queries — consistent with high-frequency C2 polling.

Stage 2 — Reconnaissance. network-diagnostics ran a SYN scan across 20 IPs and 9 service ports (MySQL, PostgreSQL, Redis, MongoDB, Prometheus). session-manager executed CONFIG GET *, KEYS *, CLIENT LIST, and DBSIZE against the Redis cache — dumping 111KB of session keys. resource-syncer queried the Kubernetes API server for secrets (12 requests, 1MB each), pods, configmaps, services, namespaces, and RBAC clusterrolebindings — 93 requests totaling 2.2GB.
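The zero-byte fan-out that marks network-diagnostics as a scanner can be checked mechanically. The following is an added example, not part of the original session or of Kubeshark's skill; it assumes flow records already reduced to (source workload, destination IP, destination port, payload bytes), and the thresholds and the ingress-proxy and metrics-scraper workloads are constructed for illustration.

```python
from collections import defaultdict

def find_scanners(flows, min_ips=10, min_ports=5, max_data_ratio=0.1):
    """Flag sources whose TCP flows fan out widely but almost never carry data.

    flows: iterable of (src_workload, dst_ip, dst_port, payload_bytes).
    Returns {src: {"ips": n, "ports": n, "flows": n, "empty": n}}.
    """
    stats = defaultdict(lambda: {"ips": set(), "ports": set(), "flows": 0, "empty": 0})
    for src, dst_ip, dst_port, payload in flows:
        s = stats[src]
        s["ips"].add(dst_ip)
        s["ports"].add(dst_port)
        s["flows"] += 1
        s["empty"] += 1 if payload == 0 else 0
    flagged = {}
    for src, s in stats.items():
        data_ratio = (s["flows"] - s["empty"]) / s["flows"]
        # Breadth in both IPs and ports is required: retries against one dead
        # service also produce empty flows, but only to a single endpoint.
        if (len(s["ips"]) >= min_ips and len(s["ports"]) >= min_ports
                and data_ratio <= max_data_ratio):
            flagged[src] = {"ips": len(s["ips"]), "ports": len(s["ports"]),
                            "flows": s["flows"], "empty": s["empty"]}
    return flagged

# Constructed sample flows. The scanner's shape follows Finding 5:
# 100 flows, 20 IPs in 10.244.0.x, 9 ports, 0 bytes each.
PORTS = [80, 443, 3306, 5432, 6379, 8080, 8443, 9090, 27017]
SAMPLE_FLOWS = (
    [("network-diagnostics", f"10.244.0.{10 + i % 20}", PORTS[i % 9], 0)
     for i in range(100)]
    # Wide fan-out, but every flow carries data: a proxy, not a scanner.
    + [("ingress-proxy", f"10.0.9.{i % 12}", PORTS[i % 6], 1500) for i in range(36)]
    # Many IPs on one port with data: a metrics scraper.
    + [("metrics-scraper", f"10.0.7.{i}", 9090, 2048) for i in range(15)]
)

if __name__ == "__main__":
    for src, s in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {s['empty']}/{s['flows']} empty flows to "
              f"{s['ips']} IPs on {s['ports']} ports")
```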

Stage 3 — Credential Access. The secret harvest from resource-syncer returned 1MB+ per request. Every Kubernetes Secret in the cluster — database passwords, API keys, TLS certificates — should be considered compromised.
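What separates resource-syncer's requests from ordinary secret reads is scope: /api/v1/secrets lists every namespace, while a workload reading its own secret requests /api/v1/namespaces/<ns>/secrets/<name>. The following is an added example, not part of the original session; it parses request URIs and counts cluster-wide lists of sensitive resources, and the SENSITIVE set, the web-frontend workload and the tls-cert secret are assumptions made for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumed set of resources whose cluster-wide listing exposes credentials or RBAC.
SENSITIVE = {"secrets", "configmaps", "clusterrolebindings"}

def parse_api_path(uri):
    """Return (namespace, resource, name) for a Kubernetes API URI, else None."""
    parts = [p for p in urlsplit(uri).path.split("/") if p]
    if parts[:1] == ["api"]:
        parts = parts[2:]      # /api/<version>/...
    elif parts[:1] == ["apis"]:
        parts = parts[3:]      # /apis/<group>/<version>/...
    else:
        return None
    namespace = None
    # /namespaces/<ns>/<resource> is namespaced; a bare /namespaces[/<name>]
    # is the cluster-scoped Namespace resource itself.
    if len(parts) >= 3 and parts[0] == "namespaces":
        namespace, parts = parts[1], parts[2:]
    if not parts:
        return None
    return namespace, parts[0], parts[1] if len(parts) > 1 else None

def cluster_wide_sensitive_lists(requests):
    """Count GETs per (workload, resource) listing a sensitive resource in all namespaces."""
    hits = Counter()
    for workload, method, uri in requests:
        parsed = parse_api_path(uri)
        if method != "GET" or parsed is None:
            continue
        namespace, resource, name = parsed
        if namespace is None and name is None and resource in SENSITIVE:
            hits[(workload, resource)] += 1
    return dict(hits)

# Constructed sample: request counts follow Finding 3; web-frontend is hypothetical.
SAMPLE_REQUESTS = (
    [("resource-syncer", "GET", "/api/v1/secrets?limit=500")] * 12
    + [("resource-syncer", "GET",
        "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings")] * 13
    + [("resource-syncer", "GET", "/api/v1/pods?limit=500")] * 15
    + [("web-frontend", "GET", "/api/v1/namespaces/k8s-mule/secrets/tls-cert"),
       ("web-frontend", "GET", "/api/v1/namespaces/k8s-mule/configmaps")]
)

if __name__ == "__main__":
    for (workload, resource), n in cluster_wide_sensitive_lists(SAMPLE_REQUESTS).items():
        print(f"{workload}: {n} cluster-wide list(s) of {resource}")
```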

Stage 4 — Exfiltration. backup-agent opened 137 connections to 63+ unique AWS S3/STS IP addresses. DNS queries confirmed s3.amazonaws.com and ec2.us-east-1.amazonaws.com. The 108 HTTP responses returned 400/401 — the stolen credentials had expired, but the exfiltration infrastructure was operational.

Stage 5 — Monetization. batch-processor resolved pool.minexmr.example.com and stratum.pool-mining.example.com — an active cryptomining operation with failover pool configuration.

The Security-Audit Skill

The security-audit skill encodes a complete Kubernetes network security audit methodology.

Two-section architecture. Section A queries live dissected traffic for fast initial results. Section B creates immutable snapshots, dissects them at L7, and produces evidence-grade analysis. Intermediate findings appear within seconds; the full report follows after snapshot processing.

7-phase threat sweep per snapshot:

The skill loads the KFL (Kubeshark Filter Language) reference before constructing any filter. If a CEL expression fails, it falls back to port-based or name-based filtering. Every finding includes the snapshot ID, timestamp, raw evidence, and a specific remediation action.

The Cluster: k8s-mule

The attack traffic is real — generated by k8s-mule, an open-source network threat simulation platform for Kubernetes. It deploys 22 pods that generate realistic attack traffic mapped to MITRE ATT&CK techniques across 7 tactical categories:

Each pod runs a single scenario at a configurable difficulty level. In this session, the agent identified 6 of the 22 scenarios from network traffic alone — mapping directly to k8s-mule's scenario labels: NET-002 (C2 callback), NET-009 (API enumeration), NET-011 (port scanning), NET-014 (S3 exfiltration), NET-016 (cryptomining), and NET-019 (Redis reconnaissance).

How It Works

The investigation runs through Kubeshark's MCP server. The agent does not access the cluster directly — no kubectl, no SSH, no API server credentials. Every query flows through MCP tools that expose indexed traffic data:

The agent made 30+ tool calls during the session, running independent queries in parallel. The skill's methodology ensured systematic coverage — no threat category was skipped, and findings were cross-correlated across both real-time and snapshot data.

Getting Started

1. Deploy k8s-mule

# Clone and deploy k8s-mule
git clone https://github.com/kubeshark/k8s-mule.git
cd k8s-mule
./setup-k8s-mule.sh

# Optional: set difficulty level
./setup-k8s-mule.sh -s hard

2. Install Kubeshark

brew install kubeshark
kubeshark start

3. Configure MCP

# Claude Code
kubeshark mcp install claude

# Remote cluster (no kubectl access)
kubeshark mcp install claude --url http://<kubeshark-host>:8899

# Download the security-audit skill
git clone https://github.com/kubeshark/kubeshark.git
# Create the skills directory first; cp fails if it does not exist
mkdir -p .claude/skills
cp -r kubeshark/skills/security-audit .claude/skills/

4. Run the Audit

> find traces for a compromise in the k8s-mule namespace


The security-audit skill is available in the Kubeshark skills repository. Install it in your Claude Code project's .claude/skills/ directory.

Kubeshark provides continuous cluster-wide traffic recording, Kubernetes-enriched packet data, and AI-powered forensic analysis via MCP. Integrates with Claude Code, Cursor, and any MCP-compatible AI tool. Get started.
