Security that speaks Kubernetes. Introducing the new SUSE Security Vulnerability Scanner and Process Enforcer.


Security tooling has a belonging problem. Your infrastructure runs on Kubernetes, your deployments are GitOps-driven, your developers ship through automated pipelines, and then there’s your security platform sitting off to the side, requiring its own workflows, its own expertise, and its own management plane. It’s not that the tools don’t work. It’s that they don’t belong.

Security that operates outside the platform gets bypassed, delayed, or bolted on after the fact. For platform and security engineers, it’s operational drag, a second system to learn, maintain, and reconcile with everything else.

Your teams deserve better than security silos

SUSE Security has protected Kubernetes environments for years, and continues on that foundation with one clear goal: making security a native part of how your platform already operates rather than something running alongside it.

The two new capabilities announced today reflect what customers told us they wanted more of. Security visibility is unified inside Rancher, so platform teams and security teams are working from the same interface and the same source of truth rather than context-switching between tools.

Policy management fits naturally into GitOps workflows. With the move to CRDs and operators, security policies can be version-controlled, reviewed in pull requests, and applied through Fleet Continuous Delivery the same way your application configs are. Security becomes part of the delivery process rather than a checkpoint outside it.

And for teams who want to adopt these capabilities gradually, the dual-track approach lets you run the new components alongside your existing deployment. There is no pressure to cut over all at once. You validate at your own pace and move when you are ready.

The thread running through all of it is the same. A strong security platform becomes even more valuable when it speaks the language of the rest of your infrastructure.

Built for how Kubernetes actually works

The new capabilities are built on a ground-up Kubernetes-native architecture. The move to CRDs and operators means security policies are Kubernetes resources. Your team manages them with kubectl, applies them through Rancher Fleet or other Continuous Delivery tooling, and reviews them in pull requests alongside application code. There is no separate security management plane to learn.

If your team knows how to operate a Rancher cluster, they already know the operational model.

A new Vulnerability Scanner built on Trivy

The new Vulnerability Scanner is built on Trivy, the widely adopted open-source scanner trusted across the Kubernetes community. Scans run faster, results are more accurate, and the scanner integrates directly into the Kubernetes resource lifecycle rather than running as an external process. The Vulnerability Scanner has its own UI Extension available within Rancher.

A new Process Enforcer built on eBPF

The new Process Enforcer is built on eBPF, the same kernel-level technology behind Cilium and Tetragon. It monitors process execution at the node level with minimal overhead, learns what normal looks like for a given workload, and blocks unauthorized execution before it can cause damage. For zero-day threats that bypass signature-based detection, behavioral enforcement is the defense that holds. The Process Enforcer’s UI Extension is in the works.
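The learn-then-enforce model described above, as an added illustration written for this post rather than code from SUSE Security or its Process Enforcer: a node-level hook (eBPF in the real product) reports each process execution, a learning window turns the observed (parent, binary) pairs into a per-workload baseline, and afterwards anything outside that baseline is reported or blocked depending on the mode. The workload names, event fields, mode names and sample events are all constructed for the example and are not the product's own identifiers.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ExecEvent:
    """One process-execution event as a node-level hook would report it.
    Field names are this example's own, not SUSE Security's."""
    workload: str  # "namespace/deployment" label, constructed for the example
    parent: str    # binary of the parent process
    binary: str    # binary being executed


Edge = Tuple[str, str]  # (parent, binary) pair


class ProcessEnforcer:
    """Learn-then-enforce model of behavioral process control.

    - learn:    every observed (parent, binary) pair joins the workload's baseline
    - monitor:  pairs outside the baseline are only reported ("would-deny")
    - enforce:  pairs outside the baseline are blocked ("deny")
    A workload with no baseline at all fails closed in enforce mode.
    """

    MODES = ("learn", "monitor", "enforce")

    def __init__(self, mode: str = "learn") -> None:
        self.baseline: Dict[str, Set[Edge]] = defaultdict(set)
        self.set_mode(mode)

    def set_mode(self, mode: str) -> None:
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode

    def handle(self, ev: ExecEvent) -> str:
        edge: Edge = (ev.parent, ev.binary)
        if self.mode == "learn":
            self.baseline[ev.workload].add(edge)
            return "learned"
        # .get() avoids creating an empty baseline entry for unknown workloads
        if edge in self.baseline.get(ev.workload, set()):
            return "allow"
        return "would-deny" if self.mode == "monitor" else "deny"

    def replay(self, events: List[ExecEvent]) -> List[str]:
        return [self.handle(ev) for ev in events]


# Constructed learning-window events for a hypothetical "payments/api" workload.
LEARN_EVENTS = [
    ExecEvent("payments/api", "/sbin/tini", "/usr/bin/java"),
    ExecEvent("payments/api", "/usr/bin/java", "/usr/bin/curl"),  # liveness probe
]

# Constructed runtime events seen after the learning window closed.
RUNTIME_EVENTS = [
    ExecEvent("payments/api", "/usr/bin/java", "/usr/bin/curl"),     # in baseline
    ExecEvent("payments/api", "/usr/bin/java", "/bin/sh"),           # never learned
    ExecEvent("billing/worker", "/sbin/tini", "/usr/bin/python3"),   # workload never learned
]


def demo(mode: str = "enforce") -> List[str]:
    """Learn from LEARN_EVENTS, switch to `mode`, and return the verdicts for RUNTIME_EVENTS."""
    enforcer = ProcessEnforcer("learn")
    enforcer.replay(LEARN_EVENTS)
    enforcer.set_mode(mode)
    return enforcer.replay(RUNTIME_EVENTS)


if __name__ == "__main__":
    for ev, verdict in zip(RUNTIME_EVENTS, demo("enforce")):
        print(f"{verdict:10} {ev.workload}: {ev.parent} -> {ev.binary}")
```

The monitor mode is the step a platform team would run first, because the value of the baseline depends entirely on the learning window: it must cover the workload's legitimate behaviour (rollouts, cron-style jobs, probes) and must not include a period in which the workload was already compromised, or the unwanted execution becomes part of "normal".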

Where it fits in the Rancher Suite

The new Vulnerability Scanner and Process Enforcer are available as part of SUSE Security, which is an integrated component of the Rancher Suite and available as an add-on to SUSE Rancher Prime. Customers running earlier versions of SUSE Security who want access to these capabilities will find the most direct path through SUSE Rancher Prime or the full Suite.

Now in Technical Preview. Here is how to get in.

Both the Vulnerability Scanner and Process Enforcer are available now in Technical Preview. This phase is focused on gathering real-world feedback from production environments before General Availability. Organizations including ARM, Conoa, PA Media, Belastingdienst, and Publix have already engaged around the roadmap and we are targeting reference customers running active features before the next phase.

If you are at KubeCon EU 2026 in Amsterdam, visit the SUSE booth for a live walkthrough and a direct conversation with the team.

To sign up for the Technical Preview, reach out to your SUSE account representative. The Technical Preview is the right time to get involved. You shape what ships.

Davide Iori, Product Manager for Rancher (the Cloud Native Platform), with a focus on Supply Chain and Runtime Security