NeuVector

License: Free (Open-Source, Apache 2.0)
Suphi Cankurt
AppSec Enthusiast
Updated February 25, 2026
3 min read
Key Takeaways
  • NeuVector is the first end-to-end open-source container security platform, open-sourced by SUSE in January 2022 under Apache 2.0 with 1.3k GitHub stars.
  • Patented deep packet inspection (DPI) engine analyzes network traffic at Layer 7 to detect SQL injection, DDoS, DNS attacks, and tunneling between containers.
  • Full-lifecycle coverage from build-phase vulnerability scanning through runtime protection, with built-in WAF and DLP for container network traffic.
  • Includes CIS Kubernetes Benchmark and Docker Bench compliance audits with reporting for PCI DSS, HIPAA, and GDPR.

NeuVector is an open-source, Kubernetes-native container security platform that provides full-lifecycle protection from build-phase scanning through runtime threat detection and response. Maintained by SUSE, it was open-sourced in January 2022 under the Apache 2.0 license, making it the first end-to-end open-source container security platform. At the time of writing the project has 1.3k GitHub stars and 37 contributors, and its latest release is v5.4.9 (February 2026).

What does NeuVector do?

NeuVector provides vulnerability scanning during build and deployment, plus runtime protection in production with network-level threat detection. The feature that separates it from most container security tools is a patented deep packet inspection (DPI) engine that acts as a Layer 7 firewall between containers and pods. Unlike tools that only monitor system calls, NeuVector inspects actual network payloads to detect and block attacks like SQL injection, DDoS, and DNS-based threats in real time.

The platform deploys four main components as containers in a Kubernetes cluster:

Component    Role
Controller   Central management, policy engine, REST API
Enforcer     Per-node agent for runtime monitoring and DPI
Manager      Web UI for visualization and management
Scanner      Vulnerability database and image scanning engine

How does NeuVector’s runtime protection work?

NeuVector’s runtime security operates in three modes, progressively moving from observation to enforcement:

Discovery mode learns normal application behavior — which processes run, what network connections containers make, and what file access patterns are expected. This behavioral baseline becomes the foundation for security policies.

Monitor mode alerts on deviations from learned behavior without blocking traffic, letting teams validate policies before enforcement.

Protect mode blocks threats and policy violations. The DPI engine inspects Layer 7 traffic between container pairs, catching SQL injection, cross-site scripting, DDoS attacks, DNS-based threats, and tunneling attempts. Built-in WAF and DLP engines add web application firewall and data loss prevention directly to container network traffic.

Zero Trust Networking

NeuVector implements a Zero Trust model for container networks. Every connection between containers is inspected and must be explicitly allowed by policy. The behavioral learning phase automates initial policy creation, reducing the manual effort of defining allowed traffic patterns.

Does NeuVector include vulnerability scanning and compliance?

NeuVector includes built-in vulnerability scanning that covers container images in registries, CI/CD pipelines, and running containers and host nodes. The scanner component maintains its own vulnerability database and updates independently of the main platform, so scan results reflect the latest known CVEs.

For compliance, NeuVector runs automated audits against CIS Kubernetes Benchmark and Docker Bench security standards. It ships with report templates for PCI DSS, HIPAA, and GDPR, which saves time during audit cycles. Compliance results can be exported through the REST API for integration with existing governance workflows.

Deployment

Deploy via Helm charts, kubectl manifests, or OpenShift Operators. NeuVector works with Rancher, Red Hat OpenShift, EKS, AKS, and GKE. Authentication plugs into LDAP, Active Directory, SAML, and OpenID/Okta.

Security policies can be defined as Kubernetes Custom Resource Definitions (CRDs), so security rules live in version control alongside application manifests.
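As an added illustration (not taken from the page or from the NeuVector project), here is the shape of an NvSecurityRule custom resource that pins one service to Protect mode and whitelists a single ingress path, one egress path and one process. The namespace, service names and paths are constructed, and the field layout is assumed from NeuVector's CRD as I recall it, so check it against the CRD installed in your cluster before relying on it.

```yaml
# Added example, not from the page or the NeuVector project.
# Field layout assumed from NeuVector's NvSecurityRule CRD; verify
# against your cluster's CRD. All names below are constructed.
apiVersion: neuvector.com/v1
kind: NvSecurityRule
metadata:
  name: nv.api
  namespace: shop
spec:
  target:
    policymode: Protect          # Discovery | Monitor | Protect
    selector:
      name: nv.api.shop          # group name NeuVector learns: nv.<deployment>.<namespace>
      criteria:
        - key: service
          value: api.shop
          op: "="
  ingress:
    # Zero Trust: only the web tier may talk to the API, and only as HTTP on 8080.
    - name: from-web
      selector:
        name: nv.web.shop
        criteria:
          - key: service
            value: web.shop
            op: "="
      ports: tcp/8080
      applications:
        - HTTP
      action: allow
  egress:
    # The API may only reach the database, and only as PostgreSQL.
    - name: to-db
      selector:
        name: nv.db.shop
        criteria:
          - key: service
            value: db.shop
            op: "="
      ports: tcp/5432
      applications:
        - PostgreSQL
      action: allow
  process:
    # Process whitelist learned in Discovery mode and now enforced.
    - name: node
      path: /usr/local/bin/node
      action: allow
```

In Protect mode any connection or process for nv.api.shop that no rule matches is blocked and logged; changing policymode to Monitor keeps the same rules but only raises alerts, which is the usual way to validate a learned baseline before enforcing it.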

When should you use NeuVector?

NeuVector is the right choice when you need runtime container security with network-level threat detection, not just pre-deployment scanning. The Layer 7 firewall and DPI engine catch attacks like SQL injection, cross-site scripting, and lateral movement that image scanners miss entirely.

It pairs well with image scanners like Trivy or Clair for pre-deployment vulnerability detection, and admission controllers like Kyverno or OPA Gatekeeper for policy enforcement at deploy time.

Limitations: The DPI engine requires privileged access to network namespaces, which some managed Kubernetes services restrict. Behavioral learning needs time to build accurate baselines in dynamic environments. The community is smaller (1.3k stars, 37 contributors) than Falco or Trivy, though SUSE provides commercial backing.

For a broader view of container security options, see our container security tools category page.

Frequently Asked Questions

What is NeuVector?

NeuVector is an open-source, Kubernetes-native container security platform maintained by SUSE. It provides full-lifecycle security from build-phase vulnerability scanning through runtime protection. Its distinguishing feature is a patented deep packet inspection (DPI) engine that analyzes container network traffic at Layer 7 to detect and block attacks including SQL injection, DDoS, and DNS-based threats.

When did NeuVector become open source?

SUSE open-sourced NeuVector in January 2022 under the Apache 2.0 license, less than three months after acquiring the company. It became the first end-to-end open-source container security platform. The code is available on GitHub with 1.3k stars and 37 contributors.

How does NeuVector's runtime protection work?

NeuVector deploys an Enforcer container on each node that monitors container behavior and network traffic in real time. It uses deep packet inspection to analyze Layer 7 traffic between containers and pods, detecting threats like SQL injection, cross-site scripting, and DDoS attacks. The platform can operate in Discovery, Monitor, or Protect mode — learning normal behavior first, then alerting on or blocking anomalies.

What compliance frameworks does NeuVector support?

NeuVector includes built-in compliance auditing for CIS Kubernetes Benchmark and Docker Bench security standards. It provides reporting capabilities aligned with PCI DSS, HIPAA, and GDPR requirements. Compliance results can be exported and integrated into existing governance workflows through the REST API.

Is NeuVector free to use?

Yes, NeuVector is fully open-source under the Apache 2.0 license and free for commercial use. SUSE maintains the project and offers commercial support through SUSE Security (formerly NeuVector Prime). The open-source version includes all core features, including the Layer 7 firewall, vulnerability scanning, and compliance auditing.