Containers have become a favorite option for organizations either delivering on their application-modernization efforts or building cloud-native applications to begin with. The pace of innovation around the space includes increased options around runtime engines and execution environments, and better integration with deployment pipelines. Amid this activity, security has emerged as a key concern – with how to build container images securely, how to deploy them while maintaining proper controls and how to monitor production workloads. These are requirements that the market has responded to with numerous options, and Twistlock is one of the earliest and best-known offerings. The company recently release version 2.5 of its container security offering with improvements around forensics, visualization and, importantly, support for newer runtime options.

The 451 Take

The adoption of container-based deployment patterns has brought questions about container security to the forefront. At first, there's interest into whether the isolation provided by container runtimes is sufficient. More broadly, container adoption introduces different security topics, from how container images are built in the first place, to how they are made available for deployments and how those deployments actually behave. Twistlock has emerged as a key vendor in this space, both by offering functionality to address many of these concerns and by working on partnerships with other vendors in the broader container ecosystem. This has allowed the company to cover the basic use cases while it pursues additional areas such as support for multiple runtime engines and newer deployment patterns. We believe Twistlock has done significant work in these areas and recently recognized its efforts by including it in the initial cohort of the 451 Firestarter award. Still, there's no time to rest on laurels: competition is fierce both from other container security vendors and traditional enterprise security vendors as they add container security functionality.


Portland-based Twistlock was founded in Israel and still maintains a presence there. The company now has roughly 80 people, spread primarily between North America and Israel. It was founded by Ben Bernstein and Dima Stopel in 2015. Both executives, along with others such as CTO John Morello, spent significant time at Microsoft in a variety of technical and executive roles. Bernstein is currently Twistlock's CEO, and Stopel is VP of R&D.

The company has recently announced a $33m series C funding round, bringing its total to $63m over five rounds since its inception. This latest round was led by ICONIQ Capital and included existing investors YL Ventures, TenEleven, Polaris Partners, Rally Ventures and Dell Technology Capital. 451 Research estimates that Twistlock has revenue of $7-10m.



Twistlock has been pursuing growth across geographies and sectors, usually focusing on larger enterprises and pursuing deals through channel partners. While most of its presence and customers are in North America, the company has been making inroads in EMEA and announced it recently acquired its first customers in the Japanese market. From a sector perspective, Twistlock is seeing traction in financial, healthcare, government, technology and media.

The company has been looking to build on its early work in container security in two distinct ways. First, it is working across the security industry forging partnerships; it recently announced the 'Twistlock Advantage Program,' a tiered partnership program, to build relationships with other vendors in the modern software stack. Second, the company is looking to remain aligned with broader design pattern changes, such as the accelerating adoption of Kubernetes, managed container services such as Fargate, and serverless compute options.

While the major PaaS platforms – Docker Enterprise Edition, Red Hat OpenShift and Pivotal Cloud Foundry, as well as offerings from Mesosphere and others – have been adding security functionality themselves, Twistlock actively works on partnering to offer additional capabilities. The company also pursues integration options with components of the ecosystem such as software registries, secrets management tools and analytics tools.



At a high level, Twistlock provides a security platform for managing several aspects of security during a typical container lifecycle, from build through ship and run. Each stage requires different security controls. Build-time considerations are typically centered on vulnerability management in packaged libraries, image health and compliance with organizational policies. Once an image is shipped to a registry, the major considerations switch to access permissions to instantiate or modify containers, secrets management, vulnerability management and integration with orchestration layers. Finally, during runtime, there are aspects of monitoring and protection for both the host runtime environment and the container workloads themselves. Twistlock provides functionality to address these requirements under a few specific use cases: vulnerability management, runtime defense, CI/CD integration, compliance and cloud-native firewalling.

Twistlock indicated that it maintains its container security platform on a well-defined product update cycle. The company said it issues new releases roughly once every 10-12 weeks and has done so consistently for 14 iterations so far. The latest release – version 2.5 – was just released in the summer, and an updated version is expected in the November time frame.

Earlier this year, the company announced updates around scalability, support for VM-based workloads, integration with multiple registries, improvements to Windows firewalling and, notably, support for additional container runtimes. This is an interesting development because it suggests that Twistlock is anticipating increased adoption of technology stacks leveraging libraries such as runC, containerd and Kubernetes' CRI-O. The latest 2.5 release includes enhancements to visualization, forensics, compliance and support for serverless computing.

The company indicated it updated its 'radar' view to better depict information from Kubernetes namespaces, thereby making it easier for operators and architects to visualize the relationships between components, as well as the potential blast radius of security incidents. Other visualization enhancements included better information overlays for more efficient usage.

The new forensics functionality centers on performing more efficient collection of event information from each container locally, then being able to forward to a central location for processing only as incidents are identified by the analytics processing or on demand from an operator. This leverages more efficient local spooling of events while maintaining low resource consumption, according to Twistlock. Once visualized in the console, the data can paint a clearer picture of incidents, including communication and binary information.

The compliance upgrades to the latest version include providing better information on pass/fail state in relation to target benchmarks such as Center for Internet Security benchmarks. It also added support for custom checks based on Bash scripts. While this does not replace the OpenSCAP support in the product, it should offer a simpler process for some use cases.

Version 2.5 also builds on Twistlock's approach to supporting two new key deployment patterns: 'managed' container execution via AWS Fargate, and security for event-driven functions-as-a-service offerings such as AWS Lambda. For the latter, the approach the company took is to embed security functionality that prevents execution of unauthorized binaries. For AWS Fargate, the approach is to load the agent at runtime from a sidecar container. In both cases, security functionality is controlled by policy from the Twistlock console and can be inserted into the containers or function packages with minimal intervention to existing CI/CD pipelines or disruption to developer workflows.



The evolution of container technology and the increased adoption of orchestration has given rise to several offerings in the container security space, both from established vendors and newer entrants focusing on container security. Twistlock is one of the most well-known names in container security, but the field is crowded. Aqua Security is another popular container security offering that often competes with Twistlock, as is SysDig. Other members of this group – Layered Insights, NeuVector, StackRox, Deepfence, Anchore, among others – are all competing for the container security projects, albeit with slightly different approaches.

Many existing vendors in each of the areas/use cases that Twistlock covers have also added container support. Vulnerability management stalwarts such as Qualys, Tenable and Rapid7 all have container security offerings. For runtime protection, the list of vendors also includes CloudPassage, Tripwire, Symantec and Trend Micro, to name a few. Software composition vendors such as jFrog (with XRay) and Synopsys (Black Duck) also come up as offering some competing functionality.

Finally, the cloud providers are increasingly adding security functionality to their own environments. Google's Binary Authorization, Azure Container Registry support for content trust, and AWS's strong IAM support for ECS are all examples of providers adding layers of security to their container-based offerings.

Fernando Montenegro
Senior Analyst, Information Security

Fernando is a Senior Analyst on the Information Security team, based in Toronto. He has broad experience in security architecture, particularly network security for enterprise environments. He currently focuses on covering vendors and industry events in the endpoint security and cloud security spaces.

Jeremy Korn
Research Associate

Jeremy Korn is a Research Associate at 451 Research. He graduated from Brown University with a BA in Biology and East Asian Studies and received a MA in East Asian Studies from Harvard University, where he employed quantitative and qualitative methodologies to study the Chinese film industry.

Aaron Sherrill
Senior Analyst

Aaron Sherrill is a Senior Analyst for 451 Research covering emerging trends, innovation and disruption in the Managed Services and Managed Security Services sectors. Aaron has 20+ years of experience across several industries including serving in IT management for the Federal Bureau of Investigation.

Want to read more? Request a trial now.