The Architecture That Couldn't Be Breached
Container escape achieved. Attacker privilege: still none. Why?
The breach happened. The forensics confirmed it. Shellcode executed inside the container. Root user, full system access, network connectivity. All compromised. Everything the attacker needed to pivot was there.
None of it worked.
The escaped container had no network access to other services. Secrets were never mounted into the pod, so the attacker had no credential to steal. The host firewall blocked outbound connections. The network policy denied access to the control plane. RBAC granted the pod's service account no permissions.
The container was compromised. The architecture was not.
This is what defense in depth looks like when it actually works.
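The controls that held in this story can be checked before an incident rather than reconstructed after one. The script below is an added example, not code from the original post: it audits parsed Kubernetes objects (plain dicts, as returned by a JSON or YAML parser) for the properties described above, namely no secrets or service-account token in the pod, a default-deny NetworkPolicy in the namespace, and no RBAC binding for the pod's service account. The sample pod and policy are constructed.

```python
# Added example, not code from the original article: audit parsed Kubernetes
# objects for the containment properties the post describes (no secrets in the
# pod, no service-account token, default-deny network policy, no RBAC grants).
# Input is plain dicts as produced by json/yaml parsing; samples are constructed.

def audit(pod: dict, policies: list, bindings: list) -> list:
    """Return a list of findings; an empty list means the pod matches the post."""
    ns = pod["metadata"]["namespace"]
    spec = pod.get("spec", {})
    sa = spec.get("serviceAccountName", "default")
    findings = []
    # 1. No credential to steal: token not mounted, no Secret volumes or env refs.
    if spec.get("automountServiceAccountToken", True):
        findings.append("service account token is mounted")
    findings += [f"secret volume mounted: {v['secret'].get('secretName')}"
                 for v in spec.get("volumes", []) if "secret" in v]
    for c in spec.get("containers", []):
        if any("secretRef" in r for r in c.get("envFrom", [])) or any(
                "secretKeyRef" in e.get("valueFrom", {}) for e in c.get("env", [])):
            findings.append(f"secret injected into env of container {c['name']}")
    # 2. No lateral movement: a NetworkPolicy in the namespace selecting every
    #    pod, listing both policyTypes and allowing nothing (default deny).
    if not any(p.get("metadata", {}).get("namespace") == ns
               and p["spec"].get("podSelector", {}) == {}
               and {"Ingress", "Egress"} <= set(p["spec"].get("policyTypes", []))
               and not p["spec"].get("ingress") and not p["spec"].get("egress")
               for p in policies):
        findings.append(f"no default-deny NetworkPolicy in namespace {ns}")
    # 3. No API permissions: no (Cluster)RoleBinding names this service account.
    for b in bindings:
        for s in b.get("subjects", []):
            if (s.get("kind") == "ServiceAccount" and s.get("name") == sa
                    and s.get("namespace", b["metadata"].get("namespace")) == ns):
                findings.append(f"binding {b['metadata']['name']} grants rights to {sa}")
    return findings


# Constructed sample: a pod and namespace policy laid out the way the post describes.
HARDENED_POD = {
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {"automountServiceAccountToken": False,
             "containers": [{"name": "app", "image": "example/app:1"}]},
}
DEFAULT_DENY = {
    "metadata": {"name": "default-deny", "namespace": "shop"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}
```

Run `audit(HARDENED_POD, [DEFAULT_DENY], [])` to see the empty finding list; feed it a pod with a Secret volume or a RoleBinding for its service account and each weakened layer is reported by name.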