Secure by default.
Simple by design.
Sekyr turns any Docker image into a security‑monitored one. Prefix the registry URL with sekyr.cloud/ and monitoring is on. Nothing to install, nothing to configure.
$ docker pull sekyr.cloud/
Four steps. Only the first one is yours.
Prefix the registry URL
Change `nginx:1.27` to `sekyr.cloud/nginx:1.27`. That one line is the whole install.
Pull as usual
Sekyr instruments the image at pull time, at the layer level. We see what Docker sees, and we don't ask for your source code or access to your infrastructure.
Ship to production
Your runtime is monitored the moment a container starts. Nothing runs in your cluster that wasn't already running, and pull overhead stays under 10%.
Signal only, when it happens
We capture the full event: binary, arguments, stdin, environment, parent process. Context and investigation run over that. You hear from us only when the action is actually malicious.
Four things we refuse to compromise on.
We don’t generate noise to justify our existence, and we don’t make dashboards that look impressive but mean nothing. We built Sekyr because runtime security should be something every team has, not just the ones that can afford to hire specialists for it.
Invisible until it matters
Quiet by default. Fires only when something real is happening. What you get is a signal, not a queue of things to triage.
Trustworthy by default
We don't ask you to trust us. We tell you how we work, show you what we find, and ship secure defaults before you touch a config.
Precision over spectacle
Every alert we raise should be one you care about. A dashboard that looks impressive but doesn't change what you do next isn't something we'd build.
If it's hard to use, it's not done
Whoever opens Sekyr, a developer at 2am or a security lead writing a report, should feel like it was built for them.
A different place to stop the problem.
Most container security tools watch what’s already running. Sekyr works earlier, at the registry, before anything hits your hosts. Here’s how that shifts the trade-offs.
Sekyr
Registry-layer security
EDR-style tools
A watchdog on every server
RASP-style tools
A library inside each app
Meet Varde.
A companion tool for image provenance and supply‑chain checks. Same idea as Sekyr: it stays out of the way, and it only speaks up when it has something worth saying. Uses a triangle, because every product in the Sekyr family gets its own shape.
Read about Varde
The usual concerns.
No. Sekyr works at the image layer, so we see what Docker sees. Your source code, build system, and cluster stay where they are.
Every alert should be one you'd act on. We fire when an instrumented image does something that doesn't happen during its normal operation, which is a much narrower target than “looks suspicious”.
You change `nginx:1.27` to `sekyr.cloud/nginx:1.27` in your image reference. Sekyr proxies the pull, instruments the layers, and serves the instrumented image back. No other config. Aliases like `aws.sekyr.cloud`, `gcp.sekyr.cloud`, and `dockerhub.sekyr.cloud` let you keep several saved registry logins side by side.
We meet the security and privacy requirements our customers and regulators expect of us, and we publish how. We track what we promise, measure whether we deliver, and fix the parts that fall short.
Images are cached locally once pulled, so an outage on our end doesn't affect workloads that are already running. Status is public.