Aqua Dynamic Threat Analysis (DTA) is the industry’s first container sandbox solution that dynamically assesses the risks of container images before they run. Aqua DTA runs container images in an isolated sandbox environment that monitors and detects indicators of compromise (IOCs) such as container escapes, malware, crypto miners, code injection backdoors, network anomalies, and more.

Container images are a growing vector for external code to enter an organization. There is currently no practical way to test what an image will actually do when activated. Organizations are taking on a lot of risk by using externally built images. Aqua DTA provides a way to safely expose the risks an image might bring to your environments. 

The following terms are key in understanding the scan results:

Behaviors and Findings: Aqua DTA runs the container in an isolated sandbox environment and monitors the behaviors of the container image. The behaviors are classified by category and risk severity, so you can understand their context.

In addition, DTA provides evidence to substantiate each behavior. For example, a possible behavior might be “Detection of network activity without performing DNS lookup”; the evidence for this behavior could include the ID of the process that initiated the network activity, as well as the destination IP address.
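The behavior quoted above can be sketched as detection logic over a sandbox event trace. This is an added example, not Aqua DTA's code or output format; the event record fields, the sample trace, and the function name are assumptions made for illustration.

```python
import ipaddress

# Constructed sandbox trace (not real DTA output): one record per observed event.
SAMPLE_EVENTS = [
    {"type": "dns", "pid": 41, "query": "repo.example.org", "answers": ["203.0.113.10"]},
    {"type": "connect", "pid": 41, "dst_ip": "203.0.113.10", "dst_port": 443},
    {"type": "connect", "pid": 57, "dst_ip": "198.51.100.7", "dst_port": 4444},
    {"type": "connect", "pid": 57, "dst_ip": "127.0.0.1", "dst_port": 8080},
    {"type": "dns", "pid": 60, "query": "late.example.org", "answers": ["192.0.2.5"]},
    {"type": "connect", "pid": 57, "dst_ip": "198.51.100.7", "dst_port": 4444},
]


def find_connections_without_dns(events):
    """Return one finding per (pid, dst_ip) contacted with no prior DNS answer.

    Events must be in the order they were observed. Each finding carries the
    evidence named in the text: the initiating process ID and the destination IP.
    """
    resolved = set()   # normalized IPs returned by any DNS answer seen so far
    findings = {}      # (pid, dst_ip) -> finding record
    for ev in events:
        if ev["type"] == "dns":
            resolved.update(str(ipaddress.ip_address(a)) for a in ev["answers"])
        elif ev["type"] == "connect":
            ip = ipaddress.ip_address(ev["dst_ip"])
            # Loopback traffic never needs DNS; resolved IPs are expected traffic.
            if ip.is_loopback or str(ip) in resolved:
                continue
            finding = findings.setdefault((ev["pid"], str(ip)), {
                "behavior": "Network activity without performing DNS lookup",
                "pid": ev["pid"],
                "dst_ip": str(ip),
                "dst_ports": set(),
                "count": 0,
            })
            finding["dst_ports"].add(ev["dst_port"])
            finding["count"] += 1
    return list(findings.values())


if __name__ == "__main__":
    for f in find_connections_without_dns(SAMPLE_EVENTS):
        print(f)
```

Repeated connections from the same process to the same address are collapsed into one finding with a count, so a beaconing process produces a single behavior with accumulated evidence rather than one alert per packet.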


Behavior categories

Each behavior is classified into one of 5 categories. To align with the MITRE ATT&CK framework, each category is mapped to one or more MITRE categories.

| Behavior category | | MITRE category mapping |
|---|---|---|
| Initial Execution | Consists of techniques that use various entry vectors to gain their initial foothold. Example: Crypto Mining binaries found in the image | Initial access, Execution |
| | Includes unusual techniques to gain more control. Example: Privilege escalation and credential access | Persistence, Privilege escalation, Defense evasion, Credential access |
| | Discovering local or remote resources to exploit them or perform lateral movement. Example: Executing "Shodan search" on internet-connected devices in runtime | Discovery, Lateral movement |
| | Suspicious network activity. Example: Accessing an unreachable IP address might indicate communication with a C&C | Command and control |
| Collection & Exfiltration | Collecting resources and reaching an end-game objective. Example: Resource hijacking to validate transactions of cryptocurrency networks and earn virtual currency | Collection, Exfiltration, Impact |