Over the years, Kubernetes has grown massively in popularity with developers and IT teams. Has your security team grown with them? When a security incident happens within a Kubernetes environment do you know how to unpack the events in order to gain insight into the scope and impact of a security incident? In this session we will walk through a Kubernetes investigation from runtime alert to root cause. Throughout the presentation we will be uncovering the attacker's behavior and the resulting impact from that behavior. Along the way we will discuss some unique features of Kubernetes that can be very powerful when conducting an investigation.