StackRox Adversarial Intent Model (AIM)

StackRox AIM captures a core philosophy that defensive strategy should be built from an offensive perspective.

By examining application deployments through the attacker's lens, StackRox exposes threats by fusing together signals in container environments which correspond to the five iterative phases of an attack’s lifecycle: foothold, persistence, privilege escalation, lateral movement, and objectives.

Adversarial Intent Model The StackRox Adversarial Intent Model (AIM)

StackRox deeply understands container attacks and detects a broad range of adversary behaviors across each phase of the AIM


FootholdReverse shell invocation, Java-based code injection attacks
PersistenceDatabase persistence via post of database procedures, user persistence via modification of PAM configurations
Privilege EscalationExecution of setuid/setgid by non-root users
Lateral MovementAnomalous network communication with a client followed by payload execution or unexpected process cloning
ObjectivesCryptocurrency mining software, exfiltration of sensitive content via reading stored secrets or accessing confidential file paths


AIM is the foundation for best-in-class container runtime security that detects the most relevant threats in the container world.

Download AIM brief