
Summary
This detection rule identifies Kubernetes pods executing known offensive security tools, which can indicate that a container has been compromised. Using process execution data from Cisco Isovalent, the rule flags tools commonly used for reconnaissance and exploitation inside the cluster, such as network scanners (e.g., nmap, masscan), password crackers (e.g., hashcat) and Active Directory enumeration collectors (e.g., SharpHound). Matching is done with the predefined macro `linux_offsec_tool_processes`, which holds the list of offensive-tool process names for Linux systems. Alerts on these processes matter because they are tied to unauthorized discovery, lateral movement, and potentially compromised containers. Legitimate security testing will trigger false positives, so the rule needs agreed maintenance and allowlisting practices for authorized scanning and testing workloads. The rule runs on Splunk and aggregates the matched processes with statistics per pod and process so analysts can see the scope and nature of the activity.
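The following is an added example, not the Splunk analytic or the `linux_offsec_tool_processes` macro itself. It re-implements the detection idea in Python over a handful of constructed Tetragon-style process_exec events so the matching, allowlisting and per-pod aggregation can be seen end to end. The event field layout, the tool list and the allowlist entries are assumptions for illustration; the real macro's contents are not reproduced.

```python
"""Toy re-creation of the 'offensive tool executed in a pod' detection.

Added example; not the Splunk rule. The JSON layout below mimics a
Tetragon-style process_exec event but is an assumption, not a capture.
"""
import json
import os

# Stand-in for the `linux_offsec_tool_processes` macro: lower-cased process
# basenames. Only tools named on the page are listed (assumption: the real
# macro is longer and is not reproduced here).
OFFSEC_TOOL_NAMES = {"nmap", "masscan", "hashcat", "sharphound"}

# Constructed sample events, one JSON object per line (not real telemetry).
SAMPLE_EVENTS = """\
{"time":"2026-01-05T10:00:01Z","process_exec":{"process":{"binary":"/usr/bin/nmap","arguments":"-sS 10.0.0.0/24","pod":{"namespace":"default","name":"web-7f9c"}}}}
{"time":"2026-01-05T10:00:05Z","process_exec":{"process":{"binary":"/usr/bin/nmap","arguments":"-sV 10.0.0.12","pod":{"namespace":"default","name":"web-7f9c"}}}}
{"time":"2026-01-05T10:01:10Z","process_exec":{"process":{"binary":"/opt/masscan/bin/masscan","arguments":"-p443 10.0.0.0/16","pod":{"namespace":"default","name":"web-7f9c"}}}}
{"time":"2026-01-05T10:02:00Z","process_exec":{"process":{"binary":"/usr/local/bin/hashcat","arguments":"-m 1000 hashes.txt","pod":{"namespace":"batch","name":"worker-1"}}}}
{"time":"2026-01-05T10:03:00Z","process_exec":{"process":{"binary":"/usr/bin/bash","arguments":"-c ls","pod":{"namespace":"default","name":"web-7f9c"}}}}
{"time":"2026-01-05T10:04:00Z","process_exec":{"process":{"binary":"/tools/SharpHound","arguments":"-c All","pod":{"namespace":"security-testing","name":"authorized-pentest-0"}}}}
"""

# Allowlist for legitimate security testing: (namespace, pod-name prefix).
# Kept narrow on purpose; allowlisting a whole namespace would also hide an
# attacker who lands in that namespace. Hypothetical values.
ALLOWLIST = {("security-testing", "authorized-pentest-")}


def is_allowlisted(namespace, pod, allowlist=ALLOWLIST):
    """True when the pod is an approved testing workload."""
    return any(namespace == ns and pod.startswith(prefix) for ns, prefix in allowlist)


def matches_offsec_macro(binary):
    """Mimic the macro: compare the executable's basename, case-insensitively.

    Basename matching catches /usr/bin/nmap as well as a copy dropped under
    /tmp; it does not catch a renamed binary, which would need argument or
    file-hash matching on top of this check.
    """
    return os.path.basename(binary).lower() in OFFSEC_TOOL_NAMES


def detect(jsonl, allowlist=ALLOWLIST):
    """Return one alert per (namespace, pod, tool), the way a stats aggregation
    would: hit count, first/last seen and the distinct argument strings."""
    buckets = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        proc = ev.get("process_exec", {}).get("process", {})
        pod = proc.get("pod", {})
        ns, name = pod.get("namespace", ""), pod.get("name", "")
        binary = proc.get("binary", "")
        if not matches_offsec_macro(binary):
            continue
        if is_allowlisted(ns, name, allowlist):
            continue  # authorized testing: drop, but keep the raw event searchable
        key = (ns, name, os.path.basename(binary).lower())
        b = buckets.setdefault(key, {
            "namespace": ns, "pod": name, "tool": key[2], "count": 0,
            "first_seen": ev["time"], "last_seen": ev["time"], "arguments": set(),
        })
        b["count"] += 1
        b["first_seen"] = min(b["first_seen"], ev["time"])  # ISO-8601 strings sort lexically
        b["last_seen"] = max(b["last_seen"], ev["time"])
        b["arguments"].add(proc.get("arguments", ""))
    alerts = sorted(buckets.values(), key=lambda a: (a["namespace"], a["pod"], a["tool"]))
    for a in alerts:
        a["arguments"] = sorted(a["arguments"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running it against the constructed events yields three alerts: hashcat in `batch/worker-1`, and masscan plus two nmap executions in `default/web-7f9c`; the SharpHound run is suppressed only because its pod matches the allowlist, and the bash execution never matches the tool list. Re-running with an empty allowlist surfaces the fourth alert, which is the behaviour to keep in mind when reviewing allowlist entries.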
Categories
- Kubernetes
- Cloud
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1204.003
Created: 2026-01-05