
Summary
Detects Linux chroot invocations that appear tied to container workloads, focusing on cases where a process is executed with chroot and is associated with container context. The rule flags when the process title matches runc init, the entry leader is a container workload, or the parent process is runc. Chrooting from within a container can pivot to a different root filesystem and is a common step in container breakout when coupled with host mounts.

It relies on process execution telemetry from Elastic Defend and/or Auditd Manager to identify execve/start events and inspect process.name, process.args, process.title, process.entry_leader, and process.parent data. The detection is anchored by a signature that includes chroot binaries or arguments (e.g., chroot, /bin/chroot, /usr/bin/chroot, /usr/local/bin/chroot) and container-context indicators (runc init title, container-type entry leader, or parent name). The rule maps to MITRE ATT&CK technique T1611 (Escape to Host) under Privilege Escalation. A risk score of 73 reflects potential high impact due to host filesystem exposure and credential-risk implications.

Setup guidance explains enabling Elastic Defend and Auditd Manager telemetry on Linux, with prerequisites such as Fleet, and notes to verify execve auditing so relevant fields populate. False positives may occur during legitimate CI/build workflows that chroot into staged root filesystems; tuning may be required to reduce noise. Recommended actions upon detection include isolating the workload, preserving artifacts, and rotating credentials exposed to the container, while correlating with container lifecycle metadata to confirm legitimacy.
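The condition described above, expressed as a small evaluator run over constructed ECS-style process events. This is an added illustration, not the Elastic rule's own query: the nested field path used for the entry leader's workload type (process.entry_leader.entry_meta.type), the event.type values treated as process starts, and the container.image.name allowlist used to tune out a CI build workflow are assumptions made for the example. The sample events are constructed, not captured telemetry.

```python
"""Evaluate the chroot-in-container condition over constructed ECS-style events.

Added example; field paths and event.type values are assumptions about the
telemetry layout, not taken from the rule itself.
"""
from typing import Any, Dict, FrozenSet, Iterable, List, Optional, Set

# Chroot binaries/arguments named in the rule summary.
CHROOT_BINARIES: Set[str] = {"chroot", "/bin/chroot", "/usr/bin/chroot", "/usr/local/bin/chroot"}
# Assumed event.type values that represent process start / execve telemetry.
START_TYPES: Set[str] = {"start", "execve"}


def get_field(event: Dict[str, Any], path: str, default: Any = None) -> Any:
    """Walk a dotted ECS-style path (e.g. 'process.parent.name') through nested dicts."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def is_process_start(event: Dict[str, Any]) -> bool:
    types = get_field(event, "event.type", [])
    if isinstance(types, str):
        types = [types]
    return bool(set(types) & START_TYPES)


def is_chroot_invocation(event: Dict[str, Any]) -> bool:
    """process.name is a chroot binary, or any process.args entry is one."""
    name = get_field(event, "process.name", "")
    args = get_field(event, "process.args", []) or []
    return name in CHROOT_BINARIES or any(arg in CHROOT_BINARIES for arg in args)


def container_context_reasons(event: Dict[str, Any]) -> List[str]:
    """Return every container-context indicator the event satisfies."""
    reasons: List[str] = []
    title = get_field(event, "process.title", "") or ""
    if title.startswith("runc init"):
        reasons.append("title:runc init")
    # Assumed field path for the entry leader's workload type.
    if get_field(event, "process.entry_leader.entry_meta.type") == "container":
        reasons.append("entry_leader:container")
    if get_field(event, "process.parent.name") == "runc":
        reasons.append("parent:runc")
    return reasons


def evaluate(event: Dict[str, Any],
             allowlisted_images: FrozenSet[str] = frozenset()) -> Optional[List[str]]:
    """Return the matched container-context reasons, or None when the rule does not fire."""
    if not (is_process_start(event) and is_chroot_invocation(event)):
        return None
    reasons = container_context_reasons(event)
    if not reasons:
        return None
    # Tuning hook (assumed): known CI/build images that legitimately chroot into staged rootfs.
    if get_field(event, "container.image.name") in allowlisted_images:
        return None
    return reasons


def run_detection(events: Iterable[Dict[str, Any]],
                  allowlisted_images: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Map event.id -> matched reasons for every event that fires the rule."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        reasons = evaluate(ev, allowlisted_images)
        if reasons:
            hits[get_field(ev, "event.id", "?")] = reasons
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # chroot into a host mount, spawned directly by runc
    {"event": {"id": "e1", "type": ["start"]},
     "process": {"name": "chroot", "args": ["chroot", "/host", "/bin/sh"],
                 "title": "chroot /host /bin/sh", "parent": {"name": "runc"}},
     "container": {"image": {"name": "app-web"}}},
    # CI build job chrooting into a staged rootfs inside a container entry leader
    {"event": {"id": "e2", "type": ["start"]},
     "process": {"name": "chroot", "args": ["/usr/bin/chroot", "/mnt/rootfs", "make"],
                 "parent": {"name": "bash"},
                 "entry_leader": {"entry_meta": {"type": "container"}}},
     "container": {"image": {"name": "ci-rootfs-builder"}}},
    # host administrator chroot with no container context: must not fire
    {"event": {"id": "e3", "type": ["start"]},
     "process": {"name": "chroot", "args": ["chroot", "/mnt/recovery"],
                 "parent": {"name": "bash"}}},
    # chroot executed while the process title still reads "runc init"
    {"event": {"id": "e4", "type": ["start"]},
     "process": {"name": "chroot", "args": ["chroot", "/rootfs"], "title": "runc init",
                 "parent": {"name": "containerd-shim"}}},
    # ordinary container process, not chroot: must not fire
    {"event": {"id": "e5", "type": ["start"]},
     "process": {"name": "ls", "args": ["ls", "/"], "parent": {"name": "runc"}}},
]

if __name__ == "__main__":
    for event_id, reasons in run_detection(SAMPLE_EVENTS).items():
        print(f"ALERT {event_id}: chroot with container context ({', '.join(reasons)})")
```

Running the block as-is flags e1, e2 and e4; passing `allowlisted_images=frozenset({"ci-rootfs-builder"})` to `run_detection` drops e2, which is the kind of tuning the summary anticipates for legitimate CI/build workflows. The reasons list is kept per hit so a triage analyst can see which indicator (title, entry leader, or parent) drove the match before correlating with container lifecycle metadata.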
Categories
- Endpoint
- Containers
- Linux
Data Sources
- Process
- Kernel
ATT&CK Techniques
- T1611
Created: 2026-04-27