Infrastructure Security | Butler Solutions
Last Tuesday, a client called me in a panic. Their scanning tool had just flagged 847 critical vulnerabilities across their Kubernetes cluster. "How did this happen?" they asked. "We deployed three weeks ago."
Here's what I told them: That's not a bug. It's the new normal.
In 2025, the CVE database exploded. Security researchers, automated tools, and bug bounty programs found and disclosed more vulnerabilities than any year in history. The container images you built last month? They're already carrying known exploits. The base images in your Dockerfiles? Likely several patch cycles behind.
And here's the part that should keep you up at night: 40% of all cyber intrusions in Q4 2025 started with exploited known vulnerabilities. Not zero-days. Not sophisticated nation-state attacks. Known, patchable flaws that someone just hadn't gotten around to fixing.
The math doesn't work in your favor anymore. Manual patching cycles, quarterly image rebuilds, and "we'll update it next sprint" attitudes are leaving windows open that attackers are walking right through.
This post breaks down what changed, why the old playbook failed, and a practical 5-step framework to get ahead of container security in 2026. No vendor pitches. Just what I've seen work in production across dozens of clusters.
Let's look at the data driving this shift.
CVE Volume Exploded: 2025 saw 48,196 Common Vulnerabilities and Exposures published. That's 132 per day, every day, for the entire year. Compare that to 2020, when the annual total was under 18,000. The rate of vulnerability discovery has nearly tripled.
Kernel CVEs Alone: Linux kernel maintainers are now dealing with 8-9 new CVEs appearing daily. Any container running on a host kernel is potentially exposed — and most teams aren't tracking host-level patches separately from container updates.
The Patching Gap: According to Datadog's 2025 Kubernetes adoption report, 78% of hosts are running Kubernetes versions in mainstream support. That's the good news. The bad news? 19% are on versions with only extended support, and 3% are running completely unsupported releases. In a 100-node cluster, that means 3 nodes with no security patches coming. Ever.
Exploitation Speed: Here's what Cisco Talos reported: nearly 40% of all intrusions in Q4 2025 were due to exploited flaws. And the window between patch availability and active exploitation is shrinking. The React2Shell vulnerability (CVE-2025-55182) was patched in June 2024, but attackers didn't weaponize it at scale until November 2025 — giving organizations 5 months to update. Many didn't.
| Metric | 2023 | 2024 | 2025 |
|---|---|---|---|
| Annual CVEs Published | 28,902 | 34,565 | 48,196 |
| Avg CVEs Per Day | 79 | 95 | 132 |
| Exploited Flaws in Intrusions | 23% | 31% | 40% |
| Containers with Critical CVEs | 47% | 52% | 61% |
Containers should be secure by design. Immutable. Reproducible. Isolated. The theory is beautiful. The practice? Different story.
Most containers start from base images that are already outdated. Alpine, Debian, Ubuntu — maintainers do their best, but by the time you pull, build, and deploy, the underlying packages often have known vulnerabilities.
I audited a client's environment last month. Their production containers were built 8 weeks ago using the "latest" Alpine image. That image contained 23 CVEs at build time. Today? 67 CVEs, 12 of them critical. And those containers would keep running, vulnerable, until someone triggered a rebuild.
Infrastructure teams are conservative by necessity. If a cluster is stable, there's strong organizational pressure not to disturb it. But security patches require restarts. They require redeployments. They carry risk.
So teams defer. They wait for the next maintenance window. The next sprint. The next quarter. Meanwhile, their attack surface grows.
A typical Node.js application pulls in 800-1,500 transitive dependencies. Python and Java aren't much better. Each dependency is a potential vulnerability vector. Most teams audit their direct dependencies. Almost nobody audits the full tree.
The Log4j crisis of 2021 should have taught us this lesson. A logging library, five levels down in the dependency chain, became the most exploited vulnerability in history. We're still making the same mistake.
Container registries now commonly include vulnerability scanning. Tools like Trivy, Clair, and Snyk will happily generate reports showing every CVE in your images. I've seen teams with dashboards full of red CVE counts — thousands of criticals — that nobody's acted on.
Scanning without a remediation process is security theater. You feel protected because you can see the problems. But visibility without action is just anxiety generation.
The average time to patch a critical container vulnerability in enterprise environments is 80 days. Attackers typically weaponize critical CVEs within 14 days of disclosure. That 66-day window is where breaches happen.
Here's the approach I've been implementing with clients over the past year. It's not revolutionary. It's just disciplined execution on fundamentals that most teams skip.
Stop treating container builds as releases. Start treating them as a continuous process.
docker build --pull to ensure latest base imagesTools: GitHub Actions, GitLab CI, Tekton, or any CI platform with container build capabilities.
Some containers can't be rebuilt immediately. Legacy apps. Vendor images. Third-party dependencies. For these, use runtime security tools that patch in-memory without container restarts.
Note: Runtime patching is a band-aid, not a cure. It buys you time to properly rebuild and redeploy.
Every package you don't include is a vulnerability you don't have to patch.
Manual vulnerability management doesn't scale. Automate the entire lifecycle.
Don't rely on humans to remember security policies. Encode them.
I work with companies across Michigan — from automotive suppliers in Sterling Heights to healthcare SaaS in Ann Arbor. What I've learned: manufacturing culture actually helps here.
Manufacturing understands preventive maintenance. You don't wait for the machine to break. You service it on a schedule. Container security needs the same mindset. Rebuild. Patch. Scan. Rotate credentials. Not because something failed, but because scheduled maintenance prevents failures.
The teams I've seen succeed treat their Kubernetes clusters like production lines. They have SOPs. They have metrics. They have escalation procedures. Security isn't a special project — it's part of normal operations.
Let's talk numbers. Implementing this framework isn't free.
Platform costs: Advanced security scanning (Snyk, Aqua, Prisma Cloud) runs $10-50 per node per month depending on feature set. Runtime security tools add $5-20 per node. For a 50-node cluster, budget $750-3,500 monthly for tooling.
Engineering time: Building automated pipelines, setting up policies, tuning false positives — expect 40-80 hours of focused engineering time over the first quarter. Maintenance is lighter, maybe 4-8 hours per month ongoing.
Now compare to breach costs: IBM's 2025 Cost of a Data Breach Report put the average at $4.88 million. For mid-market companies, it's lower — typically $1-3 million — but still devastating. And that's just direct costs. Reputation damage, customer churn, and regulatory penalties add multiples.
ROI calculation: If improved container security prevents even one minor breach over 5 years, it pays for itself 10-50x. If it prevents a major incident, the ROI is astronomical.
But the real value? Sleeping soundly. Knowing that when the next CVE drops — and it will — your automated systems are already rebuilding, scanning, and deploying patches before you even read the security bulletin.
If you're not confident in your current container security posture, here's how to start:
Days 1-7: Assessment
Days 8-14: Quick Wins
Days 15-21: Pipeline Integration
Days 22-30: Hardening
This is achievable. I've guided teams through this exact sequence in under a month. The key is starting now, not waiting for the next security review cycle.
I've helped teams across Michigan and beyond implement container security frameworks that actually work — without slowing down development. Book a 30-minute consultation and we'll audit your current posture, identify the highest-impact fixes, and build a roadmap that fits your team.
Email clide@butler.solutions →No pressure. No sales pitch. Just practical security advice for your specific situation.
About the Author: Clide Butler is an automation and infrastructure consultant at Butler Solutions, helping companies in Michigan and beyond build secure, scalable systems. Learn more at askclide.com.
Sources: CVE.org, Cisco Talos Intelligence, Datadog 2025 Kubernetes Adoption Report, IBM Cost of a Data Breach Report 2025, Sysdig 2025 Container Security Report.