Introducing Replik8s, a Modern Security Tool for Kubernetes

Last updated Nov 06, 2025 (first posted Sep 22, 2025)

Introduction

Security tools are often designed to highlight specific issues by consuming APIs and applying predefined logic. Each tool implements its own data structures, storage formats, and evaluation logic. While effective in narrow contexts, this approach creates challenges for teams managing a diverse toolset. Moreover, most tools are optimized to fetch only the data needed for specific findings, limiting their utility in broader contexts such as incident response or historical analysis.

At Latacora, we’ve addressed these limitations with a different approach to building our tooling ecosystem. Rather than collecting data for predefined use cases, we gather everything exposed by the providers we target - whether that’s AWS, Kubernetes, or otherwise - and store the data in a format closely mirroring the original API responses. This design provides teams with a flexible query engine, giving them the power to investigate, respond to incidents, generate security findings, and identify resources impacted by new vulnerabilities, all in a single tool.

Today, we’re excited to introduce Replik8s, an open source Kubernetes tool that embodies this approach. Replik8s can clone Kubernetes clusters, serving back an exact replica of the original cluster’s data. It can also run analysis with a tool-agnostic query language, and investigate historical data long after it was captured.

Replik8s is built around a few key functions that provide a workflow for auditing and investigation:

[Image: Help]

Snapshot collection

Step one is creating a full snapshot of a cluster’s configuration. This command connects to the Kubernetes API and gathers all the data, storing it for future use.

[Image: Collect]

Serving back snapshots

Once you have a snapshot, you can serve it back as a mirror API.

[Image: Serve]

This powerful feature allows you to run standard tools such as kubectl against a historical, offline snapshot as if it were a live cluster.

[Image: Kubectl]

You can even run other security tools such as Trivy!

[Image: Trivy]

Replik8s also supports modern AI workflows. For example, using a Kubectl MCP, you can leverage an AI agent to interact with the mirror API, investigating changes over time by querying multiple snapshots.

[Image: Gemini]

Querying snapshots

Replik8s leverages a generic, tool-agnostic query language (DataScript) to analyze snapshots. You can ask complex questions of your cluster data, from listing all pods to identifying specific misconfigurations. These queries are used to generate reports that cover all issues identified in a set of snapshots.

[Image: Report]
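The idea behind querying stored snapshots, as an added Python example that is not Replik8s code and does not use its DataScript engine: because each snapshot keeps the raw API response, a question that was not anticipated at collection time (here, which privileged containers or hostNetwork pods appeared between two captures) can still be answered offline. The snapshot layout, the function names, and the sample pods are assumptions constructed for illustration.

```python
# Added illustration; NOT Replik8s code. Snapshot layout and names are assumptions.
import json

# Constructed snapshots: raw PodList responses keyed by the API path they came from.
SNAP_T1 = {"/api/v1/pods": json.loads("""{"kind":"PodList","items":[
  {"metadata":{"namespace":"web","name":"api-7d9"},
   "spec":{"containers":[{"name":"api","image":"api:1.4"}]}}]}""")}
SNAP_T2 = {"/api/v1/pods": json.loads("""{"kind":"PodList","items":[
  {"metadata":{"namespace":"web","name":"api-7d9"},
   "spec":{"containers":[{"name":"api","image":"api:1.4"},
     {"name":"debug","image":"tools:latest","securityContext":{"privileged":true}}]}},
  {"metadata":{"namespace":"ops","name":"agent-x2"},
   "spec":{"hostNetwork":true,"containers":[{"name":"agent","image":"agent:2.0"}]}}]}""")}


def risky_pods(snapshot):
    """Return {(namespace, pod, reason)} for privileged containers and hostNetwork pods."""
    findings = set()
    for pod in snapshot.get("/api/v1/pods", {}).get("items", []):
        meta, spec = pod["metadata"], pod.get("spec", {})
        key = (meta.get("namespace", ""), meta["name"])
        if spec.get("hostNetwork"):
            findings.add(key + ("hostNetwork",))
        # initContainers can also request privileged mode, so check them too.
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            if (c.get("securityContext") or {}).get("privileged"):
                findings.add(key + ("privileged:" + c["name"],))
    return findings


def introduced_between(old, new):
    """Findings present in the newer snapshot but absent from the older one."""
    return sorted(risky_pods(new) - risky_pods(old))


if __name__ == "__main__":
    for ns, pod, reason in introduced_between(SNAP_T1, SNAP_T2):
        print(f"{ns}/{pod}: {reason}")
```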

Visualizing it all

Finally, Replik8s can render a high-level notebook for visualizing snapshot data, reported findings, and cluster configurations in an easily digestible format.

[Image: Visualize]

Conclusion

This approach makes security tooling more adaptable and powerful. By capturing complete snapshots and providing a flexible query interface, Replik8s moves beyond simple, predefined “security findings,” empowering teams to implement complex queries, conduct historical investigations, and respond to incidents with full context.

Check out Replik8s on GitHub and see how it can fit into your arsenal! We’re actively working to improve Replik8s and build out its capabilities, and we welcome your contributions and feedback along the way.
