The present disclosure generally relates to improving network security threat detection and response in cloud environments hosting containers. Typically, a multi-tenant cloud provider hosts many virtual machines (“VMs”) belonging to many different tenants, which in turn host many different applications including applications further virtualized in containers. Isolated guests such as VMs and containers may allow a programmer to quickly scale the deployment of applications to the volume of traffic requesting the applications. Isolated guests may be deployed in a variety of hardware environments. There may be economies of scale in deploying hardware in a large scale. A cloud provider may rent or sell excess computing capacity on extra hardware deployed to, for example, achieve per unit cost savings on hardware, or for the express purpose of creating a revenue stream from such rentals. A programmer may hire one or more cloud providers to provide contingent space for situations where the programmer's applications may require extra compute capacity, becoming a tenant of the cloud provider. A tenant may flexibly launch more or less copies of isolated guests to scale their applications and services in response to the ebb and flow of traffic. Typically, a container is significantly lighter weight than a VM, and may be hosted in a VM, allowing for additional flexibility and scalability of deployment.