Fig. 7

From: Optimus: association-based dynamic system call filtering for container attack surface reduction

Workflow of covert container renewal. The container manager creates an alternative container identical to the existing one. Then, it enforces a new Seccomp profile on the alternative container, enhancing its security posture. Lastly, the service proxy seamlessly redirects incoming traffic from the old container to the alternative one.