Edera Neutralizes Threats You Can't Patch

The vulnerability management ecosystem is fundamentally broken. Organizations spend countless hours tracking and patching CVEs that pose no real threat to their environments – simply because compliance frameworks demand it. From context-free CVSS scoring that ignores how a component is actually deployed to the bureaucratic nightmare of CVE assignment, the current system forces security teams into a never-ending cycle of reactive patching while real risks slip through unnoticed.

At Edera, we like to look at this problem differently. Many of us pioneered the hardened images movement at Chainguard, where we learned firsthand the monotony of traditional vulnerability management programs. We reduced bloated base images and eliminated unnecessary CVEs, but the fundamental problem remained: the moment you build on top of those hardened images, you introduce new risks and vulnerabilities that inevitably reach production.

Instead of relying on large, general-purpose codebases like the Linux kernel or KVM as the isolation boundary, we rewrote parts of the Xen hypervisor to create a truly minimal attack surface. Each zone runs on its own kernel rather than sharing the host kernel with every other workload on the node, so the shared-kernel escape paths that traditional container runtimes are exposed to simply do not exist in this design.

This architectural decision means organizations running Edera can:

  • Run end-of-life software safely - Legacy applications that can't be updated no longer put the host or neighbouring workloads at risk
  • Deploy open source code with confidence - A vulnerable or compromised community package is confined to its zone instead of becoming a path to the rest of the environment
  • Operate without constant patching - Version lag no longer means host-level exposure

The Mouse Trap Effect

Here's where Edera's approach becomes truly different: even if an attacker gains initial access to a workload, they are confined by our containment technology to the zone they landed in. Think of Edera as a sophisticated mouse trap – the attacker may get in, but they can't get out to the host or move laterally to other zones. The compromised workload and the data it handles are still worth protecting, so containment shrinks the blast radius of a vulnerability rather than removing the need to ever fix it.

This containment capability fundamentally changes the security equation. You're no longer racing to patch every vulnerability before an attacker can exploit it. Instead, Edera's isolation ensures that an exploited vulnerability stays a single-zone incident rather than becoming a system-wide breach.

The goal of vulnerability management should be risk mitigation, not compliance theater. With Edera, you can finally focus on what matters – protecting your actual attack surface – while resting easy knowing that a compromise is contained at the runtime level.

Edera Passes First PenTest with Flying Colors

Actions speak louder than words, which is why we engaged Trail of Bits – one of the industry's most respected security assessment firms – to conduct a security assessment of the Edera platform. The results speak for themselves.

Zero High or Medium Severity Vulnerabilities

After a thorough four-week security assessment of the Edera runtime, Trail of Bits identified zero high or medium severity vulnerabilities. This is an exceptional outcome for a first security audit, particularly for an emerging technology like ours.

Trail of Bits conducted this independent third-party security assessment of the Edera container runtime over four weeks in September-October 2025. The assessment included manual code review, static analysis, and dynamic testing with full access to source code and documentation. The complete assessment report, including detailed findings and recommendations, is available upon request.

What the Audit Covered

The comprehensive security review examined:

  • Isolation boundaries - Can an attacker with privileged access inside an Edera zone break out to the host or another zone?
  • Hypervisor security - Are there vulnerabilities in Xen's paravirtualized guest drivers that could break isolation?
  • GPU passthrough safety - Do modifications to support PCIe passthrough leak guest memory?
  • Memory initialization - Are guest memory mappings and page grants correctly initialized at zone launch?
  • Default security posture - Does the Edera daemon launch zones in a secure-by-default configuration?
  • Defense in depth - Are containers within zones resistant to breakouts?

The Verdict: "Generally Robust"

In their executive summary, Trail of Bits concluded: "The security posture of Edera and its surrounding infrastructure is generally robust, with no medium or high severity findings identified in this audit."

Critically, they noted that "we did not identify any vulnerabilities that would compromise the primary isolation guarantees of the system (chiefly, that zones are isolated from one another and from the host)."

The audit did identify 15 findings – 10 low severity and 5 informational – primarily related to input validation and defense-in-depth measures. These findings, which we're actively addressing, reinforce confidence in Edera's core security model: even after intensive scrutiny, the fundamental isolation guarantees remain intact.

Trail of Bits noted our extensive use of Rust for critical components as a positive. Outside of explicitly marked unsafe code, Rust's memory safety guarantees rule out the vulnerability classes – buffer overflows, use-after-free, uninitialized memory – that account for so many findings in traditional C-based hypervisors.

If you are interested in reviewing the full report and findings, reach out and we would be happy to share it. 

Edera Enables SLSA Compliance

Supply chain security has emerged as one of the most critical challenges facing modern organizations. High-profile incidents like the SolarWinds build-system compromise and the Log4Shell vulnerability in a near-ubiquitous dependency have demonstrated that the weakest link in your security posture is often buried deep in your software supply chain. This is where Edera's isolation technology becomes a game-changer for achieving the highest levels of supply chain security.

Understanding SLSA

The Supply-chain Levels for Software Artifacts (SLSA) framework, pronounced "salsa," is the industry's most widely adopted standard for supply chain security. In SLSA's build track, the highest level (Build L3) requires signed, non-falsifiable provenance generated by a hardened build platform, with each build run in isolation from other builds. Earlier versions of SLSA additionally called for two-party review and hermetic builds, with reproducible builds recommended as a best practice.

Easily Reach SLSA 3 With Edera

Traditional approaches to SLSA compliance face significant challenges. Standard containers share the host kernel, so they don't provide the isolation between builds that the higher SLSA levels expect. Reusing build environments lets one build's leftover state – caches, credentials, injected dependencies – contaminate the next. Spinning up full VMs provides isolation but significantly impacts performance.

Edera's hardened runtime solves these challenges through lightweight VM-based isolation that delivers:

True hermetic builds - Each build runs in a genuinely isolated environment with its own kernel and filesystem, sharing nothing with neighbouring builds.

Ephemeral guarantees - Edera zones are designed to be disposable. Each build starts from a clean state, runs to completion, and terminates without leaving state behind for the next build to inherit.

VM-level security with container-level performance - Edera's architecture delivers VM isolation with startup times and resource efficiency approaching traditional containers.

Contained execution - Edera's containment capability ensures that even if a build process is compromised, the attacker cannot escape the isolated environment to tamper with other builds or other parts of your supply chain.

Organizations implementing SLSA with Edera can isolate each build step, prevent cross-build contamination, support reproducible builds, and enable zero-trust CI/CD. While achieving SLSA provides important compliance benefits, the real value lies in the fundamental security improvements.

The Edera Security Philosophy

The broken CVE ecosystem won't fix itself. Traditional container security models will continue to struggle with lateral movement and privilege escalation. Supply chain attacks will only grow more sophisticated. But organizations don't have to accept these realities.

Security at Edera isn't about checklists and compliance badges (though we do significantly help with those) – it's about fundamentally rethinking how we protect workloads in production. 

With Edera, you can run the software you need – regardless of its age or patch status – knowing that a compromise is contained at the runtime level. You can achieve regulatory compliance without sacrificing operational efficiency. You can build software supply chains that are genuinely resistant to modern attack techniques.

Security isn't a feature you bolt on. It's the foundation you build upon. Run your infrastructure with confidence, run it with Edera. 

Ready to see how Edera can transform your security posture? Contact our team to schedule a demo and learn how leading organizations are achieving 95% attack surface reduction with our hardened runtime.