- Limit Sysdig capture permissions to authorized operators. Capturing requires root (or the loaded kernel module/eBPF probe) and records every process's syscalls and I/O buffers, so treat the right to capture as root-equivalent.
- Use scoped sudo wrappers that accept only pre-approved filters and flags instead of granting unrestricted root shells or `sysdig` with arbitrary arguments.
- Audit every capture session: who ran it, when, with which filter, and where the output was written.
- Filter captures to the required processes, containers or file descriptors only (for example `proc.name=nginx`); sysdig filters on syscall and fd fields, not on network interfaces.
- Avoid broad full-host capture in multi-tenant environments, where a single trace exposes every tenant's process activity and I/O.
- Define a maximum capture duration and a storage quota, and enforce them in the wrapper (sysdig's `-M`, `-C` and `-W` options) rather than relying on operator discipline.
- Encrypt capture files at rest and in transit.
- Remove or mask secrets before a trace is exported: captures contain syscall I/O buffers up to the configured snaplen as well as process command lines, so tokens and passwords can appear in them. Keep the snaplen small unless payload data is actually needed.
- Apply a retention and deletion policy to troubleshooting artifacts so captures do not accumulate indefinitely.
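The checklist above, as one scoped sudo wrapper. This is an added example written for this page, not a tool shipped with Sysdig; the sudoers entry, the profile names, the capture directory, the policy limits and the GPG recipient are assumptions for illustration. Operators pick a named profile and a duration; the wrapper fixes the filter, clamps the duration, bounds on-disk size, keeps the snaplen small, logs the session to syslog, and encrypts the trace before anything else can read it.

```shell
#!/bin/sh
# sysdig-capture: a scoped wrapper intended to be the ONLY sysdig invocation an
# operator may run through sudo. Hypothetical example, not part of Sysdig.
# Assumed sudoers entry (/etc/sudoers.d/sysdig-capture; wrapper root-owned, mode 0755):
#   %capture-ops ALL=(root) NOPASSWD: /usr/local/sbin/sysdig-capture capture *
# Usage: sudo sysdig-capture capture <profile> <seconds>

CAPTURE_DIR=/var/lib/sysdig-captures   # assumed; root-only directory
MAX_SECONDS=300                        # policy: one session is at most 5 minutes
MAX_FILE_MB=200                        # policy: each capture file is at most 200 MB
MAX_FILES=2                            # policy: sysdig rotates, so at most 400 MB on disk
SNAPLEN=80                             # bytes of I/O buffer kept per event (sysdig default);
                                       # a small value keeps most payload data, and secrets, out
GPG_RECIPIENT=captures@example.org     # assumed key held by the troubleshooting team

# Named profiles map to fixed sysdig filters. Operators choose a name; they can
# never supply a raw filter, so a session cannot be widened to the whole host.
profile_filter() {
  case "$1" in
    nginx)    echo 'proc.name=nginx' ;;
    postgres) echo 'proc.name=postgres' ;;
    dns)      echo 'fd.l4proto=udp and fd.port=53' ;;
    *)        return 1 ;;
  esac
}

# Clamp the requested duration to [1, MAX_SECONDS]; reject anything non-numeric.
clamp_seconds() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  if [ "$1" -gt "$MAX_SECONDS" ]; then echo "$MAX_SECONDS"
  elif [ "$1" -lt 1 ]; then echo 1
  else echo "$1"
  fi
}

# Build the exact command line as one string so it can be logged and checked.
# -M stops after N seconds, -C/-W split and rotate files (bounded storage),
# -s limits captured buffer bytes, -w writes the trace, and the filter comes last.
build_cmd() {
  filter=$(profile_filter "$1") || return 1
  secs=$(clamp_seconds "$2") || return 1
  echo "sysdig -M $secs -C $MAX_FILE_MB -W $MAX_FILES -s $SNAPLEN -w $3 $filter"
}

run_capture() {
  operator=${SUDO_USER:-$(id -un)}
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  out="$CAPTURE_DIR/$stamp-$1-$operator.scap"
  cmd=$(build_cmd "$1" "$2" "$out") || {
    echo "usage: $0 capture <nginx|postgres|dns> <seconds>" >&2; return 2; }
  umask 077
  mkdir -p "$CAPTURE_DIR"
  logger -t sysdig-capture "start operator=$operator cmd=\"$cmd\""   # audit trail
  $cmd          # word-split on purpose: every word comes from this file, none from the operator
  rc=$?
  # Encrypt every file the session produced (split files derive their names from
  # the -w name, hence the glob) and delete the plaintext, so the trace is only
  # ever at rest in encrypted form.
  for f in "$out"*; do
    [ -f "$f" ] || continue
    gpg --batch --yes --encrypt --recipient "$GPG_RECIPIENT" "$f" && rm -f "$f"
  done
  logger -t sysdig-capture "end operator=$operator rc=$rc out=$out"
  return "$rc"
}

if [ "${1:-}" = "capture" ]; then
  shift
  run_capture "$@"
fi
```

Two caveats. A snaplen of 80 bytes keeps most request and response bodies out of the trace, but process command lines and file names are still recorded, so a trace should still be reviewed before it leaves the host. The wrapper covers access, scope, duration, size, audit and encryption; retention (a scheduled job that deletes old `.gpg` files from the capture directory) and control of the GPG private key are separate pieces of the same policy.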