The silent spread of containers inside the enterprise

Developers are spinning up containers everywhere, without oversight or control. It’s a silent trend creating big risks for security and governance.
Written by
Neil Cresswell
,
Portainer CEO
5 min read
October 27, 2025
October 28, 2025
Last updated:
October 28, 2025

There is a very real problem occurring in IT right now, and it is one that few leaders are prepared to confront. Across almost every enterprise, containers are proliferating at an alarming rate, entirely outside of central oversight. Anyone with even a small amount of technical knowledge can, and often does, spin up their own Docker, Podman, or Kubernetes environment. Some do it for experimentation, others for development, and some even for what they call “productive business use.” Most of the time, that means data analytics.

On the surface, it seems harmless enough. A small test app here, a containerised script there. But underneath, it represents a systemic and growing risk that most CIOs and CISOs are completely blind to.

The problem begins with the simplest truth: none of these environments are secured beyond the defaults. Defaults are designed for convenience, not protection. A personal container setup is rarely hardened, rarely audited, and almost never monitored. Since it is usually created for personal use, the individual running it sees no reason to lock it down.

IT is generally unaware of their existence. These systems sit on developer workstations, virtual machines, or small “personal cloud” servers (sitting under a desk), often running under personal credentials. There are no tickets, no approvals, no network entries in the CMDB, and no monitoring agents installed. They simply do not exist in the official landscape of corporate assets.

Because of the way container networking works, these environments are nearly invisible. All of the network traffic appears to come from the host system’s IP address, which means it looks exactly like normal workstation traffic. The containers could be making outbound connections to anywhere, and to corporate network monitoring tools, it just appears as another laptop browsing the internet or querying APIs.

This invisibility creates the perfect storm for malicious exploitation. Typo-squatting of popular container images is rife on public registries. A developer can accidentally pull a malicious image whose name differs by only a single character from a legitimate one. Done well, the malicious image behaves exactly as expected, running the intended application while silently harvesting credentials or data in the background.

Trend Micro documented one of the most notorious examples of this, involving two containers named “alpine” and “alpine2.” The second, masquerading as a legitimate base image, contained a cryptominer and was propagated by a companion image that scanned the internet for open Docker daemons to infect. Aqua Security later found similar impersonations of official language images, such as “openjdk” and “golang,” that also embedded miners. And an academic study by Virginia Tech and the University of Delaware, researchers demonstrated at scale how easily typo-squatted image names are downloaded and executed by mistake. Small spelling errors, it turns out, can open very large doors.

In environments without zero-trust networking, these containers operate with near unrestricted access to the enterprise network. From the container’s perspective, everything reachable by the host is reachable by it as well. That means databases, internal APIs, and management interfaces may all be within easy reach of unvetted, unmanaged software.

It takes only a few keystrokes for a developer to deploy a reverse tunnel container such as inlets (https://inlets.dev/) or even a CloudFlare reverse proxy, exposing an internal-only service to the public internet. In many cases this is done innocently, simply to share a proof of concept or a demo with a colleague or a client. Yet the outcome is the same: an internal service, now exposed, without authentication or inspection.

And if any of those containers are compromised, the leap from container to host is almost instantaneous. A weakly configured host, such as one running with an overly permissive socket or mount, can be compromised in seconds. From there, the attacker inherits the same credentials, network access, and privileges as the user who owns the host.

All of this happens in complete obscurity. The CISO is unaware, the CIO is unaware, and the IT operations team is often only focused on the officially sanctioned container platforms. Ironically, those sanctioned environments are often the very reason shadow platforms exist. When governance rules are too strict, or the user experience too painful, people take matters into their own hands. They install Docker, Podman, or Kubernetes locally and build what they need to get their work done. The result is a parallel, unmanaged container ecosystem living quietly inside the enterprise.

Why this keeps happening

This is not a problem that can be solved through prohibition. You cannot simply ban non-IT-sanctioned deployments of Docker, Podman, or Kubernetes. Doing so will not eliminate the behaviour; it will just push it further underground. The only sustainable path forward is one that combines visibility, control, and cultural understanding.

And this is where the real issue lies. These “shadow” environments don’t exist because people are reckless. They exist because the centrally provided container environments are often not fit-for-purpose. The user experience is designed not by and for the end users, but by the central engineering team. The UX is often too cumbersome and technically complex, the onboarding process too slow, or the guardrails too restrictive. Developers and analysts want to get work done, not submit tickets and wait days for an environment that still doesn’t meet their needs. This is further compounded by the near unlimited examples of “docker run” or “docker compose” commands that come up on any google search for how to run a modern app.

To change that dynamic, IT must deliver a central platform that people want to use, something that feels flexible and intuitive while still being safe. You absolutely want a policy that prohibits the uncontrolled deployment of container platforms, but that policy only works if the sanctioned alternative actually meets user expectations. Either it needs to offer a secure, fully managed play-space for experimentation, or it needs to make decentralised deployments possible within clearly defined, baseline-secure parameters.

This is precisely where Portainer helps. It gives IT the tools to deliver both. Its user interface is designed for ease of use, providing a self-service experience that developers enjoy, while still allowing IT to define guardrails and enforce policy. And because Portainer can centrally manage decentralised Docker, Podman, or Kubernetes runtimes, it provides the visibility and control needed to bring shadow environments back under management, without killing the flexibility that made them appealing in the first place.

The uncomfortable truth is that shadow container environments are not a technical failure; they are a usability failure. The fix is not to clamp down harder, but to offer something better. Portainer bridges that divide, allowing IT to empower users with freedom and speed, while ensuring the business remains secure, visible, and in control.

Neil Cresswell
Portainer CEO
Share this post
This is some text inside of a div block.
Related content

Practical. Relevant.
Real insights.

View all articles
October 14, 2025
October 22, 2025
Light coloured arrow icon
If your control plane lives in someone else’s cloud, it’s not yours.
Neil Cresswell
,
Portainer CEO
Technology
October 5, 2025
October 6, 2025
Light coloured arrow icon
OPA Gatekeeper rules got you tearing your hair out?
Neil Cresswell
,
Portainer CEO
Technology
October 1, 2025
October 2, 2025
Light coloured arrow icon
The Hidden Headache of Kubernetes RBAC
Neil Cresswell
,
Portainer CEO