Reel

Reel

Forensic evidence capture for regulated Kubernetes, plus a free open-source VEX hub

Freemium
4.8 (9 reviews)

Gallery

About Reel

Reel calls itself the black box recorder for regulated Kubernetes, and the metaphor does most of the explaining. It takes forensic snapshots of live containers before they disappear, capturing processes, memory, filesystem, packages, cryptography, and threats, then lands that evidence in your own S3 vault with a timestamp on it.

The timing is the whole point. Pods get rescheduled, crash, and roll out constantly, so when an auditor or an incident review asks what was actually running in production last Tuesday, the container that would answer the question is long gone. Reel's framing is that evidence has to be captured before any reporting clock starts, not reconstructed afterwards from whatever logs happened to survive. The site maps this directly to DORA, NIS2, and the Cyber Resilience Act, which is the regulatory pressure most of its target buyers are already living under.

It ships in three shapes. The CLI does one-shot scans from a terminal or a CI pipeline, so a single command exports a CBOM from a live container, scans a running container for malware, or generates and stores an SBOM for an image with or without CVEs and vendor VEX attached. The Kubernetes Agent installs once through a Helm chart and then scans every pod in the cluster on a schedule you set with annotations, something like an SBOM upload every hour and a CBOM daily, pushing evidence to S3 as it goes. A single container's evidence manifest might hold a checkpoint archive, a memory dump, a layer diff, an SBOM, a CBOM, and a malware scan, and the sizes in the site's own example run from a couple of kilobytes up to a gigabyte for the memory dump.

The third surface is the interesting one. Reel runs as an MCP server, so Claude Code, Cursor, and Continue can ask it about live container state and get real answers back covering SBOMs, crypto, processes, files, and memory. The worked example on the site has an assistant asking what's actually exploitable in an nginx container and getting back a CVE count with the large majority ruled out by vendor VEX, then asking about weak crypto and turning up a couple of RSA-1024 keys, then listing what else runs on the node. That's runtime context, which is precisely what AI security scanners normally have no way to reach.

Alongside the commercial product sits vex-hub, which is free, open source under Apache 2.0, and needs no account, key, or node limit. It aggregates vendor VEX statements from Red Hat, SUSE, Ubuntu, Debian, Rancher, Alpine, Amazon Linux, AlmaLinux, and Oracle Linux across CSAF, OVAL, OpenVEX, secdb, and ALAS feeds, covering extended-support streams like RHEL EUS and Ubuntu Pro ESM rather than just the headline releases. You drop in a CycloneDX SBOM, a VEX document, or both, and get back an annotated document. Hand it an SBOM with a vulnerabilities list and it annotates each one with the vendor verdict. Hand it components only and it fills the vulnerabilities in from vendor data first. Hand it VEX alone and you get an OpenVEX document with your statements merged against the vendor's view, and where the two collide, yours wins.

The verdicts themselves are what make this useful. A vendor saying Not Affected means the CVE doesn't reach their product and you can suppress it. Fixed means a patched version is out. Under Investigation means keep watching. Affected means plan the work. Most scanners hand you a long list of CVEs and leave you to figure out which ones matter, and Reel's own copy is blunt about the payoff, most CVEs in your image don't apply. Pairing runtime evidence with vendor verdicts is how it tries to shrink the triage pile to something a human can get through in an afternoon. There's an analyze endpoint for API use and a statements endpoint with filters for vendors, statuses, source formats, and dates. A good chunk of the tooling is public on GitHub too, including the CLI, a GitHub Action, the Helm chart, the VEX resolution service, and two format-conversion libraries for OVAL and CycloneDX.

Access is freemium and priced by node. The free license covers up to nine nodes and includes the full cluster agent with continuous capture, SBOM and CBOM analysis, malware detection, and vex-hub. Pro is 180 pounds per node per year with a ten-node minimum, which puts the entry point at 1,800 pounds a year, and it lifts the node cap and adds production licensing. Enterprise is custom and brings volume discounts, air-gapped and on-premises licensing, custom retention terms, and procurement support. Billing is annual through Stripe, and the site says the CLI and vex-hub stay free forever. There's no published support address, only a contact form, though they claim to read every message and reply personally within a day.

Key Features

  • Forensic snapshots of live containers
  • SBOM, CBOM, and malware scanning
  • Scheduled cluster-wide agent via Helm
  • Evidence uploaded to your own S3 vault
  • MCP server for AI security tooling
  • Free open-source vex-hub aggregation

Pros & Cons

What we like

  • Captures container evidence before the pod disappears
  • Evidence lands in your own S3 bucket rather than a vendor cloud
  • vex-hub is free and open source with no account or node limit
  • MCP server gives AI assistants real runtime container context

Room for improvement

  • Aimed at containers and Kubernetes, not broader infrastructure
  • Paid tier starts at a ten-node minimum, so cost jumps past the free cap
  • Evidence like memory dumps and checkpoints gets large fast
  • No published support email, only a contact form

Frequently Asked Questions

What is Reel?
Reel takes forensic snapshots of live containers in Kubernetes, capturing processes, memory, filesystem, packages, crypto, and threats, then stores that evidence timestamped in your own S3 vault. It runs as a CLI for one-shot scans, a cluster agent on a schedule, and an MCP server. The site maps it to DORA, NIS2, and the Cyber Resilience Act.
What is vex-hub?
vex-hub is Reel's free, open-source VEX service, licensed Apache 2.0 with no account, key, or node limit. It aggregates vendor VEX statements from Red Hat, SUSE, Ubuntu, Debian, Rancher, Alpine, Amazon Linux, AlmaLinux, and Oracle Linux. Upload a CycloneDX SBOM or a VEX document and it annotates each CVE with the vendor's verdict.
Is Reel free?
The free license covers up to nine nodes and includes the full cluster agent, SBOM and CBOM analysis, malware detection, and vex-hub. Pro is 180 pounds per node per year with a ten-node minimum, so 1,800 pounds a year to start. Enterprise is custom. The CLI and vex-hub are free forever.
Who is Reel for?
Platform and security teams running Kubernetes under regulatory pressure, who need evidence of what was actually running rather than a reconstruction after the fact. It also suits anyone drowning in CVE lists, since vex-hub clears the ones vendors say don't apply. The MCP server appeals to teams pointing AI assistants at their clusters.

Best For

Capturing compliance evidence before a pod is rescheduledScanning images for vulnerabilities in a CI pipelineCutting a CVE backlog down using vendor VEX verdictsGiving an AI assistant live container state to reason over

Featured in

Alternatives to Reel

View all

Reviews (9)

R
Ryota Svensson Verified

Finally something that fits

Three months of Reel later, here is what holds up. The output quality holds up better than I expected. Performance has been steady even when I lean on it hard. Worth it for what I get out of it.

5/19/2026 14 found this helpful
D
Dmitri Almeida

Finally something that fits

Have been running Reel for a while, here is where I land. Where it really wins is sbom, cbom, and malware scanning. Easy yes for anyone weighing the same trade offs.

3/29/2026 14 found this helpful
J
James Nair Verified

Recommended without reservation

Reel solves a real problem for me without making a fuss about it. The sbom, cbom, and malware scanning is more useful than I expected. The core workflow is smooth once you are set up. Mostly using it for giving an ai assistant live container state to reason over.

7/12/2026 12 found this helpful
C
Carlos Nielsen Verified

Worth a look

Started using Reel casually, now it is pinned in my dock. What stands out is how it handles evidence uploaded to your own s3 vault. Found it works best for scanning images for vulnerabilities in a ci pipeline. Recommending it to people in a similar spot.

5/29/2026 12 found this helpful
J
James Greco

Solid daily driver

Three months of Reel later, here is what holds up. The thing I keep coming back to is how reliable it is. It earns its place in my stack.

4/21/2026 2 found this helpful
E
Emerson Cruz Verified

Worth a look

Started using Reel casually, now it is pinned in my dock. Got real value out of forensic snapshots of live containers. No regrets so far.

7/5/2026 1 found this helpful
R
Ren Pereira Verified

Pulled its weight from week one

Reel has quietly become part of my daily flow. Support actually answered when I had a question, which surprised me. The defaults are sensible, so I was not fighting settings on day one. It earns its place in my stack.

6/3/2026 1 found this helpful
C
Carlos Meyer Verified

Quietly excellent

Picked Reel for the price, stayed for the quality. What stands out is how it handles scheduled cluster-wide agent via helm. The core workflow is smooth once you are set up. Found it works best for cutting a cve backlog down using vendor vex verdicts. Recommending it to people in a similar spot.

6/15/2026
A
Amara Costa Verified

Pulled its weight from week one

Came to Reel after getting frustrated with what I had before. What stands out is how little babysitting it needs. Worth it for what I get out of it.

6/10/2026