Klarrio: Security by design as the foundation for software

Klarrio has released a white paper on its approach to security by design in cloud-native software development. The company argues that regulatory compliance should be the result of strong security practices, not the primary reason for them. The approach centers on risk-based security throughout the design and development process.

Cybercrime is costing the global economy more and more money. According to estimates, the global annual cost of cybercrime will exceed $1.2 trillion by the end of 2025. At the same time, the rise of AI-powered attack tools is lowering the barrier to entry for malicious actors. Deepfakes for phishing and automated hacking tools are now widely available.

The company has released a white paper on security in cloud-native software development. In it, Klarrio explains how it integrates security into every phase of the design and development process.

Compliance is not an end goal

Klarrio argues that companies are currently struggling with the growing body of new European regulations. The NIS2 Directive and the EU’s Cyber Resilience Act require organizations to take proactive security measures, but the sheer volume of rules is causing confusion for many companies. Furthermore, Klarrio states in the white paper that simply checking off compliance requirements creates a false sense of security, so critical risks may remain unaddressed. Klarrio argues that compliance should be the result of solid security practices, not their primary driver.

The company’s approach centers on risk-based security, where priorities are determined by the threats most relevant to an organization’s specific activities. According to Klarrio, incorporating security directly into the design costs about ten percent more during development. Making adjustments afterward can cost 10 to 15 times as much.

Open source and attack surface

Modern platforms consist of seventy to ninety percent open-source components, ranging from Kubernetes to the CNCF ecosystem. This offers transparency and speed, but also increases the attack surface. Klarrio applies strict selection criteria before a component is eligible for use in its platforms.

The Klarrio Security Framework operates with three team roles: a blue team that designs and implements defensive measures, a red team that actively identifies vulnerabilities, and a purple team that facilitates knowledge exchange between the two. Additionally, the company launched a Security Champions program in early 2025 to structurally embed security into the development culture.