An important topic in cloud computing is security. Security in the cloud is more akin to a journey rather than a destination. Securing a cloud platform is a complex task that has to be implemented on multiple layers. One of these layers is the container layer. This thesis focuses on the container layer. It concentrates on container security during run time. The intention of the thesis is to improve on the results of an open-source runtime security tool, Falco. Falco's biggest weakens is the amount of alerts it sends out. In many cases an actual attack alert can be buried by the number of alerts Falco sends out if their priority level is low. By implementing a tool that uses simple algorithms to detect malicious behaviour in the containers we aim at improving the priority level of those Falco alerts that have an underlying attack as source. The selected algorithms look at container metrics, such as CPU and memory usage and identify outliers in their usage attempting to pinpoint when an attack is happening. If the algorithms detect an attack at the same time as Falco does the priority level of the Falco alerts is increased thus giving the alert more significance.