---
title: Setting up Workload Protection
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > Workload Protection > Setting up Workload Protection
---

# Setting up Workload Protection

To get started with Workload Protection, use the Workload Protection [Get Started](https://app.datadoghq.com/security/workload-protection/onboarding) steps in your Datadog account.

{% alert level="info" %}
Activating Workload Protection requires the Org Management [permission](https://docs.datadoghq.com/account_management/rbac/permissions/).
{% /alert %}

## Remote configuration{% #remote-configuration %}

You can enable [Remote Configuration](https://docs.datadoghq.com/agent/remote_config/?tab=configurationyamlfile) for Workload Protection.

Remote Configuration can be used to:

- Automatically stay up to date on the latest security detections
- Block attackers and attacks

Remote Configuration can be set up using the Workload Protection [Get Started](https://app.datadoghq.com/security/workload-protection/onboarding) steps in your Datadog account.

{% alert level="info" %}
To enable Remote Configuration, ask your admin for the **API Keys Write** permission.
{% /alert %}

## Agent setup options for Workload Protection{% #agent-setup-options-for-workload-protection %}

Workload Protection supports **Agent-based-only deployments**.

## Supported deployment types{% #supported-deployment-types %}

The following table summarizes Workload Protection relative to deployment types.

| Docker                 | Kubernetes | Linux | Amazon ECS/EKS | Windows | AWS Fargate ECS/EKS | AWS Account | Azure Account | GCP Account | Terraform |
| ---------------------- | ---------- | ----- | -------------- | ------- | ------------------- | ----------- | ------------- | ----------- | --------- |
| Agent Required (7.46+) | yes        | yes   | yes            | yes     | yes                 | yes         |
| Workload Protection    | yes        | yes   | yes            | yes     | yes                 | yes         |

## Supported Linux distributions{% #supported-linux-distributions %}

Workload Protection supports the following Linux distributions:

| Linux Distributions                                      | Supported Versions         |
| -------------------------------------------------------- | -------------------------- |
| Ubuntu LTS                                               | 18.04, 20.04, 22.04, 24.04 |
| Debian                                                   | 10 or later                |
| Amazon Linux 2                                           | Kernels 4.14 and higher    |
| Amazon Linux 2023                                        | All versions               |
| SUSE Linux Enterprise Server                             | 12 and 15                  |
| Red Hat Enterprise Linux                                 | 7, 8, and 9                |
| Oracle Linux                                             | 7, 8, and 9                |
| CentOS                                                   | 7                          |
| Google Container Optimized OS (default on GKE) (Preview) | 93 and higher              |

**Notes:**

- Custom kernel builds are not supported.
- The [Workload Protection eBPF-less solution for eBPF disabled environments](https://docs.datadoghq.com/security/workload_protection/setup/agent/kubernetes) uses a ptrace-based Datadog Agent. The ptrace-based Datadog Agent supports Linux kernel versions from 3.4.43 to 4.9.85.
- For compatibility with a custom Kubernetes network plugin like Cilium or Calico, see [Troubleshooting Workload Protection](https://docs.datadoghq.com/security/workload_protection/setup/agent/docker).
- Data collection is done using eBPF, so Datadog requires, at minimum, platforms that have underlying Linux kernel versions of 4.14.0+ or have eBPF features backported (for example, Centos/RHEL 7 with kernel 3.10 has eBPF features backported, so it is supported).

## Deploy the Agent{% #deploy-the-agent %}

You can enable Workload Protection on the Datadog Agent using [multiple tools and systems](https://docs.datadoghq.com/security/workload_protection/setup/agent):

- [Kubernetes](https://docs.datadoghq.com/security/workload_protection/setup/agent/kubernetes)
- [Docker](https://docs.datadoghq.com/security/workload_protection/setup/agent/docker)
- [ECS EC2](https://docs.datadoghq.com/security/workload_protection/setup/agent/ecs_ec2)
- [Windows](https://docs.datadoghq.com/security/workload_protection/setup/agent/windows)
- [Linux](https://docs.datadoghq.com/security/workload_protection/setup/agent/linux)

## Workload Protection Agent variables{% #workload-protection-agent-variables %}

The Datadog Agent has several [environment variables](https://docs.datadoghq.com/security/workload_protection/setup/agent_variables) that can be enabled for Workload Protection. This article describes the purpose of each environment variable.