drop k8s audit log · detect mass secret reads + token usage anomalies
flags bulk secret get/list · service account token requests · kube-system secret reads · actor rollup
heuristic screener · audit policy and export format vary by cluster version, so results are not definitive proof
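An added sketch of the kind of per-actor rollup described above, not the tool's own code. It reads JSON-lines events using the `stage`, `verb`, `user.username` and `objectRef` fields of the `audit.k8s.io/v1` event schema; the threshold, flag names, `make_event` helper and sample events are assumptions constructed for this example.

```python
import json
from collections import defaultdict

BULK_THRESHOLD = 3  # assumed cutoff: distinct secrets read by one actor

def make_event(user, verb, resource, ns, name=None, sub=None, stage="ResponseComplete"):
    """Build one constructed audit.k8s.io/v1-style event line (not real data)."""
    ref = {"resource": resource, "namespace": ns, "name": name, "subresource": sub}
    return json.dumps({"kind": "Event", "stage": stage, "verb": verb,
                       "user": {"username": user}, "objectRef": ref})

CI = "system:serviceaccount:dev:ci"  # constructed actor name
SAMPLE_LOG = "\n".join([
    make_event(CI, "get", "secrets", "dev", "db"),
    make_event(CI, "get", "secrets", "dev", "api"),
    make_event(CI, "get", "secrets", "kube-system", "ca"),
    make_event(CI, "create", "serviceaccounts", "dev", "ci", sub="token"),
    make_event("alice", "get", "secrets", "dev", "db", stage="RequestReceived"),
    make_event("alice", "get", "secrets", "dev", "db"),
    '{"kind": "Event", "stage": "Resp',  # truncated export line
])

def screen(log_text):
    """Roll up secret reads and token requests per actor; return flags."""
    seen = defaultdict(lambda: {"secrets": set(), "flags": set()})
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate malformed or truncated lines
        if not isinstance(ev, dict) or ev.get("stage") != "ResponseComplete":
            continue  # count each request once, at its final stage
        ref = ev.get("objectRef") or {}
        actor = seen[(ev.get("user") or {}).get("username", "<unknown>")]
        verb, res, ns = ev.get("verb"), ref.get("resource"), ref.get("namespace")
        if res == "secrets" and verb in ("get", "list"):
            if ns == "kube-system":
                actor["flags"].add("kube-system-secret-read")
            if verb == "list":
                actor["flags"].add("bulk-secret-read")  # a list returns many secrets
            else:
                actor["secrets"].add((ns, ref.get("name")))
        elif res == "serviceaccounts" and ref.get("subresource") == "token" and verb == "create":
            actor["flags"].add("sa-token-request")
    for a in seen.values():
        if len(a["secrets"]) >= BULK_THRESHOLD:
            a["flags"].add("bulk-secret-read")
    return {name: sorted(a["flags"]) for name, a in seen.items() if a["flags"]}
```

If the audit policy omits the `ResponseComplete` stage, filter on whichever stage the cluster does record so each request is still counted once.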