Runtime security threats are detected and analyzed for serverless functions developed for hybrid clouds or other cloud-based deployment environments. One or more serverless functions may be received and executed within a container instance executing in a controlled and monitored environment. The execution of the serverless functions is monitored, using a monitoring layer in the controlled environment to capture runtime data including container application context statistics, serverless function input and output data, and runtime parameter snapshots of the serverless functions. Execution data associated with the serverless functions may be analyzed and provided to various supervised and/or unsupervised machine-learning models configured to detect and analyze runtime security threats.