Book a Demo

Leveraging eBPF for Runtime Security


Visibility and eBPF

The first computer technology to provide a raw interface for network traffic analysis in kernel space was the Berkeley Packet Filter (BPF). An extended iteration of this technology (eBPF) – available since Linux 4.x – now works like a sandboxed virtual machine inside the Linux kernel. While eBPF applications are broad in monitoring hardware performance, the potential value of eBPF for network observability is revolutionary.

Modern applications are seperated by microservices and deployed across clusters of servers, often hosted in containers. With applications abstracted from their host operating systems, observing the system as a whole becomes a patchwork process of collecting and matching network operations data from individual servers and containers – the latter of which generally do not log or persist network data. By enabling kernel-level programs, eBPF elegantly solves this problem by capturing network operations on servers and containers in real-time.

eBPF and AuditD

For Linux users, talk of a kernel-level tool with implications for incident investigation likely sounds reminiscent of Linux’s native activity capturing feature, AuditD. eBPF and AuditD do share some common capabilities such as monitoring for system calls, file access, and other configurable events. Nevertheless, AuditD falls far short of eBPF for system-level visibility into modern cloud and multi-cloud environments. In particular, AuditD:

  • Creates excessive userspace syscall overhead
  • Often shows invocations such as execveat without revealing what they were called on
  • Is inherently container-unaware

Transforming eBPF into Actionable Insights with Spyderbat

Spyderbat offers an industry-first eBPF-based security solution for cloud native runtime environments. Using a lightweight nano agent that probes eBPF, Spyderbat captures real-time stateful observability within and across hosts and containers, without needing to collect and process data from other disparate log sources.

With Spyderbat, engineers don’t have to spend countless hours manually reconstructing event narratives after the fact from incomplete records. Instead, Spyderbat automaticaly stitches together causal sequences of activities as they occur from eBPF data. This includes connecting incoming/outgoing network connections from hosts and containers to their respective processes. Spyderbat both visualizes these causal sequences of activities as Spydertrace, as well as assesses a risk score for every Spydertrace with new activities.


Platform and Security teams use Spyderbat to observe activities live and in granular causal context, enabling automated root cause identification, early problem recognition, and attack detection.

To schedule a live demo to see Spyderbat transform eBPF into actionable insights, contact Spyderbat today.

Previous Containing Container Escape Exploits
Multi-Cloud Tracing for Runtime Visibility and Security Next