Skip to content
Real-time, eBPF-powered visibility

Instantly see what’s happening across Kubernetes & Linux

Live file changes, network connections, and container events—enriched with MITRE mapping so you can act fast.

Experience the Live Demo

Works with your stack

Kubernetes Docker Linux containerd CRI-O AWS Azure GCP
Runtime Security • dashboard
Runtime Security live dashboard showing file, network, and container events ▶ Experience the live demo
Kubernetes logo Kubernetes-native Docker logo Containers & Images Linux logo Linux Hosts

Real-time FIM, network, and container events—enriched with MITRE mapping

5 min

Install to first signal

0

App restarts required

100%

Cluster & host coverage

24/7

Live telemetry streaming

Deploy in minutes—no workload changes

Runtime Security ships as a lightweight eBPF agent. Run it directly on a Linux host or as a sidecar in your Kubernetes cluster—no kernel modules, no code changes, and no app restarts required.

  • Drop-in agent — single-step install or bake it into your golden AMI for bare metal and VM fleets.
  • Sidecar ready — run alongside any workload; the sidecar watches the node with zero service configuration.
  • Works everywhere — supports Kubernetes, containerd, Docker, and vanilla Linux with the same sensor binary.
Experience it in the live demo →

Whether you deploy the agent directly on a node or ship it as a sidecar, Runtime Security latches onto the kernel with eBPF and begins streaming telemetry instantly. No sidecar rewrites, no DaemonSet gymnastics, and no kernel modules to compile—just drop it in and watch the dashboard light up.

Note: the dashboard’s “Deployment” section walks through the exact install steps for hosts and Kubernetes clusters once you’re inside.

Golden AMI ready

Bake once, cover fleets

Sidecar template

Drop into any workload

Runtime agnostic

Kubernetes, Docker, CRI-O

No kernel modules

Upgrades stay painless

Why eBPF beats agent-based tracing alone

OpenTelemetry excels at instrumenting application code, but Runtime Security’s eBPF hooks live in the kernel—watching every syscall, socket, and container lifecycle event without asking developers to change a thing.

Kernel-level eBPF visibility

  • Sees system calls, network flows, and execs before they bubble up to user space.
  • Captures workloads you don’t control—third-party services, legacy binaries, even shell sessions.
  • No sampling or library updates—deploy the sensor once and stay current across every node.
  • Minimal overhead thanks to JIT-compiled programs that run inside the kernel’s hot path.

Traditional telemetry limitations

  • Requires app instrumentation and maintenance—easy to miss shadow IT or batch jobs.
  • Observes events after they hit the runtime, leaving blind spots for short-lived processes.
  • Depends on developer adoption and consistent SDK upgrades across teams.
  • Sampling or agent overload can drop security-relevant signals when systems are busy.

Use Runtime Security’s eBPF stream alongside OpenTelemetry traces: kernel hooks ensure nothing slips through while your app metrics stay untouched.

What Runtime Security does

Runtime Security watches your systems and containers in real time and gives you the context you actually need to respond.

File changes

See every create, edit, rename, and delete across your fleet.

Network activity

Track DNS lookups, HTTP calls, SSH sessions, and raw socket usage.

Container events

Watch start/stop, image pulls, runtime, and namespace changes in real time.

Who triggered it

Correlate events with process names, command lines, users, and containers.

When it happened

Precise timestamps and drift detection make timelines trivial to reconstruct.

Why it matters

Every alert is enriched with MITRE ATT&CK tactics, severity, and remediation hints.

Why teams choose Runtime Security

Security, DevOps, and platform engineers roll it out for the same reasons: deep visibility with almost no friction.

Catch issues early

Detect suspicious file edits, network spikes, and container drifts before they become incidents.

One unified view

Correlate hosts, containers, processes, and users in the same timeline—no context switching.

Lightweight footprint

eBPF runs inside the kernel, so overhead stays low even on busy clusters.

Actionable context

Every event carries MITRE IDs, severity, and user attribution so humans can respond fast.

Works with any stack

Kubernetes, Docker, containerd, CRI-O, bare-metal Linux—no agents per runtime.

Fast time-to-value

Install in minutes, experience the live demo, and scale without touching application code.

How it works

From install to incident response, every step is designed to be quick, observable, and low-maintenance.

Step 1

Install the sensor

Drop the agent on a node or run the sidecar template. eBPF attaches in seconds with no restarts.

Step 2

Stream live signals

File, process, and network telemetry flows to the dashboard instantly—no sampling, no gaps.

Step 3

Investigate & respond

Pivot by user, container, or MITRE tactic and export the evidence you need in clicks.

Each stage feeds the next: once the eBPF hooks fire, telemetry lands in a unified timeline with MITRE tagging, severity, and the right context so responders can jump straight to action.

What activity we detect

Open the panels to see the exact file, network, and container telemetry we stream.

Created, modified, read
Renamed or moved
Deleted
Permissions & ownership changed
Size & timestamp changed
Extended/chattr attributes
DNS queries and responses
HTTP methods, paths, status
SSH connection attempts
Source/destination details
Container start/stop
Workload and namespace
Node and pod context
Image details where available
Experience the Live Demo
Demo