
Tracee is an eBPF-based runtime security tool for cloud-native environments, offering advanced threat detection and observability capabilities.
Vendor: Aqua Security Software

Tracee is a cutting-edge runtime security and observability tool that leverages eBPF technology to provide comprehensive threat detection and monitoring for cloud-native environments. It collects and analyzes system events, identifies potential security threats, and offers seamless integration with container orchestration platforms.
Key Features
eBPF-based Event Collection
Tracee utilizes eBPF technology to collect system events efficiently and safely.
- Collects 330 syscalls and other non-syscall events out of the box
- Uses cutting-edge eBPF features to prevent evasion by attackers
Behavioral Threat Detection
Identifies defense evasion techniques based on the MITRE ATT&CK framework.
- Detects fileless execution, anti-debugging, and kernel module loading
- Combines behavioral indicators with eBPF events for real-time threat detection
Easy Deployment and Integration
Seamlessly integrates with popular container orchestration platforms and notification tools.
- Simple deployment with Kubernetes and Docker using "kubectl create" or "docker run" commands
- Supports external notification tools like Slack and GitHub Actions via Postee
Benefits
Enhanced Security Visibility
Provides deep insights into system behavior and potential security threats.
- Real-time threat detection in runtime environments
- Captures artifacts like network packets and executables for further analysis
Flexibility and Customization
Offers various options to tailor the tool to specific security needs.
- Customizable filters for event collection in specific clusters, containers, and hosts
- Multiple output templates, including JSON output and Go templates, for easy viewing of findings