Market Analysis of eBPF-Based Products
Very few IT professionals are in a position to formally learn about eBPF and develop in-house tools with it. I write this report to help you get an understanding of what eBPF-based commercial products are available today and the types of use cases they achieve which would otherwise be unavailable.
Perhaps looking at commercial products is a backwards way of understanding the technology, but understanding the market landscape can give you a solid conceptual foundation with regard to where, how, and why eBPF is used.
Most online resources quote the likes of FAANG and other big service providers that have developed eBPF tools in-house to manage their monstrous infrastructure and services. But these use cases haven’t really resonated with me - I don’t really care how Meta is doing networking behind closed doors, especially if I just consume the thing as a service. What FAANG can do and is doing in-house is not an accurate reflection of the wider tech industry.
I asked Thomas Graf - the creator of Cilium and chairperson of eBPF foundation - about his view on the eBPF market and community sentiment. He said that
‘A lot of people want to get involved in eBPF. They want to learn, but they want guidance for what it is a good area to invest learning into’.
He’s the one who introduced me to eBPF about four years ago. I was very much in the same place, where I wanted to learn but didn’t really know what to learn about. Since then, I’ve been regularly asking about eBPF, and the penny dropped a few years later when I had a large enough sample size of eBPF-enabled use cases. It also helped that these were commercial products, so they were articulated and positioned in a way that could be monetized.
Having looked at a total of ~45 products for this report that are based or use eBPF, I’ve summarized some of the most common as well as coolest use cases today. If you want to learn more about the eBPF, its capabilities, and market, this document can help you find the best area to focus on, or identify gaps in the market.
There’s also an open source toolset directory which you can check on ebpf.io. Some open source projects featured there have an enterprise-grade version which are included in this report.
Most importantly, this document can help highlight what can be achieved by running stuff in the kernel which has not been available or sufficient without eBPF, such as:
Manage cloud costs so you don’t get an AWS bill kerfuffle
Verify the integrity of an agent so you don’t get another CrowdStrike blue screen fiasco
Observe networks so you don’t get another SolarWinds supply chain debacle
Major Use Cases
Generally speaking, eBPF has mainly been used for observability, networking, and security for Linux-based systems. However, eBPF is Turing complete, which means that you can use it to perform any computation. But because it’s hard to understand and evaluate a technology that can do anything and everything, we’ll try to categorize this into these major use cases, plus another section labelled as 'cool stuff’.
It’s also worth noting that these three categories also bleed into each other, where a tool can enforce security at a network level or be used to observe network traffic. I found it very hard to draw hard lines between categories, especially when it comes to observability, so tools in this report will be categorized by their base use case, even if they can be used for others too.
By the numbers
Here’s a summary of how products in this report are categorized:
11 Acquisitions - Some are nested acquisitions, such as Splunk acquiring Flowmill, then getting acquired by Cisco.
1 Networking-based product acquired
3 Security-based products acquired
7 Observability-based products acquired
17 Observability products - out of them, 6 are Kubernetes-specific. It is very hard to distinguish between different flavors of observability. For example, monitoring HTTP requests can be both network monitoring and application monitoring. Or, service can mean a K8s service, or just a third-party service.
18 Security products - which are almost exclusively for runtime security. Only 1 product is for network security.
4 Networking products - all for Kubernetes, 3 being CNIs.
Observations and Takeaways
eBPF’s security
Most eBPF-based products are from start-ups
Windows OS available, not supported by Microsoft. And MacOS?
eBPF is still obscure
Networking is underappreciated
Security homogeneity
1. eBPF’s security
While eBPF is built with security mechanisms and has verifiers, eBPF programs also exploitable. The funny thing is that you can use eBPF to secure eBPF, which we cover below. For further reading on the security of eBPF I suggest the Security Threat Model and also this article on bypassing eBPF Security Monitoring.
2. Most eBPF-based products are from start-ups
The main eBPF developers today are either start-ups or big tech. Start-ups mainly offering commercial products (including OSS + enterprise plans), while FAANG developing in-house tools.
Developing eBPF-based products or features for most other companies will be difficult, which I suspect is for the following reasons:
There is little knowledge about the advantages of eBPF or how it works, so there is also little incentive
It’s hard to find developers who know C and kernel programming
The easiest way to get in the eBPF game is to acquire startups, which gives you access to both the technology and the engineers.
The large players such as Broadcom, Cisco, IBM, CrowdStrike, or DataDog have gained eBPF-based capabilities by acquiring point-solution tools.
Some mid-sized provider like Wiz, Sentinel One, SysDig, have developed their eBPF features in house, but they are an exception rather than the norm.
I expect more start-ups to enter the market and, implicitly, more acquisitions.
3. Windows is here, but not Microsoft
When we say that eBPF is coming to Windows, we means that eBPF will be formally supported by Microsoft. There already is a Windows open source project that supports eBPF, but it’s not officially supported my Microsoft, and I haven’t seen anybody (publicly declare that they) use it. Perhaps this official lack of support for a closed source OS like Windows is what prevent tools from emerging. If there are any custom tools that somebody wrote in house, I don’t know.
3b. MacOS?
I encourage you to check this open source project that bring eBPF for MacOS. It’s an eBPF-based security toolkit that enforces syscall restrictions per Python module, providing granular control over application's security profile. Think of it as seccomp-bpf for Linux, but operating at the Python module level.
It does the following:
Module-Level Security: Define and enforce syscall restrictions per Python module
Automated Profiling: Traces your application to create tailored security profiles
Multiple Enforcement Modes: Log, stop, or kill processes on policy violations
Production Ready: Negligible performance impact thanks to eBPF
Supply Chain Protection: Mitigate risks from vulnerable dependencies
4. eBPF is still obscure
I talk to about 100 vendors every year (and do desk research for about 150 more), and I’ve been asking about eBPF at least since 2022. I mostly get shrugs, and the occasional vendor that uses eBPF has a product manager that doesn’t understand it well enough to explain.
Granted, some of those like SIEM tools don’t really have explicit use cases for eBPF, but there still is very little understanding even from technical people about it.
So I’ve done a very rigorous research exercise by comparing eBPF with Wasm and K8s in Google Trends to see what it comes up with. While K8s is obviously more popular/queried, even Wasm - which is a comparable technology in terms of maturity and adoption - is much more searched for.
I don’t think we’re going to see mainstream discussions about eBPF anytime soon (like we hear about K8s), but it will slowly be included in most enterprise IT products in one way or another. The folks at F5 have been telling me that they see eBPF as a means to an end rather than a feature in and of itself, which I generally agree with. But I also believe that it’s important to understand how eBPF-based apps work and how they’re different if you are to compare multiple products.
5. Networking is underappreciated
I’ve got a grand total of four vendors that offer eBPF-based networking products. This is surprising, because if, for example, you look at the performance difference between eBPF and standard Linux for Calico and Cilium, you can see such a big performance improvement - see image below.
There is this interesting paper that explains NetEdit, a Meta project that quotes a 4.6x improvement for networking. It’s a system that orchestrates the composition, deployment, and life-cycle management of eBPF programs across a large fleet of servers, which has been deployed in production for five years at the time of publishing.
I can only speculate on the lack of networking products, so here goes:
Networking is commoditized and not as profitable as security and observability
Network operating systems have developed specialized Linux distributions with proprietary kernel modules optimized specifically for networking hardware. These custom modules are tightly integrated with the specific ASICs, and network processing units in their hardware, allowing for optimized performance and hardware-specific features.
Cloud networking is abstracted, so you only use what the cloud provider gives you, which may or may not use eBPF.
Most of your choices for cloud-abstracted networking functions are CNIs and service meshes, both applicable for Kubernetes. CNIs already leverage eBPF. Service meshes typically use Istio or Envoy.
Source: https://cilium.io/blog/2021/05/11/cni-benchmark/
6. Security homogeneity
Most security products are different flavors of runtime security, with a single vendor that uses eBPF for network security. Some variations on runtime security include:
Runtime data security
Security for IoT and edge devices
Runtime detection and response
File integrity monitoring
Runtime security for Ci/CD
Container fingerprinting
Acquisitions of eBPF start-ups
I want to first talk about acquisitions that involve a large technology provider buying eBPF startups to ingest their capabilities. This highlights two phenomenons here;
First, there’s an appetite for capabilities provided by eBPF, and even large tech vendors prefer acquiring smaller companies for both the technology and the engineering teams.
Second, it will give a lot more context for these large providers when we talk about their respective capabilities.
Cisco acquires Isovalent (2024)
This is the big one - Isovalent, who have been synonymous with eBPF since 2015, getting acquired by the largest networking provider. Cilium is open-source and widely deployed as a CNI, which gives Cisco the opportunity to provide Tetragon-based security and Hubble-based observability to a large Cilium userbase. Cisco continues supporting Cilium, Tetragon, and Hubble as open-source projects, and the Isovalent continues their regular operations under Cisco.
SUSE acquires StackState (2024)
SUSE acquired StackState who have built a great observability platform using eBPF. The tool automatically relates all topology, telemetry, and events within the environment, monitors signals such as latency, error rate, and throughput for pods, processes, and services. With StackState, SUSE will accelerate cloud native observability for the enterprise by integrating the platform into Rancher Prime, its premium container management service.
CrowdStrike acquired Flow Security (2024)
Flow Security uses eBPF technology to analyze data in motion for data discovery, classification, risk management, and data violation detection and response. eBPF's runtime analysis capabilities, payload classification, and its unmatched ability to provide deep insights into network and application activities make it our secret weapon in analyzing data in motion.
CrowdStrike plans to fully deliver native Flow Security DSPM capabilities in Falcon Cloud Security as part of the Falcon XDR platform, enabling customers to consolidate cloud point solutions and protect the entire cloud estate.
Snyk acquries Helios
Helios’ eBPF and OTel-based runtime data collection techniques, implemented at the platform, kernel, and application levels, will grant Snyk customers access to runtime data, offering insights into how applications are interacting with their environments and a real-time understanding of what is actively running during execution. When combined with Snyk’s development and build time context, Snyk AppRisk will provide a holistic view of application risk. These runtime data collection techniques will enable Snyk to build a framework for collecting and incorporating runtime data into Snyk AppRisk, and will strengthen collaborations with runtime-focused partners to enable mutual customers to benefit from enhanced runtime data and visibility.
Postman acquires Akita (2023)
In 2023, Postman acquired eBPF-based API monitoring tool Akita to integrate the discovery and monitoring capabilities to the Postman API Platform. The Akita Agent uses eBPF to watch API traffic, and analyzes traffic to infer endpoint structure (including path parameters), data types, authentications.
Red Hat acquires StackRox (2021)
Red Hat’s acquisition of StackRox implements the eBPF agent that gathers runtime data to provide visibility across Kubernetes clusters. Red Hat incorporates the StackRox capabilities to refine native Kubernetes controls and shift security left into the container build and CI/CD phase.
Elastic acquires Cmd (2021)
Cmd developed infrastructure detection and response (IDR) features by using eBPF to gain visibility into cloud workloads. As part of Elastic Security, Cmd is used to detect, prevent, and respond to attacks on their cloud workloads.
Elastic acquires Optimyze (2021)
Optimyze used eBPF for continuous profiling of systems and code with low performance overhead. Optimyze became part of the Elastic Agent to for improved data collection for observability and security.
Splunk acquries Flowmill (2020), and contributes to OpenTelemetry by donating it to CNCF (2021), then gets acquired by Cisco (2024)
In 2020, Splunk acquired Flowmill, a Palo Alto-based company with a real-time, service-aware network observability solution for modern applications. With Flowmill, Splunk expands its Observability Cloud capabilities, giving customers the ability to ingest, analyze and take action on additional cloud network and infrastructure data.
One year later, they announced donating the Flowmill eBPF collector to the OpenTelemetry CNCF project, to give OpenTelemetry an out-of-the-box solution for generating detailed network telemetry using eBPF
Datadog acquries Seekret (2022)
Seekret’s eBPF tooling autodiscover and visualize API assets, interconnections, and dependencies. Datadog added these API observability features in the APM and security products.
New Relic acquries Pixie (2020)
Pixie uses technologies such as eBPF to collect metrics, events, logs, and traces automatically from the application, infrastructure (Kubernetes), operating system, and network layers. New Relic included these capabilities to improve their observability features without additional instrumentation.
Observability
eBPF gives you a great way of monitoring Kernel-level events, so naturally a lot of vendors have developed products around this. Also, most eBPF applications are naturally applied to Kubernetes (and containers) as it’s reliant on Linux, but non-Kubernetes use cases are also widely available.
You can do stuff like:
Infrastructure monitoring - low-level visibility into metrics such as CPU consumption, memory utilization, and disk space allocation
Network Monitoring and Service Mapping - visibility into how services, pods, and processes communicate with each other across infrastructure, including traffic flows, dependencies, and network-level metrics.
Application Performance and tracing - capturing and enriching distributed traces, which can consist of API calls and request/response information across services
Processes and system activity - processes information, including file execution and file opening, I/O operations on disk and memory, device activity, including system calls.
Security-oriented observability - where eBPF-based agents collect data for security processing rather than performance monitoring
Observability is also a prerequisite for security, where most security products featured in this report rely on the kernel-level data gathered using eBPF agents or probes. In this category, we only include products who sole point is infrastructure, network, and application monitoring.
Cisco Cloud Observability (non-Cilium)
What it does - K8s network monitoring
Cisco Cloud Observability provides application and infrastructure monitoring, creating topological views of application dependencies and the impact of network performance on cross-dependency communication. It uses eBPF to monitor incoming and outgoing TCP/UDP network connections in the context of Kubernetes-aware metadata, instead of ephemeral IP addresses. It can visualize network connections, relationships, and dependencies.
Datadog’s Universal Service Monitoring
What it does - service and application monitoring
Datadog used eBPF within build Universal Service Monitoring (USM), where an eBPF agent parses HTTP(S) traffic from the kernel network stack. It provides visibility into request, error, and duration metrics from every service across the infrastructure infrastructure, irrespective of the programming language they use. USM will automatically detect new services in real time and begin monitoring them.
Gigamon’s Precryption and UCT
What it does - K8s network monitoring
Gigamon Precryption uses eBPF senors running to provide plaintext visibility into all encrypted communications before the payload is encrypted. It captures the traffic when it is in plain text rather than performing the decryption itself.
Universal Cloud Tap (UCT) containerized instances are deployed alongside CNIs to copy packets from other containers on the same worker node via eBPF. In this way, UCT does not directly inspect, copy, nor handle any of the packets, thereby making this the most efficient method of tapping virtualized traffic.
Grafana Labs' Beyla
What it does - application and service monitoring
Grafana Beyla is an open source eBPF-based auto-instrumentation tool that provides application observability applications regardless of their programming language. Beyla uses eBPF to capture Rate-Error-Duration metrics and basic trace spans for Linux HTTP/S and gRPC services without any modifications to application code or configuration. Beyla was started at Grafana Labs and announced in 2023 and uses it to correlate collected telemetry with backend and infrastructure data in the Grafana Labs LGTM stack.
groundcover
What it does - infrastructure and application monitoring
groundcover uses eBPF for log management, real-time cloud-native infrastructure monitoring, and application performance monitoring. It enriches logs with context and correlates with relevant metrics and traces.
Kentik's Convis
What it does - K8s network monitoring
Convis is an open-source eBPF tool developed by Kentik that provides visibility into the processes and containers that are communicating with each other, and with the internet. It captures call made by applications to the kernel to accept or initiate a connection. Using eBPF, Convis can inspect the arguments to the call, extracting for example the source and destination IP address and ports of a new TCP connection.
Kodem
What it does - application and infrastructure monitoring
Kodem uses am eBPF monitor to monitor events like system calls and networking, letting Kodem see and subscribe to events at the kernel level without impacting the overall stability or security of the system. As the application executes, loads other code, moves data, etc.
Kodem’s solution uses a negligible percentage of an application’s resources, typically taking no more than 0.1% of CPU.
Levo.ai
What it does - API traffic monitoring
The Levo sensor is a userspace process that uses eBPF to capture API traffic, including full HTTP payloads from Linux workloads. The sensor does not require any modifications to application workloads. Captured API Traces are sent to the Levo Satellite component, for data anonymization, schema generation, and sensitive data detection and annotation.
MantisNet
What it does - network monitoring
MantisNet CVF platform combines eBPF along with in-node processing capabilities, integration with container orchestration systems, along with an open, extensible architecture to provide Packet Capture, dynamic topology, protocol Specific Processing, monitoring of Encryption Systems and Plain-Text Extraction, and live Tracing.
Middleware
What it does - infrastructure and network monitoring
Middleware uses eBPF to monitor all the network traffic and activity that flows through the system. All hops will be detected, along with source and destination IP data, in order to provide accurate and real-time service maps. The eBPF agent exporting data to the Middleware platform is able to recognize various network protocol requests such as HTTP, gRPC calls, SQL queries, Kafka Calls, and more.
It can create a service map for the network flow and displays queries made from the backend to the database and any issues or occurrences in the flow of network traffic between the respective services.
New Relic’s Pixie
What it does - K8s infrastructure and service monitoring
New Relic acquired Pixie, an open source Kubernetes-native-in-cluster observability platform that provides instant visibility into Kubernetes workloads with no manual instrumentation. Pixie uses uprobes and kprobes to provide visibility into K8s workloads and telemetry for service maps, cluster resources, application traffic, and pod states.
Odigos
What it does - tracing
Odigos uses eBPF to automatically generate traces in OpenTelemetry format. Their performance tests claim that eBPF-based automatic instrumentation is over 20x faster than manually instrumenting code. This is achieved by separating data recording and data processing, eliminating extra workload, object allocation, and network calls during application runtime.
Qpoint.io
What it does - network traffic observability
Qtap uses eBPF for application traffic inspection to get visibility into outbound SSL/TLS traffic before encryption. This allows for full payload access without the need for TLS termination or certificate management, giving organizations the ability to detect and respond to traffic anomalies in real-time. The use of lightweight eBPF probes minimizes the impact on system performance, making Qtap ideal for high-traffic environments.
Red Hat
What it does - network monitoring
To create an alternative to IPFIX that is portable and usable by most CNIs, Red Hat wrote an eBPF agent to control traffic. The agent is attached at the ingress and egress of all physical and virtual network devices. It inspects the headers of all received and submitted packets, then forwards them serially to the user-space code through a ring buffer. This operation is performed with safety guarantees due to the pre-verification steps of the eBPF virtual machine.
The user space agent aggregates in memory the quantitative information of each packet to compose the actual flows and periodically forwards them to the flow collector, as defined in the IPFIX scenario.
SUSE
What it does - K8s network and service monitoring
SUSE uses eBPF to monitor data flow between processes, even across clusters and clouds, we gain insights into service interactions that were previously hidden. This includes real-time metrics on throughput, latency, and error rates for protocols like HTTP, HTTPS, MongoDB, and Kafka. It provides visibility into request paths, status codes, and topic names.
The Apache Software Foundation's SkyWalking Rover
What it does - application, network and infrastructure monitoring
SkyWalking Rover uses eBPF to monitor network traffic and infrastructure. It can collect extra information from OS level as attached events for an existing tracing system, such as attach raw data of HTTP request and response.
Traceable
What it does - K8s network monitoring
Traceable’s eBPF solution operates as a daemonset, which can selectively instrument specific pods or containers. This precision extends to our data collection capabilities, encompassing both ingress and egress data on gateways or backend services.
The eBPF deployment focuses on efficiently sending data to our processing tools, rather than processing it on-site.
Security
If we remind ourselves that the PF in eBPF stands for packet filtering, we can easily see how eBPF is a great resource-efficient way of implementing host firewalls. However, with the extensive observability features, most tools have opted for runtime security that can gather and analyze granular low-level data.
Two advantages for eBPF-based runtime security over traditional agents are considerably lower overhead, and the verifier potentially preventing another global bluescreen doomsday.
AccuKnox’s KubeArmor
What it does - runtime security
AccuKnox's open source KubeArmor uses eBPF and Linux Security Modules to secure workloads based on Cloud Containers, IoT/Edge, and 5G networks using policy-based controls.
Aurva
What it does - runtime data security
Aurva is using eBPF for runtime data security and database monitoring. Some of its use cases includes Data Discovery & Classification, database Activity Monitoring, and data Lineage.
Aquasec’s Tracee and Lightning Enforcer
What it does - runtime security
Tracee is an open source runtime security and forensics tool used to trace systems and applications at runtime. It analyzes collected events to detect suspicious behavioral patterns.
Aquasec also released the Lightning Enforcer, which monitors behavior and prevents drift to detect suspicious activities such as a fileless execution in containers, new binaries dropped to an immutable workload, container escape event, and others
ARMO Security’s Kubescape
What it does - runtime security
ARMO provides comprehensive runtime security, detection, response and prevention capabilities, utilizing eBPF sensors to monitor and analyze system and application behaviors at the kernel level. The solution can perform agentless scanning, for Cloud, Container, and Kubernetes Security Posture , and provides advanced runtime context monitoring across various environments, including on-premises, cloud-managed services, and multi-cloud infrastructures.
A key differentiator of ARMO's offering is its sophisticated detection, prevention, and hardening capabilities. The platform can automatically detect anomalies like cryptomining activities by monitoring kernel-level changes, parse Layer 7 network traffic to identify potential attacks and exploits, and perform detailed call stack analysis to trace the origins of suspicious processes. Moreover, it can automatically generate security configurations such as network policies and seccomp profiles, and prevention policies by observing actual workload behaviors, effectively reducing unnecessary system call permissions and potential attack surfaces - this approach mitigates unsolved vulnerabilities and risk by applying specific prevention policies on the vulnerable workloads, reducing exploitation probability by over 90%.
Aviatrix
What it does - network security
Aviatrix implements eBPF into the Distributed Cloud Firewall product to analyze, observe and enforce network security policies for traffic within and between cloud environments.
Cycode’s Cimon
What it does - runtime security for CI/CD pipelines
Cimon (CI Monitor) is a runtime security agent designed for CI/CD pipelines to provide real-time protection and preventing unauthorized access. It comprises a user-space loader application and secure kernel-space BPF sensor applications. These sensor applications monitor specific kernel events, generate secondary events, and send them to the user space for further processing.
Datadog
What it does - File Integrity Monitoring, Process Execution Monitoring
Datadog’s security-based eBPF capabilities include file integrity monitoring, which detects content and attributes changes across multiple event types, such as open, chmod, mkdir, link, mount. It also detects abnormal process execution patterns with a multi stage context gathering, and has a historical process tree with short lived processes.
Exein’s Pulsar
What it does - runtime security fpr IoT and edge computing
Pulsar is an open-source event-driven framework for monitoring the activity of Linux devices which collects runtime information about the system from the Linux kernel through its modules, enrich and transform this information into events and publish the events on a shared event bus. This can be used write and apply any rule to generate alerts when undesired system behaviour occurs, such as accessing certain areas of the filesystem. It collects data on file I/O:, network data, processes, and system activity.
Invary
What it does - runtime security and system integrity
Invary uses eBPF to measure OS kernel integrity by appraising the invariant properties of an endpoint’s operating system to detect modification to the kernel that signal a loss of integrity.
Invary leverages it to gather state-based information - taking snapshots of the kernel's current state by collecting both static and dynamic kernel data structures. They then compare these snapshots against a known baseline to detect compromises, malware, or rootkits. This approach verifies that critical kernel components maintain their integrity during runtime.
Oligo Security
What it does - runtime security
Oligo uses eBPF technology to enable kernel-level tracing that covers the entire host and breaks down applications into their individual library components to monitor their behavior at runtime. Oligo combines eBPF-driven insights with tools like Oligo ADR and Oligo Focus to prioritize vulnerabilities and address threats efficiently.
Rad Security
What it does - container fingerprinting
The RAD security standard uses eBPF to codify the baseline behavior of a cloud workload into a behavioral fingerprint to acts as a verifiable defense against zero day software supply chain attacks. The fingerprint is composed of a container, it’s processes and child processes, and the programs and files that are a part of those processes.
Red Canary
What it does - runtime security
The redcanary-ebpf-sensor gathers system data via probes that insert themselves at various points in the kernel (such as the entrypoint and return of the execve system call) and gather information on the call and its context. This information is then turned into a telemetry event, which is sent to userspace through a perf buffer.
SentinelOne
What it does - runtime security
eBPF probes provide visibility into the kernel to collect cloud workload telemetry and feed it to an XDR system for real-time detection of suspicious or malicious activity. It can detect activities such as crypto mining, local privilege escalationm and ransomware encryption.
Snyk
What it does - runtime detection
The Helios team at Snyk has built an an eBPF-based runtime detection tool to identify a running container attempting to exercise the Leaky Vessels CVE-2024-21626 vulenrability on underlying infrastructure.
Sysdig's Falco
What it does - runtime security
Falco is an open source, cloud native runtime security tool that designed to detect and alert on abnormal behavior and potential security threats in real-time. It audits systems at the Linux kernel layer to identify anomalous behavior.
Upwind Security
What it does - runtime security, response and prevention
Respond to threats in real time with Upwind’s eBPF sensor by killing malicious processes in runtime environments. Create prevention policies and automate prevention for a set time period, automatically stopping malicious processes from running in workloads. Cut down time to remediation with built-in root cause analysis and custom remediation plans for every threat detection.
Uptycs
What it does - runtime security
With eBPF, Uptycs inserts probes into the kernel to monitor events of interest to us. This happens when osquery starts up and passes information back to the userland osquery process. Uptycs also maps kernel memory to achieve compatibility across different Linux kernel versions i.e. compile ebpf program(s) once and use it quickly and easily across various kernel versions.
The telemetry gathered includes the ancestor list, showing who is the parent of that process and the related ancestry. This forms a powerful detections framework for tracing processes and forming event alerts, differing from the open-source osquery framework that requires multiple JOINs and correlating the PID with the process table to implement a container detections framework.
Wiz
What it does - runtime security
Wiz’s eBPF-based Runtime Sensor monitors Kubernetes and containerized environments in real-time. The Sensor gathers targeted eBPF-captured system calls and sends them to Wiz's cloud-based SaaS solution. As such, Wiz can identify malicious files, IPs, domains, malicious behavior, and anomaly detection. The Process tree allows Security operators to see connections between process activities, user sessions, and network connections across containers and systems. Wiz also automatically detects workload behaviors, making it possible to detect new behaviors in real-time.
Networking
Using eBPF for networking can give great performance improvements. The current adoption of eBPF-based networking is almost exclusively for Kubernetes and virtualized environments.
Network operating systems that are Linux-based (and most of them are) could use eBPF, but they use custom kernel modules. The likes of Cisco, Juniper, and Arista have developed specialized Linux distributions with proprietary kernel modules optimized specifically for networking hardware. These custom modules are tightly integrated with the specific ASICs and network processing units in their hardware, allowing for optimized performance and hardware-specific features.
Broadcom’s VMware’s Tanzu Service Mesh
What it does - Kubernetes service networking
Tanzu was a previously open-source project by VMware. In the Tanzu Service mesh, eBPF is used to achieve network acceleration by bypassing the TCP/IP networking stack in the Linux kernel.
Cisco’s Isovalent's Cilium
What it does - Kubernetes networking
Cilium is an open-source container networking interface (CNI) that is synonymous with eBPF and has been designed on top of it to address the networking, security, and visibility of containers.
Tigera's Project Calico
What it does - Kubernetes networking
Project Calico is an open-source CNI that offers a pluggable eBPF-based data plane for Kuberentes networking and security.
Juniper’s CN2
What it does - Kubernetes networking
Cloud-Native Contrail Networking (CN2) is a Kubernetes-native SDN that secures and automates virtualized Infrastructure as a Service (IaaS) and multiple containerized application clusters into an integrated network. An eBPF form factor of CN2 vRouter is in limited tech preview. Some of the currently supported features include default pod network, pod to pod connectivity, kubernetes network policy, ClusterIP service, LoadBalancer service, Fabric SNAT, and BGPaaS.
Other cool stuff
Attribute (Attrb.io)
What’s cool about it - uses eBPF to monitor cloud costs without using tags
Attribute correlates the granular data collected by eBPF probes with business metrics to calculate costs and provide actionable insights over cloud spending. They monitor system calls, payload level network traffic, and application behavior in real-time, revealing how cloud services are used. This goes beyond basic metrics like CPU or memory usage, capturing which entities (e.g., teams, customers, or business units) are using specific resources. This can discover how workloads are used for service delivery, including shared services and multi tenant setups.
Attribute aligns cost to business metrics such as customer activity, team contributions, or product usage, without requiring manual tagging or any configurations - which makes time to value immediate. The system deploys as a daemonset in customer environments and utilizes eBPF sensors for deep packet inspection across multiple application protocols of cloud providers. For example, it can analyze traffic patterns and queries across various services including RDS (MySQL/PostgresSQL), BigQuery, S3, Kafka, Bedrock, and data transfer costs (even cross AZ).
Bluerock
What’s cool about it - non-eBPF tool for securing eBPF applications
BlueRock secures eBPF-based applications through a thin, type-one hypervisor-like approach that protects the integrity of the Linux kernel itself. Rather than trying to secure Linux from within Linux (which they argue is fundamentally flawed), BlueRock creates an independent layer using hardware virtualization technologies like Intel VTx and VTd. This layer sits below the Linux kernel and provides an additional point of control, allowing it to enforce security policies and protect kernel structures that eBPF relies on, such as trace points, from being bypassed or disabled by attackers.
Invary
What’s cool about it - eBPF-security that can secure eBPF
You may remember Invary from the security part. They employ eBPF in two distinct ways for security purposes. First, they use eBPF for runtime integrity measurement of the Linux kernel. Unlike other vendors that primarily use eBPF to track events.
Second, Invary provides security for the eBPF layer itself, addressing the growing concern that as eBPF adoption increases, so do potential compromises. Their solution includes three key capabilities: validating that loaded eBPF programs haven't been altered at runtime, providing enhanced observability of eBPF activity (showing which programs were loaded, from which processes, and how often they change), and detecting risky behaviors commonly used in attacks. This helps organizations identify whether eBPF programs are legitimate security tools or potential threats.
Prompt Security
What’s cool about it - monitors API calls made to LLMs
Prompt Security uses eBPF to trace the communication between applications and the vector database, providing insights into query patterns, response times, and potential issues.
They instrumenting eBPF at the network layer to monitor and log the API calls made to these services, capturing crucial information such as request and response data, latency, and error rates. This can show which third-party models applications are relying on and how they are being used, track the performance of external model calls to identify bottlenecks or inefficiencies, and ensure that data shared with third-party models adheres to privacy and security regulations.
Red Canary
What’s cool about it - uses eBPF to debug eBPF
eBPFmon offers features to make the exploration, debugging, and analysis of eBPF programs easier. eBPFmon can actively monitor systems for eBPF programs. It will constantly check the system for the addition or removal of programs and update the UI appropriately. The program view allows you to view the disassembly along with a program’s metadata, mapping it all in a single window.
From the program view, you can select a map to display its contents. An eBPF map is made up of key-value pairs. Depending on the map type, there may be restrictions on what the key-value pairs can be and their size. eBPFmon allows you to format the data in a variety of ways, such as hex, decimal, char, or raw. It also allows you to view those values in different bit widths and endian formats.
Stackstate
What’s cool about it - uses eBPF to debug eBPF
StackState not only develops a cluster monitoring solution for customers to use, we also use it ourselves. As part of our commitment to quality, we run pre-release versions of our components on our own infrastructure, predominantly hosted on Google Cloud and AWS. We operate a combination of custom Ubuntu-based nodes and default nodes, which run Google’s Container-optimized OS (COS) on our Google Kubernetes Engine (GKE) clusters.
One of the most important parts of our agent is the eBPF-based HTTP probe. This component allows you to use StackState for troubleshooting HTTP error codes, even for TLS connections, without any additional instrumentation from the endpoints. The probe is loaded into the kernel when the StackState agent starts. However, after an update to our cluster nodes, the loading failed on some of them, while it still worked fine on others.
Caveats and Asterisks
Not including open source tools
Not including in-house tools
Only including commercially available solutions
Solutions with more than one use case will be categorized under its main use case. For example, observability for security is categorized as observability.
If you want your solution included or have corrections, please email me at andrew.green@precism.co
https://www.parca.dev/ is a popular open source continuous profiler that also uses eBPF. (disclaimer: I work on it)
Hey Frederic, I think you could add Jibril: jibril.garnet.ai for security (together with tracee, falco, tetragon, etc).