Safeguard
Tag

ebpf

Safeguard articles tagged "ebpf" — guides, analysis, and best practices for software supply chain and application security.

20 articles

Cloud Security

Connecting build, deploy, and runtime security into one AppSec lifecycle

The XZ Utils backdoor (CVE-2024-3094) was found in the build chain; most tools that would have caught it stop at deploy. Here's how to close that gap.

Jul 11, 20267 min read
Kubernetes Security

Falco vs. Tetragon vs. Tracee: choosing a Kubernetes runtime security tool

Falco graduated CNCF in February 2024, Tetragon enforces in-kernel, and Tracee ships 330+ prebuilt eBPF detections — here's when each one actually wins.

Jul 11, 20267 min read
Container Security

Container Runtime Security Monitoring: Catching the Breach in Progress

Scanning tells you what could go wrong before deploy. Runtime monitoring tells you what is going wrong right now. Here is how to detect container attacks as they happen.

Jul 8, 20265 min read
Container Security

eBPF Runtime Security for Kubernetes

eBPF lets you observe and enforce security at the kernel level — every syscall, network connection, and process exec — without kernel modules or instrumenting your apps. Here is how tools like Falco, Tetragon, and Cilium use it to catch what image scanning cannot.

Jul 8, 20266 min read
Container Security

Runtime security tools for Kubernetes clusters

A concrete look at Kubernetes runtime security tools — Falco, Tetragon, Tracee, eBPF, and recent CVEs — and what to check before you buy one.

Jun 25, 20267 min read
Container Security

eBPF in Kubernetes

eBPF gives Kubernetes deep runtime visibility, but it only sees what a container does after it starts. Here's what Aqua's Tracee gets right, and where supply chain gaps remain.

Apr 15, 20267 min read
Container Security

What is Container Runtime Security

Container runtime security monitors running containers for malicious behavior that image scanning can't catch — here's how it works and why it matters.

Mar 21, 20267 min read
Tools

Falco 0.40: Modern eBPF Is Now Default

Falco's 0.40 release line makes modern eBPF (CO-RE) the default driver, deprecates the legacy probe and gVisor engine, and changes how operators ship Falco. Here's what changed and what to test.

Mar 19, 20266 min read
Container Security

Deploying Cilium Tetragon for eBPF Runtime Security in 2026

A practical guide to rolling out Tetragon for kernel-level runtime visibility, covering policy authoring, performance overhead, and integration with existing detection pipelines.

Mar 4, 20266 min read
Tool Comparison

Tetragon vs Falco: 2026 Runtime Security Field Test

Both Tetragon and Falco run on eBPF and both ship as CNCF projects. We benched them side by side on a 400-node cluster — coverage, overhead, and enforcement behavior.

Feb 26, 20266 min read
Cloud Security

What is Runtime Protection

Runtime protection catches what pre-deployment scanning can't — live attacks like the XZ Utils backdoor and Log4Shell exploitation, detected only in production.

Jan 31, 20266 min read
Container Security

Cilium Tetragon Runtime Security with eBPF

A practical look at Cilium Tetragon for Kubernetes runtime security, what eBPF gives you that audit logs do not, and where Tetragon fits in a real stack.

Jan 26, 20267 min read
ebpf — Safeguard Blog