Attack Defense Tutorial: Leverage eBPF to reveal attack flows with rich context
In this tutorial you learn how mature, well-maintained FOSS eBPF tools make invisible activity visible, and how hooking the kernel lets you understand what is really happening.
We guide you through a series of attacks (MITRE ATT&CK TTPs) using an intuitive UI and use eBPF to watch how each step is detonated:
- Intercepting malicious payloads in encrypted traffic
- Watching file access in a smart way
- The value and dangers of hooking STDOUT/STDIN
- Fileless malware abusing (deleted) file descriptors
- Rating mechanisms for usefulness: syscalls, file hashes, packets, etc.
- Tracing a pivot across neighboring services (in the UI and at kernel level)
- Capability abuse, e.g. for person-in-the-middle
- How to use eBPF to achieve standardized audit logs
Two parallel difficulty levels ensure everyone can follow along and challenge themselves. The hands-on exercises focus on giving you a systematic methodology to take home and apply to your own systems.
Constanze Roedig
Independent OpenSource Maintainer and Cybersecurity Researcher