How to adopt the Bill of Behaviour into your daily workflow: bobctl for transparent security

We introduce the “Bill of Behavior” (BoB): a vendor-supplied profile detailing known benign runtime behaviors for software, designed to be distributed directly within OCI artifacts. Generated using eBPF, a BoB codifies expected syscalls, file access patterns, network communications, and capabilities. This empowers powerful, signature-less anomaly detection, allowing end-users to infer malicious activity or tampering in third-party software without the current burden of authoring and maintaining complex, custom security rules.
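As an added illustration of the detection idea described above (this is example code written for this page, not bobctl or the BoB specification's own code or schema): a constructed profile listing the syscalls, file-access patterns, network endpoints and capabilities a hypothetical web-service image is expected to use, and a check that flags any observed event falling outside it. The profile layout, the `Event` record and the sample trace are all assumptions made here; a real BoB is generated from eBPF observations and shipped alongside the OCI artifact rather than hand-written.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, Iterable, List, Optional

# Constructed profile for a hypothetical web-service image. The schema is
# an illustrative stand-in, not the real BoB specification.
PROFILE = {
    "syscalls": {"read", "write", "openat", "close", "accept4", "epoll_wait", "mmap"},
    "files": {
        "read": ["/etc/ssl/certs/*", "/app/config/*.yaml"],
        "write": ["/tmp/*"],
    },
    "network": {
        "listen": [("tcp", 8080)],
        "egress": [("tcp", 443)],
    },
    "capabilities": {"NET_BIND_SERVICE"},
}


@dataclass(frozen=True)
class Event:
    """One observed runtime event, in the shape an eBPF tracer might report (assumed)."""
    kind: str         # "syscall" | "file" | "network" | "capability"
    op: str           # syscall name, file op, network direction, or capability name
    target: str = ""  # file path, or "proto/port" for network events


def check_event(profile: Dict, ev: Event) -> Optional[str]:
    """Return a description of the deviation, or None if the event is expected."""
    if ev.kind == "syscall":
        return None if ev.op in profile["syscalls"] else f"syscall not in profile: {ev.op}"
    if ev.kind == "file":
        patterns = profile["files"].get(ev.op, [])
        if any(fnmatch(ev.target, p) for p in patterns):
            return None
        return f"file {ev.op} outside profile: {ev.target}"
    if ev.kind == "network":
        proto, port = ev.target.split("/")
        if (proto, int(port)) in profile["network"].get(ev.op, []):
            return None
        return f"network {ev.op} not in profile: {ev.target}"
    if ev.kind == "capability":
        return None if ev.op in profile["capabilities"] else f"capability not in profile: {ev.op}"
    return f"unknown event kind: {ev.kind}"


def detect_anomalies(profile: Dict, events: Iterable[Event]) -> List[str]:
    """Run every event through the profile and collect the deviations, in order."""
    return [a for a in (check_event(profile, e) for e in events) if a is not None]


# Constructed sample trace: mostly expected activity, with four deviations.
SAMPLE_EVENTS = [
    Event("syscall", "openat"),
    Event("file", "read", "/etc/ssl/certs/ca-bundle.crt"),
    Event("network", "listen", "tcp/8080"),
    Event("syscall", "execve"),              # unexpected: the service spawns a process
    Event("file", "write", "/etc/passwd"),   # unexpected: write outside /tmp
    Event("network", "egress", "tcp/9000"),  # unexpected: egress to a port not in profile
    Event("capability", "SYS_ADMIN"),        # unexpected: capability not in profile
    Event("capability", "NET_BIND_SERVICE"),
]

if __name__ == "__main__":
    for finding in detect_anomalies(PROFILE, SAMPLE_EVENTS):
        print(finding)
```

The point of the check is that nothing in it is a signature: the operator never writes a rule for `execve` or `/etc/passwd`, and the same code flags whatever the vendor's profile does not list, which is what makes the approach shareable across images without per-image rule authoring.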

We will demonstrate the BoB specification's portability across diverse ecosystems, languages, and stacks. The main focus of our talk will be the vital role of user transparency and user experience:

Starting from the perspective of a customer journey, we designed a CLI experience tailored to both vendors and users—aiming to integrate seamlessly into existing ecosystems. Since effective security depends heavily on human factors, we deliberately optimized for minimal friction. In this talk, we’ll share the compromises we made, where our assumptions failed, and how user feedback reshaped our thinking.

Our ultimate goal? Empower the cloud-native community with a shareable, composable, and actionable framework for runtime security that fits naturally into modern Kubernetes workflows.

To close, we invite you to join our live-lab experiment — an open call to test and improve the system together. Your feedback will shape the future of runtime security tooling. Let’s make runtime behaviour as observable and manageable as CI/CD pipelines.

Constanze Roedig

Independent OpenSource Maintainer and Cybersecurity Researcher
