Multi-messenger security: Adaptive Kubernetes SOC from Disparate eBPF Tools
The Linux kernel, through eBPF, offers to unify the disparate fields of security and observability through shared data structures. We show how a Kubernetes (K8s) Security Operations Center, organically composed of established eBPF projects (CNCF Kubescape, Pixie and Tetragon), can see signals that the individual tools cannot.
We explain how we achieve a comprehensive baseline and then use independent signals to dial coverage up or down as suspicious indicators surface. The mutual independence of signals from process, file-system and network activity yields a high signal-to-noise ratio, keeping data volumes manageable and enabling selective forensic storage.
You will see a live demo of the io_uring rootkit, which is hard to detect for syscall-based security tools in their default configurations but almost trivial to detect with our adaptive setup.
Additionally, our SOC architecture is node-local and no data leaves the cluster, meaning you remain sovereign and in control of your data.
Constanze Roedig
Independent Open Source Maintainer and Cybersecurity Researcher