eBPF Runtime Security

Runtime threats don't wait for your next scan.

Kubesentry watches every process, syscall, and container event in your K8s clusters — and stops attacks at execution time, not after the fact.

Detects: Container Escape · Privilege Escalation · Cryptomining · Lateral Movement · Syscall Anomalies · Policy Violations

How It Works

Three steps from zero to runtime visibility.

No sidecar containers. No application code changes. Deploy in minutes with a single Helm command.

1. Deploy the eBPF agent

One Helm command installs the Kubesentry DaemonSet on every node. Works on EKS, GKE, AKS, and self-managed clusters.

$ helm repo add kubesentry https://charts.kubesentry.com
$ helm install ks kubesentry/kubesentry \
  --namespace kubesentry-system \
  --create-namespace
# DaemonSet running on all nodes in <2min

2. Define policy rules

Write YAML policies — or import your existing Falco rules. The policy engine evaluates every event against your threat signatures.

apiVersion: sentry.io/v1
kind: ThreatPolicy
metadata:
  name: detect-container-escape
spec:
  condition: syscall.type=unshare
  severity: critical
  action: alert+isolate

3. Respond to alerts

Alerts route to Slack, PagerDuty, or your SIEM within 30 seconds at P99. Every alert includes the process tree, container ID, and namespace.

🚨 CRITICAL: Container Escape
pod: api-server-6d9f4bc
ns: production
node: ip-10-0-1-42.ec2.internal
syscall: unshare(CLONE_NEWPID)
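As an added illustration of steps 2 and 3 (this is not Kubesentry's code; the product's rule semantics are not published on this page, so the matcher below is a hypothetical model), the snippet evaluates a ThreatPolicy-style `condition` of the form `field.path=value` against constructed syscall events and assembles the pod, ns, node and syscall fields that the alert card above displays.

```python
from dataclasses import dataclass

# Hypothetical minimal model of the ThreatPolicy YAML above (not Kubesentry's code).
@dataclass
class ThreatPolicy:
    name: str
    condition: str   # "field.path=value", e.g. "syscall.type=unshare"
    severity: str
    action: str      # "alert+isolate" -> ["alert", "isolate"]

    def actions(self):
        return self.action.split("+")

def lookup(event, dotted):
    """Resolve a dotted path like 'syscall.type' in a nested dict; None if absent."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def matches(policy, event):
    field_path, _, expected = policy.condition.partition("=")
    value = lookup(event, field_path.strip())
    return value is not None and str(value) == expected.strip()

def build_alert(policy, event):
    """Assemble the fields the alert card shows: pod, ns, node, syscall."""
    args = ",".join(event["syscall"].get("args", []))
    return {"severity": policy.severity.upper(), "policy": policy.name,
            "pod": event["k8s"]["pod"], "ns": event["k8s"]["namespace"],
            "node": event["node"],
            "syscall": f"{event['syscall']['type']}({args})",
            "actions": policy.actions()}

def evaluate(policies, events):
    return [build_alert(p, e) for e in events for p in policies if matches(p, e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"node": "ip-10-0-1-42.ec2.internal",
     "k8s": {"pod": "api-server-6d9f4bc", "namespace": "production"},
     "syscall": {"type": "unshare", "args": ["CLONE_NEWPID"]}},
    {"node": "ip-10-0-1-42.ec2.internal",
     "k8s": {"pod": "api-server-6d9f4bc", "namespace": "production"},
     "syscall": {"type": "openat", "args": ["/var/log/app.log"]}},
]
ESCAPE_POLICY = ThreatPolicy("detect-container-escape", "syscall.type=unshare",
                             "critical", "alert+isolate")
```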
Detection Capabilities

Six threat categories, kernel-level visibility.

Built on eBPF probes that intercept syscalls at the kernel level — before any application-layer defense can be bypassed.

Container Escape Detection

Detects namespace breakout attempts via unshare, chroot, and mount syscall patterns. Catches both known CVE patterns and novel techniques.

Cryptomining Detection

Identifies mining processes by CPU usage anomaly, outbound connection to known mining pools, and process name heuristics — within seconds of execution.

Lateral Movement

Tracks anomalous cross-namespace network connections and unauthorized access to Kubernetes service accounts that suggest east-west pivot attempts.

Privilege Escalation

Monitors setuid/setgid calls, CAP_SYS_ADMIN usage, and attempts to write to /etc/passwd or sudoers from within containers.

Syscall Anomaly Baseline

Learns the normal syscall profile of each workload over 72 hours, then alerts when behavior deviates — catching zero-day exploitation patterns.
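The learn-then-deviate approach described above, as an added example that is not Kubesentry's implementation: a hypothetical per-workload baseline that records which syscalls each workload makes during a learning window, refuses to enforce until it has enough evidence, and then flags syscalls outside the learned profile. Event field names, the `min_events` threshold and the training data are all constructed for the illustration.

```python
from collections import Counter, defaultdict

# Hypothetical model of the baseline described above (not Kubesentry's code):
# learn each workload's syscall profile during a learning window, then flag
# syscalls outside that profile once enough evidence has been gathered.
class SyscallBaseline:
    def __init__(self, min_events=50):
        self.profiles = defaultdict(Counter)  # workload -> syscall -> count
        self.min_events = min_events          # do not enforce a thin baseline

    @staticmethod
    def workload(event):
        # Key by namespace and pod owner so all replicas share one profile.
        return (event["ns"], event["owner"])

    def learn(self, events):
        for e in events:
            self.profiles[self.workload(e)][e["syscall"]] += 1

    def is_ready(self, key):
        return sum(self.profiles[key].values()) >= self.min_events

    def check(self, event):
        """Return an alert dict for an out-of-profile syscall, else None."""
        key = self.workload(event)
        if not self.is_ready(key):
            return None  # unknown or still-learning workload: no verdict yet
        if event["syscall"] in self.profiles[key]:
            return None
        return {"severity": "high", "ns": event["ns"], "pod": event["pod"],
                "syscall": event["syscall"], "reason": "not in learned baseline"}

def constructed_training_events(rounds=20):
    # Constructed learning-window telemetry for one workload (not real data).
    normal = ["read", "write", "openat", "epoll_wait", "futex"]
    return [{"ns": "production", "owner": "api-server",
             "pod": f"api-server-{i % 3}", "syscall": normal[i % len(normal)]}
            for i in range(rounds * len(normal))]

def demo():
    baseline = SyscallBaseline(min_events=50)
    baseline.learn(constructed_training_events())
    probe = {"ns": "production", "owner": "api-server",
             "pod": "api-server-6d9f4bc", "syscall": "ptrace"}
    return baseline.check(probe)
```

A baseline only reflects what ran during the learning window, so anything already active then is treated as normal; it complements signature rules such as the unshare policy rather than replacing them.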

K8s Audit Log Analysis

Correlates Kubernetes API server audit events with container-level process activity to surface threats that span the API and runtime layers.

Architecture (diagram): Linux kernel eBPF layer (syscall table, kprobe hooks, perf events, namespace events) → Kubesentry Agent DaemonSet (zero-copy eBPF ring buffer, no sidecar overhead) → Policy Engine (YAML rules, Falco compatibility) → Event Store (30-day retention, audit export) → Alert Engine (Slack, PagerDuty, SIEM; ≤30s P99 latency). Zero-copy eBPF · Kernel-level visibility · DaemonSet deploy.

Kernel-level visibility, zero overhead.

eBPF probes attach directly to the Linux kernel syscall table — no sidecar containers, no app-code modifications, no performance penalty.

Zero-copy eBPF ring buffer

Events flow directly from kernel to userspace without copying. Processes 4,000+ syscall events per second per node with sub-1% CPU overhead.

DaemonSet deployment model

One agent per node. No per-pod sidecars that add latency or require deployment restarts when rules change.

Falco-compatible rule format

Import your existing Falco rules directly. No rewrite. Kubesentry adds managed policy delivery, alert routing, and 30-day retention on top.

30-second P99 alert latency

From syscall event to Slack or PagerDuty notification in under 30 seconds at the 99th percentile. Not a batch scan window.

Integrations

Works with your existing stack.

Falco
Slack
PagerDuty
Splunk
Datadog
Elastic SIEM
OpsGenie
GitHub Actions
Helm
From the field

What K8s operators say.

"We went from 72-hour MTTD on container escapes to under 90 seconds. The eBPF DaemonSet was running in production within 10 minutes of helm install — no restarts, no sidecars to manage."

Lead SRE
Logistics platform · 40-node EKS cluster

"We had Falco rules but no managed policy delivery or alert routing. Kubesentry took our existing rules and gave us the SIEM forwarding and 30-day retention we needed for our SOC 2 audit cycle."

Platform Engineering Manager
Fintech · GKE multi-region

"Alert noise was the main concern — our previous tool fired on every cron job. Kubesentry's syscall baseline learning period reduced false positives by roughly 85% in the first week."

Security Architect
Cloud-native healthcare startup · AKS + on-prem

Ready to see what's running in your cluster?

Deploy in minutes. No sidecar overhead. Falco-compatible.