Runtime security built for how Kubernetes actually works.
eBPF probes at the kernel level. DaemonSet deployment. Falco-compatible rules. A policy engine that evaluates events in microseconds.
Kernel-level visibility without kernel modules.
Before eBPF, runtime security required fragile kernel modules or sidecar agents with measurable latency overhead. eBPF lets us attach probes directly to the syscall table — no restarts, no application changes, no performance penalty.
Zero-copy ring buffer
Syscall events flow from kernel to userspace via a shared memory ring buffer — no data copy, minimal CPU overhead. Handles 4,000+ events/second per node.
Kernel safety guarantee
eBPF programs are verified by the kernel verifier before loading — they cannot crash or corrupt kernel memory, unlike loadable kernel modules.
Hot-reload rule updates
Push policy changes without restarting the DaemonSet or any application pod. New rules take effect in under 5 seconds across all nodes.
YAML policies. Falco-compatible syntax.
Write detection rules in a declarative YAML format that's compatible with Falco's rule language. Import your existing OSS Falco rules without modification.
Detection coverage matrix.
| Threat Category | Syscall Signals | Audit Log | Network | Baseline Drift | Falco Rule |
|---|---|---|---|---|---|
| Container Escape | | | | | |
| Cryptomining | | | | | |
| Lateral Movement | | | | | |
| Privilege Escalation | | | | | |
| Syscall Anomaly | | | | | |
Deployment options.
Helm Chart
One-command install via our official Helm chart. Supports values.yaml customization for resource limits, namespace targets, and alert routing.
Kubernetes Operator
Deploy the Kubesentry Operator for GitOps-native management. Reconciles DaemonSet state against your KubesentryConfig CRD automatically.
Manual YAML
Raw Kubernetes manifests available for air-gapped or restricted environments. No external registry dependencies when using the bundle.
Ready to deploy?
Takes under 10 minutes on any CNCF-conformant K8s distribution.