Real-time, eBPF-powered security observability and runtime enforcement for Kubernetes and Linux, enabling kernel-level monitoring and blocking of malicious activity.
Utility
stars: 4,568
forks: 527
Tetragon is a tier-one infrastructure project with a significant moat. Its defensibility stems from the technical difficulty of writing stable, performant eBPF code for kernel-level enforcement, a far harder task than observability alone. With over 4,500 stars and deep integration into the Cilium ecosystem (maintained by Isovalent, now part of Cisco), it benefits from strong network effects within the Kubernetes networking stack. Unlike Falco, which primarily detects and alerts, Tetragon can enforce synchronously from the kernel: a TracingPolicy can kill the offending process or override a hooked kernel function's return value at the point of the event, with no application sidecars (the override action depends on the kernel being built with error injection support for the hooked function, so the kill action is the portable one). That capability places it in a small class of security tools. Frontier labs (OpenAI, Anthropic) have shown no interest in kernel-level security primitives, keeping frontier risk low. The primary threat comes from cloud providers (AWS/GCP) building proprietary eBPF-based equivalents, but Tetragon's open-source status and multi-cloud portability make it a default choice for enterprise platform engineering teams. Its age and fork count (527) indicate a mature, battle-tested codebase that is unlikely to be displaced by a new entrant on a timeline shorter than 3-5 years.
TECH STACK
INTEGRATION
cli_tool
READINESS
The reusable building blocks distilled from this project — each a mechanism you could lift into your own.
RawProcessHook -> ProcessLifecycleEvent
Attach eBPF probes to kernel process lifecycle hooks to produce structured execution and exit events.
PID -> K8sMetadataEnrichedEvent
Correlate host-level process IDs (PIDs) with container runtime and Kubernetes API metadata (namespace, pod, container, image), keyed on the container ID recoverable from the cgroup the process runs in.
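One way to implement the PID-to-pod correlation above, as an added example in Go that is not Tetragon's own code: the container ID is parsed out of /proc/<pid>/cgroup (both the cgroup v2 single-line layout and cgroup v1's per-controller lines) and joined against a cache keyed by container ID, such as one kept current by a Kubernetes pod watch. The ProcessExecEvent, PodInfo, EnrichedEvent and Enricher types, the ContainerIDFromCgroup and NewSampleEnricher functions, and every cgroup path, container ID and pod name below are constructed for illustration, not captured from a node.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Runtimes name the leaf cgroup after the 64-hex container ID (cri-containerd-<id>.scope, docker-<id>.scope, or bare).
var containerIDRe = regexp.MustCompile(`[0-9a-f]{64}`)

// ContainerIDFromCgroup extracts the container ID from /proc/<pid>/cgroup contents. It accepts the cgroup v2 single
// line ("0::<path>") and cgroup v1's per-controller lines ("<hier>:<controllers>:<path>") and inspects only the leaf
// path component, so pod UIDs and parent slices cannot match. "" means the process is not in a container cgroup.
func ContainerIDFromCgroup(contents string) string {
	for _, line := range strings.Split(contents, "\n") {
		parts := strings.SplitN(line, ":", 3)
		if len(parts) != 3 {
			continue
		}
		leaf := parts[2][strings.LastIndex(parts[2], "/")+1:]
		if id := containerIDRe.FindString(leaf); id != "" {
			return id
		}
	}
	return ""
}

// ProcessExecEvent is the raw event an eBPF exec hook yields (shape assumed for this example).
type ProcessExecEvent struct{ PID int; Binary string }
// PodInfo is what the container runtime and Kubernetes API know about a container.
type PodInfo struct{ Namespace, Pod, Container, Image string }
// EnrichedEvent is the exec event joined with its Kubernetes identity.
type EnrichedEvent struct {
	ProcessExecEvent
	ContainerID string   // "" for host processes
	Pod         *PodInfo // nil for host processes and for containers the cache has not seen yet
}

// Enricher joins PIDs to pods: readCgroup stands in for reading /proc/<pid>/cgroup, containers for a pod-watch cache.
type Enricher struct {
	readCgroup func(pid int) (string, error)
	containers map[string]PodInfo
}

// Enrich attaches container and pod identity. A process that exited before /proc could be read comes back
// unenriched with an error, so the caller can still emit the raw event rather than drop it.
func (e *Enricher) Enrich(ev ProcessExecEvent) (EnrichedEvent, error) {
	out := EnrichedEvent{ProcessExecEvent: ev}
	cg, err := e.readCgroup(ev.PID)
	if err != nil {
		return out, fmt.Errorf("pid %d: read cgroup: %w", ev.PID, err)
	}
	out.ContainerID = ContainerIDFromCgroup(cg)
	if info, ok := e.containers[out.ContainerID]; ok && out.ContainerID != "" {
		out.Pod = &info
	}
	return out, nil
}

// NewSampleEnricher wires constructed /proc/<pid>/cgroup contents and a constructed pod cache (nothing from a real node).
func NewSampleEnricher() *Enricher {
	idA := strings.Repeat("3f9c1d2e5a6b7c8d", 4) // containerd, cgroup v2, systemd driver
	idB := strings.Repeat("ab12cd34ef56ab78", 4) // cgroup v1, cgroupfs driver
	idC := strings.Repeat("0011223344556677", 4) // started after the last cache refresh
	v1pod := "/kubepods/besteffort/pod0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9/"
	cgroups := map[int]string{
		4242: "0::/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod7d1c3a2e_1f5b_4c8a_9e2d_0b3f6a9c1d2e.slice/cri-containerd-" + idA + ".scope\n",
		1717: "12:memory:" + v1pod + idB + "\n1:name=systemd:" + v1pod + idB + "\n",
		2020: "0::/kubepods.slice/kubepods-pod1122aabb_ccdd_eeff_0011_223344556677.slice/cri-containerd-" + idC + ".scope\n",
		1:    "0::/init.scope\n",
	}
	return &Enricher{
		readCgroup: func(pid int) (string, error) {
			if c, ok := cgroups[pid]; ok {
				return c, nil
			}
			return "", fmt.Errorf("no such process") // exited before we looked
		},
		containers: map[string]PodInfo{
			idA: {"prod", "web-7c9d", "app", "registry.example/web:1.4"},
			idB: {"prod", "api-5f2a", "sidecar", "registry.example/proxy:2.0"},
		},
	}
}

func main() {
	e := NewSampleEnricher()
	for _, ev := range []ProcessExecEvent{{4242, "/bin/sh"}, {1717, "/usr/bin/curl"}, {2020, "/bin/bash"}, {1, "/sbin/init"}, {9999, "/bin/true"}} {
		out, err := e.Enrich(ev)
		switch {
		case err != nil:
			fmt.Printf("pid %d %s: unenriched: %v\n", ev.PID, ev.Binary, err)
		case out.Pod != nil:
			fmt.Printf("pid %d %s: %s/%s container=%s image=%s\n", ev.PID, ev.Binary, out.Pod.Namespace, out.Pod.Pod, out.Pod.Container, out.Pod.Image)
		default: // host process (empty id) or a container the pod cache has not caught up with yet
			fmt.Printf("pid %d %s: no pod, container id %q\n", ev.PID, ev.Binary, out.ContainerID)
		}
	}
}
```

Two failure modes matter in practice and both are represented above: a short-lived process can exit before /proc is read (pid 9999), and the pod cache can lag behind a freshly started container, so the event carries a container ID but no pod yet (pid 2020). The sample keeps such events rather than dropping them, because a missing enrichment is itself a signal worth logging. Tetragon, for its part, captures the cgroup identity inside the BPF exec hook rather than re-reading /proc from userspace, which removes the first race entirely; the /proc lookup shown here is the portable variant that works without kernel-side code.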