Real-time, eBPF-powered security observability and runtime enforcement for Kubernetes and Linux, enabling kernel-level monitoring and blocking of malicious activity.
Defensibility
stars: 4,568
forks: 527
Tetragon is a tier-one infrastructure project with a significant moat. Its defensibility stems from the extreme technical complexity of writing stable, performant eBPF code for kernel-level enforcement—a task far harder than simple observability. With over 4,500 stars and deep integration into the Cilium ecosystem (maintained by Isovalent, now part of Cisco), it benefits from massive 'network effects' within the Kubernetes networking stack. Unlike competitors like Falco (which primarily focuses on detection/alerting), Tetragon's ability to perform in-kernel blocking of malicious calls (enforcement) without application sidecars puts it in an elite class of security tools. Frontier labs (OpenAI, Anthropic) have zero interest in kernel-level security primitives, keeping frontier risk low. The primary threat comes from cloud providers (AWS/GCP) building proprietary eBPF wrappers, but Tetragon's open-source standard status and multi-cloud portability make it the de facto choice for enterprise platform engineering teams. Its age and fork count (527) indicate a mature, battle-tested codebase that is unlikely to be displaced by any new entrant on a timeline shorter than 3-5 years.
INTEGRATION: cli_tool