
tetragon
eBPF-based Security Observability and Runtime Enforcement
The Lens
Tetragon watches what's actually happening inside your Kubernetes workloads at runtime: process executions, file access, network connections, and more, using eBPF to see it all from the kernel with very low overhead. Where a scanner tells you what could go wrong, Tetragon tells you what is happening right now. Open source, from the Cilium project, free.
eBPF is the key: it hooks into the Linux kernel to observe and optionally block events without the performance hit of older approaches. You write policies describing what to watch or stop, and Tetragon enforces them in real time, with Kubernetes-aware context so events are tied to pods and namespaces. Running it well takes some depth, both in eBPF concepts and in tuning what you monitor.
Tetragon is free. Isovalent, now part of Cisco, sells enterprise Cilium and support that includes Tetragon for large deployments. For solo and small teams, it's powerful but heavier to operate than a scanner, so adopt it when runtime visibility is a real need. For large or security-focused orgs, it's a serious runtime security and observability layer.
The catch: this is runtime, not prevention. Tetragon sees and can stop things as they happen, but it won't tell you your manifests are misconfigured or your images are vulnerable; that's what the scanners are for. And the eBPF-and-policy learning curve is real. It's a strong tool, but it's not the first one a small team should reach for.
Free vs Self-Hosted vs Paid
fully free
Self-hosted (free): Tetragon under Apache-2.0, from the Cilium project. Uses eBPF to observe and optionally block runtime events (process execution, file access, network) from the kernel with low overhead, with Kubernetes-aware context. Policies describe what to watch or stop.
Enterprise: Isovalent (now Cisco) sells enterprise Cilium and support that covers Tetragon for large deployments.
The call: Runtime security and observability, not prevention. Adopt it when you genuinely need to see what's happening inside workloads.
Free and open source (part of Cilium). Isovalent (Cisco) sells enterprise Cilium and support.
About
- Owner: Cilium (Organization)
- Stars: 4,793
- Forks: 563