tetragon

eBPF-based Security Observability and Runtime Enforcement

4.8k · emerging · C · Apache License 2.0

The Lens

Tetragon watches what's actually happening inside your Kubernetes workloads at runtime: process executions, file access, network connections, and more, using eBPF to see it all from the kernel with very low overhead. Where a scanner tells you what could go wrong, Tetragon tells you what is happening right now. Open source, from the Cilium project, free.

eBPF is the key: it hooks into the Linux kernel to observe and optionally block events without the performance hit of older approaches. You write policies describing what to watch or stop, and Tetragon enforces them in real time, with Kubernetes-aware context so events are tied to pods and namespaces. Running it well takes some depth, both in eBPF concepts and in tuning what you monitor.

Tetragon is free. Isovalent, now part of Cisco, sells enterprise Cilium and support that includes Tetragon for large deployments. For solo and small teams, it's powerful but heavier to operate than a scanner, so adopt it when runtime visibility is a real need. For large or security-focused orgs, it's a serious runtime security and observability layer.

The catch: this is runtime, not prevention. Tetragon sees and can stop things as they happen, but it won't tell you your manifests are misconfigured or your images are vulnerable; that's what the scanners are for. And the eBPF-and-policy learning curve is real. It's a strong tool, but it's not the first one a small team should reach for.

Free vs Self-Hosted vs Paid

fully free

Self-hosted (free): Tetragon under Apache-2.0, from the Cilium project. Uses eBPF to observe and optionally block runtime events (process execution, file access, network) from the kernel with low overhead, with Kubernetes-aware context. Policies describe what to watch or stop.

Enterprise: Isovalent (now Cisco) sells enterprise Cilium and support that covers Tetragon for large deployments.

The call: Runtime security and observability, not prevention. Adopt it when you genuinely need to see what's happening inside workloads.

Free and open source (part of Cilium). Isovalent (Cisco) sells enterprise Cilium and support.

Self-hosting ops: significant

Score
57/100 · C+
Adoption: 17/30
Maintenance: 10/25
Community: 5/20
License: 15/15
Analysis: 10/10

About

Owner
Cilium (Organization)
Stars
4,793
Forks
563