Tracee
Linux runtime security using eBPF to trace OS and container events with prebuilt signatures and pipeline exports.
Why it is included
Strong open-source option when you want eBPF-first forensics and detection on Linux hosts.
Best for
Threat detection research and K8s node instrumentation alongside scanners.
Strengths
- eBPF depth
- Aqua stewardship
- Pipeline-friendly
Limitations
- Kernel version and BPF feature requirements
Good alternatives
Falco · Inspektor Gadget
Related tools
- Falco (Security & Privacy): cloud-native runtime security for Linux/Kubernetes, with syscall and K8s audit rules, Falcoctl, and ecosystem outputs.
- Trivy (Security & Privacy): all-in-one scanner for container images, IaC, Kubernetes manifests, SBOMs, and VM OS packages, with CI integrations.
- Tetragon (Security & Privacy): eBPF-based security observability and runtime enforcement, with process/exec monitoring, network hooks, and kill primitives integrated with Cilium.
- YARA (Security & Privacy): pattern matching for malware researchers, with rules over files, memory, and streams in IR pipelines.
- Lynis (Security & Privacy): host-based security auditing for Unix, covering misconfigurations, packages, SSH, and kernel hardening hints.
- Suricata (Security & Privacy): high-performance IDS/IPS and network security monitoring with multi-threading, TLS inspection options, and Lua scripting.
