Multi-messenger Security - Adaptive Kubernetes SOC From Disparate eBPF Tools
CNCF [Cloud Native Computing Foundation] via YouTube
Overview
Learn how to build an adaptive Kubernetes Security Operations Center (SOC) from multiple eBPF tools in this conference talk from KubeCon + CloudNativeCon. Discover how the Linux kernel's eBPF capabilities let security and observability share data structures, so that established CNCF projects such as Kubescape, Pixie, and Tetragon can be combined into one security monitoring system. Explore how this multi-messenger approach surfaces security signals that no single tool can identify on its own, providing both comprehensive baseline monitoring and adaptive coverage that intensifies when suspicious indicators appear. Understand how independent signals from processes, file systems, and network activity yield a high signal-to-noise ratio, which keeps data volumes manageable and allows forensic data to be stored selectively. Watch a live demonstration of an io_uring rootkit detection scenario: because io_uring submits I/O through a shared ring buffer rather than through the individual syscalls that syscall-hooking tools watch, traditional syscall-based security tools struggle to detect it in their default configurations, while the adaptive multi-tool setup makes detection almost trivial. Learn about the node-local SOC architecture that preserves data sovereignty by keeping all security data within your cluster, giving you complete control over sensitive information while still providing robust threat detection.
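The following is an added example, not code from the talk or from Kubescape, Pixie or Tetragon, showing the correlation idea the overview describes: three independent messengers (a syscall-level tracer, a VFS-level file observer and a socket-level network observer) report on the same workload; a workload runs in baseline mode until one messenger sees a suspicious indicator, at which point full-event capture is switched on for that workload only; an alert requires two independent messengers to agree. It also encodes one assumption of this example about the io_uring case: I/O that the file and network observers saw but the syscall tracer never saw as read/write/connect syscalls is treated as a bypass signal. The workload names, event kinds, suspicious-indicator lists and all events are constructed sample data.

```python
"""Toy multi-messenger correlator for Kubernetes workloads.

Added example; it is not code from the talk or from Kubescape, Pixie or
Tetragon. Three independent "messengers" report on the same workload:
  proc: a syscall-level tracer (what the process asked the kernel for)
  file: a VFS-level observer (file I/O that actually happened)
  net:  a socket-level observer (connections that actually happened)
All events below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    source: str    # "proc", "file" or "net"
    workload: str  # namespace/pod
    kind: str      # "exec", "read", "connect", "io_uring_setup", ...
    detail: str    # path, address or binary


# Per-messenger indicators that switch a workload from baseline to adaptive
# (full-capture) mode. The lists are illustrative assumptions, not the talk's.
SUSPICIOUS = {
    ("proc", "exec"): lambda d: d.rsplit("/", 1)[-1] in {"nc", "ncat", "socat"},
    ("file", "read"): lambda d: d.startswith(("/etc/shadow", "/root/.ssh")),
    ("net", "connect"): lambda d: not d.endswith(":443"),
}

# Syscalls the proc tracer should see whenever file or network I/O goes
# through the ordinary syscall path.
IO_SYSCALLS = {"openat", "read", "write", "connect", "sendto", "recvfrom"}


def is_suspicious(e: Event) -> bool:
    check = SUSPICIOUS.get((e.source, e.kind))
    return bool(check and check(e.detail))


def correlate(events):
    """Return one verdict per workload.

    alert fires only when two independent messengers agree, or when the
    lower-layer observers saw I/O that the syscall tracer never saw
    (assumption of this example: io_uring submits I/O through a shared ring,
    so a syscall-hooking tracer in its default configuration misses the
    individual read/write/connect operations).
    """
    by_workload = defaultdict(list)
    for e in events:
        by_workload[e.workload].append(e)

    verdicts = {}
    for wl, evs in by_workload.items():
        saw_kernel_io = any(e.source in ("file", "net") for e in evs)
        saw_io_syscalls = any(e.source == "proc" and e.kind in IO_SYSCALLS for e in evs)
        bypass = saw_kernel_io and not saw_io_syscalls

        level = "adaptive" if bypass else "baseline"
        sources, forensic = set(), []
        for e in evs:
            if is_suspicious(e):
                sources.add(e.source)
                level = "adaptive"      # escalate on the first indicator
            if level == "adaptive":
                forensic.append(e)      # retain full events only once escalated
        verdicts[wl] = {
            "level": level,
            "sources": sorted(sources),
            "io_uring_bypass": bypass,
            "alert": len(sources) >= 2 or bypass,
            "forensic_events": len(forensic),
        }
    return verdicts


# Constructed sample: one benign workload, one noisy interactive shell,
# one workload whose file and network I/O never appears as syscalls.
SAMPLE_EVENTS = [
    Event("proc", "shop/web-1", "exec", "/app/server"),
    Event("proc", "shop/web-1", "openat", "/app/config.yaml"),
    Event("file", "shop/web-1", "read", "/app/config.yaml"),
    Event("proc", "shop/web-1", "connect", "10.0.0.5:443"),
    Event("net", "shop/web-1", "connect", "10.0.0.5:443"),

    Event("proc", "shop/web-2", "exec", "/bin/nc"),
    Event("proc", "shop/web-2", "connect", "203.0.113.9:4444"),
    Event("net", "shop/web-2", "connect", "203.0.113.9:4444"),
    Event("proc", "shop/web-2", "openat", "/etc/shadow"),
    Event("file", "shop/web-2", "read", "/etc/shadow"),

    Event("proc", "shop/batch-1", "exec", "/tmp/ring_loader"),
    Event("proc", "shop/batch-1", "io_uring_setup", ""),
    Event("file", "shop/batch-1", "read", "/var/lib/app/data.db"),
    Event("net", "shop/batch-1", "connect", "198.51.100.7:443"),
]


def analyze_sample():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for wl, verdict in analyze_sample().items():
        print(wl, verdict)
```

The benign workload stays in baseline mode and stores nothing; the shell workload is escalated by the first indicator and alerts because three messengers agree; the third workload trips no per-messenger indicator at all, so a syscall-only tool sees just an exec and an io_uring_setup, yet the file and network observers report I/O with no matching syscalls, which is the cross-tool signal the overview refers to.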
Syllabus
Multi-messenger Security: Adaptive Kubernetes SOC... Constanze Roedig, Ben Hirschberg & Dom Delnano
Taught by
CNCF [Cloud Native Computing Foundation]