Tracee uses eBPF technology to detect and filter OS events, helping you uncover security insights, detect suspicious behavior, and capture forensic indicators.

Tracee is a runtime security and forensics tool for Linux-based cloud deployments.it uses eBPF at runtimeTrack host operating systems and applications and analyze collected events to detectsuspicious behavior pattern. It can run as a daemonset in your kubernetes environment, but has the flexibility to run on any Linux-based host for multiple purposes. It can be delivered via Helm as a docker container or as a small set of static binaries.

Tracee aims to be an easy-to-use and effective solution for learning when cloud-native attacks occur in your environment. By leveraging Aqua’s advanced security research, high-performance eBPF-based instrumentation, and a cloud-native-first approach, Tracee makes runtime instrumentation accessible, powerful, and effective.

Tracee is designed to monitor hosts in a kubernetes cluster.

Tracee consists of the following subprojects, hosted in the aquasecurity/tracee repository: