
ASIN: B0H18DLCJ9

ISBN13: 9798196286605

eBPF Threat Hunting: Engineering Real-Time Runtime Defense for Kubernetes.

Stop Relying on Static Scans. Master eBPF and Catch Advanced Attackers in the Kernel.
Scanning container images in your CI/CD pipeline is no longer enough. When a zero-day exploit drops, or a compromised dependency executes malicious code at runtime, traditional perimeter security and legacy agents are completely blind. To defend modern Kubernetes clusters, you must move your detection logic into the Linux kernel.
eBPF Threat Hunting is an engineering manual for building real-time runtime defense systems. Extended Berkeley Packet Filter (eBPF) has changed cloud-native security by offering deep kernel observability without the overhead or instability of loadable kernel modules. This book teaches Security Engineers, SOC Analysts, and Platform Architects how to use eBPF to detect container escapes, lateral movement, and command-and-control (C2) traffic at the moment a malicious syscall is executed.
Inside, you will discover:
eBPF Internals for Defenders: Master the execution model, from the verifier and JIT compilation to attaching kprobes, tracepoints, and LSM hooks.
Syscall Monitoring & Ground Truth: Build high-signal detection baselines targeting critical syscalls like execve and ptrace to expose attacker behaviors instantly.
Container Threat Models: Map exact syscall sequences to real-world Kubernetes attacks, including namespace breakouts, privileged container abuse, and API server credential theft.
Mastering Falco & Tetragon: Write high-fidelity Falco rules that feed your SIEM, and deploy Tetragon to move from passive observation to active, in-kernel enforcement such as killing the offending process.
Network Threat Hunting: Use Cilium to expose Layer 7 metadata (DNS queries, HTTP requests, TLS handshake metadata) without decrypting traffic, catching beaconing patterns and egress anomalies.
The Real-Time Detection Pipeline: Build a low-latency event collection architecture that correlates kernel events with Kubernetes audit logs and cloud API data to eliminate false positives.
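As an added illustration of the baseline-and-deviation approach that the syscall-monitoring and detection-pipeline bullets describe (this is example code written for this page, not code from the book, Falco, or Tetragon): the sketch below learns a per-image execve baseline from a known-good window, then scans a stream of kernel events already enriched with Kubernetes metadata and flags three kinds of deviation. The event fields, image, pod and namespace names, and the list of "tools of concern" are invented for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Directory under which every pod's projected service-account token is mounted.
SA_TOKEN_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"

# Syscalls an application container almost never issues legitimately. A hit is
# reported regardless of the baseline; each maps to a well-known attacker step
# (process injection, namespace manipulation as breakout staging, module loading).
HIGH_SIGNAL: Dict[str, str] = {
    "ptrace": "process_injection",
    "setns": "namespace_manipulation",
    "unshare": "namespace_manipulation",
    "mount": "namespace_manipulation",
    "init_module": "kernel_module_load",
    "finit_module": "kernel_module_load",
}

# Processes that have no business reading a service-account token. This set is
# an assumption made for the example; tune it to your own fleet.
TOKEN_READERS_OF_CONCERN = {"sh", "bash", "cat", "curl", "wget", "python3"}


@dataclass(frozen=True)
class SyscallEvent:
    """One kernel event, already enriched with Kubernetes metadata by the collector.
    Field names are this example's own, not a Falco or Tetragon schema."""
    ts: float
    namespace: str
    pod: str
    image: str
    comm: str       # process name issuing the call
    syscall: str    # execve, openat, ptrace, ...
    path: str = ""  # execve: binary path; openat: file path; otherwise empty


@dataclass(frozen=True)
class Finding:
    ts: float
    namespace: str
    pod: str
    rule: str
    detail: str


def build_exec_baseline(events: Iterable[SyscallEvent]) -> Dict[str, Set[str]]:
    """Learn, per container image, which binaries were exec'd during a known-good window."""
    baseline: Dict[str, Set[str]] = {}
    for ev in events:
        if ev.syscall == "execve":
            baseline.setdefault(ev.image, set()).add(ev.path)
    return baseline


def hunt(events: Iterable[SyscallEvent], baseline: Dict[str, Set[str]]) -> List[Finding]:
    """Run the three checks over an event stream and return findings in event order."""
    findings: List[Finding] = []
    for ev in events:
        if ev.syscall in HIGH_SIGNAL:
            findings.append(Finding(ev.ts, ev.namespace, ev.pod, HIGH_SIGNAL[ev.syscall],
                                    f"{ev.comm} called {ev.syscall}"))
        elif ev.syscall == "execve" and ev.path not in baseline.get(ev.image, set()):
            findings.append(Finding(ev.ts, ev.namespace, ev.pod, "unbaselined_exec",
                                    f"{ev.comm} exec'd {ev.path} in {ev.image}"))
        elif (ev.syscall == "openat" and ev.path.startswith(SA_TOKEN_DIR + "/")
              and ev.comm in TOKEN_READERS_OF_CONCERN):
            findings.append(Finding(ev.ts, ev.namespace, ev.pod, "sa_token_access",
                                    f"{ev.comm} read {ev.path}"))
    return findings


# Constructed sample data; image, pod and namespace names are invented.
IMAGE = "registry.example.internal/shop/web:1.4"
TOKEN = SA_TOKEN_DIR + "/token"
KNOWN_GOOD = [
    SyscallEvent(0.9, "shop", "web-7c9f", IMAGE, "runc", "execve", "/bin/sh"),
    SyscallEvent(1.0, "shop", "web-7c9f", IMAGE, "sh", "execve", "/usr/sbin/nginx"),
    SyscallEvent(1.2, "shop", "web-7c9f", IMAGE, "nginx", "openat", TOKEN),  # app reads its own token
]
SUSPECT = [
    SyscallEvent(10.0, "shop", "web-7c9f", IMAGE, "sh", "execve", "/usr/sbin/nginx"),  # baselined, quiet
    SyscallEvent(10.5, "shop", "web-7c9f", IMAGE, "nginx", "openat", TOKEN),          # normal, quiet
    SyscallEvent(11.0, "shop", "web-7c9f", IMAGE, "sh", "execve", "/usr/bin/curl"),   # unbaselined_exec
    SyscallEvent(11.1, "shop", "web-7c9f", IMAGE, "cat", "openat", TOKEN),            # sa_token_access
    SyscallEvent(11.4, "shop", "web-7c9f", IMAGE, "python3", "ptrace"),               # process_injection
    SyscallEvent(11.9, "shop", "web-7c9f", IMAGE, "nsenter", "setns"),                # namespace_manipulation
]


def demo() -> List[str]:
    """Rules fired, in order, when the suspect window is checked against the baseline."""
    return [f.rule for f in hunt(SUSPECT, build_exec_baseline(KNOWN_GOOD))]


if __name__ == "__main__":
    for f in hunt(SUSPECT, build_exec_baseline(KNOWN_GOOD)):
        print(f"{f.ts:6.1f} {f.namespace}/{f.pod} {f.rule}: {f.detail}")
```

Two design points carry over to a real pipeline: the high-signal syscalls are checked before the baseline so a learned baseline can never whitelist ptrace or setns, and the token check keys on the process that opened the file rather than on the path alone, since every pod legitimately reads its own token.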
THE THREAT HUNTER'S VAULT (Appendix)
Engineered for the incident responder actively fighting in the trenches, the Appendix provides immediate, battle-tested reference material:
High-Signal Syscall Reference: A cheat sheet mapping specific attacker techniques to the Linux system calls they trigger.
The eBPF Program Type Matrix: Instantly know which kernel attachment point to use based on security use cases and kernel version constraints.
Detection Coverage Matrix: Real-world eBPF detection strategies mapped directly across the MITRE ATT&CK Kubernetes Kill Chain.
Don't wait for the breach notification. Weaponize the Linux kernel, architect a self-defending cluster, and hunt the adversaries hiding in your infrastructure.

Format: Paperback
Condition: New
Price: $29.27 (list price $29.99)
Customer Reviews: 0 ratings
Copyright © 2026 Thriftbooks.com