Unlocking the Power of eBPF at Traceable

Here at Traceable, we’re really passionate about eBPF, the extended Berkeley Packet Filter.

It’s this amazing technology that lets us dynamically instrument Linux systems with kernel extensions built right into the Kernel. Whether you’re working with containers in Kubernetes or dealing with a standard monolith, eBPF adapts seamlessly. It operates at the kernel level, which means it’s super fast and doesn’t slow down your system.

Plus, you don’t have to tweak your applications to make it work. The coolest part? It’s event-driven and can hook into any kernel syscall, including those for networking.

The Rise of eBPF

eBPF actually isn’t new technology, it’s been in the kernel a while, having been originally released in 2014. From Meta to Google, Cloudflare, Netflix, DropBox, Microsoft, Apple, and even IKEA, they’re all using eBPF for better tracing and observability.

It’s a go-to solution for challenges like load balancing and performance diagnostics. If you’re playing in the big leagues of software, you’re probably using eBPF too.

eBPF and API Traffic: A Perfect Match

API traffic is essentially a series of HTTP requests and responses, all flowing through the standard Linux network stack. In today’s digital landscape, where security is paramount, most APIs use HTTPS, encrypting data as it moves through the network. This encryption, while crucial for security, renders the traffic invisible to traditional monitoring tools. That’s where eBPF steps in as a game-changer.

What’s really cool about eBPF is its ability to observe traffic right at the kernel level. This means it can capture and analyze the traffic after it’s decrypted, regardless of its origin.

Whether we’re talking about external or internal services, eBPF provides a window into the network traffic that was previously obscured by encryption. This capability is a big deal for us at Traceable because it allows us to see and collect data from almost any deployment scenario.

With eBPF, we’re not just looking at the surface; we’re delving deep into the network’s hidden layers, ensuring comprehensive visibility and enhanced security.

How Traceable’s Uses eBPF for Enhanced (and Agentless) Data Collection

At Traceable, our use of eBPF is integral to our platform’s data collection capabilities. We’ve recently expanded our reach with a launch on VMWare Tanzu, marking a significant step in our journey. But that’s just the beginning. We’re also adept at supporting deployments on Kubernetes clusters and on-premises setups, including under your API gateway.

In Kubernetes environments, our approach is strategic and targeted. We operate as a daemonset, which allows us to selectively instrument specific pods or containers.

This precision extends to our data collection capabilities, encompassing both ingress and egress data on gateways or backend services. The versatility of eBPF enables us to work with any Linux distribution, ensuring we remain resource-efficient and performance-optimized across various deployment scenarios.

One of the key advantages of eBPF in our setup is its ability to reduce the resource footprint and network traffic.

This is particularly evident when compared to our mirroring approach, where all traffic on a production microservice is duplicated for data collection. With eBPF, we achieve the same objectives but with a more streamlined, cloud-native, and cloud-first design.

When we compare eBPF to other deployment mechanisms like tracing agents, its agentless nature stands out. This translates to significantly less overhead, especially when compared to deployments involving language agents or ingress controllers. Our eBPF deployment focuses on efficiently sending data to our processing tools, rather than processing it on-site. For those working in high-performance environments where minimizing overhead is crucial, eBPF emerges as a compelling choice.

Watch our Webinar: eBPF – The Future of API Security and Observability

For those intrigued by the potential of eBPF, we invite you to explore further. Our webinar, featuring insights from our founder and R&D team, offers a deep dive into our eBPF deployment strategies. Join us in exploring this cutting-edge technology that’s reshaping the landscape of Linux system instrumentation.

Learn More about How Traceable Uses eBPF

APIs are everywhere now. New endpoints are popping up and made public all the time, and sometimes even the security team doesn’t catch them right away!

That’s where we come in at Traceable. Our API security platform is designed to help you get a grip on your attack surface. We’re here to help you analyze, understand, block, and uncover threats against all your APIs.

Our approach is comprehensive – we cover everything from eBPF to language agents, traffic mirroring, and even on-prem solutions. The goal? To seamlessly integrate with your existing API tools and infrastructure, boosting their security without turning your workflow upside down.

Curious about how we can bolster your API security? Why not sign up for a quick demo or take a peek at our platform overview? We’re here to guide you through the ever-evolving landscape of API security.


About Traceable

Traceable is the industry’s leading API Security company helping organizations achieve API visibility and attack protection in a cloud-first, API-driven world. Traceable is the only intelligent and context-aware solution that powers complete API security – API discovery and posture management, API security testing, attack detection and threat hunting, and attack protection anywhere your APIs live. Traceable enables organizations to minimize risk and maximize the value that APIs bring their customers. To learn more about how API security can help your business, book a demo with a security expert.