RuntimeGuard, ransomware detection for Linux using eBPF
RuntimeGuard: real-time ransomware protection for Linux servers. eBPF-powered, kernel-level visibility.

Stop ransomware on Linux before it encrypts your data. RuntimeGuard monitors runtime activity on Linux servers and detects ransomware behaviour in real time using lightweight kernel-level telemetry.

Kernel-level visibility. Zero signature databases. Learning mode built-in. Per-host threshold tuning.

Sample incident card from the agent's live telemetry view (runtimeguard-agent, live telemetry, prod-server-01):

  INCIDENT DETECTED
  Rule      file_write_burst
  Host      prod-server-01
  Severity  HIGH
  Score     80 / 100
  Tenant    acme-corp
  Alert     Webhook sent

The problem: Linux servers are an increasing target

Most security tools are built for Windows endpoints, not for Linux production infrastructure.

Growing attack surface. Ransomware, cryptominers and supply-chain malware increasingly target Linux infrastructure. Many security tools are still built around desktop endpoints and add too much complexity or overhead for server environments.

What teams are missing. DevOps and infrastructure teams often lack direct visibility into runtime process and file activity on production Linux hosts. That makes it harder to spot attacks before data is impacted.

Core capabilities: everything you need to detect and respond

Runtime Monitoring
Monitor process and file activity in real time on Linux infrastructure. Full kernel-level visibility via eBPF, with no per-application instrumentation and no performance overhead.

Ransomware Detection
Detect behaviour patterns commonly associated with ransomware: file write bursts, rename storms and abnormal process execution, caught in a sliding time window before encryption spreads.

Instant Alerting
Webhook and Slack alerts fire the moment suspicious behaviour is detected. Integrate with your existing incident response workflows without changing your toolchain.

Learning Mode
Every new host starts in learning mode. RuntimeGuard observes silently and surfaces what would have triggered, so you validate and tune before any alert fires in production.

Per-host Thresholds
A file server behaves differently from a web server. Configure detection thresholds per host or per tenant: defaults get you started, overrides keep false positives out.

Lightweight Agent
A low-overhead eBPF agent designed for cloud, VM and bare-metal workloads. CO-RE compiled: one binary runs on any modern Linux distribution with kernel 5.8+.

Role-Based Access Control
Admin, analyst and viewer roles with API-level enforcement. Assign the right level of access to every team member (operations, security analysts and read-only stakeholders) without sharing a single key.

Audit Log
Full trail of every configuration change, logged with tenant, role, method, path, status code and IP. Viewable in the dashboard by admins. PostgreSQL-backed with tenant isolation, ready for compliance evidence.

Process Tree
Every incident links to an interactive process tree: all processes active in the ±5-minute window are assembled into a parent-child attack graph with pan, zoom and per-node detail. Follow the chain from the suspicious process back to the root cause without touching the host.

Custom Sigma Rules
Write your own detection rules in Sigma-compatible YAML alongside the 26 built-in rules. Supports field modifiers (contains, startswith, regex), logsource categories and compound conditions. YAML is validated on save, so no broken rules reach production.

File Integrity Monitoring
Watch any file or directory for writes, renames, deletes and permission changes. Every match is logged with process name, PID and timestamp, ready for PCI-DSS, CIS Benchmark and SOC 2 audit packages.

Rootkit Detection
Scans /etc/ld.so.preload, /proc/modules and /proc/*/exe every 30 seconds to detect LD_PRELOAD rootkits, malicious kernel modules and fileless malware whose on-disk binary has been deleted. No kernel module required.

Response Playbooks
Automate your incident response with SOAR-level playbooks. Isolate hosts, block IPs, notify webhooks and trigger PagerDuty alerts automatically, the moment a matching incident opens. Enforcing mode only; every execution is logged for audit.

Kubernetes Admission Webhook
Block dangerous pods before they start. A ValidatingAdmissionWebhook checks every pod against your policy: privileged containers, hostPID/hostNetwork/hostIPC, dangerous capabilities, hostPath volumes and image registry allowlists. Dry-run mode for safe rollout.

Threat Intelligence
Every outbound connection is checked against the Feodo Tracker and Emerging Threats C2 IP blocklists (free, refreshed hourly). Every executed binary is checked against MalwareBazaar, VirusTotal and AlienVault OTX. Matches open a critical incident and kill the process immediately.

DNS Exfiltration Detection
Raw DNS traffic is captured via an AF_PACKET raw socket. Shannon entropy analysis on every DNS subdomain detects base64- or hex-encoded payloads pushed through DNS tunnels, the covert channel that bypasses most firewalls and connection monitors.

MSP / MSSP Portal
Manage unlimited customer tenants from a single login. Cross-tenant SOC feed, per-tenant drill-down, isolated incidents and API keys. Built for managed service providers protecting multiple client environments at scale.

SSO / OIDC Login
Sign in with Google Workspace or Microsoft Entra accounts via OIDC. RBAC roles apply to SSO identities: admin, analyst and viewer access is enforced at login. No separate credentials to manage for enterprise teams.

How it works: up and running in minutes

01 Deploy. A lightweight eBPF agent is deployed on your Linux host in minutes via a single curl command.
02 Learn. The host starts in learning mode. RuntimeGuard observes behaviour silently: no alerts, no noise.
03 Tune. Review what would have triggered. Adjust thresholds per host until the signal is right for your environment.
04 Enforce. Switch the host to enforcing mode. Detection rules are now active and alerts go live.
05 Alert. Incidents are created and alerts are sent via webhook or Slack before damage spreads.

Deploy in minutes: one command, full visibility

Install the RuntimeGuard agent on any Linux server running kernel 5.8 or higher. Works on Ubuntu, Debian, RHEL, Amazon Linux and more.

Installs and starts in under 60 seconds. No reboot required. Ubuntu, Debian, RHEL, Amazon Linux 2023. Kernel 5.8+ with BTF required.

Built for modern infrastructure: where RuntimeGuard runs

From bare-metal servers to Kubernetes nodes, consistent runtime visibility across your entire Linux fleet: Linux server protection, file server security, cloud workload monitoring, Kubernetes node visibility, supply chain detection, MSP / MSSP environments, DNS exfiltration monitoring and enterprise SSO deployments.

Pricing: simple, predictable pricing

Designed for infrastructure teams that need focused Linux runtime protection without unnecessary complexity.

Starter (for small Linux environments): runtime monitoring, basic incident visibility, email alerts, up to 5 hosts. Contact for pricing.
Growth (for production server environments): runtime monitoring, behaviour-based detection, incident timelines, Slack / webhook alerts, up to 50 hosts. Early access.
Business (for larger environments and MSPs): multi-tenant visibility, advanced detection rules, containment support, priority support, unlimited hosts. Contact us.

Protect your Linux infrastructure from ransomware. Join the early access programme and start monitoring Linux runtime activity today.
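The sliding-window file_write_burst and rename_storm rules, learning mode and per-host threshold overrides described under Core capabilities and How it works, as an added example that is not RuntimeGuard's own code: a detector that records what would have fired on learning-mode hosts and opens an incident on enforcing-mode hosts. The hosts, process names, thresholds, event format and scoring formula are constructed for the example, and the same logic is extended to renames.

```python
from collections import defaultdict, deque

# Constructed configuration (not RuntimeGuard's schema): window, default thresholds,
# per-host overrides and per-host mode. A file server legitimately writes far more
# than a web server, so it gets a higher file_write_burst threshold.
WINDOW_MS = 10_000
DEFAULT_THRESHOLDS = {"file_write_burst": 50, "rename_storm": 20}
HOST_THRESHOLDS = {"file-server-01": {"file_write_burst": 400}}
HOST_MODE = {"prod-server-01": "enforcing", "web-01": "learning",
             "file-server-01": "enforcing"}
RULE_FOR_OP = {"write": "file_write_burst", "rename": "rename_storm"}


def threshold(host, rule):
    """Per-host override if configured, otherwise the default for the rule."""
    return HOST_THRESHOLDS.get(host, {}).get(rule, DEFAULT_THRESHOLDS[rule])


class BurstDetector:
    def __init__(self):
        self.windows = defaultdict(deque)  # (host, pid, rule) -> event timestamps (ms)
        self.fired = set()                 # one incident per (host, pid, rule)
        self.incidents = []                # enforcing mode: alert goes out
        self.would_have_fired = []         # learning mode: surfaced for tuning only

    def observe(self, ts_ms, host, pid, comm, op):
        rule = RULE_FOR_OP.get(op)
        if rule is None:
            return None
        key = (host, pid, rule)
        q = self.windows[key]
        q.append(ts_ms)
        while ts_ms - q[0] > WINDOW_MS:     # drop events that left the sliding window
            q.popleft()
        if len(q) < threshold(host, rule) or key in self.fired:
            return None
        self.fired.add(key)
        # Constructed score: the faster the threshold was reached, the higher the score.
        score = 50 + 50 * (WINDOW_MS - (ts_ms - q[0])) // WINDOW_MS
        incident = {"rule": rule, "host": host, "pid": pid, "comm": comm,
                    "score": score, "severity": "HIGH" if score >= 70 else "MEDIUM",
                    "mode": HOST_MODE.get(host, "learning")}
        (self.incidents if incident["mode"] == "enforcing"
         else self.would_have_fired).append(incident)
        return incident


def run_sample():
    """Constructed telemetry: one process per host writing a file every 100 ms."""
    det = BurstDetector()
    stream = [(100 * i, "prod-server-01", 4242, "encryptor", "write") for i in range(60)]
    stream += [(100 * i, "web-01", 910, "logrotate", "write") for i in range(55)]
    stream += [(100 * i, "file-server-01", 77, "rsync", "write") for i in range(60)]
    for ev in sorted(stream):
        det.observe(*ev)
    return det
```

Running `run_sample()` opens one HIGH incident on prod-server-01, lists web-01 under would-have-fired for tuning, and stays silent on the file server whose override absorbs the rsync burst.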