Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1141

Tetragon

What is Tetragon?

Tetragon: An eBPF-based Kubernetes runtime security tool from the Cilium project that observes and synchronously enforces policy on processes, files, and network activity.


Tetragon is an open-source runtime security platform that uses eBPF to observe and enforce policies at the kernel level on Kubernetes nodes. Unlike audit-only tools, Tetragon can synchronously block syscalls, kill processes, or override return values — for example, killing a workload that attempts to read /etc/shadow or open an unexpected outbound connection. Policies are expressed as TracingPolicy custom resources. Tetragon was open-sourced by Isovalent (now part of Cisco) and is part of the broader Cilium ecosystem within the CNCF. It complements admission-time controls and image scanning by providing high-fidelity, low-overhead runtime visibility and enforcement that traditional EDR struggles to deliver inside containers.
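The /etc/shadow case described above, written as a namespaced TracingPolicy. This is an added example, not taken from this entry or from the Tetragon project; the policy name, the `payments` namespace and the `app: payment-service` label are assumptions chosen for illustration.

```yaml
# Added example: kill any process in the selected pods that reads /etc/shadow.
# Namespace, label and policy name are assumed values, not from the entry.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicyNamespaced
metadata:
  name: kill-shadow-read            # assumed name
  namespace: payments               # assumed namespace
spec:
  # Limit the policy to the workload's pods; without a selector it
  # applies to every pod in the namespace.
  podSelector:
    matchLabels:
      app: payment-service          # assumed label
  kprobes:
  # LSM hook called on each read/write of an already opened file.
  - call: "security_file_permission"
    syscall: false
    args:
    - index: 0
      type: "file"                  # struct file *, resolved to a path
    - index: 1
      type: "int"                   # access mask: 4 = MAY_READ, 2 = MAY_WRITE
    selectors:
    - matchArgs:
      - index: 0
        operator: "Equal"
        values:
        - "/etc/shadow"
      - index: 1
        operator: "Equal"
        values:
        - "4"                       # reads only
      matchActions:
      # Enforcement happens in the kernel at the hook. Removing
      # matchActions leaves the policy observe-only, which is a useful
      # first rollout step before turning on the kill.
      - action: Sigkill
```

Because the hook fires at read time, the open itself succeeds and the process is killed on its first read of the file.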

Examples

  1. A TracingPolicy that kills any process executing curl from inside a payment-service pod.

  2. Observing every file write under /var/log across thousands of nodes via eBPF.

Frequently asked questions

What is Tetragon?

An eBPF-based Kubernetes runtime security tool from the Cilium project that observes and synchronously enforces policy on processes, files, and network activity. It belongs to the Cloud Security category of cybersecurity.

How do you defend against Tetragon?

Defences for Tetragon typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Tetragon?

Common alternative names include: Cilium Tetragon.
