Tracee uses the latest eBPF technology to observe system activity directly from the operating system kernel. With full coverage of Linux system calls, complemented by an additional set of custom security events, Tracee provides high-quality, accurate results.
Tracee has used eBPF since its inception and collects 330 syscalls (and other non-syscall events) right out of the box. Unlike solutions built on kernel modules, eBPF is safe and fast. Tracee also uses cutting-edge eBPF features to prevent evasion by attackers.