Tetragon is an eBPF-based security observability and runtime enforcement tool, part of the Cilium project, which originated at Isovalent and is hosted by the CNCF. It instruments the Linux kernel directly to observe process execution, file access, network activity, and capability changes, and it can synchronously kill or block an offending process from within the kernel before the syscall returns.
The key difference from auditd or user-space agents is that Tetragon attaches eBPF programs to kernel hooks (kprobes, tracepoints, LSM hooks, uprobes) and evaluates policies in kernel space. A TracingPolicy CRD describes which kernel events to match, which selectors to apply (by binary path, namespace, pod label, argument value, or capability), and what action to take: log, produce a Tetragon event, or SIGKILL the process. Because enforcement also happens in the kernel, before the syscall returns, there is no time-of-check/time-of-use gap between detection and action; that gap is a chronic weakness of observers that detect in eBPF but react from user space.
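The following TracingPolicy is an added example, not taken from the page or from the Tetragon project's own manifests, showing how the selectors and actions described above fit together. It hooks the kernel's `fd_install` function (the point at which an opened file descriptor is installed in a process), restricts matching to containers (mount namespace other than the host's) running pods labelled `app: payments-api` in the `payments` namespace, and applies two selectors: any open of `/etc/shadow` by a binary other than `/usr/bin/passwd` is killed, while any other open under `/etc/` is only reported as an event. The policy name, namespace, pod label, and binary path are constructed for the example; the field names follow the `cilium.io/v1alpha1` TracingPolicy schema.

```yaml
# Added example: a namespaced TracingPolicy. The name, namespace, label and
# binary allow-list below are constructed values, not from the page.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicyNamespaced
metadata:
  name: shadow-file-guard        # constructed name
  namespace: payments            # policy applies only to pods in this namespace
spec:
  podSelector:                   # pod-label selector (constructed label)
    matchLabels:
      app: payments-api
  kprobes:
  - call: "fd_install"           # kernel function, not a syscall
    syscall: false
    args:
    - index: 0
      type: "int"                # the new fd number
    - index: 1
      type: "file"               # struct file *, resolved to a path by Tetragon
    selectors:
    # Selector 1 (most specific, listed first): reads of /etc/shadow by anything
    # except passwd are killed in-kernel before the open returns to user space.
    - matchArgs:
      - index: 1
        operator: "Prefix"
        values:
        - "/etc/shadow"
      matchBinaries:
      - operator: "NotIn"
        values:
        - "/usr/bin/passwd"      # constructed allow-list entry
      matchNamespaces:
      - namespace: Mnt
        operator: NotIn
        values:
        - "host_ns"              # skip processes in the host mount namespace
      matchActions:
      - action: Sigkill
    # Selector 2: any other open under /etc/ is observed only; Post emits a
    # process_kprobe event with pod, container and binary metadata attached.
    - matchArgs:
      - index: 1
        operator: "Prefix"
        values:
        - "/etc/"
      matchNamespaces:
      - namespace: Mnt
        operator: NotIn
        values:
        - "host_ns"
      matchActions:
      - action: Post
```

Apply it with `kubectl apply -f` like any other CRD; because `kind` is `TracingPolicyNamespaced`, the policy is scoped to the `payments` namespace rather than the whole cluster. Putting the `Sigkill` selector first matters: selectors are evaluated in order and the first one that matches decides the action, so the broad `Post` selector must not shadow the narrow enforcement rule.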
Tetragon automatically correlates kernel events with Kubernetes metadata (pod, namespace, container image, labels) and exports JSON events for consumption by SIEMs, Grafana, or Falco-compatible pipelines. It is commonly deployed alongside Cilium as the runtime-security layer in cloud-native environments.