Kernel Security

eBPF and Kernel Security

Kernel hooks, syscall-level detection, firmware checks, correlation rules, Sigma translation, anomaly detection, and production lessons.

22 articles in this hub
Kernel Security

eBPF for Security: Listening to Your Kernel in Real Time

How six programs running deep inside Linux detect privilege escalation, block malware, and drop malicious packets instantly.

11 min read
Kernel Security

22 Kernel Hooks: How Inner Warden Detects Full Kill Chains in eBPF

From 7 monitors to 22. Container escapes, hidden malware, and rootkits: three real attack scenarios detected deep in the system, with smart noise filtering.

10 min read
eBPF Security

Reverse Shell Detection at the Syscall Level

How to detect remote access attacks by tracking system behavior instead of pattern matching. Impossible to evade via obfuscation.

8 min read
Threat Detection

How Inner Warden Catches Obfuscated Reverse Shells (Tree-Sitter AST, Not Regex)

Why regex fails for obfuscated commands like hex-encoded payloads, base64 pipelines, and Python reverse shells. How tree-sitter AST analysis detects them structurally.

8 min read
Detection Engineering

208 Sigma Rules on eBPF: Bridging Community Detection to Kernel Telemetry

How we imported 208 community detection rules and adapted them for real-time kernel monitoring. Rewrites, false positive fixes, and practical results.

14 min read
eBPF

Aya, eBPF, Rust: Lessons From Shipping 40 Hooks to Production

Real lessons from running 40 eBPF hooks (tracepoints, kprobes, LSM, XDP). #![no_std], CO-RE/BTF, ring buffer with epoll, common verifier failures, debugging.

10 min read
Network Security

Detecting Cobalt Strike by its TLS Handshake

Deep dive on JA3/JA4 TLS fingerprinting in pure Rust with AF_PACKET. 10 known malicious hashes, GREASE filtering, and how to add custom fingerprints.

10 min read
Detection Engineering

Cross-Layer Correlation: Connecting Firmware to Userspace

47 rules correlating events across Ring -2 firmware, Ring 0 kernel, userspace, network, and honeypot layers. How to detect multi-stage attacks that no single product can see.

12 min read
Detection Engineering

The 46 Correlations: What a Full-Stack Security Agent Can See

All 69 cross-layer correlation rules. Firmware chains, network chains, execution chains, post-compromise patterns. Each with attack scenario and time window.

15 min read
Firmware Security

Firmware Integrity Monitoring: Catching Bootkits Before They Load

Secure Boot, TPM, ESP hashing, UEFI variable tracking, ACPI table scanning, and boot timing anomalies. Six checks that catch BlackLotus, LoJax, and MosaicRegressor before the OS loads.

9 min read
Research

How We Detect Rootkits With CPU Timing (No Kernel Module Needed)

Using CPU timing analysis to find hidden rootkits without any kernel module. Based on published security research with 98.7% accuracy.

11 min read
Anomaly Detection

Zero-Day Detection via Baseline Learning

7 days of training, then anomaly detection without rules. Process lineage anomalies, silence detection, login time deviations, and unknown network destinations.

8 min read
Machine Learning

Building an Autoencoder That Learns What Normal Looks Like on Your Server

Why we abandoned our previous AI model and built a tiny, fast anomaly detector in Rust. It learns what normal looks like on your server and catches anything unusual.

10 min read
Detection Engineering

False Positives Are a Feature Problem, Not a Tuning Problem

130 Telegram alerts overnight. 62% were false positives. How we fixed each one by understanding what normal looks like, not by tuning thresholds. Six real examples with code.

12 min read
Detection Theory

Signature vs Behavioral Detection in 2026

Sigma + YARA + IDS rules vs heuristics vs baseline learning. Honest trade-offs, why a layered approach wins, and how the autoencoder + Sigma + correlation engine layer up.

8 min read
Vision

InnerWarden: The Self-Defending Server

From the deepest hardware layer to user applications, in one Rust binary. 40 monitors, 82 detectors, 69 correlation rules, behavior learning, mesh network. The full picture.

7 min read
Competitive Analysis

Why CrowdStrike Can't See Your Firmware

What Inner Warden sees that nobody else does: deep hardware monitoring, firmware threats, and hidden attacks. A factual gap analysis.

9 min read
Validation

We Ran MITRE Caldera Against Our Own Product. Here's What We Found.

5 rounds of adversary emulation with Caldera v5.3.0. From 36% detection to 67% of testable techniques. The argv truncation fix, 15+ false positive cleanups, and why "mapped" does not mean "detected".

14 min read
Tutorial

Your First Inner Warden Detector in 50 Lines

Walk through writing a custom detector for `wget | sh` patterns. File location, the trait, registration, unit test, validation via make replay-qa.

9 min read
Kubernetes

Kubernetes Node Security with Inner Warden

Control-plane observability is mature; node-level eBPF detection still has gaps. Inner Warden as a DaemonSet, container escape detectors, mesh broadcast for fleet-wide blocking.

8 min read
Threat Behavior

The First 60 Seconds After an Attacker Gets Shell Access

Real-world walkthrough of what attackers do in the first minute. Each step mapped to MITRE ATT&CK and what eBPF + behavioral detection sees vs what log-only tools miss.

8 min read
Threat Intelligence

Behavioral DNA: Fingerprinting Attackers Without IP Addresses

How behavioral DNA identifies campaigns across IPs using SHA-256 hashing of attack patterns and union-find clustering. 47 IPs, 8 countries, one botnet.

9 min read