Research

Security research

Name: Inner Warden
Author: Inner Warden

Technical papers from the Inner Warden project. Every detection technique we ship is grounded in research. We publish our findings so the community can review, critique, and build on them.

Maicon Ribeiro EstevesMarch 2026Production-validated

Stateless Kill Chain Detection via Bitwise Syscall Correlation in eBPF

We present a novel technique for detecting multi-stage attack chains entirely within the Linux kernel, using eBPF programs and Linux Security Modules (LSM). Eight generic patterns are detected and blocked without CVE signatures, rule databases, or userspace processing. All eight patterns validated on a production server with zero false positives.

eBPFLSMkill chainsyscall correlationbehavioral detectionzero-day

Read paper