Elkeid is an open-source security and intrusion-detection platform designed to cover a wide variety of deployment contexts, from bare-metal hosts to containers, Kubernetes clusters, and even serverless environments. It grew out of ByteDance's internal security best practices and offers community users a subset of its enterprise-grade capabilities. Elkeid combines kernel-level data collection, user-space agents, and runtime instrumentation (RASP) to detect malicious behavior, file anomalies, runtime exploits, and suspicious container activity. For container and cloud-native workloads it also collects Kubernetes audit logs and correlates events across process, network, and file activity to detect security threats. The platform packages data collection, event streaming, and a rule/event engine (called "HUB") that lets users define detection rules, alerts, baseline checks, and policy enforcement.
Features
- Kernel-level data collection for hosts and containers (processes, file I/O, network, system calls)
- Runtime Application Self-Protection (RASP) for instrumenting live applications (supports multiple languages/runtimes)
- Host intrusion detection and static malware / file-integrity scanning (e.g. via YARA scanning)
- Kubernetes/K8s audit-log collection and container-aware intrusion detection, for cloud-native workloads
- Rule/event engine (HUB) that lets users define custom detection rules and alerting workflows
- Agent-server architecture with centralized management, agent control, and event aggregation for scalable deployment