Cilium Tetragon is a flexible Kubernetes-aware security observability and runtime enforcement tool that applies policy and filtering directly with eBPF, allowing for reduced observation overhead, tracking of any process, and real-time enforcement of policies. We will walk through some attack scenarios in Kubernetes and show how Tetragon’s eBPF-powered security observability can be used to observe and retroactively detect these attacks.