Garnet observes system activity at runtime across CI runners, clusters, and agent environments. Every kernel event becomes a behavioral signal.

Behavioral Runtime Monitoring

Stage       Description                                             Example
Event       Kernel-level signal (e.g., process or network action)   python opened /etc/shadow
Detection   Matches a behavioral rule (policy)                      Rule: Reverse Shell Spawn
Incident    Elevated detection needing response                     Blocked connection to attacker-c2.com

Example Runtime Feed

bash executed /tmp/malware.sh
node changed permissions on /bin/sudo
python attempted DNS lookup for pool.xmrig.com
curl connecting to attacker-c2.com

The Flow

Security events flow through four stages:

1. Event: Jibril captures a raw system event via eBPF

   {
     "type": "network",
     "process": "python3",
     "destination": "pool.xmrig.com",
     "timestamp": "2024-01-15T10:23:47Z"
   }

2. Detection: the event matches a configured policy rule

   policy "DropDomain" {
     type   = "network"
     match  = domain_in_blocklist()
     action = "block"
   }

3. Incident: the detection is logged and acted upon

   Connection blocked before data transmission

4. Response: automatic action taken and alerts sent

   • Slack notification
   • GitHub PR comment
   • Dashboard incident

Key Metrics

TTD (Time To Detect): how quickly Garnet identifies the threat. Average: 47 seconds.

TTR (Time To Respond): how quickly the threat is blocked. With auto-block: 0 seconds.
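The four-stage flow and the TTD/TTR metrics above, modelled in Python as an added example (this is not Garnet's or Jibril's code): a constructed event feed shaped like the JSON on this page is run through a DropDomain-style network rule and an assumed file-access rule, and each detection becomes an incident carrying its response and time to detect. The blocklist, the file watchlist and the alert channel names are assumptions made for the example.

```python
# Added example, not Garnet's or Jibril's code: a small model of the page's
# Event -> Detection -> Incident -> Response flow over constructed events.
from dataclasses import dataclass
from datetime import datetime
from typing import Callable

BLOCKED_DOMAINS = {"pool.xmrig.com", "attacker-c2.com"}  # constructed blocklist
SENSITIVE_FILES = {"/etc/shadow", "/bin/sudo"}           # constructed watchlist

@dataclass
class Policy:
    name: str
    event_type: str                # kernel event type the rule applies to
    match: Callable[[dict], bool]  # behavioural predicate over the event
    action: str                    # "block" (auto-response) or "alert"

# Stand-ins for the page's `policy "DropDomain"` block plus one file-access rule.
POLICIES = [
    Policy("DropDomain", "network", lambda e: e["destination"] in BLOCKED_DOMAINS, "block"),
    Policy("SensitiveFileAccess", "file", lambda e: e["path"] in SENSITIVE_FILES, "alert"),
]

def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))  # a bare 'Z' needs 3.11+

def detect(event: dict) -> list[dict]:
    """Detection stage: every policy of the event's type whose predicate holds."""
    return [{"rule": p.name, "action": p.action, "event": event}
            for p in POLICIES if p.event_type == event["type"] and p.match(event)]

def respond(detection: dict, detected_at: str) -> dict:
    """Incident + Response: 'block' stops the operation (TTR 0); all incidents alert."""
    e = detection["event"]
    blocked = detection["action"] == "block"
    ttd = (parse_ts(detected_at) - parse_ts(e["timestamp"])).total_seconds()
    return {"rule": detection["rule"], "process": e["process"],
            "target": e.get("destination") or e.get("path"), "blocked": blocked,
            "ttd_seconds": ttd, "ttr_seconds": 0.0 if blocked else None,
            "alerts": ["slack", "github_pr_comment", "dashboard"]}  # assumed channels

def run_pipeline(events: list[dict], detected_at: str) -> list[dict]:
    return [respond(d, detected_at) for ev in events for d in detect(ev)]

# Constructed sample feed (not captured data); the pypi.org connection is benign noise.
SAMPLE_EVENTS = [
    {"type": "network", "process": "python3", "destination": "pool.xmrig.com", "timestamp": "2024-01-15T10:23:47Z"},
    {"type": "file", "process": "python", "path": "/etc/shadow", "timestamp": "2024-01-15T10:23:50Z"},
    {"type": "network", "process": "curl", "destination": "pypi.org", "timestamp": "2024-01-15T10:23:51Z"},
]
```

Calling `run_pipeline(SAMPLE_EVENTS, "2024-01-15T10:24:34Z")` yields two incidents (a blocked miner-pool connection and an alert-only shadow file access) and no incident for the benign lookup.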

Example: Cryptominer Detection

{
  "event_type": "network_connection",
  "process": "xmrig",
  "destination": "pool.xmrig.com",
  "port": 3333,
  "protocol": "tcp"
}
