How Garnet works under the hood.

Components

Jibril Agent

eBPF-based monitoring
  • Runs on every host/node
  • <1% CPU, ~50MB RAM
  • Monitors at kernel level
  • No application changes needed

Garnet Platform

Cloud-based analysis
  • Aggregates from all agents
  • Applies detection rules
  • Manages policies and alerts
  • Provides dashboard and API

Data Flow

1. Jibril captures syscalls via eBPF
2. Filters and enriches data locally
3. Sends events to Platform over HTTPS
4. Platform analyzes and detects threats
5. Alerts sent to configured channels

[Figure: Garnet architecture showing Jibril agents reporting to the Platform]
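The agent side of steps 1 to 3, written out as an added illustration rather than Jibril's own code: an eBPF probe's raw syscall records are filtered down to the few syscalls worth shipping, enriched with the container ID parsed from the cgroup path, and serialised into the metadata-only JSON that crosses the wire, behind a client that refuses anything below TLS 1.3. The record layouts, the syscall-to-event mapping, the cgroup path and the sample events are constructed for the example; Jibril's real record format is not documented on this page.

```go
package main

import (
	"crypto/tls"
	"encoding/json"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// RawEvent is what an eBPF probe hands to user space: syscall, PID, comm, the
// task's cgroup path and the syscall's string arguments. Constructed shape;
// Jibril's real record layout is not documented on this page.
type RawEvent struct {
	Syscall string
	PID     int
	Comm    string
	Cgroup  string
	Args    []string
}

// Event is the metadata-only record that leaves the host: names, paths and
// addresses, never file contents or packet payloads.
type Event struct {
	Kind        string `json:"kind"`
	PID         int    `json:"pid"`
	Comm        string `json:"comm"`
	ContainerID string `json:"container_id,omitempty"`
	Path        string `json:"path,omitempty"`
	Argv        string `json:"argv,omitempty"`
	Dest        string `json:"dest,omitempty"`
}

// Only these syscalls are shipped; read/write/futex noise is dropped on the node.
var forwarded = map[string]string{
	"execve":  "process_exec",
	"connect": "network_connect",
	"openat":  "file_open",
}

// Under docker and kubepods the cgroup path ends in the 64-hex container ID;
// the first 12 characters are the familiar short ID.
var containerIDRe = regexp.MustCompile(`[0-9a-f]{64}`)

func containerID(cgroup string) string {
	if id := containerIDRe.FindString(cgroup); id != "" {
		return id[:12]
	}
	return "" // host process
}

// filterAndEnrich is steps 1 and 2 of the data flow: keep the syscalls of
// interest and attach container and argument context before anything is sent.
func filterAndEnrich(raw []RawEvent) []Event {
	var out []Event
	for _, r := range raw {
		kind, ok := forwarded[r.Syscall]
		if !ok {
			continue
		}
		e := Event{Kind: kind, PID: r.PID, Comm: r.Comm, ContainerID: containerID(r.Cgroup)}
		if len(r.Args) > 0 {
			switch kind {
			case "process_exec":
				e.Path, e.Argv = r.Args[0], strings.Join(r.Args, " ")
			case "file_open":
				e.Path = r.Args[0]
			case "network_connect":
				e.Dest = r.Args[0]
			}
		}
		out = append(out, e)
	}
	return out
}

// newClient is the step-3 transport: it refuses anything below TLS 1.3,
// matching the page's in-transit guarantee, so a downgraded connection fails
// instead of carrying telemetry.
func newClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS13},
	}}
}

func main() {
	cg := "/kubepods/burstable/pod-1/" + strings.Repeat("a", 64) // constructed cgroup path
	raw := []RawEvent{ // constructed probe output
		{"read", 4242, "nginx", cg, nil},
		{"execve", 4243, "sh", cg, []string{"/bin/sh", "-c", "id"}},
		{"connect", 4243, "sh", cg, []string{"203.0.113.9:4444"}},
		{"openat", 4243, "sh", cg, []string{"/etc/shadow"}},
	}
	events := filterAndEnrich(raw)
	body, _ := json.Marshal(events) // the HTTPS POST body; newClient() would carry it
	fmt.Printf("kept %d of %d raw events\n%s\n", len(events), len(raw), body)
	_ = newClient()
}
```

The filter is where the "<10KB/s" uplink comes from: the read call from nginx never leaves the node, and the open of /etc/shadow is reported as a path, not as the file's contents.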

Detection Engine

Behavioral Analysis

Garnet uses machine learning and behavioral analysis to detect threats:
  • Process execution patterns - Identifies malicious processes
  • Network communication analysis - Detects C2 and exfiltration
  • File system monitoring - Catches ransomware and data theft
  • Container runtime security - Detects container breakout attempts

Real-time Processing

  • Event correlation - Links related security events
  • Threat intelligence - Compares against known IOCs
  • Custom rules - User-defined detection logic
  • False positive reduction - ML-powered noise filtering
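What "event correlation", "threat intelligence" and "custom rules" amount to in practice, as an added example over constructed telemetry (not Garnet's detection code): every rule is a function over one process's events in time order, the IOC rule matches destinations against a list, and the correlation rule ties a shell spawned by a web server to the outbound connection that follows it, which no IOC list would catch. The event schema, the IOC list and the sample events are assumed for the example; the repeat suppression in detect is plain deduplication, not the ML-based filtering the page describes.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Obs is one enriched event as the Platform receives it (constructed schema, not Garnet's).
type Obs struct {
	TS    int    // seconds on a constructed clock
	Kind  string // process_exec | network_connect
	PID   int
	Comm  string // process name
	PComm string // parent process name
	Dest  string // host:port for network_connect
}

type Alert struct {
	Rule string
	PID  int
	Why  string
}

// Rule is the shape of every detection, built-in or user-defined: it sees one
// process's events in time order and returns zero or more alerts.
type Rule func(pid int, window []Obs) []Alert

// iocMatch is the threat-intelligence check: a connection to a listed host fires.
func iocMatch(iocs map[string]bool) Rule {
	return func(pid int, window []Obs) []Alert {
		var out []Alert
		for _, o := range window {
			if host, _, _ := strings.Cut(o.Dest, ":"); o.Kind == "network_connect" && iocs[host] {
				out = append(out, Alert{"ioc_match", pid, "connect to listed host " + o.Dest})
			}
		}
		return out
	}
}

var shells = map[string]bool{"sh": true, "bash": true, "dash": true}
var servers = map[string]bool{"nginx": true, "httpd": true, "java": true, "node": true}

// shellThenConnect correlates two event kinds: a shell spawned by a
// network-facing service that opens an outbound connection within 30 s.
// Neither is notable alone; together they are the webshell / reverse-shell pattern.
func shellThenConnect(pid int, window []Obs) []Alert {
	execTS := -1
	for _, o := range window {
		switch {
		case o.Kind == "process_exec" && shells[o.Comm] && servers[o.PComm]:
			execTS = o.TS
		case o.Kind == "network_connect" && execTS >= 0 && o.TS-execTS <= 30:
			return []Alert{{"shell_then_connect", pid, fmt.Sprintf("%s spawned by a web server connected to %s %ds after exec", o.Comm, o.Dest, o.TS-execTS)}}
		}
	}
	return nil
}

// detect groups events per process, runs every rule over each window and
// suppresses repeats of the same (rule, pid), so a beaconing process yields one
// alert, not one per connection. Plain deduplication, not the page's ML filtering.
func detect(events []Obs, rules []Rule) []Alert {
	byPID := map[int][]Obs{}
	for _, o := range events {
		byPID[o.PID] = append(byPID[o.PID], o)
	}
	var alerts []Alert
	seen := map[string]bool{}
	for pid, window := range byPID {
		sort.Slice(window, func(i, j int) bool { return window[i].TS < window[j].TS })
		for _, rule := range rules {
			for _, a := range rule(pid, window) {
				if key := fmt.Sprintf("%s/%d", a.Rule, a.PID); !seen[key] {
					seen[key], alerts = true, append(alerts, a)
				}
			}
		}
	}
	sort.SliceStable(alerts, func(i, j int) bool { return alerts[i].PID < alerts[j].PID })
	return alerts
}

// sampleEvents is constructed telemetry: a reverse shell out of nginx, a cron
// job beaconing twice to a listed host, and an ordinary ssh session.
func sampleEvents() []Obs {
	return []Obs{
		{10, "process_exec", 101, "sh", "nginx", ""},
		{12, "network_connect", 101, "sh", "nginx", "203.0.113.9:4444"},
		{20, "network_connect", 200, "curl", "cron", "198.51.100.7:443"},
		{25, "network_connect", 200, "curl", "cron", "198.51.100.7:443"},
		{30, "process_exec", 300, "bash", "sshd", ""},
		{31, "network_connect", 300, "bash", "sshd", "203.0.113.50:22"},
	}
}

func main() {
	rules := []Rule{iocMatch(map[string]bool{"198.51.100.7": true}), shellThenConnect}
	for _, a := range detect(sampleEvents(), rules) {
		fmt.Printf("%-18s pid=%d  %s\n", a.Rule, a.PID, a.Why)
	}
}
```

Two alerts come out: the nginx-spawned shell (pid 101) is caught only by the correlation rule, since 203.0.113.9 is on no list, and the cron beacon (pid 200) produces a single ioc_match despite connecting twice. The bash session under sshd produces nothing, because sshd is not a network-facing service in the rule's sense. A user-defined rule is any further function of the Rule type appended to the slice.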

Security Model

Data Collection

What we collect:
  • Process execution metadata
  • Network connection metadata
  • File access patterns
  • System call information
What we DON’T collect:
  • File contents
  • Network packet payloads
  • Personal data
  • Application data

Encryption & Privacy

  • In transit: TLS 1.3 encryption
  • At rest: AES-256 encryption
  • Access: RBAC with audit logs
  • Compliance: SOC 2, GDPR ready

Scalability

Performance Characteristics

Environment    CPU Impact      Memory Usage   Network
CI/CD          <0.1%           ~30MB          Minimal
Kubernetes     <1% per node    ~50MB          <10KB/s
Production     <1%             ~50MB          <10KB/s

Scaling Limits

  • Agents: Unlimited
  • Events: 1M+ per second
  • Retention: 90 days default
  • API rate: 10K req/hour per agent

High Availability

Agent Resilience

  • Auto-restart on crash
  • Graceful degradation on high load
  • Event buffering during outages
  • Health monitoring and alerting
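How "event buffering during outages" and "graceful degradation on high load" fit together, as an added example (not Jibril's own code): a bounded buffer that evicts the oldest events when full and counts the evictions, a flush that retries with capped exponential backoff while the Platform is unreachable and resets on success, and a simulated three-flush outage to drive it. Buffer size, batch size and the backoff schedule are assumptions for the example; the page does not give Jibril's real values.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Shipper holds events the agent has not yet delivered. The buffer is bounded:
// during a long outage it drops the oldest events and counts them instead of
// growing until the agent is OOM-killed, which is the "graceful degradation"
// the page describes. Constructed for this example; Jibril's real buffer sizes
// and retry policy are not documented on this page.
type Shipper struct {
	send     func(batch []string) error // transport to the Platform
	buf      []string
	capacity int
	batch    int

	Dropped  int           // events discarded because the buffer was full
	Failures int           // consecutive failed flushes
	Backoff  time.Duration // wait before the next attempt
}

func NewShipper(capacity, batch int, send func([]string) error) *Shipper {
	return &Shipper{send: send, capacity: capacity, batch: batch}
}

// Enqueue never blocks the eBPF consumer: when the buffer is full the oldest
// event is evicted, so the most recent activity is what survives.
func (s *Shipper) Enqueue(ev string) {
	if len(s.buf) == s.capacity {
		s.buf, s.Dropped = s.buf[1:], s.Dropped+1
	}
	s.buf = append(s.buf, ev)
}

// Flush sends one batch. On failure the batch stays buffered and the backoff
// doubles; on success the backoff resets so the backlog drains quickly once
// the Platform is reachable again.
func (s *Shipper) Flush() (int, error) {
	if len(s.buf) == 0 {
		return 0, nil
	}
	n := s.batch
	if n > len(s.buf) {
		n = len(s.buf)
	}
	if err := s.send(s.buf[:n]); err != nil {
		s.Failures++
		s.Backoff = nextBackoff(s.Failures)
		return 0, err
	}
	s.buf = s.buf[n:]
	s.Failures, s.Backoff = 0, 0
	return n, nil
}

// nextBackoff is capped exponential backoff: 1s, 2s, 4s, ... up to 5 minutes.
func nextBackoff(failures int) time.Duration {
	d := time.Second
	for i := 1; i < failures && d < 5*time.Minute; i++ {
		d *= 2
	}
	if d > 5*time.Minute {
		d = 5 * time.Minute
	}
	return d
}

func (s *Shipper) Pending() int { return len(s.buf) }

// flakyPlatform simulates an outage: the first downFor sends fail.
func flakyPlatform(downFor int) func([]string) error {
	calls := 0
	return func([]string) error {
		if calls++; calls <= downFor {
			return errors.New("platform unreachable")
		}
		return nil
	}
}

func main() {
	s := NewShipper(100, 25, flakyPlatform(3))
	for i := 0; i < 130; i++ { // 30 more events than the buffer holds
		s.Enqueue(fmt.Sprintf("event-%03d", i))
	}
	for s.Pending() > 0 {
		n, err := s.Flush()
		if err != nil {
			fmt.Printf("flush failed: %v; next attempt in %s\n", err, s.Backoff)
			continue // a real agent would time.Sleep(s.Backoff) here
		}
		fmt.Printf("sent %d, %d pending\n", n, s.Pending())
	}
	fmt.Printf("dropped %d oldest events while buffering\n", s.Dropped)
}
```

The trade-off is explicit: the 30 oldest events are lost rather than the agent's memory budget, and the Dropped counter is what the health monitoring of the previous list should surface, since silent drops are worse than the outage itself.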

Platform Reliability

  • 99.9% uptime SLA
  • Multi-region deployment
  • Automatic failover
  • Data replication across zones

Integration Points

Incoming Data

  • Jibril agents - Primary data source
  • Third-party tools - SIEM integration
  • Custom sources - API ingestion
  • Threat feeds - External intelligence

Outgoing Alerts

  • Dashboard - Real-time UI
  • Webhooks - Custom endpoints
  • Slack/Teams - Chat notifications
  • SIEM - Splunk, Elastic, etc.
  • Email - Alert notifications

Deployment Patterns

GitHub Actions

# Pinning to a full commit SHA instead of the mutable v1 tag is stricter
# supply-chain hygiene for any third-party action, this one included.
- uses: garnetlabs/garnet-action@v1
  env:
    GARNET_API_TOKEN: ${{ secrets.GARNET_API_TOKEN }}
Best for: CI/CD security, supply chain monitoring

Kubernetes DaemonSet

# Assumes the Garnet chart repository has already been added under the name "garnet".
helm install jibril garnet/jibril \
  --namespace garnet-system --create-namespace
Best for: Container security, cluster-wide monitoring

Docker Container

# --pid=host gives the agent visibility into every host process; --privileged
# grants the full capability set (see Technology Stack for the minimum it needs).
docker run -d --name jibril --restart unless-stopped \
  --privileged --pid=host \
  -e GARNET_API_TOKEN="$TOKEN" \
  ghcr.io/garnetlabs/jibril:latest
Best for: Host security, standalone deployments

Technology Stack

Agent (Jibril)

  • Language: Go + eBPF/C
  • Runtime: Linux kernel ≥5.15
  • Privileges: CAP_BPF plus CAP_PERFMON (the first loads the eBPF programs, the second attaches them to tracing hooks), or a privileged container
  • Dependencies: None (static binary)

Platform (Cloud)

  • Infrastructure: Kubernetes on AWS
  • Database: PostgreSQL + TimescaleDB
  • Message Queue: Apache Kafka
  • API: REST + GraphQL
  • Frontend: React + TypeScript
