Performance Impact
In a 5-minute timeframe the user may expect to see:
| Interval | Evals | Impact | Type of environment |
|---|---|---|---|
| 3s | 100 | High | Real-time |
| 6s | 50 | Moderate | High-security |
| 9s | 33 | Moderate | Balanced |
| 15s | 20 | Low | High-traffic |
| 30s | 10 | Low | Resource-constrained |
| 45s | 7 | Minimal | Resource-constrained |
| 60s | 5 | Minimal | Minimal overhead needed |
Each evaluation walks all enabled detection recipes.
Performance Note
Jibril's detection engine is designed to be resource-efficient and performant. While much of its logic could be parallelized, it has parts that are intentionally serialized to ensure that no more than a single CPU core is utilized at any given time, even on high-traffic systems.
Configuration Profiles
Default (Balanced)
```yaml
cadences:
  env-vars: 6
  file-access: 6
  network-peers: 6
  network-flows: 9
```
Best for: Most production environments
- Balanced detection speed and resource usage
- The default configuration for most use cases
Resource-Conscious
```yaml
cadences:
  file-access: 15
  network-peers: 15
  network-flows: 15
  env-vars: 15
```
Best for: Resource-constrained environments
- Minimal CPU impact and still good detection speed
- ~4 evaluations per minute per cadence
- Most detection recipes should not need lower cadences
Mixed Priority
```yaml
cadences:
  env-vars: 15
  file-access: 3
  network-peers: 15
  network-flows: 60
```
Best for: Specific threat models
- Prioritize important detection categories
- Balance resources across different patterns
- Customize based on your risk profile
Important Concepts
Cadences affect:
- CPU usage: lower intervals = higher CPU usage
- System responsiveness: resource competition
- Detection speed: how quickly threats are identified
- Alert latency: time between behavior and detection
- Reaction time: time between detection and a programmed action
Cadences don't affect:
- Policy application: policies are applied synchronously, regardless of the cadence interval
- Detection accuracy: pattern matching precision is not affected
- Data collection: eBPF always monitors continuously, nothing is missed
- Event loss: event generation will still happen, but at a different rate
- Detection types: the same threats are detected regardless of the cadence interval
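To make the trade-off between the profiles and the "affects / doesn't affect" lists concrete, here is a small Python model, added for this page and not Jibril's own code: it reads a `cadences:` block like the ones above with a minimal hand-written parser (a stand-in for a real YAML loader), reproduces the evaluations-per-5-minutes column of the table, and replays constructed event timestamps against a cadence to show that every event is still picked up while detection latency is bounded by the interval. The function names, the parser and the event times are all assumptions of this example.

```python
"""Cadence model: continuous collection, periodic evaluation (added illustration, not Jibril code)."""
from __future__ import annotations
import math

# Cadence names taken from the profiles above; the parser is a stand-in, not Jibril's config loader.
KNOWN_CADENCES = ("env-vars", "file-access", "network-peers", "network-flows")


def parse_cadences(text: str) -> dict[str, int]:
    """Read a 'cadences:' block of 'name: seconds' lines and validate each entry."""
    cadences: dict[str, int] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "cadences:":
            in_block = True
            continue
        if not in_block:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name not in KNOWN_CADENCES:
            raise ValueError(f"unknown cadence {name!r}")
        seconds = int(value)
        if seconds <= 0:
            raise ValueError(f"cadence {name!r} must be a positive number of seconds")
        cadences[name] = seconds
    return cadences


def evaluations_in_window(cadence_s: int, window_s: int = 300) -> int:
    """Evaluations of one cadence inside a window; reproduces the 5-minute table (45s -> 7)."""
    return round(window_s / cadence_s)


def simulate_detection(event_times: list[float], cadence_s: int) -> list[tuple[float, float, float]]:
    """Each event is collected the moment it happens (eBPF never stops watching); the recipe
    that matches it only runs at the next evaluation tick, so latency is bounded by the
    cadence but no event is lost. Returns (event_time, detection_time, latency) per event."""
    results = []
    for t in event_times:
        tick = (math.floor(t / cadence_s) + 1) * cadence_s  # first tick strictly after the event
        results.append((t, float(tick), round(tick - t, 3)))
    return results


if __name__ == "__main__":
    DEFAULT_PROFILE = """
cadences:
  env-vars: 6
  file-access: 6
  network-peers: 6
  network-flows: 9
"""
    cadences = parse_cadences(DEFAULT_PROFILE)
    for name, seconds in cadences.items():
        print(f"{name}: every {seconds}s -> {evaluations_in_window(seconds)} evaluations per 5 min")
    # Constructed event timestamps (seconds since start), not captured data.
    for event_t, detected_t, latency in simulate_detection([1.0, 5.9, 6.0, 13.2], cadences["file-access"]):
        print(f"event at {event_t:5.1f}s detected at {detected_t:5.1f}s (latency {latency}s)")
```

Running it with the default profile shows the 6-second categories being evaluated 50 times in 5 minutes and the 9-second one 33 times, and the replay shows every constructed event reaching a detection tick with latency never above the 6-second cadence; switching `file-access` to 15 as in the resource-conscious profile only stretches those latencies, it never drops an event.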