
Detection Mechanisms

Jibril uses several tightly integrated monitoring mechanisms to deliver full visibility into your system’s behavior. By combining kernel-level instrumentation (eBPF) with contextual analysis of the captured events, it identifies advanced attacks that legacy tools miss.

How It Works

At the core, all mechanisms share these principles:

  • Kernel Monitoring: eBPF programs capture all relevant system activity directly in the kernel.
  • Query-Driven Architecture: eBPF programs write events into kernel maps, and the engine queries those maps on demand instead of being woken for every event. This keeps overhead constant and avoids event loss; since kernel maps have fixed capacity, staying lossless depends on draining them before they fill.
  • Contextual Evaluation: All activity is evaluated in full context (process, file, network, environment), supporting deep correlation and detection accuracy.
  • Efficient & Lightweight: CPU overhead stays low, with predictable memory use.

Core Mechanisms

  • File Access: Tracks all file operations, including tampering and access to sensitive files.
  • Execution: Monitors all program launches, including suspicious directories and privilege escalation.
  • Network Peers: Captures all connections and DNS queries, with domain reputation analysis.
  • Environment Variables: Detects dangerous environment manipulations.

... and others

Detection Flow

  1. Event Collection: eBPF hooks capture system events (files, processes, network, environment) into kernel maps.
  2. Pattern Evaluation: The engine queries the kernel maps, applies detection recipes to the events, and analyzes the relationships between them.
  3. Contextual & Correlated Analysis: Signals from all mechanisms are correlated across process, file, network and environment context, revealing multi-stage attacks that no single mechanism would flag on its own.
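As an added, illustrative example (not Jibril’s own code or recipe format; the event schema, recipe data, process IDs and sample batch are all constructed), the Go program below runs steps 2 and 3 over a batch that stands for what one on-demand query of the kernel maps returns: per-mechanism recipes produce findings, and correlation by process tree, built from the exec events in the same batch, promotes a tree hit by more than one mechanism to a multi-stage alert while a single-mechanism hit stays a plain finding.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a constructed stand-in for one record drained from a kernel map; Target
// is a path, "dns:<name>" or "peer:<ip>:<port>", depending on Mechanism.
type Event struct {
	Mechanism string // "exec", "file" or "net"
	PID, PPID int
	Target    string
}

type Finding struct { // one detection recipe matching one event
	Recipe string
	Event  Event
}

// Constructed recipe data; a real deployment loads these from policy.
var (
	sensitiveFiles = map[string]bool{"/etc/shadow": true, "/etc/sudoers": true}
	badDomains     = map[string]bool{"c2.example": true}
)

// Evaluate applies the per-mechanism recipes to a drained batch (step 2).
func Evaluate(batch []Event) []Finding {
	var out []Finding
	for _, e := range batch {
		switch {
		case e.Mechanism == "exec" && (strings.HasPrefix(e.Target, "/tmp/") || strings.HasPrefix(e.Target, "/dev/shm/")):
			out = append(out, Finding{"exec_from_suspicious_dir", e})
		case e.Mechanism == "file" && sensitiveFiles[e.Target]:
			out = append(out, Finding{"sensitive_file_access", e})
		case e.Mechanism == "net" && badDomains[strings.TrimPrefix(e.Target, "dns:")]:
			out = append(out, Finding{"bad_domain_reputation", e})
		}
	}
	return out
}

// Correlate groups findings by process tree (step 3) and returns, per root PID, the
// set of mechanisms that fired, keeping only roots hit by more than one mechanism.
// Parent links come from exec events in the batch, so a binary launched from /tmp
// and the shell that launched it are scored together, which no single recipe can do.
func Correlate(batch []Event, findings []Finding) map[int]map[string]bool {
	parent := map[int]int{}
	for _, e := range batch {
		if e.Mechanism == "exec" {
			parent[e.PID] = e.PPID
		}
	}
	rootOf := func(pid int) int {
		for i := 0; i < 64; i++ { // climb while the parent was itself observed; cap guards cycles
			pp := parent[pid]
			if _, known := parent[pp]; !known || pp == pid {
				break
			}
			pid = pp
		}
		return pid
	}
	seen := map[int]map[string]bool{}
	for _, f := range findings {
		r := rootOf(f.Event.PID)
		if seen[r] == nil {
			seen[r] = map[string]bool{}
		}
		seen[r][f.Event.Mechanism] = true
	}
	for root, set := range seen {
		if len(set) < 2 {
			delete(seen, root) // a single-mechanism hit stays a plain finding
		}
	}
	return seen
}

// SampleEvents is a constructed batch: bash (1001) launches /tmp/.x/update (1002),
// which resolves a known-bad domain and reads /etc/shadow; an unrelated process
// (1003) reads one sensitive file and otherwise behaves normally.
func SampleEvents() []Event {
	return []Event{
		{"exec", 1001, 1, "/usr/bin/bash"}, {"file", 1001, 1, "/home/user/notes.txt"},
		{"exec", 1002, 1001, "/tmp/.x/update"}, {"net", 1002, 1001, "dns:c2.example"},
		{"file", 1002, 1001, "/etc/shadow"}, {"exec", 1003, 1, "/usr/bin/app"},
		{"file", 1003, 1, "/etc/sudoers"}, {"net", 1003, 1, "peer:93.184.216.34:443"},
	}
}

func main() {
	batch := SampleEvents()
	findings := Evaluate(batch)
	for _, f := range findings {
		fmt.Printf("finding %-25s pid=%d %s\n", f.Recipe, f.Event.PID, f.Event.Target)
	}
	for root, mechs := range Correlate(batch, findings) {
		fmt.Printf("ALERT multi-stage: process tree rooted at pid %d fired %v\n", root, mechs)
	}
}
```

The exec event for pid 1002 is what links it to its parent, so the DNS lookup and the /etc/shadow read made by the /tmp binary are attributed to the shell (1001) that launched it, and that tree alerts with three mechanisms; pid 1003 produces one finding and no alert. The depth cap in rootOf is there because PID reuse or malformed parent data can otherwise make the climb loop.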

Use Cases

  • Advanced Threats: Rootkits, memory-only malware
  • Audit & Compliance: Tamper-proof, complete system records
  • Container Security: Escape detection, K8s runtime protection
  • Threat Hunting: Historical pattern analysis, anomaly detection