Show HN: Jibril – Runtime security monitoring and enforcement for modern infra (garnet.ai)

20 points by garnet ↗ HN
Jibril is a runtime security monitoring and enforcement tool. It introduces a new architecture designed to overcome limitations of previous-generation runtime security tooling and EDRs, which were primarily built for traditional endpoints and long-running containerized workloads.

Jibril introduces an event-less architecture leveraging eBPF to maintain lightweight state maps directly within the kernel. Instead of buffering events, it queries kernel state directly, enabling real-time detection and enforcement with minimal overhead. This approach is especially effective for protecting ephemeral and cloud-native infrastructure against emerging threats that exploit low-level system behaviors.

The new sensor architecture delivers unique benefits: - Simple deployment with out-of-the-box coverage: deploy instantly in any Linux environment using a single binary—no sidecars, kernel modules, or application code changes required. Integrates seamlessly into existing stacks with minimal dev/ops overhead and includes a comprehensive set of MITRE-mapped runtime detections. - Real-time in-kernel detection & enforcement: enforce behavioural policies directly within the kernel in real-time. Features include live kernel-state querying, freezing suspicious processes, detailed process ancestry, and source-level context. - Lightweight footprint: engineered specifically for modern environments, jibril operates with negligible CPU and memory overhead (typically <5%), ensuring performant visibility and response without the perf impact.

This enables modern platform and engineering teams to achieve runtime detection and response at scale, enabling use cases and answering questions such as: - What network calls were made during my GitHub Actions test workflow, and what dependency triggered them? - How can I restrict the python3 process from reading /proc/[pid]/mem to block memory dump attacks in my runner (as seen in the recent tj-actions supply chain attack)? - How can I automatically block malicious DNS resolutions within K8s pods and automatically update cluster firewall rules using managed blocklists (e.g., known cryptomining pools and C2 servers)?

You can try it out for free today at https://jibril.garnet.ai/usage/installation. We’re looking forward to your feedback, questions, and suggestions on what we can improve on and build next!

13 comments

[ 2.6 ms ] story [ 48.0 ms ] thread
Hello everyone! I'm Rafael David Tinoco, the lead developer behind Jibril Runtime Security at Garnet Labs. I'm thrilled to share this exciting journey with you as we launch Jibril, a next-generation runtime security tool designed to revolutionize how we approach Linux security monitoring.

With over 22 years in IT, my career has spanned across industry leaders like AquaSec, Canonical, IBM, Linaro, RedHat, and Sun Microsystems. I've contributed as a core developer to projects such as Tracee (eBPF) and Ubuntu, always driven by my passion for open-source software, kernel development, and security introspection.

I'm passionate about combining deep technical knowledge with innovative approaches to security, and Jibril represents exactly that—a powerful, adaptable solution for modern runtime security challenges.

Feel free to connect, ask questions, or discuss anything related to Runtime Security. I'm excited to engage with the community and continue pushing the boundaries of runtime security together!

Let's secure the future, one kernel at a time!

Rafael Tinoco Jibril Runtime Security @ Garnet Labs Jibril, help us!

Damn, you worked on Tracee AND Ubuntu? Okay, maybe you know how to actually do eBPF right.
Nah, we're just working hard to get something really cool! Cheers!
eBPF is hard to do right. We couldn’t use Falco in production on our kubernetes infrastructure because of that.

I long for a production-ready runtime monitoring tool that can ACTUALLY be used in a blocking mode. Otherwise we’re always too late, and I’ve been burned more than once when dealing with an incident. Damned hackers always seem to come around weekends and holidays.

If you can, please elaborate on what specifically were limitations with Falco?
Intrigued by your "real-time kernel-level enforcement" (like freezing suspicious processes). Sounds powerful, but also risky—how do you prevent false positives from bringing down legitimate workloads? Is there a built-in policy tuning mechanism, or are users expected to rely on predefined MITRE detections as-is?
I agree it’s risky and, IMO, it would be as good as the policy that drives it. Same happens with seccomp, lsm hooks (bpf or apparmor:selinux:smack:tomoyo), nft or netfilter, or any other policy driven mechanism.

Now, the enforcement feature, will never be unanimous (although runtime tools try to provide it). Of course there are straight forward cases like never execute a binary from procfs, or never allow x vídeos.com (that is a no brain automatic enforcement for almost everyone, let’s put this way).

It also depends on what kind of enforcement we talk: we apply synchronous network policies and dynamic ones after DNS answers for example (and that is enforced if the policy says so). This is an action (to something currently going on), different than a re-action (which happens after something has already happened but allows me to enforce a cluster policy, for example). We have synchronous actions (like our network policy update, and, soon, execution and file access policies) and mitigation reactions (try to kill, pause, introspect, etc) jittered from original trigger (search the whole tetragone discussion).

In our case we have actions for the network policy, actions for detections (in some detection methods), reactions to detection events and integration with external tools as detections occur.

To your answer: yes you will be able to define the actions, reactions and drive enforcement for reactions (3rd party integrations for example). For now we are only distributing the network policy and we are about to include more (we just need good feedback on things people want and use cases). We will also be providing soon a way for users to create their detection recipes (but we will probably have a big list of recipes made for the biggest use cases so users don’t have to worry).

Thanks for asking, I do agree with your concern (and I think most of sec people also share the same concern on that).

Thanks for the detailed reply! I see custom policy/assertions on kernel behavior as powerful. As a current osquery user managing a fleet of 10k+ hosts (mostly Linux boxes) I find the query model resonates in terms of ux. We have a set of SQL pipelines that run on top of it at my org. osq works well for monitoring but not detections. So this direction is interesting, I'll forward to my detection eng folks
I'm looking forward to talking them. Let them know we have a free of charge partnering program right now (where they can be design partners for the tool, get integrations and features that attend their needs and support). This is meant for medium/big sized companies with specific needs so we can better shape the tool. Ping me if you have any doubts. Cheers!
kernel state maps vs event buffering is an interesting choice. We've been seeing more in-memory malware in our CI/CD pipelines lately that never touches disk or network - any thoughts on extending this to userspace memory introspection?
Take a look at https://jibril.garnet.ai/readme/theory-behind so you have a better understanding what we are doing. As long as there is 'a resource' and 'an action', we can track it. Full memory (file-backed or not) introspection is tricky due to performance reasons (like checksumming files, picking entire content being read/write to pages, etc). Still, we would be able to do if we wanted (specially considering we can add uprobes on-demand for binaries being executed). Hope that helps.
This looks interesting! I like that it’s a single binary with no sidecars or kernel modules (which really is a barrier for most other products IMO), really makes deployment a lot easier. The eBPF approach sounds efficient, especially if it keeps overhead low. Will be something I’ll keep an eye on for my future projects.