Dedicated Linux Detection

Eliminate coverage gaps in your infrastructure threat model

Detection without limits

Security built for your needs

Eliminate Coverage Gaps

Don’t settle for Windows detection ported over to a completely different operating system.

Enterprise infrastructure requires detection built specifically for Linux that will catch not only the simplest commodity malware or rogue developers, but well-resourced attack campaigns using zero-day exploits, too.

Capsule8’s focus on Linux protection is informed by decades of Linux exploitation experience and ongoing security research. We prevent and detect unwanted activity on enterprise Linux infrastructure, including:

Disabling of native Linux security mechanisms (like SELinux, AppArmor, or SMEP/SMAP)
Interactive shell sessions and remote shells connecting back to attacker machines
Developers debugging in production or directly modifying running containers
Exploitation of memory mismanagement vulnerabilities, ROP, and attempts to execute shellcode
Execution of newly-created files by non-allowlisted programs
Privilege escalation attacks, and abuse of privileged access
Container attacks and escapes that lead to control over hosts
Developers downloading production data, PII, and other sensitive information
Harvesting cloud metadata to impersonate infrastructure
Loading of kernel modules or payloads as persistence mechanisms
Engineers performing “surprise” deployments without going through reviews
Spectre, Meltdown, and other cache side channel attacks
Backdoors, rootkits, and other persistence mechanisms

Read the latest research from Capsule8 Labs

Intrusion Detection without Limits

Capsule8 doesn’t struggle with the detection limitations of traditional Linux auditing solutions or kernel module-based solutions and instead uses stable features like kprobes and perf. Unlike existing solutions, we can detect container-based activity, new file execution, and executed scripts within shells — all of which are essential parts of the modern enterprise threat model. Whether you’re worried about developers debugging in production, attackers exploiting the Linux kernel, or cryptominers in containers, Capsule8 ensures you can spot it.

Our detection is crafted with the threat models of cloud native systems in mind and pinpoints workloads, not just hosts. Capsule8 detects erosion of container isolation boundaries, compromise within the container itself, misuse of cloud metadata to impersonate infrastructure, abuse of orchestrators, and other issues in cloud native systems.

Learn more about how Capsule8 protects cloud native systems

A Team of Experts Supporting You

Your organization needs to keep its enterprise infrastructure safe, but you don’t need to have a team of experts in all things Linux, cloud computing, and containers on staff. Capsule8’s team has decades of experience in exploiting the Linux kernel and attacking Linux-based systems, including backdoors, kernel vulnerabilities, container escapes and more. As a result, we deeply understand what you need to detect to keep your enterprise systems safe.

When unwanted activity occurs, Capsule8 empowers you to quickly track down what happened, what resources were affected, and who was involved. Our alerts expose important system metadata — automatically pulling orchestrator and cloud metadata — to support quick evaluation of events, including process, container, image, pod, node, and custom metadata.

Take a sneak peek at what we detect.

Request a demo or speak with our technical sales team to answer your questions.

Request a demo

Resources

Why IDS is Ineffective for Linux Production Environments

January 25, 2021

EDR for Linux Production Systems

February 4, 2020

Detection for Linux Systems

Eliminate Coverage Gaps

Intrusion Detection without Limits

A Team of Experts Supporting You

Take a sneak peek at what we detect.

Resources