Capsule8 Is Your Linux Protection

Immediately detect unwanted activity in all your Linux infrastructure.

Detect unwanted activity in Linux infrastructure

Eliminate coverage gaps in your infrastructure threat model with dedicated Linux protection

Gain complete prevention, detection, and response without needing to be a Linux expert

Use a security vendor that truly knows Linux, rather than porting over Windows detection

You shouldn’t have to settle for Windows detection and indicators of compromise (IoCs) ported over to a completely different operating system. Enterprise infrastructure requires detection built specifically for Linux that will catch not only the simplest commodity malware or rogue developers, but well-resourced attack campaigns using zero-day exploits, too.

Capsule8’s focus on Linux protection is informed by decades of Linux exploitation experience and ongoing security research. We prevent and detect unwanted activity on enterprise Linux infrastructure, including:

  • Disabling of native Linux security mechanisms (like SELinux, AppArmor, or SMEP/SMAP)
  • Interactive shell sessions and remote shells connecting back to attacker machines
  • Developers debugging in production or directly modifying running containers
  • Exploitation of memory mismanagement vulnerabilities, ROP, and attempts to execute shellcode
  • Execution of newly-created files by non-allowlisted programs
  • Privilege escalation attacks, and abuse of privileged access
  • Container attacks and escapes that lead to control over hosts
  • Developers downloading production data, PII, and other sensitive information
  • Harvesting cloud metadata to impersonate infrastructure
  • Loading of kernel modules or payloads as persistence mechanisms
  • Engineers performing “surprise” deployments without going through reviews
  • Spectre, Meltdown, and other cache side channel attacks
  • Backdoors, rootkits, and other persistence mechanisms

Capsule8 doesn’t struggle with the detection limitations of traditional Linux auditing solutions or kernel module-based solutions, instead using stable features like kprobes and perf. Unlike existing solutions, we can detect container-based activity, new file execution, and executed scripts within shells — all of which are essential parts of the modern enterprise threat model. Whether you’re worried about developers debugging in production, attackers exploiting the Linux kernel, or cryptominers in containers, Capsule8 ensures you can spot it.

Our detection is crafted with the threat models of cloud native systems in mind and pinpoints workloads, not just hosts. Capsule8 detects erosion of container isolation boundaries, compromise within the container itself, misuse of cloud metadata to impersonate infrastructure, abuse of orchestrators, and other issues in cloud-native systems.

Protection parity across your Linux infrastructure.

Your organization needs to keep its enterprise infrastructure safe, without you needing a team of experts in Linux, cloud computing, or containers. Capsule8’s team has decades of experience in exploiting the Linux kernel and attacking Linux-based systems, including backdoors, kernel vulnerabilities, container escapes and more. As a result, we deeply understand what you need to detect to keep your enterprise systems safe.

When unwanted activity occurs, Capsule8 empowers you to quickly track down what happened, what resources were affected, and who was involved. Our alerts expose important system metadata — automatically pulling orchestrator and cloud metadata — to support quick evaluation of events, including process, container, image, pod, node, and custom metadata.

Ops-friendly Architecture

Security built for your existing workflows

Capsule8 is API-first by design. You can ship Capsule8’s alerts to your existing log management tools, like Splunk, ELK, or S3, so your teams can use the tools that are already a part of their workflow. With flexible integration via API, bucket storage, file, webhook, or stdout, you can connect Capsule8 to your existing SIEM, orchestration, cloud storage, ticket management, and incident response tools.

While we know that no one wants to install yet another agent, Capsule8’s agent can be deployed as a package or container image through popular configuration management tools like Chef, Puppet, and Ansible.

Extend your protection with custom policies

Capsule8 gives you the flexibility to extend our Linux protection through policy enforcement, further improving coverage by encoding rules about your environment. Define blocklists or allowlists to restrict which binaries, scripts, or JAR files are allowed to run on your systems. If you need to audit file modifications, Capsule8 allows you to do so immediately, rather than on a periodic basis like existing file monitoring solutions. Or, use Capsule8 to manage privileged user behavior and uphold the integrity of your production systems.

Queryable system telemetry for investigations

To facilitate incident investigation, Capsule8 can archive system telemetry into cloud storage buckets or on premise storage systems. By storing as Apache Parquet, Capsule8’s event data is queryable by popular tools like AWS Athena, GCP Big Query, or Apache Hive, removing the need to deploy or learn new tools. This gives you a scalable security data pipeline with minimal setup and maintenance to help you build or enhance your investigations process.

Ready to modernize your enterprise security?

Request a demo or speak with our technical sales team to answer your questions.

Scroll to Top