
EPISODE · May 12, 2025 · 38 MIN

LotR Episode 3 - Digging into eBPF for Security

from Latio: On the Record · host James Berthoty

Date: May 12, 2025
Guest: Daniel Pacak (Software Engineer, Miggo)
Hosts: James Berthoty, Charrah Hardamon
Topic: Building Real Runtime Security with eBPF

In this episode, we go deep on eBPF and what it actually takes to build reliable, performant runtime detection, beyond the buzzwords. James and Charrah are joined by Daniel Pacak, a longtime engineer in the cloud security space whose work spans Aqua Security, Cycode, RAD Security, and now Miggo. Daniel brings years of firsthand experience building eBPF sensors and walking the line between kernel-level complexity and practical detection coverage.

We open with Daniel’s journey into runtime security, beginning with his early work on Aqua’s Tracee project and continuing through multiple startup roles where he helped shape eBPF-based detection systems. He shares candid insights about the challenges of kernel instrumentation, the tradeoffs of performance versus visibility, and why function-level detection is so difficult but increasingly important.

Key discussion points include:

* Why runtime protection historically underperformed on Linux
* How vendors differ in their approaches to eBPF integration
* The technical realities behind stack unwinding, kernel hooks, and symbolization
* What ADR (and CADR) really means from a backend detection perspective
* Common misconceptions around eBPF and what it can (and can’t) do
* Why the industry lacks a common SDK or standard framework for building sensors
* Practical advice for evaluating vendors’ claims and assessing impact in real-world clusters

Daniel also walks through his thinking on why some tools overload the node with too much local processing, and what a healthier architecture looks like, particularly for teams focused on tuning alerts and scaling reliably.

The episode closes with a reminder that learning eBPF is a long road, but one with real payoffs for engineers interested in modern detection systems. And for security teams trying to figure out if eBPF tooling fits into their environment, Daniel gives straightforward guidance: test it in a real cluster, give it time to run, and measure both what it detects and how it performs.

Follow Daniel’s work on GitHub or LinkedIn. Get full access to Latio Pulse at pulse.latio.tech/subscribe

