aicoolies logo
Elkeid logo
Elkeid logo

Elkeid

Kernel-space host intrusion detection system

open-sourceopen sourceupdated Apr 21, 2026
Visit Website →
Share

Elkeid is ByteDance's open-source HIDS for hosts, containers, Kubernetes, and serverless workloads. Its kernel-level data collection via Kprobe hooks captures process lineage, privilege escalation attempts, file access patterns, and network connections with minimal overhead. Includes an Agent for telemetry, Detector for rule evaluation, Controller for policy management, and a Dashboard for alerts and investigation.

Elkeid addresses fundamental limitations of user-space security monitoring by collecting system telemetry directly from the Linux kernel via Kprobe hooks. The kernel-level driver intercepts system calls and kernel events to capture process execution chains, privilege escalation attempts, file access patterns, and network connections with minimal performance overhead. This vantage point reveals information invisible to user-space agents, enabling detection of sophisticated attacks that manipulate processes, exploit kernel vulnerabilities, or use fileless techniques.

The architecture consists of specialized components working together at scale: the Agent collects kernel telemetry and publishes events to Kafka, the Detector evaluates event streams against configurable security rules, the Controller manages detection policies across endpoints, and the Dashboard provides alerting and investigation interfaces. Supporting infrastructure includes Kafka for high-throughput message streaming, Redis for real-time caching, and MongoDB for event storage. This design enables horizontal scaling across thousands of endpoints while maintaining real-time detection latency.

Deployed at ByteDance's massive infrastructure scale, Elkeid has proven its reliability and performance in one of the world's most demanding computing environments. The system handles diverse workload types including traditional servers, Docker containers, Kubernetes clusters, and serverless functions from a single agent. The open-source Apache 2.0 license enables security teams to customize detection rules, integrate with existing SIEM platforms, and extend the codebase for organization-specific requirements.

Pricing

Free and open source under Apache 2.0

Platforms

Linux kernel + Go agents, scalable via Kafka

Categories

Tags

Use Cases

Alternatives

Related Tools

MCP Context Forge logo

MCP Context Forge

IBM-backed ContextForge gateway for federating MCP, A2A, REST, and gRPC APIs

MCP Context Forge is IBM’s Apache-2.0 ContextForge project for operating a gateway, registry, and proxy across MCP servers, A2A agents, REST APIs, and gRPC services. It centralizes discovery, authentication, policy controls, federation, and observability, with deployment paths through PyPI, Docker, and Kubernetes.

open-sourceOpen Source

MEDUSA

AI-first security scanner for LLM, agent, MCP, and RAG codebases

MEDUSA is an AGPL-3.0 AI-first security scanner from Pantheon Security that checks AI and machine-learning applications, LLM agents, MCP workflows, RAG pipelines, repository-poisoning risks, secrets, and agent-specific compromise patterns.

open-sourceOpen Source
iFixAi logo

iFixAi

Open-source diagnostic for AI operational misalignment

iFixAi is an Apache-2.0 diagnostic tool for scoring AI agents and models against operational-misalignment risks such as hallucination, manipulation, sabotage, sandbagging, and oversight evasion.

open-sourceOpen Source

Inspect AI

UK AI Security Institute framework for LLM safety evaluations

Inspect AI is an MIT-licensed framework from the UK AI Security Institute for running large language model evaluations, including tool use, multi-turn dialogue, model-graded scoring, and reusable evaluation tasks.

open-sourceOpen Source

Presidio

Open-source PII detection and anonymization for AI data flows

Presidio is an MIT-licensed privacy framework for identifying and anonymizing personally identifiable information in text, images, and structured data. It can act as a de-identification layer around LLM prompts, logs, RAG corpora, and customer-data workflows.

open-sourceOpen Source
Mergify logo

Mergify

Merge queue, CI insights, flaky-test controls, and stacked pull requests for GitHub teams

Mergify is a pull request automation platform that keeps main branches green with merge queue batching, merge protections, CI Insights, flaky-test detection, and stacked pull requests. Its Stacks workflow turns commits on one local branch into focused PR chains, helping teams review large AI-generated or feature-heavy changes without losing queue safety.

freemium