Skip to content
>_
SecOps
Log
_
Home
Courses
Learning path
Resources
Topics
Blog
All courses
Runtime & eBPF security
Advanced
5 sections · 15 lessons · ~9h total · 60-question self-test
Start course
01
eBPF & kernel foundations
3 lessons
Test yourself
01
eBPF for runtime security
Sandboxed kernel programs, maps, and the verifier.
35 min
02
LSM & mandatory access control
Where SELinux/AppArmor and BPF-LSM hook in.
30 min
03
Kernel events & enrichment
The syscalls that matter, plus container context.
30 min
02
Kernel hardening & isolation
3 lessons
Test yourself
01
seccomp syscall filtering
RuntimeDefault and custom default-deny profiles.
30 min
02
AppArmor & SELinux
Path-based and label-based container confinement.
35 min
03
Capabilities, namespaces & cgroups
Drop ALL, non-root, and the isolation primitives.
30 min
03
Falco & runtime detection
3 lessons
Test yourself
01
Falco runtime detection
Driver, engine, rules; shells in containers.
35 min
02
Tuning Falco for signal
Scoped exceptions, custom rules, low noise.
30 min
03
Routing & automated response
Falcosidekick, Talon, isolate on critical.
30 min
04
Enforcement: Tetragon & Cilium
3 lessons
Test yourself
01
Tetragon in-kernel enforcement
TracingPolicy and synchronous Sigkill.
35 min
02
Cilium network policy & Hubble
Identity-based L3–L7, default-deny, encryption.
35 min
03
Detect vs enforce, safely
The spectrum and a waved rollout.
30 min
05
Container escapes & IR
3 lessons
Test yourself
01
Container escape paths
Privileged, hostPath, sockets, caps, runtime CVEs.
35 min
02
Detecting escapes at runtime
The behavioral signatures and fast containment.
30 min
03
Runtime incident response
Isolate, preserve, hunt persistence, recover.
35 min
Final exam
Test yourself on everything
60 questions drawn from all 5 sections — every answer explained as you pick.
Start final exam