Tetragon in-kernel enforcement
TracingPolicy and synchronous Sigkill.
Falco detects; Tetragon can detect and enforce. Built on eBPF by the Cilium team, Tetragon adds in-kernel enforcement — synchronously killing a process when a policy matches — which closes the gap between seeing an attack and stopping it.
Observability plus in-kernel enforcement
Tetragon attaches eBPF programs that observe process execution, file access, network activity, and privilege changes with very low overhead, filtering in the kernel so only relevant events reach userspace. Its differentiator is enforcement: a TracingPolicy can specify an action — including SIGKILL — that the kernel applies the instant a matching event occurs, before the operation completes. A userspace detector like Falco reacts after the syscall returns; Tetragon can stop it mid-flight. Policies are Kubernetes CRDs, so enforcement is declarative and version-controlled alongside your other manifests.
apiVersion: cilium.io/v1alpha1kind: TracingPolicymetadata: { name: block-sensitive-read }spec:kprobes:- call: "security_file_permission"syscall: falseselectors:- matchArgs:- index: 0operator: "Equal"values: ["/etc/shadow"]matchActions:- action: Sigkill # kill the process reading /etc/shadow, in-kernel
When to choose enforcement
In-kernel enforcement is powerful precisely because it is synchronous — but that also means a bad policy can kill legitimate processes. Treat it like any enforcement rollout: begin in observation mode (Tetragon as a rich, low-overhead event source feeding your SIEM), identify the truly unambiguous conditions, and enable Sigkill actions in waves with careful validation. Tetragon and Falco are not mutually exclusive — many teams run Tetragon for low-overhead observability and targeted enforcement while keeping Falco’s mature rule ecosystem for broad detection.