Architecture

How RuntimeGuard works.

A technical walkthrough of the eBPF agent, event pipeline, detection engine, and SaaS control plane that powers RuntimeGuard's real-time ransomware detection.

Data pipeline
From kernel to alert in seconds
Runtime events travel through four stages — kernel observation, secure transport, behavioural analysis, and incident response.

eBPF Agent (kernel tracepoints on Linux 5.8+) → Batch API (HTTPS transport with API key auth) → Detection Engine (sliding-window behavioural rules) → Incident Store (timeline, process tree, file list) → Alert (webhook or Slack notification)

System layers
Three distinct layers
RuntimeGuard separates kernel telemetry collection, event processing, and the management control plane into independent layers with clean interfaces.
Layer 1: Kernel layer — eBPF agent

A single eBPF program, loaded into the kernel by a userspace agent process. It hooks kernel tracepoints using CO-RE (Compile Once, Run Everywhere) — no kernel module required, no recompilation for each kernel version. Works on any Linux 5.8+ host with BTF support, whether Ubuntu, RHEL, Debian, or a cloud-provided image. Runtime overhead is 0.3% CPU and 11 MB RSS, measured on a live production host.

Layer 2: Agent layer — event batcher & transport

The Go userspace agent reads from the eBPF ring buffer, enriches events with host metadata, and batches them into compressed HTTPS payloads. Events are delivered to the cloud API endpoint within seconds. The agent is a single statically-linked binary — no dependencies, no package manager required.
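The batching and transport step described above, written out as an added example in Go (this is not RuntimeGuard's own agent code). The batcher flushes on whichever of the 5 s / 25 event limits from the specification table is reached first, and each batch is uploaded as a gzip-compressed JSON POST carrying the X-API-Key header the spec table names. The Event struct, the JSON payload layout, the ingest path and the local httptest stand-in for the cloud endpoint are assumptions, and the API key value is constructed. The stand-in also performs the server-side check a practitioner expects: an upload with the wrong key is rejected before its body is parsed.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"time"
)

// Event carries fields from the telemetry section; the JSON shape is assumed.
type Event struct {
	Type string `json:"type"`
	PID  uint32 `json:"pid"`
}

// Batcher ships a batch on whichever comes first: MaxEvents queued, or MaxAge
// elapsed since the first queued event (5 s / 25 events in the spec table).
type Batcher struct {
	MaxEvents int
	MaxAge    time.Duration
	pending   []Event
	first     time.Time
}

// Add queues ev and returns the batch to ship when a flush is due, else nil.
func (b *Batcher) Add(ev Event, now time.Time) []Event {
	if len(b.pending) == 0 {
		b.first = now
	}
	b.pending = append(b.pending, ev)
	if len(b.pending) < b.MaxEvents && now.Sub(b.first) < b.MaxAge {
		return nil
	}
	out := b.pending
	b.pending = nil
	return out
}

// Send gzips the JSON payload (host metadata plus events, an assumed format)
// and POSTs it with the X-API-Key header over the caller's HTTPS client.
func Send(c *http.Client, url, apiKey, host string, events []Event) (int, error) {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	if err := json.NewEncoder(gz).Encode(map[string]any{"host": host, "events": events}); err != nil {
		return 0, err
	}
	gz.Close() // flushes the gzip trailer into buf; an in-memory writer cannot fail here
	req, err := http.NewRequest(http.MethodPost, url, &buf)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Content-Encoding", "gzip")
	req.Header.Set("X-API-Key", apiKey)
	resp, err := c.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// RoundTrip pushes 30 constructed events through the batcher to a local stand-in
// for the ingest endpoint; it returns the size of each accepted batch and the
// status a wrong key receives. Nothing leaves the host.
func RoundTrip() (sizes []int, badKeyStatus int, err error) {
	const key = "rg_test_constructed_key" // constructed, not a real key
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-API-Key") != key { // authenticate before parsing the body
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		var p struct{ Events []Event } // encoding/json matches "events" case-insensitively
		zr, zerr := gzip.NewReader(r.Body)
		if zerr != nil || json.NewDecoder(zr).Decode(&p) != nil {
			w.WriteHeader(http.StatusBadRequest)
			return
		}
		sizes = append(sizes, len(p.Events))
		w.WriteHeader(http.StatusAccepted)
	}))
	defer srv.Close()
	b := &Batcher{MaxEvents: 25, MaxAge: 5 * time.Second}
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	for i := 0; i < 30 && err == nil; i++ {
		if batch := b.Add(Event{Type: "file_write", PID: 4242}, now); batch != nil {
			_, err = Send(srv.Client(), srv.URL, key, "prod-web-01", batch)
		}
		gap := 100 * time.Millisecond // events 0-24 arrive fast and flush by count after 2.4 s
		if i >= 24 {
			gap = 1500 * time.Millisecond // events 25-29 are slow; the 30th trips the 5 s age limit
		}
		now = now.Add(gap)
	}
	if err == nil {
		badKeyStatus, err = Send(srv.Client(), srv.URL, "wrong-key", "prod-web-01", nil)
	}
	return sizes, badKeyStatus, err
}
```

Calling RoundTrip yields two accepted batches of 25 and 5 events and a 401 for the wrong key. The age limit matters on a quiet host: without it, a handful of events from a short-lived process could sit in the agent until 24 more arrive, which is exactly the delay a burst detector cannot afford; a real agent would run the same age check from a timer as well as on each new event.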

Layer 3: Cloud layer — API, detection, and dashboard

The RuntimeGuard SaaS control plane receives events, runs the detection engine, stores incidents, and serves the management dashboard. Built on Go (backend), PostgreSQL (tenants, incidents), and ClickHouse (event time-series). Multi-tenant with full data isolation between customers and environments.

Kernel telemetry
What the eBPF agent observes
RuntimeGuard attaches to four kernel tracepoints. Every relevant syscall on the host is captured with microsecond precision and zero sampling loss.
process_exec: process execution
Every execve syscall is captured. Process name, full command, parent PID, and UID are recorded. Short-lived processes — common in ransomware chains — are never missed.
Fields: pid, ppid, comm, filename, uid
file_write: file write activity
File writes are observed at openat with O_WRONLY or O_RDWR flags, that is, when a file is opened for writing rather than on each individual write syscall. The path and writing process are correlated so write bursts can be attributed to a specific PID.
Fields: pid, comm, path, flags
file_rename: file rename activity
Both rename and renameat2 syscalls are captured. Ransomware commonly renames files to add an extension (e.g. .locked) as part of the encryption process.
Fields: pid, comm, oldpath, newpath
Detection engine
Sliding-window behavioural rules
RuntimeGuard does not match signatures. Instead, it evaluates the rate of events from each process over a moving time window. A single anomalous action doesn't trigger an alert — a burst does.
[Figure: per-process event timeline for file_write and file_rename. Amber border = active 60-second window · green = event observed · red = threshold exceeded → incident created]

Rule                 Trigger               Window   Threshold   Severity   Score
file_write_burst     file_write events     60 s     ≥ 10        medium     65
file_rename_burst    file_rename events    60 s     ≥ 5         high       80
process_exec_burst   process_exec events   60 s     ≥ 15        high       75
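The three rules above, implemented as an added example in Go (this is not the project's detection engine): state is kept per (rule, PID) as a sliding window holding only the timestamps from the last 60 seconds, an incident is created the first time the count reaches the threshold, and repeats are suppressed until the burst has subsided. The Event and Incident structs, the assumption that events arrive in timestamp order per PID, and the two replayed streams (a slow backup job and a process that writes 12 files and renames 6 of them within two seconds) are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Event: one kernel observation (fields from the telemetry section; the struct is assumed).
type Event struct {
	Type string // "process_exec", "file_write" or "file_rename"
	PID  uint32
	Comm string
	TS   time.Time
}

// Rule: Threshold events of Trigger type from one PID inside a sliding Window.
type Rule struct {
	Name, Trigger, Severity string
	Window                  time.Duration
	Threshold, Score        int
}

// Rules copies the rule table on this page.
var Rules = []Rule{
	{Name: "file_write_burst", Trigger: "file_write", Window: 60 * time.Second, Threshold: 10, Severity: "medium", Score: 65},
	{Name: "file_rename_burst", Trigger: "file_rename", Window: 60 * time.Second, Threshold: 5, Severity: "high", Score: 80},
	{Name: "process_exec_burst", Trigger: "process_exec", Window: 60 * time.Second, Threshold: 15, Severity: "high", Score: 75},
}

// Incident is created the first time a (rule, PID) pair crosses its threshold.
type Incident struct {
	Rule, Comm, Severity string
	PID                  uint32
	Score                int
	At                   time.Time
}

// Engine keeps, per (rule, PID), only the timestamps still inside the window.
type Engine struct {
	rules   []Rule
	windows map[string][]time.Time
	open    map[string]bool // true while a (rule, PID) burst has already been reported
}

func NewEngine(rules []Rule) *Engine {
	return &Engine{rules: rules, windows: map[string][]time.Time{}, open: map[string]bool{}}
}

// Ingest evaluates one event (timestamps assumed non-decreasing per PID) and returns any incidents it creates.
func (e *Engine) Ingest(ev Event) []Incident {
	var out []Incident
	for _, r := range e.rules {
		if r.Trigger != ev.Type {
			continue
		}
		key := fmt.Sprintf("%s/%d", r.Name, ev.PID)
		w, cut := e.windows[key], ev.TS.Add(-r.Window)
		i := 0
		for i < len(w) && !w[i].After(cut) { // expire timestamps that fell out of the window
			i++
		}
		w = append(w[i:], ev.TS)
		e.windows[key] = w
		switch {
		case len(w) >= r.Threshold && !e.open[key]:
			e.open[key] = true // report once per burst, not once per further event
			out = append(out, Incident{Rule: r.Name, Comm: ev.Comm, Severity: r.Severity, PID: ev.PID, Score: r.Score, At: ev.TS})
		case len(w) < r.Threshold:
			e.open[key] = false // burst ended; a new one may be reported later
		}
	}
	return out
}

// Simulate replays two constructed streams: a backup job writing one file every 10 s
// (never a burst) and a process that writes 12 files then renames 6 within 2 s.
func Simulate() []Incident {
	e := NewEngine(Rules)
	base := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	var incidents []Incident
	for i := 0; i < 12; i++ {
		ev := Event{Type: "file_write", PID: 100, Comm: "backup", TS: base.Add(time.Duration(i) * 10 * time.Second)}
		incidents = append(incidents, e.Ingest(ev)...)
	}
	t := base.Add(200 * time.Second)
	for i := 0; i < 18; i++ {
		ev := Event{Type: "file_write", PID: 4242, Comm: "enc", TS: t.Add(time.Duration(i) * 100 * time.Millisecond)}
		if i >= 12 {
			ev.Type = "file_rename" // after the 12 writes, 6 renames
		}
		incidents = append(incidents, e.Ingest(ev)...)
	}
	return incidents
}

func main() { fmt.Printf("%+v\n", Simulate()) }
```

The backup stream never has more than 6 writes inside any 60 s window, so it stays silent; the second process trips file_write_burst on its tenth write and file_rename_burst on its fifth rename, two incidents in total. Keying state by (rule, PID) matches the page's attribution of bursts to a specific PID; keying by comm instead would merge unrelated processes that share a name, and the open flag is what keeps one burst from producing one incident per event.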
Specifications
Technical specifications

Agent

Language: Go 1.22+
eBPF framework: cilium/ebpf (CO-RE)
Minimum kernel: Linux 5.8 + BTF
CPU overhead: < 1% (single core)
Memory footprint: 11 MB RSS
Ring buffer size: 1 MB (configurable)
Batch interval: 5 s / 25 events
Deployment: single binary, no deps

Backend & API

API transport: HTTPS/TLS 1.3
Authentication: API key (X-API-Key)
Rate limit: 100 req/min per key
Event storage: ClickHouse (time-series)
Incident storage: PostgreSQL
Multi-tenancy: full data isolation
Alert delivery: Webhook / Slack JSON
Dashboard: SaaS, browser-based
Deployment
Deploy in under 5 minutes
The agent is a single statically-linked binary. Install it with one command, configure the API key from your dashboard, and it starts sending data immediately.
Example session on your-linux-server:
# 1. Install the agent
$ curl -sSL https://install.runtimeguard.io | sudo bash
→ Downloading runtimeguard-agent v1.0.0...
→ Installing to /usr/local/bin/runtimeguard-agent
✓ Installed

# 2. Start with your API key
$ AGENT_API_KEY=rg_live_... runtimeguard-agent
✓ eBPF program loaded
✓ Connected to api.runtimeguard.io
✓ Monitoring started — host: prod-web-01

Ready to look under the hood?

Read the full documentation or start a free 14-day trial and explore the architecture hands-on.