Elkeid is an open source, multi-workload security platform providing host, container, Kubernetes, and serverless intrusion detection and protection derived from ByteDance's internal best practices.
Elkeid is an open source solution that can meet the security requirements of various workloads, such as hosts, containers and K8s, and serverless environments. It is derived from ByteDance's internal best practices.
Elkeid is designed for enterprises needing comprehensive security across diverse environments including hosts, containers, Kubernetes clusters, and serverless workloads. Security teams and DevOps engineers use Elkeid to detect intrusions, identify malicious behaviors, and automate security policies without disrupting business operations.
Elkeid requires Linux-based environments for agent and driver components and supports multiple container runtimes and programming languages for RASP. The open source community edition includes core capabilities but may lack some advanced features of the full internal ByteDance version. Properly configuring the rule engine and tuning policies is essential to maximize detection accuracy and minimize false positives.
Clone the repository from GitHub: git clone https://github.com/bytedance/Elkeid.git
Build or install Elkeid Agent and Driver components on Linux hosts
Deploy Elkeid RASP probes dynamically into supported runtimes (CPython, Golang, JVM, NodeJS, PHP)
Configure Elkeid Server and Agent Center for centralized management
Set up Elkeid HUB rule engine and load community edition strategies
Integrate Kubernetes audit log collection for K8s environments
Deploy Elkeid Console for monitoring and management
./agent
Start the Elkeid Linux userspace agent responsible for managing plugins and communication with the Elkeid Server.
./driver
Run the Elkeid kernel driver to collect data from the Linux kernel and support container runtime monitoring.
Inject RASP probe dynamically into runtime
Enable runtime application self-protection by injecting probes into CPython, Golang, JVM, NodeJS, or PHP processes without restarting.
Use Elkeid HUB to create and manage security rules
Define and apply custom intrusion detection and risk policies through the rule engine.
Configure Kubernetes audit log collection
Set up Elkeid to collect and analyze Kubernetes audit logs for system-level intrusion detection.