Date: May 12, 2025
Guest: Daniel Pacak (Software Engineer, Miggo)
Hosts: James Berthoty, Charrah Hardamon
Topic: Building Real Runtime Security with eBPF
In this episode, we go deep on eBPF and what it actually takes to build reliable, performant runtime detection, beyond the buzzwords. James and Charrah are joined by Daniel Pacak, a longtime engineer in the cloud security space whose work spans Aqua Security, Cycode, RAD Security, and now Miggo. Daniel brings years of firsthand experience building eBPF sensors and walking the line between kernel-level complexity and practical detection coverage.
We open with Daniel’s journey into runtime security, beginning with his early work on Aqua’s Tracee project and continuing through multiple startup roles where he helped shape eBPF-based detection systems. He shares candid insights about the challenges of kernel instrumentation, the tradeoffs of performance versus visibility, and why function-level detection is so difficult but increasingly important.
Key discussion points include:
Why runtime protection historically underperformed on Linux
How vendors differ in their approaches to eBPF integration
The technical realities behind stack unwinding, kernel hooks, and symbolization
What ADR (Application Detection and Response) and CADR (Cloud Application Detection and Response) really mean from a backend detection perspective
Common misconceptions around eBPF and what it can (and can’t) do
Why the industry lacks a common SDK or standard framework for building sensors
Practical advice for evaluating vendors’ claims and assessing impact in real-world clusters
Daniel also walks through his thinking on why some tools overload the node with too much local processing, and what a healthier architecture looks like, particularly for teams focused on tuning alerts and scaling reliably.
The episode closes with a reminder that learning eBPF is a long road, but one with real payoffs for engineers interested in modern detection systems. And for security teams trying to figure out if eBPF tooling fits into their environment, Daniel gives straightforward guidance: test it in a real cluster, give it time to run, and measure both what it detects and how it performs.