eBPF-Based Container Runtime Detection and Response
RCCE students will learn how modern cloud defenders use eBPF-based telemetry to observe process execution, file access, network behavior, and runtime anomalies inside Linux containers and hosts. They will learn to interpret runtime events, detect suspicious activity, connect observed behavior to threat models, tune detections, and support response actions in dynamic cloud-native environments. The course covers practical scenarios ranging from telemetry collection to detection engineering, investigation, and response, and teaches students to analyze complex systems and reason about attacker behavior in order to defend the organization better. Starting from foundational concepts, the course combines concept explanation, practical demonstration, and hands-on exercises to deliver knowledge applicable to real-world security operations.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing eBPF-Based Container Runtime Detection and Response
- Build detections and response workflows for privilege escalation
- Explain Course Overview fundamentals
- Execute hands-on tasks for what you will learn
- Execute hands-on tasks for the course structure — covering eBPF kernel-level telemetry.
- Execute hands-on tasks for the Extended Berkeley Packet Filter — covering sandboxed programs in the Linux kernel and kernel-level visibility without agents.
- Execute hands-on tasks for "Why eBPF for Security?" — covering sandboxed programs in the Linux kernel.
- Design a scalable privilege management architecture with policy and enforcement
- Deploy JIT/JEA models with time-bound, scoped privileges
- Execute hands-on tasks for XDP / TC — covering kernel hook points.
- Execute hands-on tasks for verifier guarantees — covering no infinite loops (bounded iteration) and verified bytecode compiled to native code.
- Deploy JIT/JEA models with time-bound, scoped privileges, including no infinite loops (bounded iteration) and verified bytecode compiled to native code.
| Module | Title |
|---|---|
| Module 01 | Detection and Response |
| Module 02 | Course Overview |
| Module 03 | What You Will Learn |
| Module 04 | Course Structure |
| Module 05 | Extended Berkeley Packet Filter |
| Module 06 | Why eBPF for Security? |
| Module 07 | eBPF Architecture Deep Dive |
| Module 08 | eBPF Verifier + JIT |
| Module 09 | XDP / TC |
| Module 10 | eBPF Verifier and Safety Model |
| Module 11 | Verifier Guarantees |
| Module 12 | JIT Compilation |
| Module 13 | Container Runtime Architecture |
| Module 14 | Container Runtime |
All hands-on labs run on Rocheston Rose X OS. Students practice eBPF-based container runtime detection and response by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Build detections and response workflows for privilege escalation
- Lab 2: Explain Course Overview fundamentals
- Lab 3: Execute hands-on tasks for what you will learn
- Lab 4: Execute hands-on tasks for the course structure
- Lab 5: Execute hands-on tasks for the Extended Berkeley Packet Filter
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for eBPF-Based Container Runtime Detection and Response, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI