This time I sat down with Rafael David Tinoco, Engineer at Garnet, where he’s developing Jibril — a runtime security engine.
Rafael’s story spans from mainframes and operating system internals to maintaining Tracee at Aqua Security, and now, pushing eBPF to its architectural limits at Garnet. Here’s what we covered:
From CI/CD runtime security to Kubernetes
Jibril started as a project focused on GitHub Actions runtime security, but as users began deploying it in Kubernetes clusters, the transition was natural. After all, GitHub runners are just virtual machines — Kubernetes simply scales that model across nodes.
The context-first vision
From day one, Garnet’s founders had a clear thesis: whoever holds the best context wins. Jibril’s engine was built around this — capturing what’s happening at the system level without caring whether it’s running on GitHub, Kubernetes, or even a toaster.
A new/unique way to process kernel events
Unlike traditional runtime security tools like Falco, Tetragon, or Datadog Agent, Jibril doesn’t stream events from kernel to user space. Instead, it uses an in-kernel data query model — treating eBPF maps like a database.
Rather than flooding user space with raw events, Jibril stores, indexes, and exposes them on-demand through queries. The result: an order of magnitude reduction in CPU and memory usage while maintaining full observability.
Virtual maps and caching
To make this model scale, Rafael built what he calls virtual maps — “maps made of maps” — enabling nested lookups and richer data structures entirely in-kernel.
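A toy model of the query-and-cache idea this post describes, added here as an illustration and not Jibril's own code: a nested dict stands in for a "map of maps", events are aggregated in place instead of streamed, and a userland layer with an assumed refresh interval decides when a query has to re-read the in-kernel store.

```python
"""Toy model of an in-kernel query architecture: events are aggregated in a
nested (virtual) map and userland polls it through a refresh-interval cache.
All names, intervals and sample events are constructed for illustration."""
from collections import defaultdict


class KernelStore:
    """Stands in for eBPF maps: outer key is pid, inner key is event type."""

    def __init__(self):
        self.maps = defaultdict(lambda: defaultdict(int))
        self.reads = 0  # how many times userland crossed into the "kernel"

    def record(self, pid, event):
        # Aggregated in place: nothing is copied out per event.
        self.maps[pid][event] += 1

    def lookup(self, pid):
        self.reads += 1
        return dict(self.maps[pid])


class CachedQuery:
    """Userland layer: repeated queries are served from cache for `interval` ticks."""

    def __init__(self, store, interval):
        self.store, self.interval, self.cache = store, interval, {}

    def query(self, pid, now):
        hit = self.cache.get(pid)
        if hit is None or now - hit[0] >= self.interval:
            hit = (now, self.store.lookup(pid))  # refresh from the kernel
            self.cache[pid] = hit
        return hit[1]


def streaming_transfers(events):
    """A stream-everything design moves one record to userland per event."""
    return len(events)


def simulate(interval, events, queries):
    """Returns (kernel reads performed, query results) for a poll schedule."""
    store = KernelStore()
    for pid, ev in events:
        store.record(pid, ev)
    q = CachedQuery(store, interval)
    results = [q.query(pid, t) for t, pid in queries]
    return store.reads, results


# Constructed workload: 1000 events across two pids, then 100 polls of pid 1.
EVENTS = [(1, "execve"), (1, "connect"), (1, "execve"), (2, "openat")] * 250
QUERIES = [(tick, 1) for tick in range(100)]

if __name__ == "__main__":
    reads, results = simulate(interval=10, events=EVENTS, queries=QUERIES)
    print("streaming transfers:", streaming_transfers(EVENTS))  # 1000
    print("query-model reads  :", reads)                        # 10
    print("pid 1 summary      :", results[-1])
```

Lowering the interval trades kernel reads for fresher data, which is the cadence-versus-performance knob the interview refers to.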
A userland caching layer further optimizes queries, ensuring repeated lookups don’t re-hit the kernel unless necessary. The outcome is a smooth balance between cadence and performance, with tunable refresh intervals depending on workload.
Beyond just detection
Jibril already supports in-kernel enforcement, blocking domains or CIDRs at egress using eBPF — no proxy, no user-space hop.
For broader cluster-wide blocking, it can also hand off to Cilium to enforce network policies, rather than competing with it.
At the end, there’s a short demo of Jibril — aimed at a more technical audience — showcasing the concepts we discussed throughout our conversation.
I’ll leave it at that — this was one of the most technical and insightful discussions I’ve had about eBPF architecture in a while.
Jibril is shaping up to be a fascinating rethink of how we do runtime security — not by streaming data faster, but by rethinking where and how data lives. 🐝