Aqua OpenSource Tracee [1] [2] is comprised of two modules; tracee-ebpf and tracee-rules.

tracee-ebpf is loaded into the kernel and basically "watches" for event providing a stream of security events, whereas tracee-rules contains a limited list of signatures that allows detection.


The commercial Aqua product uses Tracee as the eBPF based technology and engine to trace system activities.

However, the commercial product adds the following:


- Continuous attacks patterns/signatures feeds from Aqua's global Cyber-Center so our customers is always up to date with most recent detections.

The OpenSource application doesn't have this service and the user should create their own signatures for detection.


- A user interface for Incident visualisation and management.


- Auto-collection of forensics information from ephemeral workloads for incident investigation.


- Realtime malware protection for VMs and containers.


- Aqua's realtime hardening controls e.g. drift


To summarise Aqua OpenSource Tracee is an outstanding eBPF technology to trace kernel activity whereas the commercial version provides a full CNDR on top of it.


[1] https://github.com/aquasecurity/tracee

[2] https://www.aquasec.com/products/tracee