Elkeid - Bytedance Cloud Workload Protection Platform

Elkeid is an open source solution that can meet the security requirements of various workloads such as hosts, containers and K8s, and serverless. It is derived from ByteDance's internal best practices.

With the business development of enterprises, the situation of multi-cloud, cloud-native, and coexistence of multiple workloads has become more and more prominent. We hope that there can be a set of solutions that can meet the security requirements under different workloads, so Elkeid was born.


Elkeid has the following key capabilities:

  • Elkeid not only has the traditional HIDS (Host Intrusion Detection System) ability for host layer intrusion detection and malicious file identification, but also can well identify malicious behaviors in containers. The host can meet the anti-intrusion security requirements of the host and the container on it, and the powerful kernel-level data collection capability at the bottom of Elkeid can satisfy the desire of most security analyst for host-level data.

  • For the running business Elkeid has the RASP capability and can be injected into the business process for anti-intrusion protection, not only the operation and maintenance personnel do not need to install another Agent, but also the business does not need to restart.

  • For K8s itself, Elkeid supports collection to K8s Audit Log to perform intrusion detection and risk identification on the K8s system.

  • Elkeid's rule engine Elkeid HUB can also be well linked with external multiple systems.

Ekeid integrates these capabilities into one platform to meet the complex security requirements of different workloads, while also achieving multi-component capability association. What is even more rare is that each component undergoes massive byte-beating. Data and years of combat testing.

Elkeid Community Edition Description

It should be noted that there are differences between the Elkeid open source version and the full version. The current open source capabilities mainly include:

  • All on-device capabilities, that is, on-device data/asset/partial collection capabilities, kernel-state data collection capabilities, RASP probe parts, etc., and are consistent with the internal version of ByteDance;
  • All backend capabilities, namely Agent Center, service discovery, etc., are consistent with the internal version of ByteDance;
  • Provide a community edition rule engine, namely Elkeid HUB, and use it as an example with a small number of strategies;
  • Provides community version of Elkeid Console and some supporting capabilities.

Therefore, it is necessary to have complete anti-intrusion and risk perception capabilities, and it is also necessary to construct policies based on Elkeid HUB and perform secondary processing of the data collected by Elkeid.

Elkeid Architecture

Elkeid Host Ability

  • Elkeid Agent Linux userspace agent,responsible for managing various plugin, communication with Elkeid Server.
  • Elkeid Driver Driver can collect data on Linux Kernel, support container runtime , communication with Elkeid Driver Plugin.
  • Elkeid RASP Support CPython、Golang、JVM、NodeJS、PHP runtime probe, supports dynamic injection into the runtime.
  • Elkeid Agent Plugin List
    • Driver Plugin: Responsible for managing Elkeid Driver, and process the driver data.
    • Collector Plugin: Responsible for the collection of assets/log information on the Linux System, such as user list, crontab, package information, etc.
    • Journal Watcher: Responsible for monitoring systemd logs, currently supports ssh related log collection and reporting.
    • Scanner Plugin: Responsible for static detection of malicious files on the host, currently supports yara.
    • RASP Plugin: Responsible for managing RASP components and processing data collected from RASP.
    • Baseline Plugin: Responsible for detecting baseline risks based on baseline check policies.
  • Elkeid Data Format
  • Elkeid Data Usage Tutorial

Elkeid Backend Ability

  • Elkeid AgentCenter Responsible for communicating with the Agent, collecting Agent data and simply processing it and then summing it into the MQ, is also responsible for the management of the Agent, including Agent upgrade, configuration modification, task distribution, etc.
  • Elkeid ServiceDiscovery Each component in the background needs to register and synchronize service information with the component regularly, so as to ensure that the instances in each service module are visible to each other and facilitate direct communication.
  • Elkeid Manager Responsible for the management of the entire backend, and provide related query and management API.
  • Elkeid Console Elkeid Front-end
  • Elkeid HUB Elkeid HIDS RuleEngine

Elkeid Function List

Ability ListElkeid Community EditionElkeid Enterprise Edition
Linux runtime data collection:white_check_mark::white_check_mark:
RASP probe:white_check_mark::white_check_mark:
K8s Audit Log collection:white_check_mark::white_check_mark:
Agent control plane:white_check_mark::white_check_mark:
Host Status and Details:white_check_mark::white_check_mark:
Extortion bait:ng_man::white_check_mark:
Asset collection:white_check_mark::white_check_mark:
Asset Collection Enhancements:ng_man::white_check_mark:
K8s asset collection:white_check_mark::white_check_mark:
Exposure and Vulnerability Analysis:ng_man::white_check_mark:
Host/Container Basic Intrusion Detectionfew samples:white_check_mark:
Host/Container Behavioral Sequence Intrusion Detection:ng_man::white_check_mark:
RASP Basic Intrusion Detectionfew samples:white_check_mark:
RASP Behavioral Sequence Intrusion Detection:ng_man::white_check_mark:
K8S Basic Intrusion Detectionfew samples:white_check_mark:
K8S Behavioral Sequence Intrusion Detection:ng_man::white_check_mark:
K8S Threat Analysis:ng_man::white_check_mark:
Alarm traceability (behavior traceability):ng_man::white_check_mark:
Alarm traceability (resident traceability):ng_man::white_check_mark:
Alert Whitelist:white_check_mark::white_check_mark:
Multi-alarm aggregation capability:ng_man::white_check_mark:
Threat Repsonse (Process):ng_man::white_check_mark:
Threat Repsonse (Network):ng_man::white_check_mark:
Threat Repsonse (File):ng_man::white_check_mark:
File isolation:ng_man::white_check_mark:
Vulnerability discoveryfew vuln info:white_check_mark:
Vulnerability information hot update:ng_man::white_check_mark:
Baseline checkfew baseline rules:white_check_mark:
Application Vulnerability Hotfix:ng_man::white_check_mark:
Virus scan:white_check_mark::white_check_mark:
User behavior log analysis:ng_man::white_check_mark:
Agent Plugin management:white_check_mark::white_check_mark:
System monitoring:white_check_mark::white_check_mark:
System Management:white_check_mark::white_check_mark:
Windows Support:ng_man::white_check_mark:
Honey pot:ng_man::oncoming_automobile:
Active defense:ng_man::oncoming_automobile:
Cloud virus analysis:ng_man::oncoming_automobile:
File-integrity monitoring:ng_man::oncoming_automobile:

Front-end Display (Community Edition)

Security overview

K8s security alert list

K8s pod list

Host overview

Resource fingerprint

intrusion alert overwiew


Baseline check

Virus scan

Backend hosts monitoring

Backend service monitoring

Console User Guide

Quick Start

Contact us && Cooperation

Lark Group

About Elkeid Enterprise Edition

Elkeid Enterprise Edition supports separate intrusion detection rules(like the HIDS, RASP, K8s) sales, as well as full capacity sales.

If interested in Elkeid Enterprise Edition please contact elkeid@bytedance.com

Elkeid Docs

For more details and latest updates, see Elkeid docs.


  • Elkeid Driver: GPLv2
  • Elkeid RASP: Apache-2.0
  • Elkeid Agent: Apache-2.0
  • Elkeid Server: Apache-2.0
  • Elkeid Console: Elkeid License
  • Elkeid HUB: Elkeid License

Elkeid has joined 404Team 404StarLink 2.0 - Galaxy