DEV Community: Maicon Ribeiro Esteves The latest articles on DEV Community by Maicon Ribeiro Esteves (@maicon_ribeiroesteves_32). https://dev.to/maicon_ribeiroesteves_32 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3923096%2F870e496b-cacb-431b-b463-c27277caad7c.jpg DEV Community: Maicon Ribeiro Esteves https://dev.to/maicon_ribeiroesteves_32 en Inner Warden: A Lightweight Open Source eBPF EDR for Linux that Actually Blocks Attacks Maicon Ribeiro Esteves Sun, 10 May 2026 09:54:20 +0000 https://dev.to/maicon_ribeiroesteves_32/inner-warden-a-lightweight-open-source-ebpf-edr-for-linux-that-actually-blocks-attacks-22fp https://dev.to/maicon_ribeiroesteves_32/inner-warden-a-lightweight-open-source-ebpf-edr-for-linux-that-actually-blocks-attacks-22fp <h1> Inner Warden: an autonomous eBPF security agent that fights back </h1> <p>Most security tools only send alerts. Then someone has to wake up, read logs, and react.</p> <p>Inner Warden does it differently. It detects, decides, and blocks threats in real time, locally on your server, with a tiny footprint of around 29MB.</p> <h2> What it does </h2> <ul> <li>40+ eBPF kernel hooks (tracepoints, kprobes, LSM, XDP)</li> <li>Behavioral DNA tracking for processes and attackers</li> <li>On device anomaly detection with a small autoencoder</li> <li>Cross layer correlation between kernel, userspace, and network</li> <li>Wire speed blocking through XDP</li> <li>Automatic honeypot, JA3/JA4 fingerprinting, Sigma and YARA rules</li> <li>Mesh network between nodes, so when one detects, all the others block</li> <li>Dry run mode is the default, so it is safe to test</li> </ul> <h2> Who is it for </h2> <ul> <li>Self hosters and homelab people</li> <li>Anyone running a Linux server exposed to the internet</li> <li>Developers running AI agents (LangChain, CrewAI, OpenAI tools, and similar)</li> <li>SREs and sysadmins who want autonomous response instead of 3am alerts</li> </ul> <h2> Live demo </h2> <p>You can watch a real server getting attacked right now here:</p> <p><a href="https://www.innerwarden.com/live" rel="noopener noreferrer">https://www.innerwarden.com/live</a></p> <p>There are scripts on the page if you want to try the attacks yourself.</p> <h2> One command install </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-fsSL</span> https://innerwarden.com/install | <span class="nb">sudo </span>bash </code></pre> </div> <p>It starts in dry run mode, so nothing is blocked until you decide.</p> <h2> Links </h2> <ul> <li>GitHub: <a href="https://github.com/InnerWarden/innerwarden" rel="noopener noreferrer">https://github.com/InnerWarden/innerwarden</a> </li> <li>Website: <a href="https://www.innerwarden.com" rel="noopener noreferrer">https://www.innerwarden.com</a> </li> <li>Live attack demo: <a href="https://www.innerwarden.com/live" rel="noopener noreferrer">https://www.innerwarden.com/live</a> </li> </ul> <p>The project is under active development (currently v0.13.1) and I am looking for contributors, specially people with experience in:</p> <ul> <li>Low level Rust and eBPF</li> <li>Detection engineering and red teaming</li> <li>Testing and real world scenarios</li> </ul> <p>If you like Rust, eBPF, cybersecurity, or self hosted infrastructure, I would really love your feedback. Try it, break it, open issues. Every bug report helps a lot.</p> <p>Thanks for reading.</p> rust ebpf cybersecurity opensource