eBPF · Living-off-the-Land · AI agent security · 3 June 2026 · 8 min read

Detecting Living-off-the-Land attacks at the kernel layer with eBPF

LOTL attacks use only legitimate OS syscalls — already whitelisted by EDR. Here is why behavioral sequence analysis at the eBPF layer catches them when everything else misses.

The blind spot no one talks about

Living-off-the-land (LotL) attacks don't bring their own malware. They use the tools already present on the system — curl, bash, ptrace, python. Each syscall is individually legitimate. Each binary is signed, whitelisted, and expected. The attack is invisible to signature-based EDR because there is no signature to match.

For AI agents, this is a critical problem. An LLM-based agent compromised via prompt injection will use the tools it was already granted access to. It will spawn a shell using the interpreter it was already allowed to invoke. The behavior looks legitimate at the individual-syscall level. EDR sees a healthy CI runner.

Why sequence matters, not just presence

The key insight is that LotL attacks are detectable not by the identity of individual syscalls, but by the sequence and relationship between them. A legitimate CI agent's startup sequence looks like:

execve → openat → mmap → read → mmap → read → …

A compromised agent executing a ptrace-based memory scrape introduces a sequence that has never appeared in the baseline:

… → ptrace(ATTACH) → process_vm_readv → sendmsg → …

The syscalls are legal. The sequence is structurally anomalous.
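
The contrast between presence and sequence, as an added example (not code from H7 or from the original article): a bigram model over syscall names, used here as a simplified stand-in for a behavioral baseline. The class name and all traces are constructed for illustration; the baseline deliberately contains ptrace, process_vm_readv and sendmsg individually, so a presence-only check passes while the sequence check flags the scrape.

```python
from collections import Counter

def ngrams(events, n):
    """All windows of n consecutive syscall names, in order."""
    return [tuple(events[i:i + n]) for i in range(len(events) - n + 1)]

class SequenceBaseline:
    """Learns which syscall n-grams a process emits during its baseline window."""

    def __init__(self, n=2):
        self.n = n
        self.names = set()      # individual syscalls seen (presence view)
        self.grams = Counter()  # ordered n-grams seen (sequence view)

    def learn(self, trace):
        # Learn one trace at a time so windows never span two unrelated traces.
        self.names.update(trace)
        self.grams.update(ngrams(trace, self.n))

    def unknown_syscalls(self, events):
        """Presence-only check: syscall names never seen in the baseline."""
        return sorted(set(events) - self.names)

    def unseen_sequences(self, events):
        """Sequence check: (position, n-gram) for windows absent from the baseline."""
        return [(i, g) for i, g in enumerate(ngrams(events, self.n))
                if g not in self.grams]

    def divergence(self, events):
        """Fraction of windows in this batch that the baseline never produced."""
        windows = ngrams(events, self.n)
        return len(self.unseen_sequences(events)) / len(windows) if windows else 0.0

# Constructed sample traces (assumptions, not captured from a real system).
BASELINE_TRACES = [
    ["execve", "openat", "mmap", "read", "mmap", "read", "close"],  # startup
    ["connect", "sendmsg", "recvmsg", "close"],                     # status report
    ["ptrace", "wait4", "process_vm_readv", "wait4", "ptrace"],     # test under debugger
]
BENIGN_BATCH = ["openat", "mmap", "read", "mmap", "read", "close"]
SCRAPE_BATCH = ["read", "mmap", "read", "ptrace", "process_vm_readv", "sendmsg"]

def build_baseline():
    baseline = SequenceBaseline(n=2)
    for trace in BASELINE_TRACES:
        baseline.learn(trace)
    return baseline

if __name__ == "__main__":
    b = build_baseline()
    for label, batch in (("benign", BENIGN_BATCH), ("scrape", SCRAPE_BATCH)):
        print(label, b.unknown_syscalls(batch), b.divergence(batch), b.unseen_sequences(batch))
```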

How eBPF makes this observable

eBPF programs attach at the kernel level — specifically at sched_switch, sys_enter_execve, sys_enter_connect, and sys_enter_sendmsg hooks. Unlike userspace agents or kernel modules, an eBPF program cannot be evaded by a compromised process; the process cannot observe that it is being watched, and it cannot instruct the kernel to stop reporting its own syscalls.

The probe collects the raw kernel event stream. A behavioral fingerprint — a model of the agent's expected scheduling event distribution and process-causal graph — is built during a 30-second baseline window at process startup. From that point, every batch of kernel events is compared against the baseline.

What the detection looks like in practice

When H7 detects the ptrace(ATTACH) → process_vm_readv sequence in the April 2026 CI/CD compromise scenario, the timeline is:

  • 03:14:22.001 — baseline established for agent-ci-runner-49
  • 03:14:29.441 — behavioral divergence measure crosses the detection threshold; unexpected ptrace sequence flagged
  • 03:14:29.443 — LIVING_OFF_THE_LAND alert raised; operator notified
  • 03:14:29.451 — signed .cal certificate emitted (Ed25519, offline-verifiable)

Total time from behavioral drift to signed forensic artifact: 10ms. Exfiltration window: 0 bytes.

The forensic artifact

The .cal certificate produced at 03:14:29.451 contains the complete kernel event sequence preceding the alert, the agent identity, a nanosecond-precision timestamp, and an Ed25519 signature that can be verified offline with a single command:

$ make verify
[verify] signature: VALID ✓
[verify] agent: agent-ci-runner-49
[verify] action: ALERT_EMITTED

This certificate satisfies DORA Art. 17 incident reporting requirements as a non-repudiable forensic artifact — not because Pulsaride says so, but because it is cryptographically verifiable by any party with the published public key.

Try it yourself in 10 minutes

The H7 demo kit ships with the attack scripts for this exact scenario. Clone the repo, run make attack-vercel, and watch the detection and certificate emission in real time — no cloud account, no signup required.
