Skill Detail
Capture Linux runtime security events and suspicious behavior for live triage with Tracee
Watch live Linux and container activity through eBPF so you can triage suspicious runtime behavior before it disappears into guesswork.
Security & Verification
Multi-Framework
Published
⭐ 4.5k GitHub stars
INSTALL WITH ANY AGENT
npx skills add agentskillexchange/skills --skill capture-linux-runtime-security-events-and-suspicious-behavior-for-live-triage-with-tracee
Works best when you want a reusable capability, not another fragile one-off prompt.
At a glance
Tools required
Linux host or Kubernetes environment with the required kernel support, Tracee runtime or container image, elevated access to collect eBPF events, and access to the target system or cluster
Install & setup
Install Tracee from the upstream binary, container, Helm chart, or package path documented by the project, confirm the host or cluster meets the kernel and privilege requirements, then run Tracee with the documented event or rule filters for the target environment.
Author
Aqua Security
Publisher
Organization
Last updated
Apr 17, 2026
Quick brief
Use Tracee when an agent needs a live runtime forensics pass on a Linux host or container environment rather than a generic security platform or static scanner. The workflow is bounded: attach Tracee, collect runtime events or detections, filter on suspicious behavior, and inspect what processes, syscalls, or containers are actually doing. Keeping the scope to runtime event capture and triage through Tracee is what separates this skill from a product card for a broader security offering.