◼ Exclusive Investigation ◼ Kernel-Level Runtime Security ◼ eBPF

The Attack Is Already Running.
Your Scanner Is Still Reading Code.

Every exec. Every connect. Every process chain. statool deploys a kernel-level observer using eBPF — zero performance overhead, no agents inside your containers, no code changes. It watches what your processes do, not what your source code says. Real-time event monitoring, AI-powered security insights, process chain analysis, risk scoring, and CI/CD behavioral fingerprinting — all in one runtime intelligence platform.

By The statool Research Unit · eBPF Division · Runtime Intelligence · 05:42 UTC

0msdetection overhead — eBPF kernel probes

100%syscall visibility, no in-process agent

73%of breaches enter via the build stage

AInarrative insight, not just raw alerts

∞language & framework agnostic

◼ Platform Capabilities ◼

⚡

Real-Time Event Stream

Every execve() and connect() syscall captured the moment it fires — not sampled, not delayed. The live feed shows process name, PID, binary path, destination IP, port, and timestamp with sub-millisecond precision. No agent inside your containers. The kernel does the work.

🔗

Process Chain Analysis

Every process carries its full ancestry. npm → bash → curl connecting to an unknown IP is not just a curl event — it is a compromised dependency executing a shell. The full chain surfaces on every event, alert, and anomaly report. Attackers cannot hide their parentage from the kernel.

⚠

Risk Scoring & Alert Rules

A built-in rule engine scores every event: NONE, LOW, MEDIUM, HIGH. Rules fire on reverse shells (bash -i >& /dev/tcp/…), crypto miners, suspicious binary names, and known-bad IPs. High-severity events surface immediately in the dashboard risk feed — no rules to write.

🧠

AI Security Insights

Rule engines produce lists. statool produces narratives. The AI layer reads connection spikes, unusual process chains, CI/CD anomalies, and high-risk detections — then writes a plain-English security briefing an on-call engineer can act on immediately. Powered by OpenAI; works without it too.

🔬

CI/CD Behavioral Fingerprinting

Record the complete behavioral signature of a known-good build — every binary run, every outbound connection. Promote it as your baseline. A malicious postInstall hook connecting to a new IP is caught the moment the connect() syscall fires, before a single byte is exfiltrated.

📡

Hostname & Context Enrichment

Raw IPs are not enough. statool resolves every destination via reverse DNS, reads /proc/<pid>/cmdline and /proc/<pid>/exe for full command-line and binary path context. Per-process statistics track connection counts, exec counts, first/last seen, and highest risk — all in one view.

◼ The Intelligence Briefing ◼

Incident Report

"npm install" Connected To a Server In Belarus. Nobody Noticed For 47 Days.

A typosquatted package — one character off from a popular logging library — sat dormant for weeks. Its postInstall script fired on every CI run, beaconing home with the build machine's hostname, environment variables, and ~/.npmrc contents.

"SAST found nothing. SCA found nothing. The firewall logged it. Nobody read the firewall logs." — Anonymous CISO, Fortune 500

The attack lived entirely in the runtime — in the syscalls made during installation. A kernel-level observer would have flagged the new outbound connect() in under a millisecond, before the first byte was sent.

XZ Utils: Backdoor Planted Over Two Years

A patient contributor earned trust over 24 months before slipping a backdoor into the build system's test harness. The payload only activated when specific environment variables — present in CI but not dev machines — were set. Pure runtime. Invisible to static analysis.

◼ CASE FILE // INSIDER THREAT // OSS SUPPLY CHAIN

VERIFIED

AI Intelligence Layer

The Machine Reads The Pattern. You Read The Briefing.

statool's AI layer reads context: which processes spiked, which connections are new, whether CI/CD anomalies correlate with alert rules, and how current state compares to baseline. Then it writes a single paragraph an operator can act on immediately.

## AI Security Briefing — statool agent

ALERT: Build 'pr-4821' — 2 anomalies detected.

'npm' established an outbound connection to

185.220.101.47:4444 — not in baseline fingerprint

and not a known npm registry. Concurrently,

'wget' executed for the first time in this pipeline,

spawned by 'node' via a postInstall hook.

Recommend: quarantine build artifacts, review

dependency tree for 'evil-logger' package.

Insights are tiered: alert for CI/CD anomalies with new connections, warning for exec-only deviations and connection spikes, info for clean builds. Alert-level insights are always prepended to the top of the feed so the critical signal is never buried.

Codecov: Bash Script Harvests 29,000 CI Environments

A single compromised script, injected into a widely-used coverage reporter, sent every CI environment variable — AWS keys, GitHub tokens, Slack webhooks — to an attacker-controlled server before a developer noticed an extra curl in the build log.

◼ CASE FILE // CREDENTIAL THEFT // CI RUNNER

GLOBAL

Runtime Visibility

The Full Picture: Syscall To Risk Score In One View.

# Live event stream — statool dashboard

NONE exec node /usr/bin/node

NONE exec npm /usr/bin/npm

NONE conn npm → registry.npmjs.org:443

LOW exec bash /bin/bash ← npm→bash

HIGH exec wget /usr/bin/wget ← npm→bash→wget

HIGH conn wget → 185.220.101.47:4444

⚠ ALERT: Reverse shell pattern detected

Chain: npm → bash → wget → C2

statool fires on process chain patterns, not just individual commands. A wget spawned by node via a bash intermediary is a fundamentally different signal from a user running wget in a terminal. statool sees the difference because the kernel sees the difference.

Risk levels — NONE, LOW, MEDIUM, HIGH — are computed per-event using a policy engine that evaluates binary name, spawn chain, destination IP, and port. Per-process statistics track connection counts, exec counts, first/last seen, and highest risk ever observed.

◼ CI/CD Pipeline Security ◼

Behavioral Fingerprinting

Your Build Has A Behavioral Signature.
An Attacker Cannot Forge It.

A fingerprint is the complete set of (process, destination) pairs from a known-good build. It captures exactly what binaries ran and where they connected. The attacker may control your dependency tree — but they do not control your baseline. Any deviation is an anomaly. The build fails. The alert fires.

SolarWinds: The Build That Shipped A Backdoor To 18,000 Customers

Attackers inserted malicious code after all source reviews were complete. The resulting binary was digitally signed and distributed globally. No SAST, no SCA, no container scan caught it. A runtime observer watching the build's outbound connections would have.

◼ CASE FILE // BUILD CHAIN COMPROMISE // NATION STATE

CONFIRMED

Attacks that bypass static analysis do so because they occur at runtime. They execute code that was never in your repository. They connect to servers that were never in your allowlist. The only defense is runtime observation — and the only tamper-proof vantage point is the kernel.

Pipeline Integration

Three API Calls. Any Pipeline. Any Language.

No agents in your containers. No Dockerfiles to change. No SDK to import. Works with Jenkins, GitHub Actions, GitLab CI, CircleCI, Buildkite — anything that can run curl.

# Before your build

$ ID=$(curl -sf -X POST $STATOOL/pipeline/sessions \

-d '{"name":"build-$BUILD_NUMBER"}' | jq -r .id)

# Your build runs unchanged

$ npm ci && npm run build && npm test

# After your build

$ curl -X POST $STATOOL/pipeline/sessions/$ID/stop

$ N=$(curl $STATOOL/pipeline/sessions/$ID | jq .anomaly_count)

$ [ "$N" -eq 0 ] || exit 1

Run one good build
statool records every exec and connect syscall. This becomes the behavioral baseline — the fingerprint of a clean build.
Promote the fingerprint
One API call locks the baseline. Every future build is compared against it in real time at the kernel level.
Deviations fail the build
New binary? New outbound connection? Unknown IP? The build is flagged before it can exfiltrate data or persist to disk.
Anomalies surface in insights
Every CI/CD anomaly is automatically promoted to the AI insights feed with full process chain, hostname, and command-line context.

◼ What Bypasses Your Current Stack ◼

Supply Chain

The postInstall Hook: Most Dangerous Five Bytes In Software

npm, pip, gem, cargo — every package ecosystem provides a mechanism for running arbitrary code at install time. It is the most powerful and least-scrutinised surface in modern software. SAST never sees it. SCA only knows about known-bad packages. statool instruments it at the kernel level. There is no hooking the hook.

Evasion

Legitimate Domains As Cover: The New C2 Playbook

Modern attackers use Cloudflare Workers, AWS Lambda URLs, and GitHub Gists as command-and-control proxies. Every domain is legitimate. Every certificate is valid. Every URL filter passes it. statool does not care about domain reputation — it watches whether the connection was in the baseline. If it was not, the build fails.

Defense

Behavioral Defense: The Only Control That Catches What The Code Doesn't Show

A behavioral fingerprint cannot be forged without matching it exactly. The attacker would need their malicious build to connect to exactly the same servers, run exactly the same binaries — at which point the attack achieves nothing. statool makes the baseline the security control.

Watch Your First Build. Free.

Deploy in under 5 minutes. No kernel modules. No code changes to your pipeline.
Self-hosted. Jenkins, GitHub Actions, GitLab CI, CircleCI — all supported.

No spam. No sales calls. Early access programme — limited capacity.

The Attack Is Already Running.Your Scanner Is Still Reading Code.