Capsule8 Docs
Capsule8 Docs

Welcome to Capsule8 Docs!

First time?

If you’re using Capsule8 for the first time, read below for a high-level overview of Capsule8 Protect.

Capsule8 is an enterprise Linux protection solution, providing detection and resilience for Linux infrastructure in any environment. We use kprobes and perf to collect system telemetry via distributed agents, which allows us to find and stop attacks and other unwanted activity on Linux systems.

Capsule8 is deployed as a lightweight security detection and response agent that is installed on every Linux server you want to protect. You can deploy it wherever you have Linux – in public or private cloud, containers or VMs, on-prem bare metal, and across different kernel versions and Linux distributions.

With Capsule8 you can:

  • Monitor and detect unwanted security events across your enterprise Linux systems
  • Integrate the Capsule8 agent (“sensor”) with your existing logging and alerting infrastructure
  • Create custom rule sets (“detections”) for detection and response

Overview of components


A lightweight agent installed on Linux hosts, collecting events from the hosts to trigger alert generation or automated response


Sets of detection/response rules that monitor specified resources for a certain set of abnormal activity or conditions


The output of detection policies, notifying when systems behaviors violate the specified policy


Capsule8’s optional web interface for sensor configuration, system analytics, and alert output.