Capsule8 Docs
Capsule8 Docs



The sensor is a lightweight agent installed on your hosts. It collects events from your host to analyze. Our sensor is an autonomous system that does everything in a single binary, including telemetry collection, analytics, automated response, and more.


If you haven’t already, enable the Linux debug subsystem, which we use to instrument kernel and userspace events. Newer kernels have it enabled by default. To enable the debug subsystem, use the following command:

sudo mount -t debugfs nodev /sys/kernel/debug


The sensor can be installed on many different platforms directly on the host. Most systems have a one-line install option.

If you do not see your desired platform or distribution below, please contact your Capsule8 representative.

Recommended minimum hardware specs
  • CPU: 64-bit 1.0 GHz
  • RAM: 256MB

Data Collection

The Capsule8 sensor collects many different data types by default.

  • Container lifecycle
  • File opens
  • Kernel function calls
  • Network activity
  • Process lifecycle
  • Raw system calls

Sensor Architecture

The sensor collects host telemetry through a kprobe event monitor. We use perf, an instrumentation tool within the Linux kernel, to extract kprobe events. The sensor includes a telemetry service via a grpc server to receive telemetry events.

Leveraging this telemetry, the Capsule8 sensor adds detection, integration, and investigation capabilities.

Component Description
Analytics A detection engine that analyzes collected events.
Integrations Integrations allow alerts and metaevents to be exported into third party systems.
Metaevents A “flight recorder” that stores facts about the host for use in investigation.

Sensor Overhead

The Capsule8 sensor is designed to be production-friendly, so we allow you to configure resource usage by the sensor in two ways: