Skip to main content

Introduction

Pulsar is a powerful, blazing fast security observability framework designed specifically to address the challenges of embedded security of Linux devices.

Powered by eBPF and written in Rust, Pulsar is lightweight, safe by design and gives you full access to your devices security.

Architecture

Architecture

At its core, Pulsar is an event-driven framework for monitoring the activity of Linux devices. Pulsar allows you to collect runtime information about the system from the Linux kernel through its modules, enrich and transform this information into events and publish the events on a shared event bus.

Through the Pulsar rules engine, you can write and apply any rule to generate alerts when undesired system behaviour occurs (e.g. accessing certain areas of the filesystem).

Any event that matches one of the rules enforced by the rules engine is known as a threat event.

Features

In general, the information collected by default from the kernel by the Pulsar modules through the eBPF probes can be grouped into 4 distinct categories:

  • File I/O: I/O operations on disk and memory.

  • Network: data from the network stack.

  • Processes: processes information, including file execution and file opening.

  • System Activity: device activity, including system calls.

Pulsar modular design makes it easy to adapt the core architecture to diverse use cases. In fact, if there isn't yet a module that does what you need, you can simply create one yourself and load it; all the events collected by the new module will be available on the event bus for further processing and threat analysis.

Next Steps

If what you've heard so far sounds interesting, check out the Getting Started section of the documentation to start using Pulsar. Or, follow along to dive deeper into the main Concepts behind Pulsar's design.