Skip to content

Tracee Logo >

Before moving on, please consider giving us a star ⭐️ by clicking the button at the top of the GitHub page

Tracee Documentation

👋 Welcome to Tracee Documentation! To help you get around, please notice the different sections at the top global menu:

  • You are currently in the Getting Started section where you can find general information and help with first steps.
  • In the Tutorials section you can find step-by-step guides that help you accomplish specific tasks.
  • In the Docs section you can find the complete reference documentation for all of the different features and settings that Tracee has to offer.
  • In the Contributing section you can find technical developer documentation and contribution guidelines.

Tracee: Runtime Security and Forensics using eBPF

Tracee uses eBPF technology to tap into your system and give you access to hundreds of events that help you understand how your system behaves. In addition to basic observability events about system activity, Tracee adds a collection of sophisticated security events that expose more advanced behavioral patterns. You can also easily add your own events using the popular Rego language. Tracee provides a rich filtering mechanism that allows you to eliminate noise and focus on specific workloads that matter most to you.


You can easily start experimenting with Tracee using the Docker image as follows:

docker run \
  --name tracee --rm -it \
  --pid=host --cgroupns=host --privileged \
  -v /etc/os-release:/etc/os-release-host:ro \

To learn how to install Tracee in a production environment, check out the Kubernetes guide.

Tracee is an Aqua Security open source project.
Learn about our open source work and portfolio Here.
Join the community, and talk to us about any matter in GitHub Discussion or Slack.