Skip to content


The tracee subcommand analyze allows you to execute behavior signatures on past data. For example, you can collect the ptrace event into one node using the following command:

tracee --events=ptrace --output=json:events.json

Then, on another node, you can check if the behavior signature for anti-debugging was triggered using the following command:

tracee analyze --events=anti_debugging events.json

The analyze command can also be used to test new signatures from the collected past data. You can run tracee on a node, collect several events, and based on the collected events, create your behavior signature. Afterward, you can test if the signature would be triggered using the analyze command.