On Windows, eBPF is nearing stability (eBPF for Windows is installed as
a separate driver package rather than shipping in-box), but it is useful
mainly for packet-level control and filtering. The current hooks (XDP
and the socket-address hooks such as bind and connect) work well for
early packet inspection or flow classification, but they do not give
full observability. For process, file and registry telemetry we can rely
on ETW, whose kernel providers for those event classes are mature; an
eBPF-based datapath and an ETW consumer can feed the same user-mode
collector, with events correlated on process ID and connection tuple.
On macOS there is no eBPF equivalent. We can use Apple's Endpoint
Security and Network Extension frameworks. Endpoint Security gives
process and file event visibility; Network Extension covers the flow
side (content filter, DNS proxy and tunnel providers). Both run as
system extensions, require Apple-granted entitlements and notarization
to deploy, and must be approved on the device (by the user or via MDM).
One operational caveat: an Endpoint Security client that does not answer
authorization events within their deadline is terminated by the system,
so the event path has to stay fast. Once approved, they are stable and
production-grade.
Capturing plaintext TLS payloads is difficult on both Windows and
macOS, since encryption happens in user space inside each application's
TLS library; there is no single kernel hook that sees the cleartext. A
stable approach is a TLS-terminating proxy under our management: its
private root CA is pushed into the endpoints' trust stores, it mints a
leaf certificate for each server name a client asks for, and it verifies
the real origin on the client's behalf before relaying the decrypted
traffic. This avoids complex per-platform hooks and remains consistent
across environments. The caveats are the usual ones: applications that
pin certificates or carry their own trust store break or bypass the
proxy, mutual TLS cannot be relayed transparently, and the root CA key
becomes a high-value secret, so decryption should be scoped to the flows
that actually need it.
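As an added illustration of that proxy design (example code written for this note, not code from any product or platform discussed above), the Go program below builds two in-memory CAs: a "managed" interception root that the endpoint trusts, and a stand-in public CA that issued the origin's real certificate. It then wires client, proxy and origin together over in-memory pipes instead of sockets, so it runs offline. The proxy mints a certificate for the SNI the client sends, validates the origin against the public roots itself, and returns the plaintext it relayed. The host name api.example.test, the request line, the CA names and the use of Ed25519 certificates are assumptions made for the demo.

```go
package main

import (
	"bufio"
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue generates an Ed25519 key pair and a certificate for it: a self-signed CA
// when parent is nil, otherwise a server certificate for DNS name `name` signed by parent.
func issue(name string, parent *x509.Certificate, parentKey crypto.PrivateKey) (*x509.Certificate, tls.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, tls.Certificate{}, err }
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 120)) // random serial, as real CAs do
	if err != nil { return nil, tls.Certificate{}, err }
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // CA: may sign certificates and nothing else
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf: usable only to authenticate a TLS server for that one name
		tmpl.DNSNames, tmpl.KeyUsage = []string{name}, x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { return nil, tls.Certificate{}, err }
	cert, err := x509.ParseCertificate(der)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// serveOrigin is the real TLS origin: it answers one request line with one line.
func serveOrigin(conn net.Conn, cert tls.Certificate) {
	defer conn.Close()
	s := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
	if req, err := bufio.NewReader(s).ReadString('\n'); err == nil {
		fmt.Fprintf(s, "200 origin handled %s", req) // req keeps its trailing newline
	}
}

// proxyOne terminates the client's TLS session with a certificate minted for the SNI name,
// opens a separately verified TLS session to the real origin, and returns the relayed plaintext.
func proxyOne(client, origin net.Conn, ca *x509.Certificate, caKey crypto.PrivateKey, originRoots *x509.CertPool) (req, resp string, err error) {
	defer func() { client.Close(); origin.Close() }()
	c := tls.Server(client, &tls.Config{SessionTicketsDisabled: true,
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			_, leaf, err := issue(h.ServerName, ca, caKey) // mint for whatever name the client asked for
			return &leaf, err
		}})
	if req, err = bufio.NewReader(c).ReadString('\n'); err != nil { return }
	// The endpoint can no longer validate the origin itself, so the proxy must: real roots, real name.
	o := tls.Client(origin, &tls.Config{RootCAs: originRoots, ServerName: c.ConnectionState().ServerName})
	if _, err = o.Write([]byte(req)); err != nil { return }
	if resp, err = bufio.NewReader(o).ReadString('\n'); err != nil { return }
	_, err = c.Write([]byte(resp))
	return
}

// intercept wires client -> proxy -> origin over in-memory pipes and returns what the proxy captured.
func intercept(host, line string) (proxyReq, proxyResp, clientGot string, err error) {
	root, rootTLS, err := issue("Managed Interception Root", nil, nil) // distributed to endpoints
	if err != nil { return }
	pub, pubTLS, err := issue("Example Public CA", nil, nil) // stands in for the system trust store
	if err != nil { return }
	_, originCert, err := issue(host, pub, pubTLS.PrivateKey)
	if err != nil { return }
	managed, public := x509.NewCertPool(), x509.NewCertPool()
	managed.AddCert(root)
	public.AddCert(pub)
	clientEnd, proxyClientEnd := net.Pipe()
	proxyOriginEnd, originEnd := net.Pipe()
	go serveOrigin(originEnd, originCert)
	done := make(chan error, 1)
	go func() {
		var perr error
		proxyReq, proxyResp, perr = proxyOne(proxyClientEnd, proxyOriginEnd, root, rootTLS.PrivateKey, public)
		done <- perr
	}()
	// The endpoint trusts the interception root, so the minted certificate verifies for host.
	t := tls.Client(clientEnd, &tls.Config{RootCAs: managed, ServerName: host})
	if _, err = t.Write([]byte(line)); err == nil {
		clientGot, err = bufio.NewReader(t).ReadString('\n')
	}
	clientEnd.Close() // also unblocks the proxy if the client side failed midway
	if perr := <-done; err == nil { err = perr }
	return
}

func main() {
	fmt.Println(intercept("api.example.test", "GET /v1/secret\n"))
}
```

Run it with go run; it prints the captured request, the captured response, the line the client received, and a nil error. Remove the managed root from the client's RootCAs and the client handshake fails with an unknown-authority error, which is the pinned-client failure mode from the paragraph above seen from the other side; remove the public roots from the proxy's origin config (or set InsecureSkipVerify) and you have the unsafe variant, a proxy that accepts any origin on every endpoint's behalf.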
In general, we can add an abstraction layer to hide the platform
complexity. I would need to look deeper at how hard it is, but the
engineering work here is neither very complex nor unachievable.