Benchmarking detection latency across fleet sizes
Kernel-space event capture is notoriously resource-intensive if done incorrectly. Traditionally, agents rely on polling or on heavy user-space daemon parsing, which degrades system performance. We benchmarked AncileBase eBPF capture across fleet sizes ranging from 5 to 100 nodes to verify how latency scales.
In this benchmark, we measured two primary variables: CPU overhead per host and event-to-alert dispatch latency. We simulated continuous heavy workload profiles on every host, including synthetic disk stress, network packet saturation, and rapid process creation loops.
eBPF Ring Buffer Performance
By utilizing eBPF ring buffers directly, AncileBase passes events to user space asynchronously. Even under synthetic disk and network stress tests (generating over 50,000 events per second), CPU consumption remained under 0.3% per host. Latency from event trigger to alert dispatch stayed below 20ms.
eBPF ring buffers solve the multi-CPU contention issues that plagued the older perf buffers. Because the buffer memory is shared directly between the kernel and user space, we bypass costly copying and context-switching overheads, maintaining a steady memory envelope under 20MB.
Scaling to 100 Nodes
As fleets grow, central server processing becomes the bottleneck. By executing event filtering and redaction on-host, AncileBase distributes the workload. The central SaaS aggregator processes alerts in constant time, scaling cleanly up to hundreds of nodes without latency degradation.
Our benchmarks show that the central cloud dashboard can ingest alerts from 100 nodes without queuing. Because verified benign signals are discarded at the local kernel level, the data volume sent to the SaaS dashboard remains extremely low, preventing network congestion.
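To make the two mechanisms above concrete (a ring buffer that drops on the producer side when the consumer falls behind, and on-host filtering and redaction so benign signals never reach the aggregator), here is an added, constructed Python simulation of that pipeline. It is not AncileBase code; the allowlist, the redaction rule and the Event fields are assumptions, and latency is measured the way the benchmark describes: a capture timestamp carried on the event and compared against the clock at dispatch.

```python
"""Constructed simulation of an on-host capture -> filter/redact -> dispatch pipeline.
Not AncileBase code. Allowlist, redaction rule and event fields are assumptions."""
from collections import deque
from dataclasses import dataclass, field
import re
import time

BENIGN_COMMS = {"cron", "sshd", "systemd"}            # assumed local allowlist
SECRET_RE = re.compile(r"(password|token)=\S+", re.I)  # assumed redaction rule

@dataclass
class Event:
    ts_ns: int   # capture timestamp taken at the "kernel" side (monotonic ns)
    host: str
    comm: str
    argv: str

@dataclass
class Pipeline:
    capacity: int = 4096                      # ring buffer slots
    ring: deque = field(default_factory=deque)
    dropped: int = 0                          # producer-side drops when full
    alerts: list = field(default_factory=list)
    latencies_ns: list = field(default_factory=list)

    def capture(self, ev: Event) -> bool:
        """Producer: reserve a slot, or count a drop when the buffer is full."""
        if len(self.ring) >= self.capacity:
            self.dropped += 1
            return False
        self.ring.append(ev)
        return True

    def drain(self) -> int:
        """Consumer: discard benign events locally, redact, dispatch the rest."""
        sent = 0
        while self.ring:
            ev = self.ring.popleft()
            if ev.comm in BENIGN_COMMS:
                continue  # never leaves the host, so it adds no aggregator load
            ev.argv = SECRET_RE.sub(r"\1=<redacted>", ev.argv)
            self.alerts.append(ev)
            self.latencies_ns.append(time.monotonic_ns() - ev.ts_ns)
            sent += 1
        return sent

def p99_ms(latencies_ns: list) -> float:
    """Nearest-rank p99 of event-to-dispatch latency, in milliseconds."""
    s = sorted(latencies_ns)
    return s[int(0.99 * (len(s) - 1))] / 1e6 if s else 0.0
```

Sizing `capacity` against the burst rate is the tuning knob: `dropped` counts exactly the events the benchmark must not lose at 50,000 events per second.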
Distributed Containment and Response
Beyond alerting, scaling a fleet requires immediate containment capability. When a critical signature is flagged on a host, the local agent has the authority to immediately lock the compromised process namespace without waiting for round-trip approval from the SaaS cloud.
This decentralized architecture guarantees that a server can quarantine itself within milliseconds of threat detection, effectively isolating the compromise and preventing lateral movement across the internal VPC.