Telemetry Strategy

Why five rules outperform two hundred

AncileBase Research

Modern enterprise security suites often boast hundreds or thousands of active detection rules. That count provides a comforting sense of broad coverage, but raw telemetry tells a different story. In practice, high-volume rulesets generate excessive false positives, overwhelm engineering teams, and produce alert fatigue. The result is that critical alerts are ignored or the rules behind them are disabled outright, leaving systems exposed to the very exploits they were designed to detect.

At AncileBase, we took a telemetry-first approach and looked at how rules actually perform in the wild. Analyzing anonymized event logs from thousands of Linux servers, we found that 98% of security incidents trace back to just five basic categories of behavior. The remaining 2% are scattered across hundreds of micro-rules, and those micro-rules generate almost all of the noise.

The Cost of Noise

When a security agent flags normal server behavior as suspicious, it triggers a chain reaction of wasted engineering time. Our telemetry shows that fleets running 200+ signatures see a false-positive rate of up to 4.2% per host per day. On a 50-server fleet that works out to roughly two spurious alerts every day, most of which are ignored. Engineering teams start treating security notifications as spam, which creates a dangerous blind spot: the one real alert looks exactly like the noise around it.

Moreover, the compute cost of running complex regex-matching libraries inside a user-space daemon is substantial. Scraper processes continuously poll system logs and read auditd output, consuming CPU cycles and disk I/O on every host. This performance penalty often pushes platform teams to turn logging features off, which defeats the purpose of the security suite.

Hyper-Focusing the Detection Layer

AncileBase focuses exclusively on the five most critical threat vectors: web shell spawns, privilege escalation, SSH brute-force anomalies, unauthorized database queries, and log tampering. By optimizing the logic for these five signatures, we achieve near-zero false positives while retaining high-fidelity coverage of the kill-chain stages an attacker actually has to pass through.

Rather than trying to detect every conceivable style of payload, we focus on behavioral invariants. An attacker can obfuscate a reverse shell payload in a million different ways, but once it executes, the compromised web server ends up with a shell (or an interpreter that then spawns one) as a descendant process, and that parent-child relationship is something a healthy web server never produces. By hooking process lifecycle events directly, we catch the execution itself rather than the static file structure of the payload.

eBPF as the Equalizer

To monitor behavioral invariants without degrading performance, we compile our rules directly into eBPF bytecode. The Linux kernel then evaluates process lifecycle events, file writes, and database network traffic in kernel space, discarding normal events before they ever reach user space.

This design delivers a 99% reduction in user-space event volume. Only events that match an invariant are passed up to the AncileBase user-space daemon, which minimizes CPU usage and keeps total system overhead under 0.3% CPU even under heavy production load.

Designing Actionable Telemetry

An alert is only as good as the context it provides. Traditional security systems dispatch alerts with cryptic severity scores like "Medium Severity - Rule ID 840". This forces engineers to search through documentation just to understand what happened.

AncileBase structures alerts around human-readable process trees and clear event summaries. An engineer receiving an alert will see the exact host, the user context, the parent process lineage (e.g., nginx -> python3 -> sh), and the triggered invariant. This immediate clarity reduces the mean time to resolution from hours to seconds.
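To make the invariant and the alert format concrete, here is an added example that is not AncileBase code: a user-space model of the "web shell spawn" rule run over constructed process-start events. The pid table in the script stands in for the kernel task tree that an eBPF program would walk through the parent pointer; the web server and shell image names, the host name "web-07", the pids and the argv values are all assumed sample data.

```python
# Added example (not AncileBase code). Models the "web shell spawn" invariant:
# a shell whose process lineage passes through a web server. In a real eBPF
# deployment the predicate in _matches() runs in kernel space and everything
# it rejects is dropped there; here a pid table replaces the kernel task tree.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

WEB_SERVERS = {"nginx", "apache2", "httpd", "php-fpm"}  # assumed web server images
SHELLS = {"sh", "bash", "dash", "zsh"}                   # assumed shell images


@dataclass(frozen=True)
class ProcStart:
    """One process-start event as a process lifecycle hook would deliver it."""
    host: str
    pid: int
    ppid: int
    uid: int
    comm: str            # basename of the executed image
    argv: tuple = ()


class WebShellDetector:
    def __init__(self) -> None:
        self._procs: dict[int, ProcStart] = {}  # pid -> start event (no exit tracking)
        self.seen = 0
        self.forwarded = 0

    def _ancestors(self, pid: int) -> list[str]:
        """Walk parent pointers and return the chain oldest-first; stop at unknown pids."""
        chain, visited = [], set()
        while pid in self._procs and pid not in visited:
            visited.add(pid)
            ev = self._procs[pid]
            chain.append(ev.comm)
            pid = ev.ppid
        return chain[::-1]

    @staticmethod
    def _matches(ev: ProcStart, chain: list[str]) -> bool:
        """The invariant itself: the new image is a shell and some ancestor is a web server."""
        return ev.comm in SHELLS and any(p in WEB_SERVERS for p in chain[:-1])

    def handle(self, ev: ProcStart) -> Optional[dict]:
        """Return an alert for events that violate the invariant, None for normal events."""
        self.seen += 1
        self._procs[ev.pid] = ev
        chain = self._ancestors(ev.pid)
        if not self._matches(ev, chain):
            return None  # normal event: discarded before user space sees it
        self.forwarded += 1
        start = next(i for i, p in enumerate(chain) if p in WEB_SERVERS)
        return {
            "host": ev.host,
            "uid": ev.uid,
            "invariant": "web_shell_spawn",
            "lineage": " -> ".join(chain[start:]),  # human-readable process tree
            "argv": " ".join(ev.argv),
        }


# Constructed sample events; hosts, pids and commands are illustrative only.
SAMPLE_EVENTS = [
    ProcStart("web-07", 1, 0, 0, "systemd"),
    ProcStart("web-07", 801, 1, 33, "nginx"),      # worker running as www-data
    ProcStart("web-07", 900, 1, 0, "cron"),
    ProcStart("web-07", 901, 900, 0, "sh", ("sh", "-c", "/usr/sbin/logrotate")),  # benign
    ProcStart("web-07", 950, 1, 33, "php-fpm"),
    ProcStart("web-07", 1200, 801, 33, "python3", ("python3", "/tmp/.x.py")),     # payload runs
    ProcStart("web-07", 1201, 1200, 33, "sh", ("sh", "-i")),                      # shell lands
    ProcStart("web-07", 951, 950, 33, "sh", ("sh", "-c", "id")),                  # PHP web shell
]


def run_sample() -> tuple[list[dict], int, int]:
    """Feed the sample events through the detector; return (alerts, seen, forwarded)."""
    det = WebShellDetector()
    alerts = [a for a in map(det.handle, SAMPLE_EVENTS) if a]
    return alerts, det.seen, det.forwarded


if __name__ == "__main__":
    alerts, seen, forwarded = run_sample()
    print(f"{seen} events observed, {forwarded} forwarded to user space")
    for a in alerts:
        print(f"[{a['host']}] uid={a['uid']} {a['invariant']}: {a['lineage']}  ({a['argv']})")
```

Note what the rule does not fire on: the cron-launched sh and the obfuscated python3 payload itself both pass through silently. The alert only appears when the lineage invariant is violated, and it carries the host, user and lineage (nginx -> python3 -> sh) rather than a rule number.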

Observability in minutes, not days.

Install a single binary to begin capturing security events and receiving real-time alerts.
