Tools·May 28, 2026

Gretl detects server anomalies without rules using eBPF and LanceDB

This review examines Gretl, a security anomaly detection system detailed in a founder's blog post. It covers Gretl's architecture, eBPF-based kernel event capture, and feature hashing for vector representation.

TL;DR

Best for: Organizations seeking to detect novel or previously unknown process-level security anomalies on Linux servers, particularly those with eBPF-compatible kernels, without the overhead of maintaining extensive rule sets.

Skip if: Your infrastructure primarily relies on older Linux kernels (pre-5.8) or non-Linux operating systems, where eBPF is unavailable or requires significant fallback mechanisms. Also skip if you require immediate, real-time alerts for every event.

Bottom line: Gretl offers a technically sound, rule-less approach to security anomaly detection that is promising for modern Linux environments, shifting the paradigm from explicit threat definitions to learned normalcy.

METHODOLOGY

This v0 review draws on the founder's published claims in the dev.to blog post titled "Detecting unusual processes on your servers without writing a single rule," accessed on 2026-05-24. The review covers Gretl's described architecture, its use of eBPF for kernel-level event capture, and the implementation of feature hashing with LanceDB for anomaly detection. We analyzed the provided Rust and JavaScript code snippets to understand the technical approach. This review does not include independent performance benchmarks, long-term workflow integration assessments, or edge-case testing. It also does not cover the system's behavior under heavy load or its false positive/negative rates. Update cadence: Gretl will be re-tested when independent benchmarks become available or when observed behavior diverges from published claims.

WHAT IT DOES

Gretl is presented as a security anomaly detection system designed to learn "normal" server behavior and flag deviations without requiring predefined rules or signatures. It aims to catch novel attacks, unusual deployment patterns, and forgotten rogue processes that traditional rule-based systems might miss. The system operates in two main steps:

Kernel-level event capture with eBPF

Gretl uses eBPF to attach programs to kernel events, specifically the sys_enter_execve tracepoint. This allows the system to capture details for every process execution before it starts running. For each execution, Gretl captures the process name (comm), full command line (argv), parent process name, UID of the calling process, and any active network connections (source/destination IP, port). The eBPF kernel program is written in Rust using the Aya framework. Events are written to a ring buffer and consumed by a userspace agent, which batches and POSTs them to the backend every 60 seconds. For servers running Linux kernel versions 5.8 or newer with BTF enabled, this requires zero instrumentation within containers or application code. For environments without eBPF support, a Node.js agent falls back to reading /proc/<pid>/cmdline and /proc/<pid>/status directly, tracking new PIDs at intervals. This provides process telemetry but sacrifices the real-time kernel hook.

Vector representation using feature hashing

To enable comparison and similarity measurement between diverse process executions, Gretl transforms each raw event into a fixed-length vector using feature hashing. Event fields (process name, parent process, event type, local port, remote port) and the individual command line arguments are turned into tokens. Each token is hashed to a position within a 128-dimensional vector, and a signed contribution is accumulated at that position. The resulting vector is L2-normalized to a unit vector, so cosine distance is well-defined for similarity calculations. This approach is deterministic, requires no external model, and adds no latency to the vectorization process. The blog post illustrates it with a JavaScript function named featureVector.
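The following is an added example, not Gretl's own code from the blog post, covering both steps described above: the /proc fallback parse of an exec event and its feature-hashed unit vector. It assumes FNV-1a as the token hash and takes the parent process name as a parameter (the fallback agent would need a second /proc lookup for it); the network-port tokens are omitted for brevity.

```javascript
// Added example (not Gretl's code): /proc fallback parse plus feature hashing
// into a 128-dim signed vector that is L2-normalised for cosine distance.
const DIM = 128;
// FNV-1a 32-bit: a stable non-cryptographic hash; Gretl's actual hash is not stated.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Fallback path: build an event from the text of /proc/<pid>/status and
// /proc/<pid>/cmdline (NUL-separated). Inputs are constructed strings here.
function parseProcEvent(statusText, cmdlineText) {
  const fields = {};
  for (const line of statusText.split("\n")) {
    const i = line.indexOf(":");
    if (i > 0) fields[line.slice(0, i)] = line.slice(i + 1).trim();
  }
  return {
    comm: fields.Name,
    ppid: Number(fields.PPid),
    uid: Number((fields.Uid || "").split(/\s+/)[0]), // real uid is column one
    argv: cmdlineText.split("\0").filter((s) => s.length > 0),
    type: "exec",
  };
}
// Tokenise the fields, hash each token to a slot, add a +1/-1 contribution
// (sign taken from the hash's top bit), then scale to a unit vector.
function featureVector(ev, parentName) {
  const tokens = [`comm=${ev.comm}`, `parent=${parentName}`, `type=${ev.type}`, `uid=${ev.uid}`];
  for (const arg of ev.argv) tokens.push(`arg=${arg}`);
  const v = new Float64Array(DIM);
  for (const t of tokens) {
    const h = fnv1a(t);
    v[h % DIM] += (h >>> 31) ? -1 : 1;
  }
  const norm = Math.hypot(...v) || 1; // guard the empty-event case
  return v.map((x) => x / norm);
}

// Both inputs are unit vectors, so 1 - dot product is the cosine distance.
function cosineDistance(a, b) {
  let dot = 0;
  for (let i = 0; i < DIM; i++) dot += a[i] * b[i];
  return 1 - dot;
}
```

A detector built on this stores each vector in LanceDB and flags an exec whose nearest stored neighbour is farther than a chosen cosine-distance threshold.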

WHAT'S INTERESTING / WHAT'S NOT

What's interesting about Gretl is its fundamental shift from a reactive, rule-based security model to a proactive, anomaly-detection paradigm. The reliance on eBPF for kernel-level event capture is a strong technical choice, offering low overhead and comprehensive visibility into process execution without requiring modifications to application code or container images. This is a significant advantage over traditional agents that might struggle with containerized or immutable environments. The use of feature hashing for vector representation is also pragmatic. It avoids the complexity and latency of large language models or pre-trained embeddings, providing a deterministic and efficient way to represent structured-text process events for similarity comparison. The explicit mention of a fallback mechanism for non-eBPF kernels demonstrates a practical design consideration for broader applicability, even if it compromises real-time fidelity.

What's not explicitly covered or verifiable in the current signal is the system's performance under various real-world loads. While eBPF is low-overhead, the cumulative effect of capturing every execve event and then processing, vectorizing, and storing it could be substantial in busy environments. The blog post does not detail the specific anomaly detection algorithms applied to these vectors (e.g., clustering, one-class SVM, isolation forests) or how thresholds for

Sources · how we verified
  1. Detecting unusual processes on your servers without writing a single rule

Reported by the Riley desk on Founderr Pulse’s Tools beat. Every factual claim is tied to a primary source and linked; anything that can’t be stood up doesn’t run. Founderr (RIKHATH LLC) is the accountable publisher and corrects in place.