@mjg59 @pluralistic eBPF is a re-implementation of concepts from DTrace to avoid CDDL and not-invented-here syndrome. Windows has DTrace and AMSI. CrowdStrike implemented its own kernel module using those. What you are saying is that someone demanded a higher-quality implementation on Linux, or shipping binary kernel extensions for Linux was too much pain for them.