Zero-overhead, zero-config eBPF process tracer for Linux.
Trace malware behavior, investigate suspicious binaries, and audit container workloads — without strace overhead or the complexity of system-wide EDR daemons.
Launch a command under observation — or attach to an existing process — and see what it actually does at runtime: process lifecycle, file activity, network connections, privilege transitions, and more.
Designed for: security research, malware triage, incident response, and deep debugging. Not designed for: EDR, SIEM, or whole-system tracing.
```bash
go install github.com/Mutasem-mk4/procscope/cmd/procscope@latest
sudo procscope -- ./suspicious-binary
```

Full Installation Guide | Usage & Output Formats
| Category | Events | Details |
|---|---|---|
| Process | exec, fork, exit | Support Matrix |
| Files | open, rename, unlink, chmod | Support Matrix |
| Network | connect, accept, bind, listen | Support Matrix |
| Privileges | setuid, setgid, ptrace | Support Matrix |
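The table above lists the event categories procscope reports. A practical way to check what a given kernel and build actually deliver is to run a small, known workload under the tracer and compare the trace against the operations the workload performed. The script below is a constructed workload added here as an example; it is not part of procscope and does not depend on its output format. It exercises the Process and Files categories (exec, fork, exit; open, rename, unlink, chmod) once each in a directory you choose, so a run such as `sudo procscope -- ./workload.sh run` should show every one of those event types. The Network and Privileges categories are deliberately left out because they need a peer socket or root to trigger meaningfully. Note that `mkdir`, `mv`, `rm` and `chmod` are external commands, so their file events occur in forked children, which is exactly what the "follows forks" behaviour must cover.

```bash
#!/bin/sh
# Constructed tracer-coverage workload (added example, not procscope code).
# Usage under the tracer:  sudo procscope -- ./workload.sh run
# Each Process/Files event from the support table is triggered at least once.

# run_workload DIR: perform one instance of each Process and Files event in DIR.
run_workload() {
    dir=$1
    mkdir -p "$dir" || return 1                         # exec (child), open/mkdir

    # Files: open (create via redirection), rename, unlink, chmod
    printf 'constructed evidence\n' > "$dir/draft.txt"  # open (by this shell)
    mv "$dir/draft.txt" "$dir/evidence.txt"             # rename (in child)
    : > "$dir/scratch.tmp"                              # open
    rm -f "$dir/scratch.tmp"                            # unlink (in child)
    chmod 600 "$dir/evidence.txt"                       # chmod (in child)

    # Process: fork (subshell), exec (PATH lookup of true), exit
    ( exec true )                                       # fork + exec + exit 0
    ( exit 3 ) || :                                     # fork + exit 3, no exec

    printf 'expected in trace: exec fork exit | open rename unlink chmod\n'
    return 0
}

# workload_ok DIR: verify the on-disk state the workload must leave behind,
# so a trace that lacks any of the events can be attributed to the tracer,
# not to the workload silently failing.
workload_ok() {
    dir=$1
    [ -f "$dir/evidence.txt" ] || return 1              # rename landed
    [ ! -e "$dir/draft.txt" ] || return 1               # old name gone
    [ ! -e "$dir/scratch.tmp" ] || return 1             # unlink happened
    find "$dir" -name evidence.txt -perm 600 | grep -q . || return 1  # chmod applied
    return 0
}

if [ "${1:-}" = "run" ]; then
    d=${TMPDIR:-/tmp}/procscope-workload.$$
    run_workload "$d" && workload_ok "$d" && echo "workload ok in $d"
fi
```

Compare the trace against the printed expectation line: an event type that the workload provably performed but that never appears points at a kernel, BTF or capability gap worth checking against the Support Matrix before trusting the tracer on a real sample.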
- Runtime: Go 1.24+
- Observation: eBPF (CO-RE)
- Linux kernel 5.8+ with BTF support.
- Root privileges or specific eBPF capabilities.
- Architectures: amd64, arm64.
See Support Matrix for details.
- Zero Config: No complex policies or yaml files.
- Focused: Automatically follows forks but stays scoped to your target tree.
- Evidence Ready: Generates structured evidence bundles and Markdown reports for IR teams.
- Low Overhead: eBPF-powered observation with minimal performance impact.
Compare with Tracee, Tetragon, and strace
procscope is community-driven. See CONTRIBUTING.md and CODE_OF_CONDUCT.md to get involved.
Developed by Mutasem Kharma (معتصم خرما).
