fusioncore.ai


Stress-Testing Pixie's Adaptive Write

Video: adaptive-write window proof, a live capture of the stress test.

How to write only what matters?

Figure: three-state operator lifecycle (IDLE, ANOMALY, CAPTURED). What the operator does — three states, one operator. Storage cost scales with anomalies, not traffic.

You have a Kubernetes cluster that has been running for months. An attacker hits one pod for 90 seconds. What does your SOC see? Today, without anomaly-triggered capture, the answer is one of two: either nothing — because the action wasn't captured — or terabytes of constant telemetry. With the adaptive write feature in place, the answer changes: ±5 min of detailed network and stack_trace diagnostics around every anomaly, automatically, plus the option to configure your own queries to capture additional bpf_traces or different time windows.

What is the trigger? The violation of what's “normal”

Figure: causal chain from workload under attack to Kubescape detector, adaptive_export operator, Pixie eBPF and ClickHouse sink. What triggers what — workload → Kubescape → adaptive_export → Pixie eBPF → ClickHouse. No anomaly, no forensic write.

Whenever an SBOB (a future post will cover how they are tuned) is violated or a static IoC (Indicator of Compromise) rule fires, capture is toggled ACTIVE. It captures the past as well as the future, because we keep a backwards window of 24 hours. No single component sees the full picture in isolation — they are chained by anomaly identity (a hash over <pid, comm, pod, namespace>). As you can guess, a good initial trigger point is important here, and avoiding false positives is crucial.

Figure: Gantt timeline of the 10-minute capture window across workload, Kubescape and forensic store. What is captured, and when — ±5 min around each Kubescape event.

The operator centers a 10-minute capture window on each Kubescape event: five minutes before (already retained in Pixie’s Edge Module) and five minutes after (unless the user specifies otherwise). Outside that window the cluster writes nothing.
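As an added illustration (not code from this post, nor from the fusioncore or Pixie projects), the following Python model ties together the two mechanisms described above: the anomaly identity hash over <pid, comm, pod, namespace>, and the ±5 min window that is backfilled from retained history and then closed, walking the operator through IDLE, ANOMALY and CAPTURED. The hash algorithm, the shape of the retained records and the `AdaptiveExport` class itself are assumptions made for the example.

```python
import hashlib

BEFORE_S = 5 * 60   # history replayed from the edge retention buffer
AFTER_S = 5 * 60    # default live capture after the event (user-configurable)

def anomaly_id(pid, comm, pod, namespace):
    """Anomaly identity: a hash over <pid, comm, pod, namespace> (sha256 is an assumption)."""
    return hashlib.sha256(f"{pid}|{comm}|{pod}|{namespace}".encode()).hexdigest()[:16]

class AdaptiveExport:
    """Hypothetical model of the adaptive_export operator: IDLE -> ANOMALY -> CAPTURED."""
    def __init__(self, after_s=AFTER_S):
        self.after_s, self.state = after_s, "IDLE"
        # windows: anomaly id -> [start, end]; sink: records forwarded to the forensic store;
        # _seen: (anomaly id, ts, table) keys so backfill and live capture never write twice
        self.windows, self.sink, self._seen = {}, [], set()

    def _write(self, aid, rec):
        key = (aid, rec["ts"], rec["table"])
        if key not in self._seen:
            self._seen.add(key)
            self.sink.append({"anomaly": aid, **rec})

    def on_event(self, ts, pid, comm, pod, namespace, retained):
        """Kubescape event: open or extend a +-5 min window and backfill the past from retention."""
        aid = anomaly_id(pid, comm, pod, namespace)
        start, end = ts - BEFORE_S, ts + self.after_s
        if aid in self.windows:  # same identity firing again: one window, no duplicate rows
            start, end = min(start, self.windows[aid][0]), max(end, self.windows[aid][1])
        self.windows[aid] = [start, end]
        self.state = "ANOMALY"
        for rec in retained:            # constructed ring buffer of already-retained records
            if start <= rec["ts"] <= ts:
                self._write(aid, rec)
        return aid

    def on_telemetry(self, rec):
        """Live eBPF record: written only while it falls inside an open window."""
        for aid, (start, end) in self.windows.items():
            if start <= rec["ts"] <= end:
                self._write(aid, rec)

    def tick(self, now):
        """Close elapsed windows: CAPTURED once one was flushed, IDLE when nothing is open."""
        closed = [a for a, (_, end) in self.windows.items() if end < now]
        for a in closed:
            del self.windows[a]
        if closed:
            self.state = "CAPTURED"
        elif not self.windows:
            self.state = "IDLE"
        return closed
```

Traffic that never falls inside a window is simply dropped by `on_telemetry`, which is why the stored volume tracks the number of anomalies rather than the cluster's traffic.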

Figure: side-by-side comparison of always-on capture (cost scales with traffic) and anomaly-triggered capture (cost scales with anomalies). Why this matters for the budget — anomaly-triggered capture vs always-on.

1. Stress-testing Pixie’s adaptive write

Figure: overall architecture with Pixie cloud, edge nodes, adaptive-export operator and ClickHouse forensic warehouse. Overall topology — Pixie cloud, edge cluster, adaptive-export operator, ClickHouse sink.

Funding & licence

This work was supported by the netidee programme of the Internet Foundation Austria. Application no. 7918, project SovereignSOC, grant recipient: SBA Research, key researcher: Dr. Constanze Roedig.
