Is Vardar monitoring completely passive?

Yes. Vardar connects via a read-only SPAN or mirror port on your network switch. It never sits inline with production traffic, installs agents, or injects latency. Zero production risk.

How long does deployment take?

Under 24 hours to full visibility. The edge device connects to a mirror port in minutes, and AI behavioral profiling begins automatically — no manual configuration required.

Do I need OT security expertise to operate Vardar?

No. Vardar is designed for IT teams without dedicated OT security staff. Alerts are delivered in plain English with actionable next steps — no security degree required.

The Role of eBPF/XDP in Next-Generation Network Security

For most of the past twenty years, "network security" meant a box. A firewall, an IDS, a SPAN-tap collector. Even the modern "cloud-native" wave largely kept the same architecture, just rehosted: a kernel-bypass agent here, a userland sidecar there, a probe somewhere on a mirror port. The packets came in, were copied or rerouted out of the kernel, and inspected by something running in user space. It was slow, it was lossy at scale, and increasingly it was tampered with by attackers who knew exactly where the user-space agent lived.

That model is now being quietly replaced. eBPF (extended Berkeley Packet Filter) and its companion data path XDP (eXpress Data Path) are moving security inside the kernel itself — and in the case of XDP, all the way down into the network interface driver. The result is detection and enforcement that runs at line rate, sees what the kernel sees, and is much harder for an attacker to disable. For OT/IoT environments, where conventional agents cannot be deployed and visibility has always been the hardest problem, this shift is particularly significant.

What Changed in 2026

Three developments have pushed eBPF/XDP into the mainstream security conversation this year.

First, the performance ceiling moved. A May 2026 eServers XDP DDoS firewall benchmark measured XDP programs sustaining 14–24 million packets per second of wire-rate drops on a 10 Gbps NIC with "negligible" CPU usage — a result iptables/nftables cannot approach without dedicated hardware. XDP runs 5–10× more CPU-efficient than iptables string matching at high packet rates, because it drops the packet inside the NIC driver before the kernel ever allocates an sk_buff, processes Netfilter hooks, or touches the TCP stack.

Second, observability moved into the kernel — at very low cost. A May 2026 Tech Bytes eBPF observability deep-dive measured Grafana's Beyla idling around 75 MB of memory and 0.02% CPU under self-instrumentation, with full network observability still inside 1.2% CPU under demo traffic. Industry analysis on kernel-level security observability puts traditional user-space EDR overhead at 5–15%, versus 1–3% for kernel-resident eBPF programs — and notes that the eBPF approach is far harder for attackers to bypass, disable, or tamper with than a user-space agent.

Third, the safety story matured. Microsoft Research published KrakenGuard in May 2026 — a fine-grained eBPF isolation framework that demonstrably blocks misuse of restricted helpers, unauthorized memory and map access, and unsafe packet modifications. The eBPF verifier was always strong, but the operational concern of "what if a malicious or buggy eBPF program loads?" now has a credible mitigation. And the publication of CVE-2026-43464 — a Mellanox mlx5 XDP buffer accounting bug — reminded the field that this is now serious enterprise infrastructure, getting CVE-grade scrutiny.

Put together: eBPF/XDP are no longer a research curiosity. They are how modern security teams instrument production.

Where eBPF/XDP Fits in the Security Stack

Three layers of value are now well-understood.

Layer 1: Wire-rate enforcement (XDP). Drop, redirect, or rewrite packets inside the NIC driver before the kernel network stack runs. Use cases: DDoS mitigation, malicious-IP enforcement, protocol filtering, microsegmentation in container networks, OT protocol whitelisting at the edge. Red Hat now ships xdp-filter as a standard component of RHEL 10's firewall stack, specifically for high-performance traffic filtering and DDoS prevention.

Layer 2: Network observability (tc, kprobes, tracepoints). Attach eBPF programs to TC hooks, kprobes, uprobes, and LSM hooks to derive per-flow telemetry — latency, retransmits, DNS failures, TLS metadata — without any application instrumentation. This is the layer that has displaced traditional packet brokers for a wide class of east-west visibility problems.

Layer 3: Runtime security and threat detection (kprobes, LSM, syscalls). Monitor process behavior, file access, capability use, and syscall sequences. This is the EDR-replacement layer, and it is the one most resistant to attacker tampering, because the eBPF program lives in the kernel and is loaded by privileged code with cryptographic signing.

For OT/IoT environments specifically, layers 1 and 2 are the most consequential. Layer 3 still presumes a Linux host, which most PLCs and HMIs are not. But the gateway, jump host, file transfer relay, and engineering workstation — every device that sits between corporate IT and the OT network — is increasingly a Linux box, and eBPF makes it possible to monitor and enforce policy on those boundary nodes without deploying yet another agent.

What This Means for OT/IoT Security

The traditional OT security architecture has been hamstrung by two constraints: legacy embedded devices that cannot run any agent, and a strong operational mandate not to touch the production network. Passive monitoring from a SPAN port has been the dominant answer, but it has obvious limits — no enforcement, lossy at scale, and dependent on whatever traffic the network admin happened to mirror.

eBPF/XDP changes the calculus for the boundary devices, which is where most modern OT compromises actually transit:

The industrial DMZ jump host can now run XDP-based protocol whitelisting that allows only known OT protocols (Modbus, OPC UA, S7, DNP3) to specific destination devices, dropping everything else at wire speed.
The vendor remote access gateway can have its full syscall surface observed via eBPF, generating tamper-resistant audit of every action taken by a vendor session — including the actions that bypass the official jump host UI.
The historian and engineering workstation can run lightweight eBPF-based EDR that does not require kernel module loading, does not depend on a user-space agent the attacker can kill, and survives kernel updates without breaking.
The OT collection appliance itself can use XDP to ingest mirrored traffic at multi-million-packet-per-second rates without dropping packets — solving the "passive monitoring is lossy at scale" problem that has plagued OT visibility for years.

Crucially, none of this requires touching the legacy PLCs and HMIs. The protection wraps around them, at the boundary, at line rate, with kernel-resident enforcement that is significantly harder to subvert than any user-space agent.

Where to Be Careful

eBPF is powerful, but the maturity curve is not over. Three operational realities worth holding in mind:

Kernel version matters. XDP features, helper availability, and verifier behavior vary across kernel releases. The mlx5 multi-buffer CVE published in May 2026 affected kernel lines 6.6, 6.12, 6.17, 6.18, 6.19, and 7.0 — production deployment requires a clear kernel-version policy and patch discipline.
Verifier strictness is increasing, sometimes breaking older programs. A May 2026 arXiv paper on legacy eBPF program migration documented cases where context-type mismatches between XDP and TC hooks silently corrupt packet classification — accepted by older verifiers, rejected or misinterpreted by newer ones.
eBPF is a privileged capability. Loading eBPF programs typically requires CAP_BPF or root. Operationally, this means treating eBPF program deployment with the same scrutiny as kernel module loading: signed code, change management, audit.

eBPF is privileged kernel code. Treat program loading with the same scrutiny as a kernel module — signed binaries, strict change management, and audit logging. A misconfigured eBPF program is an outage; a malicious one is a kernel compromise.

Ready to Secure Your OT Network?

Get a free risk assessment of your industrial environment.

Request Free Assessment

The Direction of Travel

The clearest signal of where network security is going is what the hyperscalers and security platforms are quietly building on. Container networking, cloud DDoS protection, service mesh observability, and increasingly endpoint detection are all being rebuilt on eBPF/XDP foundations. For OT/IoT operators, the practical implication is that the boundary devices — the very places where modern OT compromises actually happen — are about to get significantly more defensible, without any disruption to the legacy industrial assets behind them.

The future of network security is not another box on a rack. It is a verified, signed, kernel-resident program running 5–10× more efficiently than what it replaces, at wire rate, where the attacker cannot reach it. For industrial environments that have spent a decade asking how to get real visibility and enforcement without breaking production, that is exactly the answer that has been missing.

Sources: