CFOtech India - Technology news for CFOs & financial decision-makers

eBPF report shows efficiency, security gains at scale

Fri, 13th Feb 2026

The eBPF Foundation has published a research report detailing production results from organisations using eBPF for networking, security and observability. Examples include Cloudflare, Netflix, ByteDance and Rakuten.

Titled eBPF In Production, the report compiles case studies and published benchmarks on changes in infrastructure use, operational efficiency and security outcomes following eBPF deployments. It targets executives and senior technical leaders looking for quantified evidence of return on investment and operational impact.

eBPF is a Linux technology that runs programs in the kernel in a controlled way. It is commonly used for network filtering, telemetry collection and policy enforcement, allowing vendors and platform teams to add instrumentation and controls without modifying kernel source code for each new requirement.

The report links eBPF deployments to lower CPU consumption, reduced logging volumes, lower network costs and faster incident response. It also points to uses in DDoS mitigation and endpoint security that depend on low-level visibility into system activity.

Cost and utilisation

Several examples focus on computing and network efficiency. Datadog is cited as reducing CPU usage by 35% with an eBPF-based connection tracker. Meta is referenced as reducing CPU cycles by up to 20% using its Strobelight profiler, described as eBPF-driven.

The benchmarks also include network charges. Polar Signals is cited as cutting cross-zone traffic costs by 50% with eBPF-based observability, a potential benefit for organisations that move large volumes of telemetry and operational data between regions or availability zones.

Operations at scale

The report also highlights operational outcomes it attributes to lower-overhead data collection and traffic management. LinkedIn is cited as reducing Kafka log volume by 70% using an eBPF observability agent. For large event pipelines, lower log volume can reduce storage and network requirements and cut downstream processing.

Elsewhere, the Czech internet company Seznam.cz is cited as doubling throughput while reducing CPU usage by 72x with eBPF load balancing. DoorDash is cited as achieving 40% less memory usage, 98% fewer restarts and 80% faster deployments after migrating to eBPF-based monitoring.

The report frames these results as a shift of parts of observability and networking control closer to the kernel, positioning eBPF as a way to collect and act on data with less overhead than some user-space approaches.

Security outcomes

Security is another major theme. SentinelOne is cited as detecting and stopping ransomware attempts in under one second with an eBPF-based architecture. The report also includes DDoS-related examples from internet infrastructure providers and security specialists.

Cloudflare is cited as mitigating DDoS attacks peaking above 7 Tbps using eBPF-based XDP programs. CoreTech is cited as mitigating a 1 Tbps DDoS attack without downtime using eBPF-powered scrubbing. XDP is a Linux framework that runs packet-processing programs early in the networking stack, reducing the resources required for filtering and routing decisions.

Featured deployments

The report includes longer case studies of Cloudflare, Netflix, ByteDance and Rakuten Mobile. Cloudflare describes eBPF as underpinning networking and observability, as well as high-throughput DDoS mitigation. At Netflix, it links eBPF use to network defence, "noisy neighbour" detection and telemetry collection across the platform.

For ByteDance, it cites a 10% throughput improvement across infrastructure supporting about one million servers after adopting eBPF-based networking. Rakuten Mobile is presented as using eBPF for anomaly detection, security enforcement and observability in a cloud-native telecom environment.

The report argues that these deployments show eBPF use extending beyond narrow tooling categories, describing it as a common layer across networking, security controls and operational monitoring.

Industry positioning

Technology journalist Bill Doerrfeld authored the report, which presents eBPF as a mature infrastructure technology used inside products, projects and tools across several areas of Linux operations.

The eBPF Foundation stewards the technology's ecosystem and upstream community, working with maintainers and member organisations on development priorities and security practices across platforms that use eBPF.

"eBPF has moved decisively from experimentation to enterprise standard," said Bill Mulligan, eBPF Governing Board Member from Isovalent. "This report demonstrates that leading organizations are not just piloting eBPF, they are standardizing on it to reduce costs, mitigate risk, and improve system performance at massive scale."

The report suggests future adoption will focus on standardising eBPF as part of core Linux operations, with more organisations treating it as a shared layer across networking, observability and security rather than a set of isolated tools.