How Deepfence’s Lightweight Sensors Work

Deepfence’s lightweight sensors gather data and telemetry and forward this to the Deepfence Console for analysis.

radar with dots icon

Vulnerability Scans

Query the host and running applications and containers for operating system and language dependencies. Dependency identifiers are submitted to the Deepfence Console for matching against vulnerability feeds. Vulnerability scans can be executed when a host registers with the Console, on a schedule or on-demand.

check in circle icon

Compliance Checks

Query the host for local and network configuration, using a set of carefully curated OpenSCAP policies based on industry and community standard sources. Compliance Checking tests are run on-demand on each host.

gear with arrows icon

Sensor Installation

Configure local sensors for process integrity, file system integrity, and network deep packet inspection (DPI) capture. Sensors are implemented by standard kernel features (fsnotify, eBPF, proc); no additional kernel modules are required. Sensor data is captured locally, pre-filtered, and then forwarded to the Console for reassembly, classification, and processing.

Deepfence goes beyond an agentless approach which fails to provide the deep visibility required, and avoids heavyweight, stateful agents that impact performance. Deepfence’s approach minimizes load on production infrastructure by performing the necessary inspection and processing on a separate Console.

Key Benefits

lightweight sensors icon

Lightweight to minimize impact on production infrastructure

On-host sensors for deep visibility into dependencies and activity

Secure host-to-console communications ensure data remains private

Supported Platforms

Sensors support a wide range of deployment options

Kubernetes blue mark


Sensors are deployed as a daemonset, a common pattern for log, metrics, monitoring, and security services that run alongside Kubernetes workloads in a non-intrusive manner.

Docker blue mark


Sensors are deployed as a Docker container on each Docker host.

Bare metal and VM-based platforms

Sensors are deployed as a Docker container on each operating system instance, using a Docker runtime. Both Windows and Linux instances are supported.


Deepfence supports AWS Fargate, where sensors are deployed as a daemon service alongside each serverless instance.