In the face of increasingly capable malicious actors, security leaders have been dealing with huge upheavals. While initiatives like Zero Trust networking and Supply Chain Security have transformed enterprise security, they’ve largely focused on users and workloads. Identity is continuously verified. Access is least-privileged. Segmentation is granular.
On the other hand, the networking hardware that underpins our networks, including the internet itself, has largely been treated as trustworthy. The control-plane software inside that infrastructure has traditionally relied on hardening and patching rather than on continuous runtime enforcement.
When switches were primarily fixed-function hardware, this model was reasonable. On today's programmable platforms, it is no longer sufficient.
Modern switches run sophisticated control-plane software responsible for routing, segmentation, telemetry, automation, and management APIs. They are, in effect, highly privileged compute systems embedded inside the network fabric. And increasingly, they’re being treated as such by attackers. As discussed in Peter Bailey’s recent LinkedIn post, the security conversation is shifting toward protecting the infrastructure software that underpins everything else.
Security agencies have warned that threat actors actively exploit vulnerabilities in network infrastructure devices to gain and maintain persistent access. When the network itself becomes the foothold, the blast radius extends far beyond a single compromised workload.
The exposure window CISOs can’t ignore
One of the structural challenges in securing networking infrastructure is patch velocity. Updating core switching infrastructure requires coordination, testing, and change windows, so patch timelines are often measured in weeks rather than days.
At the same time, exploitation timelines have compressed dramatically. Threat intelligence research has shown that vulnerabilities in network infrastructure are frequently exploited rapidly after disclosure, while remediation may take 30 days or more. This creates a persistent exposure window, one that can't be closed by patching alone.
For CISOs, the implication is clear: Protection must operate in real time during that window.
Moving runtime security into the switch
Cisco LiveProtect addresses this gap by embedding runtime protection directly into the operating systems of modern switches.
Based on eBPF and on Tetragon, the eBPF-based runtime security tool developed by Cisco's Isovalent team, Cisco LiveProtect enables security policies to execute inside the kernel of the switch control plane. Rather than relying solely on external monitoring or delayed response workflows, it allows behavior to be observed and controlled at the point of execution: a policy attached to a kernel hook sees the system call or kernel function as it happens and can act before the operation completes.
Because this protection runs in-kernel, it operates with full system context and minimal latency, closing the gap between detection and response. And because eBPF programs are loaded and unloaded at runtime rather than compiled into the kernel, Cisco LiveProtect allows protection to be deployed across devices without a reboot and without disrupting traffic.
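To make "policies execute inside the kernel" concrete, here is an added example of what such a policy looks like in Tetragon's own TracingPolicy format. It is not code from the page or from Cisco LiveProtect, and the page does not describe how policies are packaged on Nexus; the example assumes a plain Linux host running the Tetragon agent. It hooks security_file_permission, the LSM check the kernel performs before every file read or write, and kills any process that opens /etc/shadow or /etc/passwd for writing unless it is one of two allowlisted binaries (the allowlist paths are a hypothetical illustration).

```yaml
# Added example: a Tetragon TracingPolicy that turns a kernel hook into an
# in-kernel enforcement point. Assumes a Linux host with the Tetragon agent
# loaded; the allowlisted binaries below are hypothetical.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: protect-credential-files
spec:
  kprobes:
  # security_file_permission() runs on every read/write before the data
  # moves, so the decision is made before the write lands on disk.
  - call: "security_file_permission"
    syscall: false
    args:
    - index: 0
      type: "file"   # struct file *; Tetragon resolves it to a path
    - index: 1
      type: "int"    # access mask: MAY_WRITE = 2, MAY_READ = 4
    selectors:
    - matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/etc/shadow"
        - "/etc/passwd"
      - index: 1
        operator: "Equal"
        values:
        - "2"        # writes only; reads of these files remain allowed
      # Hypothetical allowlist: the legitimate account-management tools
      # are exempt, anything else writing these files is hostile.
      matchBinaries:
      - operator: "NotIn"
        values:
        - "/usr/sbin/usermod"
        - "/usr/sbin/passwd"
      matchActions:
      - action: Sigkill   # terminate the caller in-kernel, then emit the event
```

Load it with `tetra tracingpolicy add protect-credential-files.yaml` and watch the resulting events with `tetra getevents -o compact`. All matchArgs entries in a selector are ANDed, so the kill fires only when the path, the write bit and the non-allowlisted binary all match. Sigkill is the bluntest action; Tetragon also offers `Override`, which makes the hooked function return an error instead of killing the process, but it depends on the kernel permitting error injection on that function, so test it on the target kernel before relying on it.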
Proven at hyperscale, ready for the network
The eBPF technology that underpins Cisco LiveProtect is well proven, and has been operating at hyperscale for years.
Major cloud and internet platforms including Google, Meta, and Netflix use eBPF extensively in production to power networking, observability, and security across large-scale distributed environments, as documented in Linux Foundation research on the state of eBPF. The technology is designed for safety: before a program is loaded, the kernel's verifier checks it for memory safety and bounded execution and rejects anything it cannot prove safe, so a loaded program cannot crash or destabilize the kernel. Accepted programs are JIT-compiled into native instructions and execute with extremely low overhead, which is why hyperscalers rely on them in performance-sensitive production environments.
In short: eBPF has already proven itself in some of the most demanding infrastructure environments in the world.
From hyperscale software to networking hardware
By combining Cisco’s networking platforms with deep eBPF expertise from Isovalent, Cisco LiveProtect brings kernel-level runtime enforcement directly into switching hardware. It extends modern workload-style protection to one of the most privileged components in enterprise infrastructure: the network control plane.
Initially deployed in Cisco Nexus smart switches, this approach represents a meaningful evolution. Just as hyperscalers embedded eBPF into their software infrastructure over the past decade, kernel-level enforcement is now arriving inside enterprise networking platforms. We believe that this is just the beginning, and that eBPF and Tetragon will become the industry baseline for securing hardware devices as well as application workloads.
Securing the foundation
The network is the foundation upon which applications, identities, and policies depend. If that foundation is compromised, every dependent control is at risk.
Cisco LiveProtect brings real-time, performance-neutral protection directly into that foundation, closing the exposure window between vulnerability disclosure and patch deployment. With eBPF at its core and Cisco's networking leadership as its platform, Cisco LiveProtect brings security directly into the network.
We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.