04. Blue/DFIR Components: HOST

This chapter is fully dedicated to Linux endpoint/server security monitoring and live forensics at scale. A set of low-level visibility tools such as Tracee, Falco, Sysdig, and Sysmon4Linux is used to enhance host visibility. You will work through short use-case scenarios that demonstrate not only each tool's value but, above all, let you "see" and better understand the true behavior of attacks and their corresponding TTPs at scale through the visibility/DFIR layers available in PurpleLabs.