Sandfly easily has the lowest CPU impact of any Linux EDR product on the market. In fact, Sandfly was designed from the beginning to run without making your life worse by consuming massive CPU resources on your critical infrastructure.
Sandfly goes on a host to do intermittent and random security sweeps. These sweeps take normally 30-60 seconds to complete and then vanish. The result is that CPU impacts blend into normal system operation and most users don't report seeing anything unusual even on heavily loaded boxes.
Further, the way Sandfly operates it avoids doing things like massive file scanning, scan on open and similar activities which are extremely expensive in terms of CPU and disk impacts (and work poorly for finding Linux intruders anyway). Sandfly even allows you to tailor the sweep priority level to your tastes. By default we run on a medium-low setting which will rarely ever cause a system impact, but you can lower it even further if you wish with essentially no impact on how we work.