diff --git a/perf/benchmark/README.md b/perf/benchmark/README.md
index d1cf840424..84bf548860 100644
--- a/perf/benchmark/README.md
+++ b/perf/benchmark/README.md
@@ -145,12 +145,41 @@ optional arguments:
   --no_clientsidecar    do not run clientsidecar-only for all
   --bothsidecar         run both clientsidecar and serversidecar
   --no_sidecar          do not run clientsidecar and serversidecar
+  --custom_profiling_command
+                        runs a custom profiling commands on the nodes for the client and server,
+                        and produces a flamegraph based on that.
+                        Example on-cpu profile using bcc tools for the envoy sidecar proxy:
+                        --custom_profiling_command=\"profile-bpfcc -df {duration} -p {sidecar_pid}\"
+                        - runner.py will replace {duration} with whatever was specified for --duration.
+                        - runner.py will replace {sidecar_pid} with the actual process id of the envoy
+                          sidecar process.
+  --custom_profiling_name
+                        filename prefix for the result of any --custom_profiling_command
+  --envoy_profiler [heapprofiler|cpuprofiler]
+                       yields visualizations using pprof over profiles collected via the built-in profiler
+                       of the side cars.
+                       NOTE: requires global.proxy.privileged=true,values.global.proxy.enableCoreDump=true
 ```
 
 Note:
 - `runner.py` will run all combinations of the parameters given. However, in order to reduce ambiguity when generating the graph, it would be
  better to change one parameter at a time and fix other parameters
 - if you want to run with `--perf` flag to generate a flame graph, please make sure you have the permission to gather perf data, please refer to step 2 of this [README](https://github.com/istio/tools/tree/master/perf/benchmark/flame#setup-perf-tool)
+- if you want to run with `--custom_profiling_command`, `profilingMode` must be set to `true` in `values.yaml`. Doing so will set up the client and server pods to run the perf/profiling container. It's worth noting that this container  runs `--priviledged`, and that `hostIPC` and `hostPID` will also be enabled,
+weakening security. Resulting flamegraphs will be written to `flame/flameoutput`.
+- sample sidecar profiling commands for `--custom_profiling_command`:
+  - "profile-bpfcc -df {duration} -p {sidecar_pid}" sidecar on-cpu profile
+  - "offcputime-bpfcc -df {duration} -p {sidecar_pid}" sidecar off-cpu profile
+  - "offwaketime-bpfcc -df {duration} -p {sidecar_pid}" sidecar offwaketime profile
+  - "wakeuptime-bpfcc -f -p {sidecar_pid} {duration}" sidecar wakeuptime profile
+  - "perf record -F 99 -g -p {sidecar_pid} -- sleep {duration} && perf script | ~/FlameGraph/stackcollapse-perf.pl | c++filt -n" on-cpu perf-generated profile
+  - "stackcount-bpfcc -U *alloc* -df -D {duration} -p {sidecar_pid}" profile calls to `*alloc*`
+  - "perf record -e page-faults -g -p {sidecar_pid} -F 99 -- sleep {duration} && perf script | ~/FlameGraph/stackcollapse-perf.pl | c++filt -n" page faults
+- It's also possible to run machine-wide profiling, for example:
+  - "profile-bpfcc -df {duration}" for obtaining a machine-wide on-cpu flamegraph.
+  - See [here](http://www.brendangregg.com/FlameGraphs/) for more examples and information.
+- Enabling `profilingMode` in `values.yaml` will also bring up and expose Prometheus's `node_exporter` at the configured port (default: 9100),
+  accessible over http via `/metrics.
 
 For example:
 
diff --git a/perf/benchmark/flame/README.md b/perf/benchmark/flame/README.md
index 0d7f6e3120..bfa99298dd 100644
--- a/perf/benchmark/flame/README.md
+++ b/perf/benchmark/flame/README.md
@@ -8,61 +8,61 @@
 1. Colors are arbitrary.
 1. Function names are sorted left to right.
 
-This document shows how to gather performance data from within the `istio-proxy` container.
+This document shows how to gather performance data from via the `perf` container.
 
-## Setup Perf tool
+## Setup the perf container
 
-Flame graphs are created from data collected using linux `perf_events` by the `perf` tool.
+Enable `profilingMode` in [values.yaml](../values.yaml). This will end up adding the perf
+container to the server and client pods, which both will be running on separate nodes.
 
-1. Ensure that `perf` is installed within the container.
-   Since `istio-proxy` container does not allow installation of new packages, build a new docker image.
+Flame graphs and visualizations are created from data collected using linux `perf_events`
+by the `perf` and [BCC tools](https://github.com/iovisor/bcc), as well as Envoy's built-in profiler.
 
-    ```plain
-    FROM gcr.io/istio-release/proxyv2:release-1.0-20180810-09-15
-    # Install fpm tool
-    RUN  sudo apt-get update && \
-        sudo apt-get -qqy install linux-tools-generic
-    ```
+## Obtaining flame graphs
 
-    Build image and push docker image and use it in your deployment by adding the following annotation.
+Flame graphs can be produced via `runner.py`, and will be stored in `flame/flameoutput`.
 
-    ```plain
-    "sidecar.istio.io/proxyImag" : <name of your image>
-    ```
+A few sample command line arguments. `{duration}` will be replaced by
+whatever was passed for `--duration` to runner.py. `{sidecar_pid}` will
+be replaced by `runner.py` with the process id of the Envoy sidecar.
 
-    This step will go away once the default debug image contains `perf` and related tools.
+It is valid to omit `{sidecar_pid}` in `--custom_profiling_command`.
+This may be useful for machine-wide profiling or arbitrary processes.
 
-1. Ensure that you can run `perf record`
+```bash
+runner/runner.py ... --custom_profiling_command="profile-bpfcc -df {duration} -p {sidecar_pid}" --custom_profiling_name="bcc-oncputime-sidecar"
 
-    Running `perf record` from container requires the host to permit this activity. This is done by running the following command on the vm host.
-    For example, if you are running on a GKE cluster, you should `ssh` to the node using the command:
+runner/runner.py ... --custom_profiling_command="offcputime-bpfcc -df {duration} -p {sidecar_pid}" --custom_profiling_name="bcc-offcputime-sidecar"
 
-    ```bash
-    gcloud compute ssh gke-perf-test-default-pool-xxxxxx
-    ```
+runner/runner.py ... --custom_profiling_command="offwaketime-bpfcc -df {duration} -p {sidecar_pid}" --custom_profiling_name="bcc-offwaketime-sidecar"
 
-    Then run the following command:
+runner/runner.py ... --custom_profiling_command="wakeuptime-bpfcc -f -p {sidecar_pid} {duration}" --custom_profiling_name="bcc-wakeuptime-sidecar"
 
-    ```bash
-    sudo sysctl kernel.perf_event_paranoid=-1
-    sudo sysctl kernel.kptr_restrict=0
-    ```
+runner/runner.py ... --custom_profiling_command="stackcount-bpfcc -p {sidecar_pid} *alloc* -fD {duration}" --custom_profiling_name="bcc-stackcount-alloc"
 
-    This setting is very permissive so it must be used with care.
+runner/runner.py ... --custom_profiling_command="perf record -F 99 -g -p {sidecar_pid} -- sleep {duration} && perf script | ~/FlameGraph/stackcollapse-perf.pl | c++filt -n"
+--custom_profiling_name="perf-oncputime-sidecar"
 
-    If running perf still gives error:```You may not have permission to collect stats. Consider tweaking /proc/sys/kernel/perf_event_paranoid:```
-    after running above commands, try ssh into node and run the container with --privileged flag.
+runner/runner.py ... --custom_profiling_command="perf record -e page-faults -g -p {sidecar_pid} -- sleep {duration} && perf script | ~/FlameGraph/stackcollapse-perf.pl | c++filt -n" --custom_profiling_name="perf-pagefaults-sidecar"
 
-1. Run [`get_proxy_perf.sh`](get_proxy_perf.sh) to get the profiling svg. The following command collects samples at `177Hz` for `20s`. The svg file should be created under `flameoutput` dir
+```
 
-    ```plain
-    ./get_proxy_perf.sh -p svc05-0-7-564865d756-pvjhn -n service-graph05 -s 177 -t 20
-    ...
-    [ perf record: Woken up 1 times to write data ]
-    [ perf record: Captured and wrote 0.061 MB /etc/istio/proxy/perf.data (74 samples) ]
+## Leveraging Istio's sidecar built-in profiling
 
-    Wrote /etc/istio/proxy/perf.data.perf
-    ...
-    generating svg file svc05-0-7-564865d756-pvjhn-2020-01-29-22-34-19.perf
-    ...
-    ```
+Istio's sidecar proxy (Envoy) is usually build with `tcmalloc`, and as such traditional memory profiling
+methods may give unsatisfactory results. Fortunately, the proxy provides a built-in means to collect
+profiling data, and the benchmark tool is able to leverage that. Doing so, however, requires a writeable
+file system as well as priviliges to install new packages for the sidecar containers. The following
+command (re)configures istio to satisfy these requirements:
+
+```bash
+istioctl manifest apply --set "values.global.proxy.enableCoreDump=true" --set "values.global.proxy.privileged=true"
+```
+
+After doing so `runner.py` can be run with `--envoy_profiler [heapprofiler|cpuprofiler]`. This will start/stop
+the built-in profilers of the sidecars, obtain the collected profiles, and visualize them via `pprof`.
+The resulting output will end up in `flame/flameoutput` just like in the other flows:
+
+```bash
+runner/runner.py --envoy_profiler cpuprofiler|heapprofiler ...
+```
diff --git a/perf/benchmark/flame/flame.sh b/perf/benchmark/flame/flame.sh
deleted file mode 100755
index ad09de7263..0000000000
--- a/perf/benchmark/flame/flame.sh
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/bin/bash
-
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#    http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -e
-
-WD=$(dirname "${0}")
-WD=$(cd "${WD}" && pwd)
-
-FLAMEDIR="${WD}/FlameGraph"
-
-if ! command -v c++filt > /dev/null; then
-    echo "Install c++filt to demangle symbols"
-    exit 1
-fi
-
-cd "${WD}" || exit 1
-
-if [[ ! -d ${FLAMEDIR} ]]; then
-    echo "Cloning FlameGraph repo in ${WD}"
-    git clone https://github.com/brendangregg/FlameGraph
-fi
-
-# Given output of `perf script` produce a flamegraph
-FILE=${1:?"perf script output"}
-FILENAME=$(basename "${FILE}")
-BASE=$(echo "${FILENAME}" | cut -d '.' -f 1)
-SVGNAME="${BASE}.svg"
-
-mkdir -p "${WD}/flameoutput"
-"${FLAMEDIR}/stackcollapse-perf.pl" "${FILE}" | c++filt -n | "${FLAMEDIR}/flamegraph.pl" --cp > "./flameoutput/${SVGNAME}"
-
-echo "Wrote ${SVGNAME}"
-if [[ -n "${BUCKET}" ]];then
-    gsutil cp "${SVGNAME}" "${BUCKET}"
-fi
diff --git a/perf/benchmark/flame/get_perfdata.sh b/perf/benchmark/flame/get_perfdata.sh
deleted file mode 100755
index 4881935ffd..0000000000
--- a/perf/benchmark/flame/get_perfdata.sh
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/bash
-
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#    http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -e
-
-WD=$(dirname "${0}")
-WD=$(cd "${WD}" && pwd)
-
-FILENAME=${1:?"perffilename"}
-DURATION=${2:?"duration"}
-FREQ=${3:-"99"}
-
-PID=$(pgrep envoy)
-
-# This is specific to the kernel version
-# example: /usr/lib/linux-tools-4.4.0-131/perf
-# provided by `linux-tools-generic`
-PERFDIR=$(find /usr/lib -name 'linux-tools-*' -type d | head -n 1)
-if [[ -z "${PERFDIR}" ]]; then
-    echo "Missing perf tool. Install apt-get install linux-tools-generic"
-    exit 1
-fi
-
-PERF="${PERFDIR}/perf"
-
-"${PERF}" record -o "${WD}/${FILENAME}" -F "${FREQ}" -p "${PID}" -g -- sleep "${DURATION}"
-"${PERF}" script -i "${WD}/${FILENAME}" --demangle > "${WD}/${FILENAME}.perf"
-
-echo "Wrote ${WD}/${FILENAME}.perf"
diff --git a/perf/benchmark/flame/get_proxy_perf.sh b/perf/benchmark/flame/get_proxy_perf.sh
deleted file mode 100755
index dd0f10e2b2..0000000000
--- a/perf/benchmark/flame/get_proxy_perf.sh
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/bin/bash
-
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#    http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -e
-
-function usage() {
-  echo "usage:
-        ./get_proxy_perf.sh -p <pod_name> -n <pod_namespace> -s <sample_frequency> -t <time>
-    
-    e.g.
-      ./get_proxy_perf.sh -p svc05-0-4-0-67bff5dbbf-grl94 -n service-graph05 -s 177 -t 20
-
-    -p name of pod.
-    -n namespace of the given pod.
-    -s sample frequence in Hz.
-    -t time of profiling in second."
-  exit 1
-}
-
-POD_NAME=""
-POD_NAMESPACE=""
-SAMPLE_FREQUENCY="177"
-PERF_TIME="20"
-
-while getopts p:n:s:t: arg ; do
-  case "${arg}" in
-    p) POD_NAME="${OPTARG}";;
-    n) POD_NAMESPACE="${OPTARG}";;
-    t) SAMPLE_FREQUENCY="${OPTARG}";;
-    s) PERF_TIME="${OPTARG}";;
-    *) usage;;
-  esac
-done
-
-if [ -z "${POD_NAME}" ]; then
-    echo "pod name must be provided."
-    usage
-    exit 1
-fi
-
-if [ -z "${POD_NAMESPACE}" ]; then
-    echo "pod namespace must be provided."
-    usage
-    exit 1
-fi
-
-WD=$(dirname "${0}")
-WD=$(cd "${WD}" && pwd)
-
-echo "copy profiling script to proxy..."
-kubectl cp "${WD}"/get_perfdata.sh "${POD_NAME}":/etc/istio/proxy/get_perfdata.sh -n "${POD_NAMESPACE}" -c istio-proxy
-
-echo "start profiling..."
-kubectl exec "${POD_NAME}" -n "${POD_NAMESPACE}" -c istio-proxy -- /etc/istio/proxy/get_perfdata.sh perf.data "${SAMPLE_FREQUENCY}" "${PERF_TIME}"
-
-TMP_DIR=$(mktemp -d -t proxy-perf-XXXXXXXXXX)
-trap 'rm -rf "${TMP_DIR}"' EXIT
-TIME="$(date '+%Y-%m-%d-%H-%M-%S')"
-PERF_FILE_NAME="${POD_NAME}"-"${TIME}".perf
-PERF_FILE="${TMP_DIR}"/"${PERF_FILE_NAME}"
-kubectl cp "${POD_NAME}":/etc/istio/proxy/perf.data.perf "${PERF_FILE}" -n "${POD_NAMESPACE}" -c istio-proxy
-
-echo "generating svg file ${PERF_FILE_NAME}"
-"${WD}"/flame.sh "${PERF_FILE}"
diff --git a/perf/benchmark/runner/runner.py b/perf/benchmark/runner/runner.py
index e1f2194ca4..228e648f19 100644
--- a/perf/benchmark/runner/runner.py
+++ b/perf/benchmark/runner/runner.py
@@ -16,17 +16,21 @@
 
 import collections
 import os
+import html
 import json
 import socket
 import argparse
 import subprocess
 import shlex
 import uuid
+import stat
 import sys
 import tempfile
 import time
 from subprocess import getoutput
 from urllib.parse import urlparse
+from threading import Thread
+from time import sleep
 import yaml
 from fortio import METRICS_START_SKIP_DURATION, METRICS_END_SKIP_DURATION
 
@@ -34,6 +38,7 @@
 NIGHTHAWK_GRPC_SERVICE_PORT_FORWARD = 9999
 POD = collections.namedtuple('Pod', ['name', 'namespace', 'ip', 'labels'])
 NIGHTHAWK_DOCKER_IMAGE = "envoyproxy/nighthawk-dev:59683b759eb8f8bd8cce282795c08f9e2b3313d4"
+SCRIPT_START = time.strftime("%Y-%m-%d-%H%M%S")
 
 
 def pod_info(filterstr="", namespace=NAMESPACE, multi_ok=True):
@@ -57,6 +62,7 @@ def pod_info(filterstr="", namespace=NAMESPACE, multi_ok=True):
 def run_command(command):
     process = subprocess.Popen(shlex.split(command))
     process.wait()
+    return process.returncode
 
 
 def run_command_sync(command):
@@ -71,7 +77,6 @@ def kubectl_cp(from_file, to_file, container):
         from_file=from_file,
         to_file=to_file,
         container=container)
-    print(cmd, flush=True)
     run_command_sync(cmd)
 
 
@@ -85,7 +90,7 @@ def kubectl_exec(pod, remote_cmd, runfn=run_command, container=None):
         c=c,
         namespace=NAMESPACE)
     print(cmd, flush=True)
-    runfn(cmd)
+    return runfn(cmd) == 0
 
 
 class Fortio:
@@ -117,7 +122,11 @@ def __init__(
             ingress=None,
             mesh="istio",
             cacert=None,
-            load_gen_type="fortio"):
+            load_gen_type="fortio",
+            custom_profiling_command=None,
+            custom_profiling_name="default-profile",
+            devmode=False,
+            envoy_profiler=None):
         self.run_id = str(uuid.uuid4()).partition('-')[0]
         self.headers = headers
         self.conn = conn
@@ -130,6 +139,8 @@ def __init__(
         self.r = "0.00005"
         self.telemetry_mode = telemetry_mode
         self.perf_record = perf_record
+        self.custom_profiling_command = custom_profiling_command
+        self.custom_profiling_name = custom_profiling_name
         self.server = pod_info("-lapp=" + server, namespace=self.ns)
         self.client = pod_info("-lapp=" + client, namespace=self.ns)
         self.additional_args = additional_args
@@ -142,6 +153,13 @@ def __init__(
         self.run_ingress = ingress
         self.cacert = cacert
         self.load_gen_type = load_gen_type
+        self.devmode = devmode
+        self.envoy_profiler = envoy_profiler
+
+        if self.perf_record != False:
+            if not self.custom_profiling_command is None:
+                sys.exit("--perf and --custom_profiling_command are mutually exclusive")
+            self.custom_profiling_command = "perf record -F 99 -g -p {sidecar_pid} -- sleep {duration} && perf script | ~/FlameGraph/stackcollapse-perf.pl | c++filt -n"
 
         if mesh == "linkerd":
             self.mesh = "linkerd"
@@ -178,28 +196,24 @@ def clientsidecar(self, load_gen_cmd, sidecar_mode):
     def bothsidecar(self, load_gen_cmd, sidecar_mode):
         return load_gen_cmd + "_" + sidecar_mode + " " + self.compute_uri(self.server.labels["app"], "port")
 
-    def ingress(self, load_gen_cmd):
+    def ingress(self, load_gen_cmd, sidecar_mode):
         url = urlparse(self.run_ingress)
         # If scheme is not defined fallback to http
         if url.scheme == "":
             url = urlparse("http://{svc}".format(svc=self.run_ingress))
-
-        return load_gen_cmd + "_ingress {url}/echo?size={size}".format(
-            url=url.geturl(), size=self.size)
+        if self.load_gen_type == "fortio":
+            return load_gen_cmd + sidecar_mode + " {url}/echo?size={size}".format(url=url.geturl(), size=self.size)
+        elif self.load_gen_type == "nighthawk":
+            return load_gen_cmd + sidecar_mode + " {url}/".format(url=url.geturl())
+        else:
+            sys.exit("invalid load generator %s, must be fortio or nighthawk", self.load_gen_type)
 
     def execute_sidecar_mode(self, sidecar_mode, load_gen_type, load_gen_cmd, sidecar_mode_func, labels, perf_label_suffix):
         print('-------------- Running in {sidecar_mode} mode --------------'.format(sidecar_mode=sidecar_mode))
         if load_gen_type == "fortio":
-            kubectl_exec(self.client.name, sidecar_mode_func(load_gen_cmd, sidecar_mode))
+            return kubectl_exec(self.client.name, sidecar_mode_func(load_gen_cmd, sidecar_mode))
         elif load_gen_type == "nighthawk":
-            run_nighthawk(self.client.name, sidecar_mode_func(load_gen_cmd, sidecar_mode), labels + "_" + sidecar_mode)
-
-        if self.perf_record and len(perf_label_suffix) > 0:
-            run_perf(
-                self.mesh,
-                self.server.name,
-                labels + perf_label_suffix,
-                duration=40)
+            return run_nighthawk(self.client.name, sidecar_mode_func(load_gen_cmd, sidecar_mode), labels + "_" + sidecar_mode)
 
     def generate_test_labels(self, conn, qps, size):
         size = size or self.size
@@ -246,6 +260,126 @@ def generate_fortio_cmd(self, headers_cmd, conn, qps, duration, grpc, cacert_arg
 
         return fortio_cmd
 
+    def run_envoy_profiler(self, exec_cmd, podname, profile_name, envoy_profiler, labels):
+        filename = "{datetime}_{labels}-{profile_name}-{podname}".format(
+            datetime=SCRIPT_START, profile_name=profile_name, labels=labels, podname=podname)
+        exec_cmd_on_pod = "kubectl exec -n {namespace} {podname} -c istio-proxy -- bash -c ".format(
+            namespace=os.environ.get("NAMESPACE", "twopods"),
+            podname=podname
+        )
+        profile_url = "curl -X POST -s http://localhost:15000/{envoy_profiler}?enable".format(envoy_profiler=envoy_profiler)
+        script = "{profile_url}=y; sleep {duration}; {profile_url}=n;".format(profile_url=profile_url, duration=self.duration)
+        print(getoutput("{exec_cmd} \"{script}\"".format(exec_cmd=exec_cmd_on_pod, script=script)))
+
+        # When we get here, the heap profile has been written.
+        # We install pprof & some nessecities for generating the visual into the istio-proxy container the first
+        # time we get here, so we can a the visualization of the process out.
+        script = "test ! -f ~/go/bin/pprof && echo 1"
+        if getoutput("{exec_cmd} \"{script}\"".format(exec_cmd=exec_cmd_on_pod, script=script)) == "1":
+            script = "sudo apt-get update && sudo apt-get install -y --no-install-recommends wget git binutils graphviz &&"
+            script = script + " cd /tmp/ &&"
+            script = script + " curl https://dl.google.com/go/go1.14.2.linux-amd64.tar.gz --output go1.14.2.linux-amd64.tar.gz &&"
+            script = script + " sudo tar -C /usr/local -xzf go1.14.2.linux-amd64.tar.gz &&"
+            script = script + " export PATH=$PATH:/usr/local/go/bin &&"
+            script = script + " go get -u github.com/google/pprof"
+            print(getoutput("{exec_cmd} \"{script}\"".format(exec_cmd=exec_cmd_on_pod, script=script)))
+
+        script = "rm -r /tmp/envoy; cp -r /var/lib/istio/data/ /tmp/envoy; cp -r /lib/x86_64-linux-gnu /tmp/envoy/lib; cp /usr/local/bin/envoy /tmp/envoy/lib/envoy"
+        print(getoutput("{exec_cmd} \"{script}\"".format(exec_cmd=exec_cmd_on_pod, script=script)))
+        output_name = "tmp.svg"
+
+        visualization_arg = ""
+        if envoy_profiler == "heapprofiler":
+            visualization_arg = "-alloc_space"
+        print(getoutput("{exec_cmd} \"cd /tmp/envoy;  PPROF_BINARY_PATH=/tmp/envoy/lib/ ~/go/bin/pprof {visualization_arg} -svg -output '{output_name}' /tmp/envoy/lib/envoy envoy.*\"".format(
+            exec_cmd=exec_cmd_on_pod, output_name=output_name, visualization_arg=visualization_arg)))
+        # Copy the visualization into flame/output.
+        kubectl_cp(podname + ":/tmp/envoy/{output_name}".format(output_name=output_name),
+                   "flame/flameoutput/{filename}.svg".format(filename=filename), "istio-proxy")
+
+    def run_profiler(self, exec_cmd, podname, profile_name, profiling_command, labels):
+        filename = "{datetime}_{labels}-{profile_name}-{podname}".format(
+            datetime=SCRIPT_START, profile_name=profile_name, labels=labels, podname=podname)
+        profiler_cmd = "{profiling_command} > {filename}.profile".format(
+            profiling_command=profiling_command,
+            filename=filename
+        )
+        html_escaped_command = html.escape(profiling_command)
+        flamegraph_cmd = "./FlameGraph/flamegraph.pl --title='{profiling_command} Flame Graph'  < {filename}.profile > {filename}.svg".format(
+            profiling_command=html_escaped_command,
+            filename=filename
+        )
+
+        # We build a small bash script which will run the profiler & produce a flame graph
+        # We the copy this script into the container, and run it
+        with tempfile.NamedTemporaryFile(dir='/tmp', delete=True) as tmpfile:
+            dest = tmpfile.name + ".sh"
+            with open(dest, 'w') as f:
+                s = """#!/bin/bash
+set -euo pipefail
+({profiler_cmd}) >& /tmp/{filename}_profiler_cmd.log
+({flamegraph_cmd}) >& /tmp/{filename}_flamegraph_cmd.log
+                """.format(profiler_cmd=profiler_cmd, flamegraph_cmd=flamegraph_cmd, filename=filename)
+                f.write(s)
+            st = os.stat(dest)
+            os.chmod(dest, st.st_mode | stat.S_IEXEC)
+            kubectl_cp(dest, podname + ":" + dest, "perf")
+
+        process = subprocess.Popen(shlex.split("{exec_cmd} \"{dest}\"".format(exec_cmd=exec_cmd, dest=dest)))
+
+        if process.wait() == 0:
+            # Copy the resulting flamegraph out of the container into flame/flameoutput/
+            kubectl_cp(podname + ":{filename}.svg".format(filename=filename),
+                       "flame/flameoutput/{filename}.svg".format(filename=filename), "perf")
+            print("Wrote flame/flameoutput/{filename}.svg".format(filename=filename))
+        else:
+            print("WARNING: Did not obtain a flamegraph. See /tmp/{filename}_*.log".format(filename=filename))
+
+    def maybe_start_profiling_threads(self, labels, perf_label):
+        threads = []
+        if self.envoy_profiler:
+            for pod in [self.client.name, self.server.name]:
+                exec_cmd_on_pod = "kubectl exec -n {namespace} {podname} -c istio-proxy -- bash -c ".format(
+                    namespace=os.environ.get("NAMESPACE", "twopods"),
+                    podname=pod
+                )
+                script = "set -euo pipefail; sudo rm -rf {dir}/* || true; sudo mkdir -p {dir}; sudo chmod 777 {dir};".format(dir="/var/lib/istio/data/")
+                print(getoutput("{exec_cmd} \"{script}\"".format(exec_cmd=exec_cmd_on_pod, script=script)))
+                threads.append(Thread(target=self.run_envoy_profiler, args=[
+                    exec_cmd_on_pod, pod, "envoy-" + self.envoy_profiler, self.envoy_profiler, labels + perf_label]))
+        if self.custom_profiling_command:
+            # We run any custom profiling command on both pods, as one runs on each node we're interested in.
+            for pod in [self.client.name, self.server.name]:
+                exec_cmd_on_pod = "kubectl exec -n {namespace} {podname} -c perf -- bash -c ".format(
+                    namespace=os.environ.get("NAMESPACE", "twopods"),
+                    podname=pod
+                )
+
+                # Wait for node_exporter to run, which indicates the profiling initialization container has finished initializing.
+                # once the init probe is supported, move this to a http probe instead in fortio.yaml
+                ready_cmd = "{exec_cmd} \"which perf\"".format(
+                    exec_cmd=exec_cmd_on_pod)
+                perf_path = getoutput(ready_cmd).strip()
+                attempts = 1
+                while perf_path != "/usr/sbin/perf" and attempts < 60:
+                    sleep(1)
+                    perf_path = getoutput(ready_cmd).strip()
+                    attempts = attempts + 1
+
+                # Find side car process id's in case the profiling command needs it.
+                sidecar_ppid = getoutput(
+                    "{exec_cmd} \"pgrep -f 'pilot-agent proxy sidecar'\"".format(exec_cmd=exec_cmd_on_pod)).strip()
+                sidecar_pid = getoutput("{exec_cmd} \"pgrep -P {sidecar_ppid}\"".format(
+                    exec_cmd=exec_cmd_on_pod, sidecar_ppid=sidecar_ppid)).strip()
+                profiling_command = self.custom_profiling_command.format(
+                    duration=self.duration, sidecar_pid=sidecar_pid)
+                threads.append(Thread(target=self.run_profiler, args=[
+                    exec_cmd_on_pod, pod, self.custom_profiling_name, profiling_command, labels + perf_label]))
+        for thread in threads:
+            thread.start()
+
+        return threads
+
     def generate_nighthawk_cmd(self, cpus, conn, qps, duration, labels):
         labels = "nighthawk_" + labels
         nighthawk_args = [
@@ -290,6 +424,16 @@ def generate_nighthawk_cmd(self, cpus, conn, qps, duration, labels):
 
         return nighthawk_cmd
 
+    def create_execution_delegate(self, perf_label, sidecar_mode, sidecar_mode_func, load_gen_cmd, labels):
+        def execution_delegate():
+            threads = self.maybe_start_profiling_threads(labels, perf_label)
+            ok = self.execute_sidecar_mode(
+                sidecar_mode, self.load_gen_type, load_gen_cmd, sidecar_mode_func, labels, perf_label)
+            for thread in threads:
+                thread.join()
+            return ok
+        return execution_delegate
+
     def run(self, headers, conn, qps, size, duration):
         labels = self.generate_test_labels(conn, qps, size)
 
@@ -303,7 +447,6 @@ def run(self, headers, conn, qps, size, duration):
 
         headers_cmd = self.generate_headers_cmd(headers)
 
-        load_gen_cmd = ""
         if self.load_gen_type == "fortio":
             load_gen_cmd = self.generate_fortio_cmd(headers_cmd, conn, qps, duration, grpc, cacert_arg, labels)
         elif self.load_gen_type == "nighthawk":
@@ -318,77 +461,38 @@ def run(self, headers, conn, qps, size, duration):
             # See the comment above, we restrict execution to a single nighthawk worker for
             # now to avoid noise.
             workers = 1
-            load_gen_cmd = self.generate_nighthawk_cmd(workers, conn, qps, duration, labels)
+            load_gen_cmd = self.generate_nighthawk_cmd(
+                workers, conn, qps, duration, labels)
 
-        perf_label = ""
-        sidecar_mode = ""
-        sidecar_mode_func = None
+        executions = []
 
         if self.run_baseline:
-            sidecar_mode = "baseline"
-            sidecar_mode_func = self.baseline
-            self.execute_sidecar_mode(sidecar_mode, self.load_gen_type, load_gen_cmd, sidecar_mode_func, labels, perf_label)
+            executions.append(self.create_execution_delegate(
+                "", "baseline", self.baseline, load_gen_cmd, labels))
 
         if self.run_serversidecar:
-            perf_label = "_srv_serveronly"
-            sidecar_mode = "serveronly"
-            sidecar_mode_func = self.serversidecar
-            self.execute_sidecar_mode(sidecar_mode, self.load_gen_type, load_gen_cmd, sidecar_mode_func, labels, perf_label)
+            executions.append(self.create_execution_delegate(
+                "_srv_serveronly", "server_sidecar", self.serversidecar, load_gen_cmd, labels))
 
         if self.run_clientsidecar:
-            perf_label = "_srv_clientonly"
-            sidecar_mode = "clientonly"
-            sidecar_mode_func = self.clientsidecar
-            self.execute_sidecar_mode(sidecar_mode, self.load_gen_type, load_gen_cmd, sidecar_mode_func, labels, perf_label)
+            executions.append(self.create_execution_delegate(
+                "_srv_clientonly", "client_sidecar", self.clientsidecar, load_gen_cmd, labels))
 
         if self.run_bothsidecar:
-            perf_label = "_srv_bothsidecars"
-            sidecar_mode = "both"
-            sidecar_mode_func = self.bothsidecar
-            self.execute_sidecar_mode(sidecar_mode, self.load_gen_type, load_gen_cmd, sidecar_mode_func, labels, perf_label)
+            executions.append(self.create_execution_delegate(
+                "_srv_bothsidecars", "both_sidecar", self.bothsidecar, load_gen_cmd, labels))
 
         if self.run_ingress:
-            perf_label = "_srv_ingress"
-            print('-------------- Running in ingress mode --------------')
-            kubectl_exec(self.client.name, self.ingress(load_gen_cmd))
-            if self.perf_record:
-                run_perf(
-                    self.mesh,
-                    self.server.name,
-                    labels + "_srv_ingress",
-                    duration=40)
-
-
-PERFCMD = "/usr/lib/linux-tools/4.4.0-131-generic/perf"
-FLAMESH = "flame.sh"
-PERFSH = "get_perfdata.sh"
-PERFWD = "/etc/istio/proxy/"
+            executions.append(self.create_execution_delegate(
+                "_srv_ingress", "ingress", self.ingress, load_gen_cmd, labels))
 
-WD = os.getcwd()
-LOCAL_FLAMEDIR = os.path.join(WD, "../flame/")
-LOCAL_FLAMEPATH = LOCAL_FLAMEDIR + FLAMESH
-LOCAL_PERFPATH = LOCAL_FLAMEDIR + PERFSH
-LOCAL_FLAMEOUTPUT = LOCAL_FLAMEDIR + "flameoutput/"
-
-
-def run_perf(mesh, pod, labels, duration=20):
-    filename = labels + "_perf.data"
-    filepath = PERFWD + filename
-    perfpath = PERFWD + PERFSH
-
-    # copy executable over
-    kubectl_cp(LOCAL_PERFPATH, pod + ":" + perfpath, mesh + "-proxy")
-
-    kubectl_exec(
-        pod,
-        "{perf_cmd} {filename} {duration}".format(
-            perf_cmd=perfpath,
-            filename=filename,
-            duration=duration),
-        container=mesh + "-proxy")
-
-    kubectl_cp(pod + ":" + filepath + ".perf", LOCAL_FLAMEOUTPUT + filename + ".perf", mesh + "-proxy")
-    run_command_sync(LOCAL_FLAMEPATH + " " + filename + ".perf")
+        for execution in executions:
+            if not execution():
+                print("WARNING: execution failed. Performing a single retry.")
+                # TODO(oschaaf): optionize this, add --max-retries-per-test or some such.
+                if not execution():
+                    print("ERROR: retry failed. Aborting.")
+                    sys.exit(1)
 
 
 def validate_job_config(job_config):
@@ -463,12 +567,16 @@ def run_perf_test(args):
             mesh=args.mesh,
             telemetry_mode=args.telemetry_mode,
             cacert=args.cacert,
-            load_gen_type=args.load_gen_type)
+            load_gen_type=args.load_gen_type,
+            custom_profiling_command=args.custom_profiling_command,
+            custom_profiling_name=args.custom_profiling_name,
+            envoy_profiler=args.envoy_profiler)
 
     if fortio.duration <= min_duration:
         print("Duration must be greater than {min_duration}".format(
             min_duration=min_duration))
-        exit(1)
+        if not args.devmode:
+            exit(1)
 
     port_forward_process = None
 
@@ -532,13 +640,15 @@ def run_nighthawk(pod, remote_cmd, labels):
             # - initiation time to completion (spanning the complete lifetime of a request/reply, including queue/connect time)
             # - per worker output may sometimes help interpret plots that don't have a nice knee-shaped shape.
             kubectl_cp("{dest}.fortio.json".format(
-                dest=dest), "{pod}:/var/lib/fortio/{datetime}_nighthawk_{labels}.json".format(pod=pod, labels=labels, datetime=time.strftime("%Y-%m-%d-%H%M%S")), "shell")
+                dest=dest), "{pod}:/var/lib/fortio/{datetime}_{labels}.json".format(pod=pod, labels=labels, datetime=SCRIPT_START), "shell")
+            return True
     else:
         print("nighthawk remote execution error: %s" % exit_code)
         if output:
             print("--> stdout: %s" % output.decode("utf-8"))
         if err:
             print("--> stderr: %s" % err.decode("utf-8"))
+        return False
 
 
 def csv_to_int(s):
@@ -588,6 +698,14 @@ def get_parser():
         "--perf",
         help="also run perf and produce flame graph",
         default=False)
+    parser.add_argument(
+        "--custom_profiling_command",
+        help="Run custom profiling commands on the nodes for the client and server, and produce a flamegraph based on their outputs. E.g. --custom_profiling_command=\"profile-bpfcc -df {duration} -p {sidecar_pid}\"",
+        default=None)
+    parser.add_argument(
+        "--custom_profiling_name",
+        help="Name to be added to the flamegraph resulting from --custom_profiling_command",
+        default="default-profile")
     parser.add_argument(
         "--ingress",
         help="run traffic through ingress, should be a valid URL",
@@ -613,6 +731,16 @@ def get_parser():
         help="fortio or nighthawk",
         default="fortio",
     )
+    parser.add_argument(
+        "--devmode",
+        help="In development mode, very short duration argument values are allowed.",
+        default=False,
+    )
+    parser.add_argument(
+        "--envoy_profiler",
+        help="Obtains perf visualization based on Envoy's built-in profiling. Valid values are 'heapprofiler' or 'cpuprofiler'.",
+        default=None,
+    )
 
     define_bool(parser, "baseline", "run baseline for all", False)
     define_bool(parser, "serversidecar",
@@ -620,7 +748,7 @@ def get_parser():
     define_bool(parser, "clientsidecar",
                 "run clientsidecar-only for all", False)
     define_bool(parser, "bothsidecar",
-                "run both clientsiecar and serversidecar", True)
+                "run both clientsidecar and serversidecar", True)
 
     return parser
 
diff --git a/perf/benchmark/templates/fortio.yaml b/perf/benchmark/templates/fortio.yaml
index 789a891600..49963d1363 100644
--- a/perf/benchmark/templates/fortio.yaml
+++ b/perf/benchmark/templates/fortio.yaml
@@ -27,6 +27,12 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ $.name }}
+{{- if $.Values.profilingMode }}
+  annotations:
+    prometheus.io/scrape: 'true'
+    prometheus.io/scheme: 'http'
+    prometheus.io/port: '{{ $.Values.nodeExporterPort }}'
+{{- end }}
 spec:
   ports:
   - name: http-echo
@@ -40,7 +46,11 @@ spec:
     protocol: TCP
   - name: grpc-pinga
     port: 8076
+{{- if $.Values.profilingMode }}
+  - name: prometheus-node-exporter
+    port: {{ $.Values.nodeExporterPort }}
     protocol: TCP
+{{- end }}
   - name: nighthawk-service
     port: 9999
     protocol: TCP
@@ -367,7 +377,7 @@ spec:
         config.linkerd.io/skip-inbound-ports: "8077"
 {{- end }}
         # exclude inbound ports of the uncaptured container
-        traffic.sidecar.istio.io/excludeInboundPorts: "8076,8077,8078,9999"
+        traffic.sidecar.istio.io/excludeInboundPorts: "8076,8077,8078,9999,{{ $.Values.nodeExporterPort }}"
         traffic.sidecar.istio.io/excludeOutboundPorts: "80,8076,8077,8078"
         sidecar.istio.io/proxyCPU: {{ $.Values.proxy.cpu }}
         sidecar.istio.io/proxyMemory: {{ $.Values.proxy.memory }}
@@ -388,9 +398,30 @@ spec:
                 - "fortioclient"
 {{- end }}
             topologyKey: "kubernetes.io/hostname"
+{{- if $.Values.profilingMode }}
+      hostIPC: true
+      hostPID: true   
+{{- end }}
       volumes:
       - name: shared-data
         emptyDir: {}
+{{- if $.Values.profilingMode }}
+      - name: sys
+        hostPath:
+          path: /sys
+      - name: lsb-release
+        hostPath:
+          path: /etc/lsb-release
+      - name: modules-generated
+        hostPath:
+          path: /var/cache/kernel/modules
+      - name: headers-generated
+        hostPath:
+          path: /var/cache/kernel/headers
+      - name: usr-host
+        hostPath:
+          path: /usr
+{{- end }}
       {{- if eq $.Values.loadGenType "nighthawk" }}
       - name: nighthawk-test-server-config
         configMap:
@@ -456,6 +487,33 @@ spec:
         args:
         - /bin/sleep
         - infinity
+{{- if $.Values.profilingMode }}
+      - name: perf
+        image: {{ $.Values.perfImage }}
+        imagePullPolicy: Always
+        securityContext:
+          privileged: true
+          capabilities:
+            add:
+              - SYS_ADMIN
+              - SYS_PTRACE
+        command: ["/bin/bash"]
+        args: ["-c", "./setup-node-for-profiling.sh :{{ $.Values.nodeExporterPort }}"]
+        ports:
+        - containerPort: {{ $.Values.nodeExporterPort }}
+          protocol: TCP
+        volumeMounts:
+          - mountPath: /sys
+            name: sys
+          - mountPath: /etc/lsb-release.host
+            name: lsb-release
+          - mountPath: /lib/modules
+            name: modules-generated
+          - mountPath: /usr/src
+            name: headers-generated
+          - mountPath: /usr-host
+            name: usr-host
+{{- end }}
       - name: uncaptured
         securityContext:
           runAsUser: 1
diff --git a/perf/benchmark/values.yaml b/perf/benchmark/values.yaml
index a8c80041d2..4f7ec1f32e 100644
--- a/perf/benchmark/values.yaml
+++ b/perf/benchmark/values.yaml
@@ -44,6 +44,8 @@ client: # client overrides
 
 cert: false
 interceptionMode: REDIRECT
-
+profilingMode: true
+perfImage: oschaaf/istio-tools:profiling
+nodeExporterPort: 9100
 namespace: ""
 loadGenType: ""
diff --git a/perf/docker/Dockerfile.profiling b/perf/docker/Dockerfile.profiling
new file mode 100644
index 0000000000..ad3429de12
--- /dev/null
+++ b/perf/docker/Dockerfile.profiling
@@ -0,0 +1,41 @@
+FROM ubuntu:18.04
+
+WORKDIR /root
+
+COPY profiling/setup-node-for-profiling.sh setup-node-for-profiling.sh
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+RUN apt-get update && \
+  apt-get install -y --no-install-recommends \
+    git=1:2.17.1-1ubuntu0.6 \
+    gcc=4:7.4.0-1ubuntu2.3 \
+    make=4.1-9.1ubuntu1 \
+    curl=7.58.0-2ubuntu3.8 \
+    wget=1.19.4-1ubuntu2.2 \
+    libelf-dev=0.170-0.4ubuntu0.1 \
+    bc=1.07.1-2 \
+    bpfcc-tools=0.5.0-5ubuntu1 \
+    bison=2:3.0.4.dfsg-1build1 \
+    flex=2.6.4-6 \
+    ca-certificates=20180409 \
+    libdw-dev=0.170-0.4ubuntu0.1 \
+    systemtap-sdt-dev=3.1-3ubuntu0.1 \
+    libunwind-dev=1.2.1-8 \
+    libaudit-dev=1:2.8.2-1ubuntu1 \
+    libssl-dev=1.1.1-1ubuntu2.1~18.04.5 \
+    libslang2-dev=2.3.1a-3ubuntu1 \
+    libgtk2.0-dev=2.24.32-1ubuntu1 \
+    libperl-dev=5.26.1-6ubuntu0.3 \
+    python-dev=2.7.15~rc1-1 && \
+  chmod +x setup-node-for-profiling.sh && \
+  update-ca-certificates && \
+  wget -qO- https://github.com/prometheus/node_exporter/releases/download/v0.18.1/node_exporter-0.18.1.linux-amd64.tar.gz | tar -C . -xvzf - && \
+  cp node_exporter-*/node_exporter /usr/bin/ && \
+  rm -rf node_exporter-* && \
+  git clone --depth=1 https://github.com/BrendanGregg/FlameGraph && \
+  rm -rf /var/lib/apt/lists/* && \
+  rm -rf /tmp/*
+ 
+CMD ["setup-node-for-profiling.sh"]
+
diff --git a/perf/docker/profiling/setup-node-for-profiling.sh b/perf/docker/profiling/setup-node-for-profiling.sh
new file mode 100644
index 0000000000..18f9f8d8a9
--- /dev/null
+++ b/perf/docker/profiling/setup-node-for-profiling.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+USR_SRC="/usr/src"
+KERNEL_VERSION="$(uname -r)"
+CHROMEOS_RELEASE_VERSION="$(grep 'CHROMEOS_RELEASE_VERSION' /etc/lsb-release.host | cut -d '=' -f 2)"
+
+build_kernel()
+{
+  # Build the headers
+  cd "${WORKING_DIR}"
+  zcat /proc/config.gz > .config
+  make ARCH=x86 oldconfig > /dev/null
+  make ARCH=x86 prepare > /dev/null
+
+  # Build perf
+  cd tools/perf/
+  make ARCH=x86  > /dev/null
+  mv perf /usr/sbin/
+}
+
+prepare_node()
+{
+  WORKING_DIR="/linux-lakitu-${CHROMEOS_RELEASE_VERSION}"
+  SOURCES_DIR="${USR_SRC}/linux-lakitu-${CHROMEOS_RELEASE_VERSION}"
+  mkdir -p "${WORKING_DIR}"
+  curl -s "https://storage.googleapis.com/cos-tools/${CHROMEOS_RELEASE_VERSION}/kernel-src.tar.gz" \
+    | tar -xzf - -C "${WORKING_DIR}"
+  build_kernel
+  rm -rf "${USR_SRC}${WORKING_DIR}"
+  mv "${WORKING_DIR}" "${USR_SRC}"
+}
+
+prepare_node
+mkdir -p "/lib/modules/${KERNEL_VERSION}"
+ln -sf "${SOURCES_DIR}" "/lib/modules/${KERNEL_VERSION}/source"
+ln -sf "${SOURCES_DIR}" "/lib/modules/${KERNEL_VERSION}/build"
+
+sysctl kernel.perf_event_paranoid=-1
+sysctl kernel.kptr_restrict=0
+
+# fire up the node exporter process, listening at the passed in address:port
+node_exporter --web.listen-address "$1"
+