I believe you may have missed my point. 
I meant that normally speaking, security tools like behavior blockers should not trigger a lot of CPU and disk activity and should also not use a lot of RAM. And that’s because they basically only need to come in action when certain behaviors/API’s are triggered.
So stuff like monitoring of process execution, network connections, service/driver loading and registry modification can all be done, without using many resources. Of course RAM usage can be high in case the GUI is a bit heavy.