Sandfly Security

Sandfly Security Documentation

Welcome to the Sandfly Security documentation hub. Sandfly is an agentless compromise and intrusion detection system for Linux.

Sandfly automates security investigation and forensic evidence collection on Linux. Sandfly constantly searches for intruders 24 hours a day on your network without needing to load any agents on your endpoints.

Get Started

Theory of Operation

An Automated Security and Forensic Investigator

Sandfly provides agentless security for Linux. It does this with an innovative approach that securely connects to endpoints, pushes over investigative code modules (called sandflies), and then obtains results. The results either show the system is compromised in one or more ways, or shows no evidence of compromise.

Sandfly runs constantly on your network using a random scheduler and random selection of sandflies to hunt for intruders on your Linux systems. Sandfly functions as a very high performance security investigator searching constantly for trouble. If Sandfly spots anything suspicious, it switches roles and collects data like an expert forensic investigator so you can find out what is going on with the remote system.

Additionally, Sandfly can be used as an on-demand security investigator as well. During an incident you can use Sandfly to search large numbers of Linux hosts for signs of compromise, or launch spot checks if you think a system has been compromised to collect evidence of what might have happened.

Updated 2 years ago

Theory of Operation

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.