Theory of Operation

Sandfly is an Automated Security and Forensic Investigator

Sandfly provides agentless security for Linux. It does this with an innovative approach that securely connects to endpoints, pushes over investigative code modules (called sandflies), and then collects the results. The results either show that the system is compromised in one or more ways, or show no evidence of compromise.

Malicious Sniffer on Linux

Sandfly runs constantly on your network, using a random scheduler and a random selection of sandflies to hunt for intruders on your Linux systems. Sandfly functions as a very high-performance security investigator, searching constantly for trouble. If Sandfly spots anything suspicious, it switches roles and collects data like an expert forensic investigator so you can find out what is going on with the remote system.

Additionally, Sandfly can be used as an on-demand security investigator. During an incident you can use Sandfly to search large numbers of Linux hosts for signs of compromise, or launch spot checks on a system you suspect has been compromised to collect evidence of what might have happened.