Sandworm EDR

Hunt what AV misses.

Cross-platform endpoint detection and response with YARA rules, live response, and process tree forensics. Deploy on Linux, macOS, and Windows — from one console.

What Sandworm EDR does.

eBPF-powered telemetry

The Rust agent uses eBPF kernel hooks on Linux to capture syscalls, network events, and file operations with minimal overhead — no kernel module required.

YARA rule engine

Write, deploy, and tune YARA rules from the console. Match on memory, disk, or both. Rules are versioned and can be pushed from your existing Git workflow.

File integrity monitoring (FIM)

Watch specific paths and directories for unauthorized changes. Every modification is recorded with before/after hashes, the responsible process, and the user context.

Live response shell

Drop into a live shell on any enrolled endpoint. Collect artifacts, kill processes, pull memory — without opening RDP or an additional remote access tool.

Process tree and memory forensics

Full process tree for every detection. Dump and scan process memory for injected code, unlinked DLLs, and payloads that never touch disk.

Auto-containment

Isolate a compromised host from the network in one click. The agent connection stays active so investigation continues while lateral movement is blocked.

How Sandworm EDR works

  1. Deploy the Rust agent

     Install the lightweight Sandworm EDR agent on Linux, macOS, or Windows endpoints. On Linux, it attaches eBPF probes to capture kernel events without a kernel module. On macOS and Windows, it uses platform-native APIs. All three report through the same console.

  2. Stream telemetry and apply YARA rules

     The agent continuously streams process, file, and network events. YARA rules pushed from the console are evaluated locally — on memory and on-disk — in real time. FIM watches trigger the moment a monitored path changes.

  3. Triage detections with full context

     Every alert surfaces a complete process tree, the responsible user, the full command line, and any matched YARA rule or FIM event. Analysts see the chain of custody, not just a file hash.

  4. Contain, collect, and close

     Isolate the host with one click, then use the live response shell to pull artifacts, dump memory, or run ad-hoc YARA scans. When the investigation is done, re-enroll the endpoint from the same console.

Built for…

SOC teams who need endpoint telemetry they can act on

Process trees, not process names. FIM events with user context, not just inotify noise. Context that lets an analyst close a ticket instead of opening three more.

Incident responders who need to contain and collect

Isolate the host, open a live shell, pull the artifacts, and close the case — from one console, without coordinating a separate remote access tool.

Threat hunters writing their own detection content

YARA rules deployed from Git. No vendor ticket, no recompile, no waiting for a signature update cycle. Your rules run on the next heartbeat.

Compliance teams who need auditable file integrity evidence

FIM watches produce a tamper-evident log of every change to monitored paths. Export the record for PCI DSS, CIS, or internal audit — without a separate tool.
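The tamper-evident FIM log described above, as an added illustration that is not Sandworm's own implementation: each change record carries the before/after content hashes, the responsible process and user, and a hash link to the previous record, so rewriting or deleting an earlier entry breaks every later link. The record field names, the constructed watched file, and the PID and user values are assumptions.

```python
import hashlib
import json
import os
import tempfile

GENESIS = "0" * 64  # chain anchor for the first record


def sha256_file(path):
    """Content hash used for the before/after fields of a change record."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def append_change(log, path, before, after, pid, user):
    """Append one FIM event. Each entry commits to the previous entry's hash,
    so editing or deleting an earlier record breaks every later link."""
    entry = {"path": path, "before": before, "after": after, "pid": pid,
             "user": user, "prev": log[-1]["entry_hash"] if log else GENESIS}
    canonical = json.dumps(entry, sort_keys=True).encode()
    entry["entry_hash"] = hashlib.sha256(canonical).hexdigest()
    log.append(entry)
    return entry


def verify_log(log):
    """Recompute every entry hash and follow the chain; False on any tampering."""
    expected_prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != expected_prev or digest != entry["entry_hash"]:
            return False
        expected_prev = digest
    return True


def demo():
    """Baseline a constructed file, modify it, log the change, then tamper with the log."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "watched.conf")
        with open(path, "w") as f:
            f.write("setting=original\n")
        before = sha256_file(path)
        with open(path, "w") as f:
            f.write("setting=changed\n")  # the unauthorized modification
        log = []
        # pid and user are constructed values standing in for agent telemetry
        append_change(log, path, before, sha256_file(path), pid=4242, user="svc-deploy")
        intact = verify_log(log)
        log[0]["user"] = "root"  # rewriting a record after the fact
        return intact, verify_log(log)
```

A real deployment would anchor the chain head off-host (for example by forwarding each entry hash to the SIEM) so the verifier is not trusting the same disk the attacker may control.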

Integrations

  • Windows agents
  • macOS agents
  • Linux agents
  • SIEM forwarding
  • YARA rules

Frequently asked questions

How do I roll out the Sandworm EDR agent across my fleet?

The agent ships as a single self-contained binary for Linux (x86-64 and arm64), macOS (arm64 and x86-64), and Windows (x86-64). Distribute it with whatever you already use — Ansible, Intune, Jamf, a package manager, or a simple wrapper script. On first run the agent reads a tenant token and enrolls automatically; no interactive setup on the endpoint is needed.

What telemetry does the agent collect and where is it stored?

The agent streams structured event records — process lifecycle events, file-system activity, network connections, and YARA match results — to your Sandworm EDR backend. File contents and memory are never uploaded automatically. Raw artifacts are transferred only when an analyst explicitly initiates a live-response pull. All event data is written to your own deployment and stays within your network boundary.

What does Sandworm EDR cost?

Sandworm EDR is included in both the Platform and Sovereign bundles and is available as a standalone add-on. Current pricing is on the /pricing page. If you are evaluating for a large fleet or a government deployment, contact us — those engagements are scoped separately.

How does Sandworm EDR differ from a traditional AV or a commercial EDR?

Traditional AV relies on signature databases that update on the vendor's schedule. Sandworm EDR puts the rule engine in your hands — push a YARA rule from Git and it evaluates on the next agent heartbeat, not after a signature cycle. The eBPF telemetry layer on Linux captures syscall-level events that user-space agents miss entirely, and does so without a kernel module, giving you a level of visibility most commercial EDRs cannot match on Linux.

Does eBPF work on older enterprise Linux distributions?

The eBPF agent requires Linux kernel 5.8 or later, covering RHEL 8+, Ubuntu 20.04+, and Debian 11+. On kernels below 5.8, the agent falls back to kprobe-based hooks where available. macOS and Windows agents use platform-native APIs and carry no kernel version constraint.

What is next on the Sandworm EDR roadmap?

Current work includes tighter Mendicant AI integration to accelerate autonomous triage of endpoint detections — Mendicant runs on frontier AI models today while the in-house engine matures — and expanded container and Kubernetes workload visibility for teams running eBPF inside pod sandboxes.

The rest of the platform

Also in Sandworm.

CNAPP

CloudGuard

Cloud-native application protection across AWS, Azure, and GCP.

See CloudGuard

SIEM

Sandworm SIEM

Security information and event management with real-time correlation.

See Sandworm SIEM

NGFW

Stillsuit

Packet filter · stateful · NGFW · WAF · IPS — one engine

See Stillsuit

See the endpoint.

We'll deploy Sandworm EDR on a test fleet and walk through a live detection — your rules, your endpoints.