Get Sandfly


How many Linux systems do you need to secure?

Choose your payment plan

Home Lab

Industry leading protection for your home Linux network.

$8.33 per year*

Save 17% annually
Secure 10 Linux hosts
Agentless Linux Threat Detection
SSH Key Tracking
Password Auditing
Detailed Host and Forensic Views
Automated Scanning
Requires: Sandfly version 5.3.1 or later, a dedicated virtual machine, and an internet connection.
✨ Recommended ✨

Professional

Full featured subscription for professional use.

$62.50 per year*

Save 22% annually ($6.25 per host)
Secure 10 Linux hosts
All Features Enabled
Unlimited Users
Customized Threat Hunting and Response
Powerful Third Party Integrations
SSO and More...
Requires: Sandfly version 5.3.1 or later, a dedicated virtual machine, and an internet connection.

Air Gapped

Full featured license for air-gapped and isolated networks.

$66.67 per year*

($6.67 per host)
Secure 10 Linux hosts
All Professional Features
Works on Air Gapped and Isolated Networks
Customized Threat Hunting and Response
Powerful Third Party Integrations
SSO and More...
Requires: a dedicated virtual machine. License requires manual renewal at end of term.

Compare License Features

| Feature | Home Lab | Professional | Air Gapped |
|---|---|---|---|
| Visible Alerts | Unlimited | Unlimited | Unlimited |
| Email Notifications | 1 | Unlimited | Unlimited |
| Syslog Notifications | 0 | Unlimited | Unlimited |
| Schedules | 2 | Unlimited | Unlimited |
| Additional Users | No | | |
| Jump Hosts | No | | |
| No Internet Required | No | No | |
| Data Retention | 30 Days | 30 Days | 30 Days |
| Dynamic Pool Scanning | | | |
| Container Scanning | | | |
| Distributed Scanning | No | | |
| SSH Hunter | | | |
| Custom Sandflies | | | |
| Automated Response | | | |
| Technical Support | Community Only | | |
| Postgres Replication | No | | |
| Sentinel Replication | No | | |
| Splunk Integration | No | | |
| Elasticsearch Integration | No | | |
| Ad Hoc Scan | No | | |

Got more questions?

Contact An Expert

Frequently Asked Questions

Sandfly was designed to monitor large Linux networks for signs of intrusion and requires a dedicated VM to operate. It can scan most Linux devices as long as they are running SSH, which makes it suitable for a broad range of commercial applications.

For personal use, Sandfly can protect small home networks from intrusion, but it isn't intended to be installed on and protect a single device the way a traditional virus scanning product would.

We secure the widest range of Linux systems of any product on the market and protect virtually all distributions of Linux. 

This spans, for example, systems that are 10+ years old up to modern distributions at cloud providers. Sandfly works with Linux versions running Intel, AMD, Arm, MIPS and IBM Power CPUs without any special modifications. We also support embedded systems with MIPS or ARM processors such as Raspberry Pi. Basically, because of its agentless architecture, Sandfly only requires that your Linux hosts be running SSH. 

Sandfly has been tested against the following Linux distributions, but will work on many more:

  • CentOS
  • RedHat
  • Ubuntu
  • Suse
  • Oracle
  • Alma
  • Rocky
  • Fedora
  • Debian
  • Arch
  • Amazon Linux Images
  • Digital Ocean Linux Images
  • Microsoft Azure Images
  • Raspberry Pi and other embedded systems
  • Customized Distributions

Basically, as many as you have resources to protect. The server/node architecture of Sandfly can be distributed using named queues and jump hosts to scale as needed. Each node for instance can protect many thousands of hosts with minimal hardware resources, and new nodes can be added to scale upwards.

Servers are limited only by the CPU/RAM you wish to dedicate to load scaling. Multiple servers can be used to distribute larger deployments. You can also choose how much and where to store forensic data according to your requirements. For context, we have customers using Sandfly to protect tens of thousands of Linux hosts.

A basic install requires one or more systems capable of running Docker or Podman (Sandfly is Dockerized) with these minimum requirements:

  • A server with a minimum of 8GB of RAM running Linux for smaller deployments, scaling up from there. This server runs the REST API and database.
  • A scanning node with a minimum 2GB of RAM running Linux. A node runs multiple containers for performance and redundancy so you can cover thousands of hosts very easily.

We also offer a simple, single host install where both server and node run on the same system. However, for higher security and production performance, we recommend you run each on its own VM.