How Sandfly Works

Visibility in Seconds

Sandfly is an agentless and scalable solution that will find compromised Linux hosts without the need for specialized forensic skills. With Sandfly, you simply point it at the hosts you want protected and it will monitor them for intruders and malicious activity automatically. We support Linux systems over a decade old to modern deployments instantly without the need to modify any endpoint.

Sandfly runs on all versions of Linux, including cloud and virtual systems, on premise, and embedded systems supporting Internet of Things (IoT) and Industrial Control Systems (ICS). Sandfly also scans inside containers for attacks attempting to replicate in those images, giving you the widest coverage available for Linux.

Host List 4.0

System Requirements


Sandfly works on virtually all Linux distributions, including legacy and embedded devices. Here is a small list of what we support:


Sandfly will protect most Linux variants and versions running Intel, AMD, Arm, MIPS and IBM Power CPUs without any modifications.

Easy Integration

Sandfly is flexible, integrates easily and can be driven by administrators using other security platforms of their choice. Sandfly offers a full library of REST-based APIs to support various functions and connectivity requirements.

Sandfly can send events over syslog to log aggregation systems or SIEM of your choice. We can also export events directly to an Elasticsearch cluster, Postgres database or use our Splunk App to send data directly into Splunk.

Platform Agnostic

Sandfly was developed on cloud infrastructure and works immediately at places like Amazon AWS, Azure, Digital Ocean, Linode, etc. But in reality, Sandfly doesn’t care where your Linux hosts are located. As long as the Linux systems allow SSH access, Sandfly can protect them immediately. Whether it’s in the cloud, on your own network, in Docker images, part of an ICS system, or any other configuration, Sandfly will tirelessly monitor for suspicious activity.


Sandfly is fully containerized and sets up in minutes. For a basic install, you need two systems capable of running Docker or Podman with these minimum requirements:

  1. A Server with 4GB or more of RAM running Linux (depending on your install size).

  2. A Node with 2GB of RAM running Linux. Each node covers thousands of hosts and can be geographically distributed.


Sandfly is easy to set up and immediately begins threat hunting and discovery operations within seconds after you add a host. See the setup video here.

See how Sandfly can help you today.

Protect Hosts Now

Attack Pattern Analysis

Sandfly uses purpose-built forensic engines to detect Linux attacks. Once the presence of malware is detected, investigators can drill down to see detailed forensic data on the attack processes and activities for a picture of the entire exploit and its impact.

Fast Searches

The average sandfly module takes under one second execute. A swarm of sandflies can typically assess a system in under 30 seconds and then vanish without a trace. Sandflies have minimal system impacts because they don’t require agents that hook into the kernel.

Fully Automated

The system will select Sandfly Investigations to run based on a random schedule and in random quantities. Each sandfly looks for a particular problem (such as suspicious processes or users) and reports back findings. These activities are correlated against other tactics discovered by other sandflies, such as a process embedded through a stealth rootkit.

Your Data is Yours

Sandfly does not send your data out to us or any other third-party. Detection and analysis occurs locally on your systems – not on anyone else’s. Sandfly runs perfectly fine on air-gapped and tightly regulated networks on premises or in the cloud.

We make Linux security easy.

Protect Hosts Now