Linux Incident Response

Incident response

Incident Response (IR) teams need to respond quickly to breaches to ensure damage is contained. With traditional agent-based tools this becomes difficult when coverage is incomplete because of compatibility or performance risks. Sandfly deploys instantly, even on systems that have never had any security monitoring before.

Linux threats unmasked.

Ride along with Sandfly as we hunt for intrusion and compromised Linux on our firing range.


Use Cases


Deploy during an incident

Sandfly can be deployed into a live incident without any drama to gain immediate compromise detection and forensics. It deploys quickly, minimizing risk and avoiding compatibility issues.


Instant Linux forensic expert

Leverage our extensive library to identify Linux attacks such as malware, stealth rootkits, backdoors, and credential theft. We are your instant Linux forensic investigator.


Compromise detection

Sandfly works on systems that have active or historical attack traces. This helps IR teams build a complete picture of what is happening and ensures no compromised systems are left behind, even if intruders are trying to hide.



Customize any of our 1,000+ built-in modules as a framework to create your own threat hunting arsenal. Custom threat hunting modules can be deployed instantly against all protected systems.


Drift detection

A drift profile can be made from a known-good host. That profile can then be used to check whether similar systems show any changes that need to be investigated. This lets IR teams focus their efforts only on the hosts that show differences, saving valuable time.
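The following is an added illustration of the drift-detection idea described above; it is not Sandfly's code, and it does not reflect Sandfly's profile format. It takes a constructed inventory of a known-good host (users, listeners, setuid binaries, cron entries, kernel modules), diffs similar hosts against it, and returns only the hosts that drifted, ordered by how many high-risk categories changed. Host names, module names and the `sha256:PLACEHOLDER-*` hash strings are all made up for the example; a real collector would gather these inventories from the live hosts.

```python
"""Drift detection against a known-good profile (added example, not Sandfly code)."""
import copy
from typing import Dict, List, Tuple

Profile = Dict[str, Dict[str, str]]          # category -> {item: value}
Finding = Tuple[str, str, str, str, str]     # (category, kind, item, baseline, observed)

# Constructed profile of a known-good web server. Hash values are placeholders.
KNOWN_GOOD: Profile = {
    "users": {"root": "uid=0 shell=/bin/bash",
              "www-data": "uid=33 shell=/usr/sbin/nologin"},
    "listening": {"tcp/22": "sshd", "tcp/443": "nginx"},
    "setuid": {"/usr/bin/sudo": "sha256:PLACEHOLDER-A",
               "/usr/bin/passwd": "sha256:PLACEHOLDER-B"},
    "cron": {"/etc/cron.d/logrotate": "sha256:PLACEHOLDER-C"},
    "kernel_modules": {"ext4": "", "e1000": ""},
}

# Categories where any change is treated as high risk for triage ordering.
HIGH_RISK = {"setuid", "cron", "kernel_modules"}


def _variant(**changes: Dict[str, str]) -> Profile:
    """Build a host snapshot as a modified copy of the baseline (None removes an item)."""
    profile = copy.deepcopy(KNOWN_GOOD)
    for category, items in changes.items():
        for item, value in items.items():
            if value is None:
                profile[category].pop(item, None)
            else:
                profile[category][item] = value
    return profile


# Constructed snapshots of three similar hosts (hypothetical host names).
FLEET: Dict[str, Profile] = {
    "web-01": _variant(),                                       # identical to baseline
    "web-02": _variant(
        users={"backup": "uid=0 shell=/bin/bash"},              # second uid-0 account
        listening={"tcp/4444": "nc"},                           # unexpected listener
        setuid={"/usr/bin/sudo": "sha256:PLACEHOLDER-X"},       # setuid binary changed
    ),
    "web-03": _variant(
        cron={"/etc/cron.d/logrotate": None,                    # expected job gone
              "/etc/cron.d/sync": "sha256:PLACEHOLDER-Y"},      # new job appeared
        kernel_modules={"unknown_mod": ""},                     # module not in baseline
    ),
}


def diff_profiles(baseline: Profile, observed: Profile) -> List[Finding]:
    """Return every added, removed or changed item between two profiles."""
    findings: List[Finding] = []
    for category in sorted(set(baseline) | set(observed)):
        base = baseline.get(category, {})
        obs = observed.get(category, {})
        for item in sorted(set(base) | set(obs)):
            if item not in obs:
                findings.append((category, "removed", item, base[item], ""))
            elif item not in base:
                findings.append((category, "added", item, "", obs[item]))
            elif base[item] != obs[item]:
                findings.append((category, "changed", item, base[item], obs[item]))
    return findings


def triage(baseline: Profile, fleet: Dict[str, Profile]) -> Dict[str, List[Finding]]:
    """Keep only hosts that drifted, highest-risk first, so clean hosts are skipped."""
    drifted = {host: diff_profiles(baseline, snap) for host, snap in fleet.items()}
    drifted = {host: f for host, f in drifted.items() if f}

    def risk(entry: Tuple[str, List[Finding]]) -> int:
        # High-risk categories weigh double; negate so larger scores sort first.
        return -sum(2 if f[0] in HIGH_RISK else 1 for f in entry[1])

    return dict(sorted(drifted.items(), key=risk))


if __name__ == "__main__":
    for host, findings in triage(KNOWN_GOOD, FLEET).items():
        print(f"== {host}: {len(findings)} finding(s)")
        for category, kind, item, before, after in findings:
            print(f"  [{category}] {kind:<7} {item}  {before!r} -> {after!r}")
```

Run as a script it prints `web-03` first (three high-risk changes) and `web-02` second, and never mentions `web-01`, which matches the baseline. In practice the baseline would be refreshed after every approved change window, otherwise legitimate updates show up as drift on every host at once.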


Eliminate blind spots

Get visibility into all systems. Sandfly works on servers, virtual machines, on-prem, cloud, embedded, and appliance systems. IR teams get instant visibility across all systems with one tool.

Incident Response Features

Sandfly Security has many features that make it ideal for Linux incident response.



Eliminates the performance overhead, deployment hassles, and potential stability risk associated with agents, allowing instant investigation of systems.


Widest Linux coverage

Sandfly supports a wider range of Linux distributions and versions than other EDR solutions. IR teams can assess more systems for compromise, more quickly, than ever before.


Fast and efficient

Sandfly scans systems very quickly, providing near-instantaneous visibility into potential threats. This is critical during incident response when time is of the essence.


Active response

Take action upon detecting suspicious activity, including suspending or killing processes. IR teams gain valuable options for containing threats during an incident.


Forensic capabilities

Sandfly can collect and analyze forensic data from Linux systems, aiding in understanding the scope and timeline of an attack.


Linux security by design

Our focus is Linux. We focus on the attacker tactics that affect this platform rather than on specific signatures, so our detection methods work on old and new malware, rootkits, and more.

Start your free trial today

See how Sandfly can revolutionize your IR strategy and keep your organization ahead of the curve.
