Linux Threats Detected
Sandfly Hunts for the Common and Uncommon Threats Against Linux
Sandfly hunts for the building blocks that make an attack work, not on static signatures. Instead of getting on a hamster wheel of constantly outdated signature updates, Sandfly looks for Linux attack tactics and techniques that never go out of date.
Our unique focus gives us the industry leading threat coverage for Linux exploits and compromise detection. Sandfly can easily find common and not-so-common rootkits, malware, and suspicious activity lurking on your Linux infrastructure without the risk of loading agents on any endpoint.

Are your Linux hosts compromised? Find out now.
Protect Hosts NowModular Intrusion Detection and Response
Sandfly is an agentless Linux security platform that constantly hunts for intruders. When threats are found, Sandfly becomes an expert forensic investigator providing specific information on what is happening.
For security and incident response teams, we allow you to write your own custom sandfly checks in an easy to learn syntax. You can custom craft your own threat hunting checks and deploy them instantly without loading any software or updates across your Linux systems.
The modular approach we use means that more detection methods are being added all the time to enhance our capability.
We currently have over 1,100 security and incident response modules designed specifically for Linux, and the list grows each day. Below is a list of just some of the threats we hunt for on Linux.

Linux Intrusion, Compromise & Malware Threats Detected
Loadable Kernel Module and eBPF stealth rootkit detection
Standard rootkit detection
Cryptocurrency and cryptominer detection
Hidden and suspicious directories
Hidden and suspicious processes
Processes performing suspicious network activity
Process masquerading
File masquerading and hiding
Poisoned system commands
Cloaked data from stealth rootkits
Tampered system start-up scripts
Encrypted and suspicious executable files
Unusual system binaries
Suspicious users and permissions
Hidden executables
System shells being used or concealed in suspicious ways
Process injection
Reverse bindshell exploits
Standard bindshell exploits
Compromised websites
Tampered audit records
Destroyed audit records
Webshells and backdoors
Anti-forensics activity
Cloaked backdoors
Privilege escalation backdoors
Malware persistence mechanisms
SSH keys being misused or orphaned
Suspicious user login and logout activities
Suspicious cron job and other scheduled tasks
Linux malware and Advanced Persistent Threat activity
Distributed Denial of Service (DDoS) agents
Password and network sniffers
Many others!