Linux Threats Detected
Detecting Conventional and Unconventional Threats on Linux
Keeping your Linux infrastructure secure is a top priority, but constantly updating signatures can be a frustrating and time-consuming task. Sandfly's approach is different - we focus on the underlying tactics of an attack, giving you unmatched threat coverage that never goes out of date. By disrupting tactics, Sandfly is able to find new and evasive attacks that often evade traditional agent-based solutions.

Modular Intrusion Detection and Response
Our agentless Linux security platform sets the bar for threat hunting with its unique approach. Our modular system means that we're constantly adding more detection methods to enhance our capability, so you can rest assured that your infrastructure is always secure.
With Sandfly, you can write your own threat hunting checks in an easy-to-learn syntax, tailoring your security measures to your unique needs. Our platform is a powerful tool for security and incident response teams: it provides specific information on intruders and lets teams deploy a virtual expert Linux forensic investigator instantly.
We currently have over 1,100 security and incident response modules, and the list grows each day. Our platform is designed specifically for Linux, so you can be confident that we're hunting for the threats that matter most. Below are just some of the threats we're constantly on the lookout for with Sandfly.

Linux Intrusion, Compromise & Malware Threats Detected
Loadable Kernel Module and eBPF stealth rootkit detection
Standard rootkit detection
Cryptocurrency and cryptominer detection
Weak and default Linux user passwords
Hidden and suspicious processes
Processes performing suspicious network activity
Process masquerading
File masquerading and hiding
Poisoned system commands
Cloaked data from stealth rootkits
Tampered system start-up scripts
Encrypted and suspicious executable files
Unusual system binaries
Suspicious users and permissions
Hidden executables
System shells being used or concealed in suspicious ways
Process injection
Reverse bindshell exploits
Standard bindshell exploits
Compromised websites
Tampered audit records
Destroyed audit records
Webshells and backdoors
Anti-forensics activity
Cloaked backdoors
Privilege escalation backdoors
Malware persistence mechanisms
SSH keys being misused or orphaned
Suspicious user login and logout activities
Suspicious cron job and other scheduled tasks
Linux malware and Advanced Persistent Threat activity
Distributed Denial of Service (DDoS) agents
Password and network sniffers
Many others!