Agentless Linux Intrusion Detection and Incident Response

Secure Linux without endpoint agents.


Agentless Intrusion Detection and Incident Response for Linux

Sandfly is an agentless intrusion detection and incident response platform for Linux. Sandfly hunts for compromised Linux systems without having to install agents on your endpoints. We find intruders, malware and compromised Linux systems quickly and safely.


Fast & Accurate Incident Response for Linux

Sandfly automatically monitors Linux for security breaches, giving your incident response team accurate and detailed information so they can react quickly. Sandfly also brings Linux security and forensics expertise to you instantly, even if your team has limited Linux experience. Security teams can use Sandfly's extensive library of detection capabilities to locate intruders quickly and efficiently.


Find compromised Linux hosts automatically.


Detect and Respond to Malicious Activity on all Linux systems

Sandfly is agentless and works across a wide range of Linux systems with no modifications. From large cloud clusters down to embedded Linux devices, Sandfly provides visibility and monitoring. It even works on legacy systems where security monitoring is often not possible by other means. Cross-platform detection and response means all systems receive the same level of protection.



Sandfly only requires SSH, which runs on most Linux systems. Sandfly has been tested on the following Linux distributions, plus many more:

Raspberry Pi


Sandfly will protect most Linux variants and versions running Intel, AMD, Arm or MIPS CPUs without any modifications.


High performance and low CPU impact

Since it is agentless, Sandfly does not impact system CPU load and stability the way agent-based Linux security can. Configure-and-set random scanning also saves bandwidth while making Sandfly's security activities invisible to attackers. Sandfly saves you time and money by avoiding false positives while minimizing malware and intruder dwell time. See our video demo.



"Sandfly is the first product I've seen that accurately and quickly detects thousands of signs of compromise on the Linux platform. Its unique method automates tasks which would be manually impossible. Automation is key with detection, and Sandfly completely fits this and other requirements. If your organization is using Linux, this should be part of your cybersecurity toolset."
Ken Kleiner

University of Massachusetts Lowell Senior Security Engineer – Adjunct Faculty Instructor in Digital Forensics


Hunt. Discover. Respond.

Sandfly is the Linux security and forensic expert your team needs.


Sandfly automatically searches for signs of intruders on your Linux hosts 24 hours a day. Sandfly deploys instantly and immediately supports hunts in progress across all your Linux systems, including on-premises and cloud deployments. Sandfly's agentless scanning protects not just the host operating system but also the Docker images it is running.


Sandfly provides over 1,000 modules designed to detect Linux attacks (such as credential theft, lateral movement or process injection). Sandfly can detect attacks against Linux hosts as well as against Linux-based Docker containers. Sandfly knows where to look for signs of compromise on Linux. It's all we do.


Sandfly can be set up to respond automatically to detected events, helping to immediately contain and control any intrusion. Agentless response features mean you get fully automated protection across all your systems without worrying about compatibility and stability issues.

Let Sandfly keep your Linux systems secure.
