Agentless intrusion detection for Linux
Hunt for Linux rootkits, malware, and compromised hosts without agents.

Agentless Intrusion Detection and Endpoint Security for Linux
Sandfly is an agentless intrusion detection and endpoint protection system for Linux. Sandfly gives instant protection for cloud or non-cloud based Linux systems without the trouble of deploying agents. Sandfly can run on most Linux distributions without any modifications.
Sandfly investigates Linux systems for standard and stealth rootkits, malware, and other signs of compromise in seconds. Sandfly is able to investigate and hunt for threats on your Linux infrastructure thousands of times a day without impacting performance.
Sandfly fully automates the expertise of a forensic investigator for your Linux systems. Our methods provide thorough coverage to detect intrusions, even if attackers are employing stealth and active evasion tactics.
Sandfly is designed to investigate your hosts the way an experienced investigator would. Our investigation swarms are not only fast, but also highly accurate. You can use Sandfly alerts immediately without any interpretation needed. Best of all, Sandfly won’t swamp your team with false alarms.

Search. Hunt. Discover.

Are You Hunting Intruders, or Are Intruders Hunting You?

Search Your Linux Systems

Sandfly searches for trouble on your Linux hosts directly 24 hours a day just as an expert forensic investigator would. Our methods are specific to finding attackers regardless of how they gained access.

Hunt for Intruders

Sandfly hunts for intrusions, rootkits, and malware active on Linux even if they are actively trying to hide. Sandfly provides a backstop to ensure intruders can’t get comfortable on your network and spread further.

Discover Real Threats

Sandfly is persistent and thorough in monitoring Linux for malicious activity. Sandfly discovers compromises early so you can respond in a targeted and deliberate way.

Rapid Deployment. Rapid Protection.

Chase Threats, not Ghosts

Instead of focusing on an endless stream of false-alarm-prone signatures, Sandfly relies on spotting the outcomes of successful compromise, which almost always indicate that an intrusion has happened. Spend time chasing actual threats, not ghosts.

Built for Linux

Sandfly was designed from the ground up to detect compromised Linux hosts. Sandfly searches for signs of compromise on your Linux systems and provides fast and detailed alerts for any problems. Sandfly will spot Linux rootkits, malware, and other signs of compromise 24 hours a day.

Secure in Seconds

Protecting Linux is instant with Sandfly. With no need to touch each endpoint with an agent, Sandfly can provide immediate results with virtually no remote system impact. You can have security monitoring in place in seconds.
At Webmad we chose Sandfly to protect our clients. The agentless install didn’t require any changes on our systems and gave us immediate results with no resource impacts.

BitPrime uses Sandfly to help protect our cryptocurrency exchange platform against attack. Sandfly’s agentless intrusion detection system gives us extra security to help keep our customers safe.

We're Ready to Help Keep Your Linux Systems Secure