Secure Linux Without Endpoint Agents

Sandfly Security – Agentless Linux Compromise Detection and Response

Sandfly Security is proud to be part of the Vodafone Xone Accelerator Program

Agentless Compromise Detection for Linux

Sandfly is an automated security investigator that hunts for compromised Linux systems without requiring agents on your endpoints. Sandfly accurately discovers active attacks against Linux systems without impacting performance or stability. We give your security team immediate information to respond to Linux threats 24 hours a day and quickly contain intruders.

Agentless Intrusion Detection for Linux

Fast & Accurate Incident Response for Linux

Sandfly automatically monitors for Linux compromises, giving your incident response team accurate and detailed information so it can react quickly. Moreover, we bring Linux security and forensics expertise to you instantly, even if your team has limited Linux experience. For experienced teams, Sandfly offers an extensive library of detection capabilities to put you onto intruders quickly and efficiently.

Find compromised Linux hosts automatically.

Detect Malicious Activity on all Linux Systems

Most endpoint monitoring tools require agents that are not compatible across the wide range of Linux systems. Sandfly, however, is agentless and has visibility into these systems and more. We work across most versions of Linux and CPU types. From large cloud clusters down to embedded Linux devices, Sandfly can provide visibility and monitoring. We can even work on legacy systems where security monitoring is often not possible by other means.

High performance.
Low CPU impact.

Since it is agentless, Sandfly does not impact system CPU load and stability the way agent-based Linux security can. Configure-and-set random scanning also saves bandwidth while making Sandfly’s security activities invisible to attackers. Sandfly saves you time and money by avoiding false positives while reducing malware dwell time from weeks to just minutes or seconds. See our video demo.

Hunt. Discover. Respond.

Sandfly is the Linux security and forensic expert your team needs.


Sandfly automatically searches for signs of intruders on your Linux hosts 24 hours a day. Sandfly deploys instantly and immediately supports hunts in progress across all your Linux systems, including on-premises and cloud deployments. Sandfly’s agentless scanning protects not just the host operating system but also the Docker images it is running. Hunting schedules and activities are run at random times so that attackers cannot anticipate or detect them.


Sandfly provides nearly 1,000 modules designed to detect Linux attacks (such as credential theft, lateral movement or process injection). Sandfly can detect attacks against Linux as well as against Linux-based Docker containers. Sandfly also detects remnants left behind from previous attacks, such as hidden rootkits, backdoors and rogue accounts. Sandfly knows where to look for signs of compromise on Linux. It’s all we do.


Sandfly helps incident responders by rapidly hunting for intruder activities without needing to deploy agents. By focusing on finding attack tactics, Sandfly has very low false positives that won’t waste valuable time. Sandfly is compatible with most incident response and remediation workflows through a simple REST-based API.

Instant Linux Forensics for Managed Security Services

Managed Security Services Providers (MSSPs) often have few or no options for full-coverage detection across the variety of Linux systems they’re assigned to protect. This forces MSSPs either to hire scarce experts to manage a variety of Linux devices or to forgo complete monitoring. Sandfly monitors all Linux-based systems through a single interface—without the need to install and manage any agents on your clients’ systems. Sandfly delivers instant Linux security and forensic knowledge to your team and to your customers, even if you have limited personnel available.

Let Sandfly keep your Linux systems secure.