Agentless Linux Intrusion Detection and Response

Secure Linux without endpoint agents.


Agentless Intrusion Detection and Response for Linux

Sandfly is an automated security investigator that hunts for compromised Linux systems without having to install agents on your endpoints. Sandfly accurately discovers active attacks against Linux systems without impacting performance and stability. Automated response options allow Sandfly to remediate threats immediately. We give your security team accurate information to respond to Linux threats 24 hours a day to quickly contain intruders.


Fast & Accurate Incident Response for Linux

Sandfly automatically monitors Linux for security breaches giving your incident response team accurate and detailed information to react quickly. Plus, we bring Linux security and forensics expertise to you instantly even if your team has limited Linux experience. Sandfly has an extensive library of detection capabilities to put you onto intruders quickly and efficiently.


Find compromised Linux hosts automatically.


Detect and Respond to Malicious Activity on all Linux Systems

Sandfly is agentless and works across a wide range of Linux systems with no modifications. From large cloud clusters down to embedded Linux devices, Sandfly can provide visibility and monitoring. It can even cover legacy systems where security monitoring is often not possible by other means. Cross-platform detection and response means all systems receive the same level of protection.



Sandfly only requires SSH, which runs on most Linux systems. Sandfly has been tested on a wide range of Linux distributions and platforms, including the Raspberry Pi, plus many more.

Sandfly will protect most Linux variants and versions running Intel, AMD, Arm or MIPS CPUs without any special modifications.
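The page states only that Sandfly works over SSH, so the following is an added illustration of what an agentless Linux hunt looks like in general, not Sandfly's own code or detection logic. A read-only command is run on the remote host through the system ssh client and its output is parsed locally; nothing is installed on the target. The indicator checked here (a running process whose executable has been deleted from disk, a common trait of memory-resident Linux malware) is one generic example chosen for illustration. The scanning account name and its passwordless sudo rule are assumptions, and the sample output is constructed.

```python
"""Added illustration: agentless Linux hunt over SSH (not Sandfly's code)."""
import subprocess
from typing import Dict, List

# Remote one-liner: print "<pid> <exe target>" for every process.  readlink on
# /proc/<pid>/exe prints "<path> (deleted)" when the binary has been removed
# from disk.  Reading other users' /proc/<pid>/exe needs root, so the scanning
# account is assumed (our assumption, not the page's) to have passwordless
# sudo for this command.
REMOTE_CMD = (
    "sudo -n sh -c '"
    "for p in /proc/[0-9]*; do "
    'printf "%s %s\\n" "${p#/proc/}" "$(readlink "$p/exe" 2>/dev/null)"; '
    "done'"
)


def run_remote(host: str, user: str = "sandfly-scan") -> str:
    """Run REMOTE_CMD on host via the system ssh client and return its stdout.

    BatchMode makes a missing key fail fast instead of prompting for a
    password; -n keeps ssh off our stdin so this can be driven from a loop
    over many hosts.  The user name is a placeholder assumption.
    """
    result = subprocess.run(
        ["ssh", "-n", "-o", "BatchMode=yes", "-o", "ConnectTimeout=10",
         f"{user}@{host}", REMOTE_CMD],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def parse_exe_listing(text: str) -> List[Dict[str, object]]:
    """Turn "<pid> <exe>" lines into records; kernel threads have no exe."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, _, exe = line.partition(" ")
        records.append({
            "pid": int(pid),
            "exe": exe,
            "deleted": exe.endswith(" (deleted)"),
        })
    return records


def find_deleted_executables(text: str) -> List[Dict[str, object]]:
    """Processes whose binary no longer exists on disk: worth a closer look."""
    return [r for r in parse_exe_listing(text) if r["deleted"]]


# Constructed sample of what the remote command prints; not real host data.
SAMPLE_OUTPUT = "\n".join([
    "1 /usr/lib/systemd/systemd",
    "2 ",                                # kthreadd: kernel thread, no exe
    "812 /usr/sbin/sshd",
    "4711 /tmp/.x/kthreadd (deleted)",   # masquerading name, binary gone
    "4712 /dev/shm/.p (deleted)",
]) + "\n"


if __name__ == "__main__":
    # Against a real host: find_deleted_executables(run_remote("10.0.0.5"))
    for hit in find_deleted_executables(SAMPLE_OUTPUT):
        print(f"pid {hit['pid']}: running from deleted file {hit['exe']}")
```

Two practical caveats for any agentless design of this kind: a process running from a deleted file is also what you see after a package upgrade replaces a binary that is still running, so the hit is a lead to investigate rather than a verdict; and the scanner's SSH key can reach every monitored host, so the scanning system itself must be treated as a high-value target.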


High performance, Low CPU impact

Since it is agentless, Sandfly does not impact system CPU load and stability the way agent-based Linux security can. Configurable randomized scan scheduling also saves bandwidth while making Sandfly's security activity harder for attackers to anticipate. Sandfly saves you time and money by avoiding false positives while reducing malware dwell time from weeks to minutes or seconds.



"Sandfly is the first product I've seen that accurately and quickly detects thousands of signs of compromise on the Linux platform. Its unique method automates tasks which would be manually impossible. Automation is key with detection, and Sandfly completely fits this and other requirements. If your organization is using Linux, this should be part of your cybersecurity toolset."
Ken Kleiner

University of Massachusetts Lowell Senior Security Engineer – Adjunct Faculty Instructor in Digital Forensics


Hunt. Discover. Respond.

Sandfly is the Linux security and forensic expert your team needs.


Sandfly automatically searches for signs of intruders on your Linux hosts 24 hours a day. Sandfly deploys instantly and immediately supports hunts in progress across all your Linux systems, including on-premises and cloud deployments. Sandfly's agentless scanning covers not just the host operating system but also the Docker containers running on it.


Sandfly provides over 1,000 modules designed to detect Linux attacks (such as credential theft, lateral movement or process injection). Sandfly can detect attacks against Linux hosts as well as against Linux-based Docker containers. Sandfly knows where to look for signs of compromise on Linux. It's all we do.


Sandfly can be set up to respond automatically to detected events to help contain and control an intrusion immediately. Agentless response features mean you can get full automated protection across all your systems without worrying about compatibility and stability issues.

Instant Linux Forensics for Managed Security Services

Managed Security Services Providers (MSSPs) often have few or no options for full-coverage detection across the variety of Linux systems they are assigned to protect. This forces MSSPs either to hire scarce experts to manage a variety of Linux devices or to forgo complete monitoring. Sandfly monitors all Linux-based systems through a single interface, without the need to install and manage any agents on your clients' systems. Sandfly delivers instant Linux security and forensic knowledge to your team and to your customers even if you have limited personnel available.


Let Sandfly keep your Linux systems secure.
