Sandfly Operation


The Sandfly dashboard is simple. Green means all is well. Red means there is a problem. Sandflies are written to not bother you with false alarms. If there’s an alert, then it’s important.

Dashboard example

Add Hosts

Adding hosts to Sandfly is simple and fast. You can add an IP list or put in a net block, and Sandfly will scan it and automatically add the hosts where it was able to log in. You don’t need to do anything on the hosts you want monitored other than have valid SSH credentials. SSH credentials are stored securely with public key encryption and cannot be recovered from the database once added.

View Hosts

After hosts are added, you can view operating system details about each one. This is useful for inventory and baseline purposes during an investigation.

Host view


You can now perform an initial manual scan to make sure everything looks fine on your systems. Sandfly will run the selected sandflies across the hosts and report back findings. No news is good news.

You can run scans manually whenever you feel like it. However, the real power of Sandfly comes from the next step where we schedule an automated presence of sandflies to be used across all your hosts.

Sandfly list


Random Scheduler

Sandfly was designed from the ground up to search for attackers. We use fully automated, random tactics to make evasion more difficult.

Because of this, the scheduling system in Sandfly works differently from what you may be used to. Instead of scheduling big monolithic scans at 3AM each morning, for instance, you tell Sandfly to schedule small, fast, and random investigations to happen all day long.

Dividing compromise detection into small random tasks is the best way to provide security coverage that won’t impact your remote systems the way monster monolithic scanners can. In fact, Sandfly’s impact on hosts is so low you can have frequent scans throughout the day and never know they are happening.

Sandfly scheduler


Once you set up a random schedule, you can put in email alerts or output to your favorite log monitor. Sandfly's exported results are rich structured data identical to what you see in the Sandfly UI. This means what you see in our UI will be the same as what you see in Kibana, Splunk, Graylog, etc.

For example, Sandfly data can be viewed easily in Kibana with our native Elasticsearch output. We also support Splunk with our free Splunk App. Alarms exported from Sandfly contain all the data you need to make informed decisions about your Linux fleet.

Elasticsearch Kibana output

View Alerts

Sandfly has an easy-to-use forensic viewer for any alerts that are detected. Sandfly always provides a plain English description of the issue with supporting details to put you onto intruders quickly.

SSH password sniffer detected

Malware Analysis And Assistance

Once the presence of malware is detected, hunters and investigators can drill down into related data detected by other sandflies to get a picture of the entire exploit and its impact.

Viewing all alerts

Custom Sandfly Modules for Incident Response

Sandfly allows custom modules so security teams can create their own threat hunting methods. Or, users can clone any of over 1,000 built-in modules using Sandfly’s extensive Linux forensics and investigation library.

Custom Sandfly modules

Leave Sandfly to Work

Sandfly is designed to automatically prune its databases and take care of other internal maintenance tasks unattended. It will keep an eye on your hosts and send out any alerts if it finds a problem. You can go back to doing other things and let Sandfly stand guard.

If you receive alerts, they will contain a wealth of information about the attack, including a plain English explanation of what is going on along with detailed forensic data. Your security team can then determine the best course of action to take. Sandfly is careful not to alter anything on the disk, so forensic data is not compromised if it is needed later.