Sandfly was designed from the ground up to search for attackers. We built its tactics to be fully automated and random, which makes evasion more difficult.
Because of this, the scheduling system in Sandfly works differently from what you may be used to. Instead of scheduling big monolithic scans at, for instance, 3 AM each morning, you tell Sandfly to schedule small, fast, and random investigations that happen all day long.
Dividing compromise detection into small random tasks is the best way to provide security coverage that won’t impact your remote systems the way monster monolithic scanners can. In fact, Sandfly’s impact on hosts is so low that you can run frequent scans throughout the day and never know they are happening.