GhostWire Sentinel
Endpoint threat hunting agent for Linux devices, kiosks, and edge systems — detects stealth persistence, baseline drift, suspicious outbound behavior, and silent attacker tradecraft.
Captures a security-relevant snapshot of a Linux host (processes, services, cron jobs, SSH keys, outbound connections) and compares it to an approved baseline to detect drift. Runs anomaly, beaconing, and persistence detectors on the live snapshot for immediate alerts. Built for Linux kiosks, signage players, IoT/edge devices, and unattended servers where silent backdoors are the primary threat.
Catalog entry only — a full write-up lands closer to release.
Related across catalogs
- DeviceWatch OS (Security project · Demo ready)
  Security and health monitoring agent for Linux devices, kiosks, signage players, and edge systems — captures CPU, memory, network, processes, and USB telemetry.
- Beaconing Traffic Detector (Security project · Demo ready)
  Detects periodic outbound callback (C2 beacon) behavior from timestamped network logs by scoring inter-arrival timing consistency per source/destination pair.
- Exploitation Visibility (Security project · Demo ready)
  Detection engineering lab — compares expected attack signals against collected logs to surface visibility gaps and prioritize new detection rules.
- Port Scan Lab (Security project · Demo ready)
  Detection lab for identifying Nmap-style port scan and reconnaissance activity from firewall logs.
- Rule Tuning Lab (Security project · Demo ready)
  Detection tuning lab — measures false-positive rate, precision, and noise grade per detection rule, then suggests tuning improvements based on labeled log samples.