RuntimeGuard monitors runtime activity on Linux servers and detects ransomware behaviour in real time using lightweight kernel-level telemetry.
Ransomware, cryptominers and supply-chain malware increasingly target Linux infrastructure. Many security tools are still built around desktop endpoints and add too much complexity or overhead for server environments.
DevOps and infrastructure teams often lack direct visibility into runtime process and file activity on production Linux hosts. That makes it harder to spot attacks before data is impacted.
Monitor process and file activity in real time on Linux infrastructure. Full kernel-level visibility via eBPF — no per-application instrumentation, no performance overhead.
Detect behaviour patterns commonly associated with ransomware: file write bursts, rename storms, and abnormal process execution — caught in a sliding time window before encryption spreads.
Webhook and Slack alerts fire the moment suspicious behaviour is detected. Integrate with your existing incident response workflows without changing your toolchain.
Every new host starts in learning mode. RuntimeGuard observes silently and surfaces what would have triggered — so you validate and tune before any alert fires in production.
A file server behaves differently from a web server. Configure detection thresholds per host or per tenant — defaults get you started, overrides keep false positives out.
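The sliding-window burst detection described above, combined with per-host threshold profiles, as an added illustration (not the product's own code; the event tuples, thresholds and process names are constructed for the demo):

```python
from collections import defaultdict, deque

# Per-host profiles: max events of one type by a single process inside the window.
# A file server legitimately renames far more files per second than a web server.
WEB_SERVER = {"rename": 20, "write": 100}
FILE_SERVER = {"rename": 200, "write": 500}

# Constructed telemetry: (timestamp, pid, comm, op). rsync writes slowly over 20 s;
# pid 7001 rewrites and renames 30 files in 1.5 s, the encrypt-then-rename pattern.
SAMPLE_EVENTS = (
    [(100.0 + 2.0 * i, 4242, "rsync", "write") for i in range(10)]
    + [(105.0 + 0.05 * i, 7001, "xcrypt", "rename") for i in range(30)]
    + [(105.0 + 0.05 * i, 7001, "xcrypt", "write") for i in range(30)]
)

def find_bursts(events, profile, window=5.0):
    """One alert per (pid, op) the first time its count inside `window` reaches the threshold."""
    recent = defaultdict(deque)      # (pid, op) -> timestamps still inside the window
    alerted, alerts = set(), []
    for t, pid, comm, op in sorted(events):
        if op not in profile:        # op types without a threshold are ignored
            continue
        q = recent[(pid, op)]
        q.append(t)
        while t - q[0] > window:     # slide: drop timestamps older than the window
            q.popleft()
        if len(q) >= profile[op] and (pid, op) not in alerted:
            alerted.add((pid, op))
            alerts.append({"pid": pid, "comm": comm, "op": op, "count": len(q), "at": t})
    return alerts

if __name__ == "__main__":
    # Learning mode is the same evaluation without acting on the result.
    for profile_name, profile in (("web", WEB_SERVER), ("file", FILE_SERVER)):
        print(profile_name, find_bursts(SAMPLE_EVENTS, profile))
```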
A low-overhead eBPF agent designed for cloud, VM and bare-metal workloads. CO-RE compiled — one binary runs on any modern Linux distribution with kernel 5.8 or later.
Admin, analyst and viewer roles with API-level enforcement. Assign the right level of access to every team member — operations, security analysts and read-only stakeholders — without sharing a single key.
Full trail of every configuration change — logged with tenant, role, method, path, status code and IP. Viewable in the dashboard by admins. PostgreSQL-backed with tenant isolation, ready for compliance evidence.
Every incident links to an interactive process tree — all processes active in the ±5-minute window assembled into a parent–child attack graph with pan, zoom and per-node detail. Follow the chain from the suspicious process back to the root cause without touching the host.
Write your own detection rules in Sigma-compatible YAML alongside the 26 built-in rules. Supports field modifiers (contains, startswith, regex), logsource categories and compound conditions. YAML is validated on save — no broken rules in production.
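A minimal matcher for the Sigma-style rule format described above, added here as an illustration (not the product's rule engine or one of its built-in rules). The rule is shown as the dict a YAML loader would produce; the modifiers follow Sigma spelling (`contains`, `startswith`, `endswith`, `re`), and the field names and paths are constructed:

```python
import re

# Constructed rule, written as the dict a YAML loader produces from Sigma-style YAML.
RULE = {
    "title": "Shell spawned by a web server process",
    "logsource": {"category": "process_creation", "product": "linux"},
    "detection": {
        "webparent": {"ParentImage|endswith": ["/nginx", "/apache2", "/httpd"]},
        "shell": {"Image|re": r"/(ba|da)?sh$"},
        "allowed": {"CommandLine|startswith": "/usr/local/bin/logrotate-hook"},
        "condition": "webparent and shell and not allowed",
    },
}

MODIFIERS = {
    "": lambda value, pat: value == pat,
    "contains": lambda value, pat: pat in value,
    "startswith": lambda value, pat: value.startswith(pat),
    "endswith": lambda value, pat: value.endswith(pat),
    "re": lambda value, pat: re.search(pat, value) is not None,
}

def field_matches(event, key, patterns):
    """'Field|modifier' against an event field; a list of patterns is OR-ed, as in Sigma."""
    field, _, modifier = key.partition("|")
    if modifier not in MODIFIERS:
        raise ValueError(f"unknown modifier '{modifier}' in {key}")
    value = str(event.get(field, ""))
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(MODIFIERS[modifier](value, p) for p in patterns)

def selection_matches(event, selection):
    """Every field in one selection map must match (AND)."""
    return all(field_matches(event, key, pats) for key, pats in selection.items())

def rule_matches(rule, event):
    """Evaluate the compound condition; unknown names raise, which is the save-time check."""
    detection = rule["detection"]
    results = {name: selection_matches(event, sel)
               for name, sel in detection.items() if name != "condition"}
    expr = []
    for tok in detection["condition"].replace("(", " ( ").replace(")", " ) ").split():
        if tok in {"and", "or", "not", "(", ")"}:
            expr.append(tok)
        elif tok in results:
            expr.append(str(results[tok]))  # substitute True/False before evaluation
        else:
            raise ValueError(f"unknown selection '{tok}' in condition")
    # Only True/False, boolean operators and parentheses can reach eval here.
    return bool(eval(" ".join(expr), {"__builtins__": {}}, {}))
```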
Watch any file or directory for writes, renames, deletes and permission changes. Every match is logged with process name, PID and timestamp — ready for PCI-DSS, CIS Benchmark and SOC2 audit packages.
Scans /etc/ld.so.preload, /proc/modules and /proc/*/exe every 30 seconds to detect LD_PRELOAD rootkits, malicious kernel modules and fileless malware whose on-disk binary has been deleted. No kernel module required.
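The three host checks above, written out as an added example (not the product's scanner). With default arguments the functions read the real /etc/ld.so.preload, /proc/*/exe and /proc/modules; `demo()` builds a constructed layout under a temporary directory, with made-up library, module and process names, so the checks can run offline:

```python
import os
import tempfile

def preload_entries(preload_path="/etc/ld.so.preload"):
    """Libraries forced into every new process; the file normally does not exist at all."""
    try:
        with open(preload_path) as fh:
            return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]
    except FileNotFoundError:
        return []

def deleted_exes(proc_root="/proc"):
    """(pid, target) for processes whose executable was unlinked after it started."""
    hits = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, name, "exe"))
        except OSError:  # kernel thread, process already gone, or not permitted
            continue
        if target.endswith(" (deleted)"):
            hits.append((int(name), target))
    return hits

def unexpected_modules(baseline, modules_path="/proc/modules"):
    """Loaded kernel modules missing from an allowlist recorded in learning mode."""
    try:
        with open(modules_path) as fh:
            loaded = {ln.split()[0] for ln in fh if ln.strip()}  # first column is the name
    except FileNotFoundError:
        return set()
    return loaded - set(baseline)

def demo():
    """Constructed host layout under a temp dir (not the real /proc) so the scan runs offline."""
    root = tempfile.mkdtemp()
    proc = os.path.join(root, "proc")
    for pid, exe in ((1, "/usr/lib/systemd/systemd"), (4242, "/dev/shm/.x (deleted)")):
        os.makedirs(os.path.join(proc, str(pid)))
        os.symlink(exe, os.path.join(proc, str(pid), "exe"))
    with open(os.path.join(root, "ld.so.preload"), "w") as fh:
        fh.write("# constructed sample\n/usr/lib/libsample-hook.so\n")
    with open(os.path.join(proc, "modules"), "w") as fh:
        fh.write("ext4 900000 2 - Live 0x0\nsamplemod 16384 0 - Live 0x0\n")
    return {"preload": preload_entries(os.path.join(root, "ld.so.preload")),
            "deleted": deleted_exes(proc),
            "modules": unexpected_modules({"ext4"}, os.path.join(proc, "modules"))}
```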
Automate your incident response with SOAR-level playbooks. Isolate hosts, block IPs, notify webhooks and trigger PagerDuty alerts — automatically, the moment a matching incident opens. Enforcing mode only; full execution log for audit.
Block dangerous pods before they start. A ValidatingAdmissionWebhook checks every pod against your policy: privileged containers, hostPID, hostNetwork and hostIPC, dangerous capabilities, hostPath volumes and image registry allowlists. Dry-run mode for safe rollout.
Every outbound connection is checked against Feodo Tracker and Emerging Threats C2 IP blocklists — free, refreshed hourly. Every executed binary is checked against MalwareBazaar, VirusTotal and AlienVault OTX. Matches open a critical incident and kill the process immediately.
Raw DNS traffic is captured via an AF_PACKET raw socket. Shannon entropy analysis on every DNS subdomain detects base64 or hex-encoded payloads pushed through DNS tunnels — the covert channel that bypasses most firewalls and connection monitors.
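The entropy check above, added as an illustration rather than the product's own code. Packet capture itself is left out (it needs a privileged socket); instead the example parses the question name out of a constructed DNS query payload, then scores the subdomain part. The `zone_labels=2` assumption (registered domain is the last two labels) and the thresholds are the example's own simplification, and the query names are constructed:

```python
import math
import struct
from collections import Counter

def shannon_entropy(text):
    """Bits per character; encoded payloads score far higher than ordinary hostnames."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())

def encode_query(qname, txid=0x1234):
    """Constructed minimal DNS query (UDP payload only), standing in for captured traffic."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # standard query, 1 question
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_qname(payload):
    """Walk the label sequence of the first question; compression pointers are not valid there."""
    pos, labels = 12, []
    while payload[pos] != 0:
        n = payload[pos]
        if n & 0xC0:
            raise ValueError("compression pointer inside question name")
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def score_query(qname, zone_labels=2, min_len=30, min_entropy=3.5):
    """Flag only when the subdomain part is both long and high-entropy; either alone is noisy."""
    labels = qname.rstrip(".").split(".")
    payload = "".join(labels[:-zone_labels])   # everything left of the registered domain
    ent = shannon_entropy(payload)
    return {"qname": qname, "length": len(payload), "entropy": round(ent, 2),
            "flag": len(payload) >= min_len and ent >= min_entropy}

# Constructed queries: two ordinary hostnames plus one base64-looking label.
SAMPLE_QUERIES = [
    "www.example.com",
    "cdn-assets-1.example.com",
    "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.example.net",
]

def scan(packets):
    return [score_query(parse_qname(p)) for p in packets]

if __name__ == "__main__":
    for row in scan([encode_query(q) for q in SAMPLE_QUERIES]):
        print(row)
```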
Manage unlimited customer tenants from a single login. Cross-tenant SOC feed, per-tenant drill-down, isolated incidents and API keys. Built for managed service providers protecting multiple client environments at scale.
Sign in with Google Workspace or Microsoft Entra accounts via OIDC. RBAC roles apply to SSO identities — admin, analyst and viewer access enforced at login. No separate credentials to manage for enterprise teams.
A lightweight eBPF agent is deployed on your Linux host in minutes via a single curl command.
The host starts in learning mode. RuntimeGuard observes behaviour silently — no alerts, no noise.
Review what would have triggered. Adjust thresholds per host until the signal is right for your environment.
Switch the host to enforcing mode. Detection rules are now active and alerts go live.
Incidents are created and alerts are sent via webhook or Slack before damage spreads.
Install the RuntimeGuard agent on any Linux server running kernel 5.8 or higher. Works on Ubuntu, Debian, RHEL, Amazon Linux and more.
Join the early access programme and start monitoring Linux runtime activity today.