💻 Endpoint detection (EDR)

LimaCharlie

Cloud-managed EDR with a generous free tier — runs as SecOps infrastructure.

Difficulty: Beginner · Setup time: 30 minutes · Cost: free up to 5 sensors / 30-day retention · Licence: proprietary (free tier)

Why use it

LimaCharlie ships full enterprise EDR — process telemetry, file events, network connections, registry, memory hunting — and gives the first 5 sensors away free. The Cyentrix team uses it when we want enterprise-grade detections without standing up infrastructure.

What you get

  • Full EDR telemetry on every sensor
  • D&R rules (their detection/response language)
  • YARA scanning of memory and disk
  • Real-time response actions (kill, isolate, retrieve file)
  • API access for automation and SOAR-style workflows

System requirements

  • CPU: minimal on endpoint
  • RAM: ~50 MB on endpoint
  • Disk: cloud-hosted; nothing on your side
  • OS: Linux, Windows, macOS
  • Docker: no

Installation

Sign up at limacharlie.io. Create an organisation. Generate a sensor installer for the OS you want to enrol. Run the one-line install — sensor checks in within seconds.

Suggested configuration

Enable the community D&R rules pack as a starting baseline. Build a Slack/Discord output adapter so high-severity detections ping you in real time. Use the YARA service to scan persistence on a daily schedule. Note: free-tier retention is 30 days — pull anything you want longer-term to your own SIEM.
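As an added illustration of the kind of rule the community D&R pack contains (this is example content written for this page, not a rule shipped by LimaCharlie or by Cyentrix), the following detection flags a process that writes to a Windows Run key, one of the persistence locations the daily YARA sweep above is meant to cover. Field names follow the D&R rule format (detect/respond, event, op, path, value) as we understand it; check them against the current LimaCharlie documentation before deploying, and treat the rule name as a placeholder.

```yaml
# Example D&R rule (added for illustration; not from LimaCharlie or the community pack).
# Matches reg.exe being launched with a command line that touches a Run key.
detect:
  event: NEW_PROCESS
  op: and
  rules:
    - op: is windows
    - op: ends with
      path: event/FILE_PATH
      value: \reg.exe
      case sensitive: false
    - op: contains
      path: event/COMMAND_LINE
      value: CurrentVersion\Run
      case sensitive: false
respond:
  # "report" raises a detection; with a Slack/Discord output adapter on the
  # detection stream this is what pings you in real time.
  - action: report
    name: example-registry-run-key-persistence   # placeholder name
```

Expect some noise from legitimate installers on first deployment; tune with an additional `rules` entry that excludes known-good parent processes rather than loosening the Run-key match itself.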

Integration ideas

  • Forward detections to your own SIEM via webhook
  • Pull events into TheHive via the LimaCharlie API
  • Combine with MISP for IoC-driven detections

Alternatives

  • Velociraptor — Self-hosted, hunt-focused; less continuous monitoring.
  • Wazuh agent — Free, self-hosted; less EDR depth.

Cyentrix verdict

The cleanest way to feel what enterprise cloud EDR is like at home. The 5-sensor cap covers most homelabs comfortably.