💻 Endpoint detection (EDR)
Velociraptor
DFIR-grade endpoint visibility and live hunting at fleet scale.
Why use it
Velociraptor is the open-source DFIR collection platform created by Mike Cohen, one of the original developers of Google's GRR, and now maintained under Rapid7. Run hunts across hundreds or thousands of hosts, collect arbitrary artefacts, and query the live state of an endpoint (processes, registry, raw NTFS, event logs) in a way most traditional EDRs do not expose to the analyst.
What you get
- Live remote shell into endpoints
- Hundreds of pre-built artefacts (browser history, prefetch, AmCache, persistence)
- VQL — its query language — for custom hunts
- Fleet-wide hunts that run in minutes
- Forensic-quality file collection without disrupting the host
System requirements
| Requirement | Minimum |
|---|---|
| CPU | 4 cores (server) |
| RAM | 4 GB (server), 50 MB (agent) |
| Disk | 20 GB+ for collected artefacts |
| OS | Linux server; agents on Linux, Windows, macOS |
| Docker | Yes |
Installation
Download the single-binary release for your platform. Run ./velociraptor config generate -i to create server.yaml and client.yaml interactively; with the defaults the GUI binds to 127.0.0.1:8889 and the client frontend to port 8000, so either set the bind address during generation or reach the GUI over an SSH tunnel. Start the server with ./velociraptor --config server.yaml frontend -v. Agent packages are built from the same binary rather than from the GUI: ./velociraptor --config server.yaml debian client and rpm client produce Linux packages, and ./velociraptor config repack embeds client.yaml into the official Windows release (binary or MSI) or the macOS binary.
Suggested configuration
Start with the built-in Windows artefacts that cover the usual persistence and execution evidence: Windows.Sysinternals.Autoruns, Windows.Forensics.Prefetch, Windows.System.Amcache, Windows.Applications.Chrome.History and Windows.System.TaskScheduler. Note that the Autoruns artefact fetches autorunsc.exe from Sysinternals unless you host the tool on the server, so decide that before hunting air-gapped hosts. Hunts are one-shot with an expiry, so a daily check for new persistence and unsigned binaries in temp directories is either a hunt you re-create each day or a client event artefact driven by clock(). Pipe high-confidence findings to TheHive; Velociraptor has no native connector, so that means a server artefact posting via http_client() or going through Elastic or Splunk (elastic_upload(), splunk_upload()).
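Below is a custom artefact that implements the unsigned-binaries-in-temp half of that daily check. It is an added example written for this page, not an artefact that ships with Velociraptor; the artefact name, the default globs, the seven-day window and the assumption that authenticode() reports "trusted" for a file whose signature chains to a trusted root are all assumptions for illustration.

```yaml
# Constructed example: custom Velociraptor artefact (not one shipped with
# the project). Hunts for PE files written into temp directories whose
# Authenticode signature is missing or does not verify, and hashes them
# so the hits can be checked against MISP or uploaded to a case.
# Assumptions: artefact name, default globs, 7-day window, and that
# authenticode() returns Trusted = "trusted" only for a verified signature.
name: Custom.Windows.TempUnsignedBinaries
description: |
  Lists .exe and .dll files under per-user and system Temp directories
  that were modified recently and are unsigned or carry a signature
  that does not chain to a trusted root. Intended for a daily hunt.
type: CLIENT

parameters:
  - name: TempGlobs
    description: Comma-separated globs to search.
    default: C:\Users\*\AppData\Local\Temp\**\*.exe,C:\Users\*\AppData\Local\Temp\**\*.dll,C:\Windows\Temp\**\*.exe,C:\Windows\Temp\**\*.dll
  - name: MaxAgeDays
    description: Only report files modified within this many days.
    type: int
    default: "7"

sources:
  - precondition: SELECT OS FROM info() WHERE OS = 'windows'
    query: |
      -- Materialise the cutoff once rather than per row.
      LET Cutoff <= timestamp(epoch=now() - MaxAgeDays * 86400)

      SELECT OSPath,
             Size,
             Mtime,
             authenticode(filename=OSPath) AS Sig,
             hash(path=OSPath).SHA256 AS SHA256
      FROM glob(globs=split(string=TempGlobs, sep=","))
      WHERE NOT IsDir
        AND Mtime > Cutoff
        -- A file that is not a valid PE yields no Trusted field; it is
        -- kept deliberately, since a .exe that is not a PE is itself odd.
        AND Sig.Trusted != "trusted"
```

Add it under View Artifacts → Add, then create a hunt that collects Custom.Windows.TempUnsignedBinaries with a short expiry; the Sig column carries SubjectName and IssuerName, so "untrusted" hits with a plausible publisher (expired or self-signed test certificates) can be triaged apart from wholly unsigned droppers. To make it recurring on the client instead of re-creating the hunt, change the type to CLIENT_EVENT and wrap the SELECT in foreach(row={SELECT * FROM clock(period=86400)}, query={...}), then enable it in Client Monitoring and watch its results server-side with watch_monitoring().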
Integration ideas
- Forward alerts to TheHive for case management (via a server artefact calling http_client(); there is no built-in connector)
- Pull intel from MISP to feed hunt queries
- Combine with Wazuh for continuous monitoring + on-demand hunts
Alternatives
- osquery — Lighter, aimed at scheduled telemetry rather than ad-hoc forensic hunts.
- GRR — Older Google project; Velociraptor was created by one of its original developers and is its spiritual successor.
Cyentrix verdict
If you take incident response seriously at home, this is the upgrade after Wazuh. The library of built-in forensic artefacts alone justifies it.