Absolutely. Sandfly is unique in the industry because incident responders can use Sandfly to instantly scan and detect compromises even if no prior security monitoring is in place or even if other EDR products are operating but have not detected anything (yes, we've seen this).

For instance, you can point Sandfly at a cluster of Linux systems and get immediate results back about what they are, and their security status and start handling a situation - without first having to deploy software onto potentially compromised systems.

Further, once an incident is uncovered, Sandfly has hundreds of modules to help incident response teams investigate the affected systems and pull back almost any kind of critical forensic data from your Linux fleet - agentlessly. This is a unique and powerful feature during a real-world, fast moving incident when minutes matter.

Some examples of things we can help with during an incident:

  • Flag all new binaries created over a certain time window (e.g. past four hours).

  • Pull all users and their SSH keys.

  • Parse SSH keys and use that data to instantly search other hosts for the same key in use.

  • Grab hashes of running processes and search across all systems for identical processes either running, or have been seen running in the past.

  • Find any file or directory name, cryptographic hash or creator across all hosts instantly.

  • Flag suspicious hidden or encrypted binaries anywhere on a file system.

  • Grab all processes with network connections and the addresses they are connected to or listening on.

  • Do all the above on virtually any version of Linux whether legacy, modern or even embedded systems.