Sandfly uses random scanning intervals to search for live and dormant attacks against your hosts. This limits any potential performance impact, but it also provides evasion resistance against attackers: random scans make it harder for attackers to know whether a system is being monitored and when they might want to try hiding.

Live attacks are generally active malware currently in memory and running on the system. These can be malicious processes, backdoors, or related suspicious activity.

Dormant attacks are changes made to a system that are not active in memory but can still result in serious security breaches. Examples include backdoor user accounts placed into the password file, or rogue SSH keys that allow access, whether placed on the system deliberately or obtained by stealing known good credentials and using them to move around.
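As an added example (not Sandfly's code), the following Python audits constructed samples of the two dormant artifacts just described, a password file and an authorized_keys file, and adds a jittered scan delay of the kind the random scanning interval above implies. The sample data, the key allowlist and the function names are assumptions made for the illustration.

```python
"""Added example (not Sandfly's code): audit a Linux password file and an SSH
authorized_keys file for the two dormant backdoor patterns described above,
using constructed sample data so that it runs offline."""
import random

# Constructed /etc/passwd excerpt: "svc" is a second UID-0 account.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc:x:0:0::/var/tmp:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed authorized_keys; the ssh-rsa blob is not on the allowlist.
AUTH_KEYS_SAMPLE = """ssh-ed25519 AAAAexampleAllowedBlob alice@laptop
ssh-rsa AAAAexampleUnknownBlob backup
# comment line
"""
KNOWN_KEYS = {("ssh-ed25519", "AAAAexampleAllowedBlob")}  # constructed allowlist


def find_rogue_root_accounts(passwd_text):
    """Return usernames with UID 0 other than 'root' (hidden superusers)."""
    rogue = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            rogue.append(fields[0])
    return rogue


def find_unknown_keys(auth_keys_text, known):
    """Return (type, comment) for keys whose blob is not in the allowlist."""
    unknown = []
    for line in auth_keys_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        # Options such as no-pty may precede the key type; locate the type.
        # Quoted options containing spaces are not handled by this split.
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        ktype, blob = parts[idx], parts[idx + 1]
        if (ktype, blob) not in known:
            unknown.append((ktype, " ".join(parts[idx + 2:])))
    return unknown


def next_scan_delay(base_seconds, jitter_fraction):
    """Randomized interval so an observer cannot predict the next scan."""
    spread = base_seconds * jitter_fraction
    return base_seconds + random.uniform(-spread, spread)
```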

Sandfly therefore works somewhat differently from traditional Endpoint Detection and Response (EDR) in that it can find both categories of attack. Additionally, the application does not use permanently running agents on your endpoints, which gives it very wide compatibility (it can run on systems up to a decade old). It also means the product has very high performance with little risk to system stability, as it is not tied into the kernel.