eBPF-powered agent catches threats from initial access to lateral movement — without heavy agents and without sending telemetry to someone else's cloud. 20+ built-in detection rules, one-click response, 100% self-hosted.
15 min demo · We show detection, investigation, and response on a live Linux host.
From SSH brute-force to full host compromise — detect, investigate, and respond.
Detect bash/sh spawning outbound connections — the #1 post-exploitation technique. Alert fires in under 100ms.
Stateful detection of repeated auth failures. See source IP, username, and timing — isolate the host in one click.
Track writes to /etc/passwd, /etc/shadow, cron dirs, and SSH authorized_keys. Know who changed what and when.
From any alert, expand the full process tree: see how the attacker got in and what they touched next.
One-click network isolation + process tree kill. Stop the attack without SSH-ing into the box.
Most open-source tools stop at collecting events. SecureExec closes the loop.
When a threat is detected, your team can isolate the host, kill the process tree, or block the executable — all from the web console. No SSH, no manual intervention.
SSH brute-force, initial access, payload download, persistence, C2 — see the entire incident as a chronological narrative, not raw events. Expandable timeline entries show process context, file changes, and network connections. Phase labels (Initial Access, Persistence, C2) are assigned automatically.
An LLM-powered agent that investigates alerts the way a senior analyst would — gathering evidence, building context, and delivering a verdict. Self-hosted option keeps your data on your infrastructure.
No dedicated SOC? No problem. The AI analyst triages every alert automatically: checks the process tree, correlates events across the host, searches IOCs fleet-wide, queries threat intelligence — and produces an evidence-backed investigation report with a confidence score and recommended response actions.
From kernel hook to actionable alert in under 100ms.
Kernel-level tracepoints and kprobes capture syscalls — process exec, file ops, connect(), DNS queries.
Events are enriched with process context, container ID, and username, then streamed via gRPC.
20+ built-in rules evaluate every event. Custom rules supported via Starlark scripting.
Events are indexed and searchable. Process tree, full-text search, and alert investigation in the web console.
Production-ready rules that fire on real threats. Tuned to minimize false positives with process context and allowlists.
Stateful detection of repeated SSH failures from the same source IP within a time window, with cooldown logic.
Catches shell processes (bash, sh, zsh) making outbound network connections — the #1 post-exploitation technique.
Detects UID changes to root from non-root processes, excluding known system services.
Flags suspicious unshare/setns calls with user, PID, or mount namespace flags from unexpected processes.
Detects memfd_create usage — the primary vector for fileless malware on Linux.
Alerts on new cron job creation in /etc/cron.* and /var/spool/cron/ by non-system processes.
Detects miner process names, stratum protocol patterns in command lines, mining pool ports, and known pool DNS queries.
Alerts on ransom note creation, file renames to encrypted extensions, mass file renaming, and backup wipe commands.
Alerts on writes to any .ssh/authorized_keys file by processes other than ssh-copy-id.
Detects cross-process memory writes via process_vm_writev — used by injection tools to write shellcode into other processes.
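As an added illustration of the pipeline above (capture, enrich, evaluate every event against every rule) and of the first two rules in this list, the following Python is example code written for this page, not SecureExec's own code or its Starlark rule format; the event field names, rule names, thresholds, window and cooldown values are assumptions.

```python
"""Added example (not SecureExec's code): a minimal rule engine in which a stateless
rule and a stateful SSH brute-force rule (window + cooldown) evaluate enriched events."""
from collections import defaultdict, deque

SHELLS = {"bash", "sh", "zsh"}
# Assumed tuning: 5 failures from one IP within 60 s, then a 300 s alert cooldown
FAIL_THRESHOLD, WINDOW_S, COOLDOWN_S = 5, 60.0, 300.0

class SshBruteForceRule:
    """Stateful rule: counts auth failures per source IP in a sliding window."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.last_alert = {}                # ip -> time of last alert (cooldown)

    def evaluate(self, ev):
        if ev["type"] != "auth_fail":
            return None
        ip, ts = ev["src_ip"], ev["ts"]
        q = self.failures[ip]
        q.append(ts)
        while ts - q[0] > WINDOW_S:         # drop failures outside the window
            q.popleft()
        if len(q) < FAIL_THRESHOLD:
            return None
        if ts - self.last_alert.get(ip, -COOLDOWN_S) < COOLDOWN_S:
            return None                     # alerted recently: suppress repeat
        self.last_alert[ip] = ts
        return f"ssh_brute_force src_ip={ip} user={ev['user']} failures={len(q)}"

def shell_outbound_rule(ev):
    """Stateless rule: a shell process (bash/sh/zsh) making an outbound connect()."""
    if ev["type"] == "connect" and ev["comm"] in SHELLS:
        return f"shell_outbound comm={ev['comm']} pid={ev['pid']} dst={ev['dst']}"
    return None

def run_pipeline(events):
    """Evaluate every event against every rule; return the alerts that fired."""
    stateful, alerts = SshBruteForceRule(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        alerts += [a for a in (stateful.evaluate(ev), shell_outbound_rule(ev)) if a]
    return alerts

# Constructed sample events (not real telemetry): 7 failures in 12 s, then a bash connect
SAMPLE = [{"ts": t, "type": "auth_fail", "src_ip": "203.0.113.7", "user": "root",
           "comm": "sshd", "pid": 900} for t in range(0, 14, 2)] + [
    {"ts": 20, "type": "connect", "comm": "bash", "pid": 4242, "dst": "203.0.113.7:4444"},
    {"ts": 21, "type": "connect", "comm": "curl", "pid": 4243, "dst": "198.51.100.2:443"}]
```

The cooldown is what keeps the 6th and 7th failures from producing duplicate alerts; the curl connect is ignored because curl is not a shell.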
When an alert fires, click "Process Tree" to see the full execution chain — ancestors, children, and correlated security events — in an interactive visual graph. IOC enrichment automatically discovers other processes that touched the same IPs, DNS names, or files, turning lineage into a true attack graph. Cut investigation time from 30 minutes to under 2.
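The lineage-plus-IOC-pivot idea described above, as an added Python example written for this page (not SecureExec's own code or data model): it assumes each process record carries a pid, ppid, comm and the list of IOCs (IPs, DNS names, files) it touched, and the sample process set is constructed.

```python
"""Added example (not SecureExec's code): build the ancestor/descendant lineage of an
alerting process, then pivot on the IOCs that lineage touched to find related processes."""
from collections import defaultdict

# Constructed sample process records: pid/ppid lineage plus the IOCs each process touched
EVENTS = [
    {"pid": 1,    "ppid": 0,    "comm": "systemd", "iocs": []},
    {"pid": 800,  "ppid": 1,    "comm": "sshd",    "iocs": []},
    {"pid": 4200, "ppid": 800,  "comm": "bash",    "iocs": []},
    {"pid": 4242, "ppid": 4200, "comm": "curl",    "iocs": ["198.51.100.9", "/tmp/.x"]},
    {"pid": 4243, "ppid": 4200, "comm": "chmod",   "iocs": ["/tmp/.x"]},
    {"pid": 5100, "ppid": 1,    "comm": "cron",    "iocs": []},
    {"pid": 5101, "ppid": 5100, "comm": "sh",      "iocs": ["/tmp/.x", "198.51.100.9"]},
    {"pid": 6000, "ppid": 1,    "comm": "nginx",   "iocs": ["203.0.113.5"]},
]

def build_index(events):
    """Index records by pid and build a parent -> children map."""
    procs = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return procs, children

def ancestors(pid, procs):
    """Walk ppid links upward; returns [alert pid, parent, ..., root]."""
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain

def descendants(pid, children):
    """Depth-first collection of every child, grandchild, ... of pid."""
    out, stack = [], list(children[pid])
    while stack:
        p = stack.pop()
        out.append(p)
        stack.extend(children[p])
    return sorted(out)

def attack_graph(alert_pid, events):
    """Lineage of the alert, the IOCs that lineage touched, and other processes
    (outside the lineage) that touched any of the same IOCs."""
    procs, children = build_index(events)
    lineage = set(ancestors(alert_pid, procs)) | set(descendants(alert_pid, children))
    iocs = {i for p in lineage for i in procs[p]["iocs"]}
    related = {p for p, e in procs.items() if p not in lineage and iocs & set(e["iocs"])}
    return {"lineage": sorted(lineage), "iocs": sorted(iocs), "related": sorted(related)}
```

Here the alert on the bash process pulls in sshd and systemd as ancestors, curl and chmod as children, and the cron-spawned sh as a related process because it touched the same dropped file and IP.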
Everything you need to detect, investigate, and respond to threats on Linux servers.
Kernel-level visibility via eBPF — capture process exec, file operations, network connections, and DNS queries with zero blind spots and near-zero overhead.
Ready-to-use rules for SSH brute-force, reverse shells, privilege escalation, container escape, fileless malware, and persistence techniques.
One-click interactive graph from any alert — see the full parent-child chain, correlated events, and IOC-enriched attack graph with auto-discovered related processes.
Full Docker Compose deployment on your infrastructure. Your event data never leaves your servers. Air-gapped deployments supported.
Every event is indexed — instant full-text search across millions of events with configurable retention policies.
Single binary, zero dependencies. Under 1% CPU and minimal memory usage on production servers — deploys in 60 seconds.
Every team asks: why not Wazuh, CrowdStrike, or auditd? Here's the honest answer.
| | SecureExec | Wazuh | CrowdStrike / S1 | auditd + osquery |
|---|---|---|---|---|
| eBPF kernel visibility | | | | |
| Built-in detection rules | | | | |
| Process tree visualization | | | | |
| Host isolation (1 click) | | | | |
| Block by hash / path | | | | |
| Self-hosted & air-gapped | | | | |
| Agent < 1% CPU | | | | |
| Transparent pricing | | | | |
Built for teams who need real response capabilities, not just log forwarding.
Not a slide deck. A live walkthrough on a real Linux host.
Start free, scale as you grow. No hidden fees.
Deploy in minutes with Docker Compose, or request a guided demo for your team.