// detection layers

Telemetry Collection

Radegast EDR collects native host telemetry from the kernel, not from user-space hooks. This yields higher-fidelity telemetry that is harder to bypass.


Windows — ETW

Event Tracing for Windows (ETW) provides native kernel-level telemetry covering process creation, image load, network connections, file activity, registry changes, DNS queries, PowerShell script blocks, WMI events, service creation, and scheduled tasks.

Windows 10/11, Server 2016+

Linux — eBPF

Extended Berkeley Packet Filter (eBPF) provides kernel-level observability on Linux 5.8+ with BTF. Collects process execution, network connections, file activity, and outbound DNS queries parsed from raw payloads.

Linux 5.8+, BTF, x86_64, aarch64

Detection Layers

Three complementary detection approaches run in parallel on every normalized event.


Sigma — Behavioral Detection

Sigma is the community standard for behavioral detections. Radegast EDR evaluates Sigma rules on normalized events, letting detection engineers reuse thousands of existing community rules without rewriting them into a proprietary format.

Example detections: suspicious PowerShell activity, WMI execution, service creation, scheduled task creation, Linux process/network/DNS anomalies.

Sigma, Community rules, Hot reload

YARA — File & Memory Scanning

YARA rules are evaluated against the executable image at process creation. Memory scanning targets private executable regions to detect packed, obfuscated, or runtime-unpacked payloads without scanning every file on disk.

YARA, Process creation, Memory regions, Hot reload

IOC Matching

Fast, deterministic indicator matching against threat intelligence feeds. Useful for threat hunting and incident response, and strongest when combined with the behavioral and YARA layers.

  • File hashes (MD5, SHA-1, SHA-256)
  • IP addresses
  • Domains (including DNS QueryName on both Windows and Linux)
  • Path regexes

Hashes, IPs, Domains, Paths

Output & Integration


ECS NDJSON Alerts

All alerts are written as Elastic Common Schema (ECS) 9.3.0 NDJSON files. Drop them directly into Elastic Stack, Splunk, or any log ingestion pipeline with no transformation required.

logs/alerts.json.*
{"@timestamp":"2026-05-29T...","event.kind":"alert", "rule.name":"Suspicious PowerShell...", "process.name":"powershell.exe", ...}
ECS 9.3.0, NDJSON, SIEM-ready
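
The IOC layer described above (hashes, IPs, DNS query names, path regexes) feeding the ECS NDJSON alert output, as an added example that is not Radegast's own code: the indicator feed and events are constructed, field names follow ECS, and parent-domain matching for DNS names is an assumption of this example.

```python
import json
import re
# Constructed sample indicator feed (placeholder values, not real IOCs).
IOCS = {
    "hashes": {"0123456789abcdef" * 2, "3b9a7d6e" + "0" * 56},  # md5, sha256
    "ips": {"203.0.113.7"},
    "domains": {"bad.example"},
    "path_regexes": [r"(?i)\\AppData\\Local\\Temp\\[^\\]+\.exe$"],
}
# Constructed normalized events using ECS field names (not real telemetry).
EVENTS = [
    {"@timestamp": "2026-05-29T10:00:00Z", "event.category": "process", "process.name": "update.exe",
     "process.executable": r"C:\Users\a\AppData\Local\Temp\update.exe",
     "process.hash.sha256": "3B9A7D6E" + "0" * 56},
    {"@timestamp": "2026-05-29T10:00:01Z", "event.category": "network", "destination.ip": "198.51.100.2"},
    {"@timestamp": "2026-05-29T10:00:02Z", "event.category": "dns", "dns.question.name": "c2.bad.example."},
]

def matches_domain(name, domains):
    """Exact or parent-domain match (assumption): c2.bad.example hits bad.example."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def match_iocs(event, iocs):
    """Return (indicator_type, value) pairs that one normalized event hits."""
    hits = []
    for f in ("process.hash.md5", "process.hash.sha1", "process.hash.sha256"):
        h = event.get(f, "").lower()  # feeds and telemetry differ in hash casing
        if h in iocs["hashes"]:
            hits.append(("hash", h))
    if event.get("destination.ip") in iocs["ips"]:
        hits.append(("ip", event["destination.ip"]))
    qname = event.get("dns.question.name")
    if qname and matches_domain(qname, iocs["domains"]):
        hits.append(("domain", qname))
    path = event.get("process.executable", "")
    if any(re.search(rx, path) for rx in iocs["path_regexes"]):
        hits.append(("path", path))
    return hits

def scan(events, iocs):
    """Evaluate every event; return ECS-style alerts as NDJSON (one object per line)."""
    lines = []
    for ev in events:
        hits = match_iocs(ev, iocs)
        if hits:  # promote the event to an alert, keeping its original fields
            rule = "IOC match: " + ", ".join(f"{t}={v}" for t, v in hits)
            lines.append(json.dumps({**ev, "event.kind": "alert", "rule.name": rule}, sort_keys=True))
    return "\n".join(lines)
```

Each returned line is one alert document, so `scan(EVENTS, IOCS)` can be appended straight to a `logs/alerts.json.*` style file for SIEM ingestion.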

Hot Reload

Rules and IOC indicator files are hot-reloaded without restarting the agent. Update your detection pack and the agent picks it up immediately — no downtime, no gaps in coverage.

Zero downtime, Rules, IOC files

Active Response

Optionally terminate malicious processes on detection. Supports dry-run mode and allowlists to tune response actions before going live.

Optional, Dry-run mode, Allowlists

Privacy & Security


End-to-end Encryption

All EDR data flowing through the Radegast platform is end-to-end encrypted. Your telemetry is yours — not readable by anyone except you, not even by Radegast.

E2E encrypted, Zero-knowledge

Memory-safe by Design

Written entirely in Rust. No null pointer dereferences, no buffer overflows, no use-after-free bugs by construction. The agent is as trustworthy as the language that built it.

Rust, Memory-safe, No GC pauses

Fully Transparent

You can inspect exactly what telemetry is collected, how detections are evaluated, and what active response actions can be taken. No black boxes. Apache 2.0 licensed.

Apache 2.0, Open-source, Auditable

Ready to deploy?

Get started in 60 seconds with the Radegast console, or run the agent standalone from the Rustinel releases.