Endpoint Visibility & Response

Detect. Investigate. Respond.

Cagan unifies threat detection, digital forensics, and live response in one self-hosted platform. A lightweight agent on every host, multi-engine detection, and complete operator accountability.

cagan // detection-streamLIVE
ENDPOINTS
1,284
ONLINE
1,251
FINDINGS / 24H
168
CAMPAIGNS
6
Credential access via LSASS readT1003
Encoded PowerShell commandT1059
Scheduled task persistenceT1053
Unsigned binary in temp pathT1204
New local admin accountT1136
osquery inventory updatedn/a
cagan >hunt --engine yara,sigma,caganql --scope fleet
40+
Live Response Commands
200+
Artifact Types
MITRE
ATT&CK Mapped
Self-Hosted
Runs On Your Infra
Who it is for

Built For Security And Operations Teams

From SOC analysts running threat hunts to DFIR teams collecting forensic evidence, Cagan brings detection, response, and compliance into one platform.

SecOps / SOC

Run YARA, Sigma, and osquery campaigns across the fleet. Triage findings by severity with MITRE ATT&CK context from one console.

Incident Response

Quarantine compromised endpoints, collect forensic artifacts, and investigate with 40+ live response commands and a full audit trail.

DFIR Teams

Profile-driven acquisition, multi-engine analysis, evidence rendering, and timeline preservation for forensic investigations.

IT Operations

Inventory hardware, software, network, users, and security posture across every endpoint. Track connectivity and agent versions fleet-wide.

Compliance And Audit

Granular role-based access, an audit trail for every operation, a tamper-resistant agent, and mutual-TLS by default.

Platform Engineering

Container runtime visibility, security findings, signed agent updates, and dynamic device group targeting.

Platform

One Platform, End To End

Everything a team needs to find threats, investigate them, and respond with confidence.

Multi-Engine Detection

YARA, Sigma, and CaganQL run together on every artifact, with osquery queries and forensic parsing. Findings are scored by severity and mapped to MITRE ATT&CK automatically.

Live Response

Open a secure session to any endpoint and run 40+ forensic commands. Every action is governed and recorded for audit.

Threat Hunting At Fleet Scale

Launch detection and collection campaigns across the fleet. Track progress and results per device in real time.

Cases With AI Analysis

Group findings into cases, build the timeline, and let AI summarize what happened and what to do next.

Forensic Acquisition

Collect artifacts with profile-driven acquisition. Preserve evidence and render it for investigation.

Fleet And Asset Visibility

Inventory hardware, software, users, certificates, network, and firmware across Linux, macOS, and Windows, with live connectivity status.

Container Security

See running containers, images, exposed ports, and security findings across the fleet.

Enterprise Controls

Granular role-based access, a SIEM-ready audit trail, mutual-TLS by default, and a tamper-resistant agent.

Reporting And Export

Generate PDF reports from templates with TLP classification for findings, cases, and acquisitions. Export evidence for stakeholders.

Device Groups And Targeting

Organize endpoints into manual or dynamic groups. Target campaigns, policies, and scans by tag and scope.

Notifications And Alerts

Stay informed on script approvals, campaign outcomes, and case updates with per-user notification preferences.

Agent Policy And Updates

Control concurrency, resource limits, and scan scope per group. Roll out signed agent updates fleet-wide or by group.

How it works

From Deployment To Response In Three Steps

A simple operating model that scales from a single host to the whole fleet.

01

Enroll

Deploy the agent on Linux, macOS, and Windows with one command. Identity and secure transport are provisioned automatically.

02

Detect And Hunt

Collect artifacts and run YARA, Sigma, and osquery campaigns across the fleet. Suspicious activity surfaces as scored findings.

03

Investigate And Respond

Open live response sessions, build cases, and contain incidents with quarantine and full operator accountability.

Detection

Corroborated Detections, Not Lone Signatures

YARA, Sigma, and CaganQL run together on every artifact, with osquery for live system queries and forensic parsers that normalize the evidence. Findings are scored and mapped to MITRE ATT&CK automatically.

YARASignature and memory scanning.
SigmaLog and event correlation.
CaganQLCorrelation, sequence, and threshold rules.
osquerySystem state queries.
Pattern AnalysisForensic artifact parsing.
MITRE ATT&CKTechnique Mapping
Initial Access
Execution
Persistence
Priv. Esc.
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Exfiltration
LessMore
Findings by severity163 total
CRITICAL4
HIGH17
MEDIUM31
LOW48
INFO63
Inside Cagan

See How Operators Work

Detection campaigns, forensic analysis, and fleet management in one console.

Fleet Dashboard

Fleet Dashboard

Real-time fleet overview with connectivity status, job trends, and enrollment charts.

Collection Analysis

Collection Analysis

Findings scored by severity, mapped to MITRE ATT&CK, with evidence rendering.

Campaigns

Campaigns

Multi-engine campaigns with per-device state tracking across the fleet.

Asset Inventory

Asset Inventory

Fleet-wide endpoint visibility with connectivity, OS breakdown, and dynamic grouping.

Rules And Scripts

Rules And Scripts

Versioned registry for YARA, osquery, and scripts with diff review and approval.

Live Response

Live Response

Cross-platform terminal with 40+ forensic commands and a recorded audit trail.

Visibility

Every Endpoint, Always Accounted For

Inventory hardware, software, users, and security posture across Linux, macOS, and Windows. Connectivity is computed in real time, so you always know what is online, offline, or lost.

3
Platforms
Live
Connectivity
Dynamic
Device Groups
Fleet connectivity
ONLINEOFFLINELOST
LINUX18
MACOS12
WINDOWS24
Why Cagan

Capable Where It Counts

A focused platform that values simplicity, reliability, and accountability.

01

One Lightweight Agent

A single Rust agent runs on every platform with minimal CPU and memory and no runtime dependencies.

02

Self-Hosted By Design

Run the entire platform in one container on your own infrastructure. Your data never leaves your environment.

03

Multi-Engine, Not Single-Signature

YARA, Sigma, and CaganQL run together on every artifact, backed by osquery queries and forensic parsing, so detections are corroborated instead of guessed.

04

Accountable By Default

Every operator action is governed and recorded in a SIEM-ready audit trail.

Architecture

Minimal Footprint, Maximum Capability

A containerized server that runs anywhere and a Rust agent that performs everywhere.

Containerized Server

The server, API, and console run together in one container. It runs comfortably on modest hardware with no complex infrastructure.

Lightweight Rust Agent

Built in Rust for performance and reliability. A small, dependency-free binary with minimal CPU and memory overhead.

Multi-Platform

Linux, macOS, and Windows on ARM64 and AMD64, with consistent capabilities everywhere.

Security and trust

Secure By Default, Accountable By Design

Strong defaults protect your endpoints and your evidence, with a clear record of every action.

Mutual-TLS By Default

Agents and server authenticate each other on every connection.

Tamper-Resistant Agent

Removing the agent requires a signed authorization, so endpoints stay protected.

Signed, Managed Updates

Updates are verified before they roll out, fleet-wide or by group.

SIEM-Ready Audit Trail

Every operation is logged in a standard CEF format your SIEM can ingest.

Granular Access Control

Role-based permissions scope what every operator can see and do.

Self-Hosted

Your telemetry and evidence stay on infrastructure you control.

FAQ

Questions, Answered

Get started

See Cagan On Your Own Endpoints

Request a demo and we will walk you through detection, investigation, and response on a fleet that looks like yours.

Or email demo@cagan.io