Detect. Investigate. Respond.
Cagan unifies threat detection, digital forensics, and live response in one self-hosted platform. A lightweight agent on every host, multi-engine detection, and complete operator accountability.
Built For Security And Operations Teams
From SOC analysts running threat hunts to DFIR teams collecting forensic evidence, Cagan brings detection, response, and compliance into one platform.
SecOps / SOC
Run YARA, Sigma, and osquery campaigns across the fleet. Triage findings by severity with MITRE ATT&CK context from one console.
Incident Response
Quarantine compromised endpoints, collect forensic artifacts, and investigate with 40+ live response commands and a full audit trail.
DFIR Teams
Profile-driven acquisition, multi-engine analysis, evidence rendering, and timeline preservation for forensic investigations.
IT Operations
Inventory hardware, software, network, users, and security posture across every endpoint. Track connectivity and agent versions fleet-wide.
Compliance And Audit
Granular role-based access, an audit trail for every operation, a tamper-resistant agent, and mutual-TLS by default.
Platform Engineering
Container runtime visibility, security findings, signed agent updates, and dynamic device group targeting.
One Platform, End To End
Everything a team needs to find threats, investigate them, and respond with confidence.
Multi-Engine Detection
YARA, Sigma, and CaganQL run together on every artifact, with osquery queries and forensic parsing. Findings are scored by severity and mapped to MITRE ATT&CK automatically.
Live Response
Open a secure session to any endpoint and run 40+ forensic commands. Every action is governed and recorded for audit.
Threat Hunting At Fleet Scale
Launch detection and collection campaigns across the fleet. Track progress and results per device in real time.
Cases With AI Analysis
Group findings into cases, build the timeline, and let AI summarize what happened and what to do next.
Forensic Acquisition
Collect artifacts with profile-driven acquisition. Preserve evidence and render it for investigation.
Fleet And Asset Visibility
Inventory hardware, software, users, certificates, network, and firmware across Linux, macOS, and Windows, with live connectivity status.
Container Security
See running containers, images, exposed ports, and security findings across the fleet.
Enterprise Controls
Granular role-based access, a SIEM-ready audit trail, mutual-TLS by default, and a tamper-resistant agent.
Reporting And Export
Generate PDF reports from templates with TLP classification for findings, cases, and acquisitions. Export evidence for stakeholders.
Device Groups And Targeting
Organize endpoints into manual or dynamic groups. Target campaigns, policies, and scans by tag and scope.
Notifications And Alerts
Stay informed on script approvals, campaign outcomes, and case updates with per-user notification preferences.
Agent Policy And Updates
Control concurrency, resource limits, and scan scope per group. Roll out signed agent updates fleet-wide or by group.
From Deployment To Response In Three Steps
A simple operating model that scales from a single host to the whole fleet.
Enroll
Deploy the agent on Linux, macOS, and Windows with one command. Identity and secure transport are provisioned automatically.
Detect And Hunt
Collect artifacts and run YARA, Sigma, and osquery campaigns across the fleet. Suspicious activity surfaces as scored findings.
Investigate And Respond
Open live response sessions, build cases, and contain incidents with quarantine and full operator accountability.
Corroborated Detections, Not Lone Signatures
YARA, Sigma, and CaganQL run together on every artifact, with osquery for live system queries and forensic parsers that normalize the evidence. Findings are scored and mapped to MITRE ATT&CK automatically.
See How Operators Work
Detection campaigns, forensic analysis, and fleet management in one console.

Fleet Dashboard
Real-time fleet overview with connectivity status, job trends, and enrollment charts.

Collection Analysis
Findings scored by severity, mapped to MITRE ATT&CK, with evidence rendering.

Campaigns
Multi-engine campaigns with per-device state tracking across the fleet.

Asset Inventory
Fleet-wide endpoint visibility with connectivity, OS breakdown, and dynamic grouping.

Rules And Scripts
Versioned registry for YARA, osquery, and scripts with diff review and approval.

Live Response
Cross-platform terminal with 40+ forensic commands and a recorded audit trail.
Every Endpoint, Always Accounted For
Inventory hardware, software, users, and security posture across Linux, macOS, and Windows. Connectivity is computed in real time, so you always know what is online, offline, or lost.
Capable Where It Counts
A focused platform that values simplicity, reliability, and accountability.
One Lightweight Agent
A single Rust agent runs on every platform with minimal CPU and memory and no runtime dependencies.
Self-Hosted By Design
Run the entire platform in one container on your own infrastructure. Your data never leaves your environment.
Multi-Engine, Not Single-Signature
YARA, Sigma, and CaganQL run together on every artifact, backed by osquery queries and forensic parsing, so detections are corroborated instead of guessed.
Accountable By Default
Every operator action is governed and recorded in a SIEM-ready audit trail.
Minimal Footprint, Maximum Capability
A containerized server that runs anywhere and a Rust agent that performs everywhere.
Containerized Server
The server, API, and console run together in one container. It runs comfortably on modest hardware with no complex infrastructure.
Lightweight Rust Agent
Built in Rust for performance and reliability. A small, dependency-free binary with minimal CPU and memory overhead.
Multi-Platform
Linux, macOS, and Windows on ARM64 and AMD64, with consistent capabilities everywhere.
Secure By Default, Accountable By Design
Strong defaults protect your endpoints and your evidence, with a clear record of every action.
Mutual-TLS By Default
Agents and server authenticate each other on every connection.
Tamper-Resistant Agent
Removing the agent requires a signed authorization, so endpoints stay protected.
Signed, Managed Updates
Updates are verified before they roll out, fleet-wide or by group.
SIEM-Ready Audit Trail
Every operation is logged in a standard CEF format your SIEM can ingest.
Granular Access Control
Role-based permissions scope what every operator can see and do.
Self-Hosted
Your telemetry and evidence stay on infrastructure you control.
Questions, Answered
See Cagan On Your Own Endpoints
Request a demo and we will walk you through detection, investigation, and response on a fleet that looks like yours.