Private-Cloud XDR & SIEM · Built in Rust

Security operations you actually own.

Detection, investigation, threat hunting, fleet operations, and governance — delivered as a single signed Rust binary. No cloud dependency. No vendor lock-in. No telemetry egress unless you enable it.

$ curl -sSf https://github.com/pinkysworld/Wardex/releases/latest | bash

Why Wardex

Three things most XDR platforms can't offer.

Wardex is built for security teams that need professional tooling without handing their telemetry to a vendor.

Data sovereignty by default

Your telemetry never leaves your infrastructure. Deploy on-prem, in your VPC, or air-gapped. Every integration — SIEM, IdP, threat feeds — is yours to configure or disable.

Memory-safe Rust, one binary

Rust edition 2024, MSRV 1.88. No runtime to manage, no JVM to patch, no Python toolchain drift. A single reproducible binary serves agents, API, and the browser console.

Verifiable supply chain

Every release ships with SLSA build provenance attestations, CycloneDX SBOMs, and cosign-signed container images. CI is SHA-pinned and secret-scanned on every push.

Platform Capabilities

Detection, investigation, and response — integrated.

One platform covering the full SOC lifecycle. Every surface is driven by the same data model and permission system.

Real-Time Detection

Adaptive scoring, Sigma rules, YARA scanning, side-channel fusion, and kernel-level event bridging work together out of the box.

Threat Hunting

Campaign clustering across the fleet, deception canaries, attacker profiling, and memory forensics for proactive investigations.

SOC Workbench

Queue, cases, SLAs, process trees, timelines, and storyline views keep analysts inside one investigation surface with full context.

File Integrity Monitoring

SHA-256 baselines for critical system paths with change detection and per-agent snapshots across Linux, macOS, and Windows.
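The baseline-and-diff cycle that sentence describes, as an added example that is not Wardex code: hash every regular file under a root into a baseline, persist it as JSON (the per-agent snapshot), re-scan later and report what was added, removed, modified, or had its permission bits changed. The directory layout, file contents and the tamper steps in `demo()` are constructed for illustration.

```python
"""Minimal file-integrity baseline and change detection using SHA-256 (added example)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large binaries don't load into memory


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record digest, size and permission bits for every regular file below root.

    Keys are root-relative POSIX paths so a snapshot is comparable across hosts.
    Symlinks are skipped: hashing their target would hide a redirected link.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.lstat()
        baseline[p.relative_to(root).as_posix()] = {
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Compare two snapshots and classify every difference."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p]["sha256"] != new[p]["sha256"]),
        # content identical but permission bits changed (e.g. a binary made writable)
        "mode_changed": sorted(
            p for p in common
            if old[p]["sha256"] == new[p]["sha256"] and old[p]["mode"] != new[p]["mode"]
        ),
    }


def demo() -> dict:
    """Build a baseline over a constructed tree, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-constructed-sample")
        os.chmod(root / "bin" / "ls", 0o755)

        # What an agent would persist after enrolment: the JSON snapshot.
        snapshot_json = json.dumps(build_baseline(root), sort_keys=True)

        # Constructed tampering: extra UID-0 account, deleted hosts file,
        # a new binary dropped into bin/, and ls made non-world-readable.
        with open(root / "etc" / "passwd", "a") as f:
            f.write("eve:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "bin" / "nc").write_bytes(b"\x7fELF-constructed-dropped")
        os.chmod(root / "bin" / "ls", 0o700)

        return diff_baseline(json.loads(snapshot_json), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A real agent would also record owner, mtime and inode, and would schedule re-scans on a timer or on inotify/fsevents notifications; the diff logic stays the same.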

UEBA & Geo-Validation

Behavioural baselines with impossible-travel detection catch compromised credentials that static rules miss.
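One way to implement the impossible-travel part of that check, as an added example rather than Wardex's own logic: sort authentication events per user, compute the great-circle distance between consecutive logins, and flag any pair whose implied speed exceeds a plausibility ceiling. The login records, coordinates, IPs and the 900 km/h ceiling are constructed assumptions for the example.

```python
"""Impossible-travel detection over per-user authentication events (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner speed; tune per environment
MIN_DISTANCE_KM = 100.0     # ignore geo-IP jitter within one metro area


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    lat: float
    lon: float
    ip: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on the sphere."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return (previous, current, speed_kmh) for consecutive logins that exceed max_kmh."""
    by_user = {}
    for ev in sorted(logins, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(ev.user, []).append(ev)

    findings = []
    for evs in by_user.values():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < min_km:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Identical timestamps from distant places are the strongest signal: infinite speed.
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append((prev, cur, round(speed, 1)))
    return findings


def _t(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"2024-05-01T{hhmm}:00+00:00").astimezone(timezone.utc)


# Constructed sample: one credential used from two continents 40 minutes apart,
# one ordinary London-to-Paris day, one intra-city pair, and one same-second pair.
SAMPLE_LOGINS = [
    Login("alice", _t("09:00"), 52.5200, 13.4050, "203.0.113.10"),    # Berlin
    Login("alice", _t("09:40"), -23.5505, -46.6333, "198.51.100.7"),  # São Paulo
    Login("bob", _t("08:00"), 51.5074, -0.1278, "192.0.2.20"),        # London
    Login("bob", _t("10:00"), 48.8566, 2.3522, "192.0.2.21"),         # Paris, ~172 km/h
    Login("carol", _t("12:00"), 40.7128, -74.0060, "192.0.2.30"),     # New York
    Login("carol", _t("12:05"), 40.7357, -74.1724, "192.0.2.31"),     # Newark, below min_km
    Login("dave", _t("15:00"), 35.6762, 139.6503, "192.0.2.40"),      # Tokyo
    Login("dave", _t("15:00"), -33.8688, 151.2093, "192.0.2.41"),     # Sydney, same second
]


def demo():
    return impossible_travel(SAMPLE_LOGINS)


if __name__ == "__main__":
    for prev, cur, speed in demo():
        print(f"{cur.user}: {prev.ip} -> {cur.ip} implies {speed} km/h")
```

In production the coordinates come from a geo-IP lookup and the ceiling is usually paired with an allow-list for known VPN or cloud egress ranges, otherwise a corporate VPN concentrator on another continent produces a finding on every reconnect.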

Approval-Gated Response

Quarantine, isolate, and remediate with documented approvals, full audit trails, and automatic rollback on failure.

Insights

Inside Wardex: live operator views from a real control plane.

Captured from a local Wardex v0.53.0 instance with seeded alerts, enrolled endpoints, active incidents, and an in-progress hunt. No static mockups.

One control plane for posture, triage, fleet recovery, and hunt workflows.


Wardex keeps detection, investigation, and endpoint operations inside the same product surface. Analysts do not have to swivel between stitched-together tools to move from an alert to a host, a case, or a hunt.

  • Dashboard posture, fleet state, and threat volume share the same data model.
  • Fleet recovery stays next to version drift, heartbeat loss, and rollout status.
  • Incidents, cases, and hunts remain linked to the same endpoints and evidence.

Fleet Operations

Spot version drift and offline endpoints in one sweep.

Version lag, heartbeat gaps, and endpoint detail stay visible without leaving the fleet workspace.

[Screenshot: Fleet & Agents, coverage and rollout detail. Wardex fleet view showing enrolled endpoints, operating systems, versions, and endpoint detail for an offline finance MacBook.]

Incident Response

Move from incident list to action plan without another tool.

Open incidents carry linked agents, narrative context, and next-response actions inside the same SOC workbench.

[Screenshot: SOC Workbench, incident detail in context. Wardex SOC workbench showing open incidents and the detail view for a credential abuse investigation.]

Threat Hunting

Pivot into live hunts directly from rule context.

Run an ad hoc hunt, reuse the query, and widen scope from the same detection engineering surface.

[Screenshot: Threat Detection, hunt workflow. Wardex threat detection workspace with a live hunt drawer open from rule context.]

By the Numbers

Ship-ready, today.

Deploy Anywhere

Linux. macOS. Windows. Air-gapped.

Ship a single binary with systemd, launchd, or Windows Service integration. Package as Debian and Homebrew artifacts straight from CI, or roll your own Helm chart for Kubernetes.

  • Debian packages with signed APT repository
  • Homebrew tap for macOS and Linux
  • Signed container images with cosign
  • Helm chart for Kubernetes rollouts
  • Auto-update with SHA-256 verification and atomic rollback


# Linux (Debian / Ubuntu)
$ curl -fsSL https://pinkysworld.github.io/Wardex/apt/pubkey.gpg \
    | sudo gpg --dearmor -o /usr/share/keyrings/wardex.gpg
# then add the Wardex APT source with signed-by=/usr/share/keyrings/wardex.gpg and refresh the index
$ sudo apt update
$ sudo apt install wardex

# macOS
$ brew tap pinkysworld/wardex
$ brew install wardex

# Kubernetes
$ helm install wardex ./deploy/helm/wardex


Own your detection stack.

Evaluate Wardex in your own environment today. The source code is open for inspection and non-production use under BSL 1.1.