Features
Everything a modern SOC needs, in one binary.
Wardex consolidates detection engineering, alert triage, investigation, threat hunting, response automation, fleet operations, and governance into a single Rust platform. Organised by SOC discipline below.
Detection Engineering
Catch attacks as they unfold.
Multiple detection engines compose into a single adaptive score per event. Rules, heuristics, and machine signals cross-validate each other instead of fighting.
Sigma Rule Engine
Native Sigma parsing with in-memory compilation. Field schema bridges kernel events directly into rule evaluation — no extra translation layer.
Adaptive Anomaly Scoring
Per-host baselines with EWMA drift tracking. Gradual behavioural changes elevate risk scores without triggering noise on every short spike.
YARA Malware Scanning
Embedded YARA engine scans executables, scripts, and memory regions against a curated malware signature database with hot-reload support.
Kernel Event Bridge
Process creation, file writes, DNS queries, and network connections flow through a unified schema on Linux (eBPF), macOS (EndpointSecurity), and Windows (ETW).
MITRE ATT&CK Coverage
Every rule maps to ATT&CK techniques. The coverage matrix shows exactly where your detection depth sits and highlights gaps worth filling.
Scheduled Hunts
Author hunts as saved queries, schedule them, and promote high-signal results directly into the alert queue with suppression rules to control noise.
SOC Workbench
Every pivot your analysts need.
From alert intake to case closure, analysts stay inside a single investigation surface. Context follows the analyst, not the tab.
Alert Queue with SLAs
Priority-weighted queue with acknowledgement, assignment, escalation, and SLA countdown. Bulk actions keep high-volume days manageable.
Process Tree & Timeline
Pivot from any alert into the full process genealogy, file access timeline, and network connection graph for the affected host.
Storyline View
Related events collapse into a coherent narrative. See the attack arc at a glance instead of scrolling through thousands of raw records.
Entity Extraction
IPs, domains, paths, hashes, usernames, and MITRE techniques are extracted automatically from alert reasons and investigation notes.
Case Management
Cases aggregate alerts, evidence, analyst notes, and response actions with per-step timestamps and exportable evidence packages.
False-Positive Advisor
When an analyst marks an alert as benign, the system suggests suppression rule patches so the same noise doesn't reappear tomorrow.
Threat Hunting
Go find them before they find you.
Purpose-built tools for proactive investigation, campaign analysis, and adversary tracking across your fleet.
Campaign Clustering
Jaccard-similarity analysis correlates alerts by technique, target, and timing to surface multi-host campaigns that individual detections miss entirely.
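To make the clustering step concrete, here is an added example (my own code, not Wardex's) that links alerts into candidate campaigns by Jaccard similarity. It assumes, as a simplification not stated on the page, that each alert is reduced to a set of tokens built from its ATT&CK technique IDs, its target host and a coarse time bucket; pairs whose token sets overlap at or above a threshold are joined, and joins are closed transitively with union-find. The alerts are constructed sample data.

```python
# Added example, not Wardex code: group alerts into candidate campaigns by Jaccard similarity.
# Assumption (mine, not the page's): each alert is reduced to a set of tokens built from its
# ATT&CK technique IDs, its target host, and a coarse time bucket; alerts whose token sets
# overlap at or above a threshold are linked, and links are closed transitively (union-find).
from itertools import combinations

# Constructed sample alerts (not real data). ts is a Unix timestamp in seconds.
SAMPLE_ALERTS = [
    {"id": "A1", "target": "host-a", "techniques": ["T1059", "T1021"], "ts": 1000},
    {"id": "A2", "target": "host-b", "techniques": ["T1059", "T1021"], "ts": 2000},
    {"id": "A3", "target": "host-c", "techniques": ["T1021", "T1078"], "ts": 3000},
    {"id": "A4", "target": "host-z", "techniques": ["T1566"], "ts": 90000},
]


def features(alert, bucket_secs=3600):
    """Tokenise one alert: technique IDs, target host, and the hour bucket it fired in."""
    tokens = {f"technique:{t}" for t in alert["techniques"]}
    tokens.add(f"target:{alert['target']}")
    tokens.add(f"bucket:{alert['ts'] // bucket_secs}")
    return tokens


def jaccard(a, b):
    """Intersection over union; two empty sets count as dissimilar rather than identical."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def cluster_campaigns(alerts, threshold=0.3, bucket_secs=3600):
    """Return clusters as sorted lists of alert IDs; unlinked alerts stay singletons."""
    feats = {a["id"]: features(a, bucket_secs) for a in alerts}
    parent = {aid: aid for aid in feats}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    for x, y in combinations(feats, 2):
        if jaccard(feats[x], feats[y]) >= threshold:
            parent[find(x)] = find(y)

    groups = {}
    for aid in feats:
        groups.setdefault(find(aid), []).append(aid)
    return sorted(sorted(g) for g in groups.values())


def multi_host_campaigns(alerts, threshold=0.3):
    """Keep only clusters that span more than one target host: the cross-host campaigns."""
    hosts = {a["id"]: a["target"] for a in alerts}
    return [c for c in cluster_campaigns(alerts, threshold) if len({hosts[i] for i in c}) > 1]


if __name__ == "__main__":
    print(cluster_campaigns(SAMPLE_ALERTS))     # [['A1', 'A2', 'A3'], ['A4']]
    print(multi_host_campaigns(SAMPLE_ALERTS))  # [['A1', 'A2', 'A3']]
```

With the default threshold, A3 joins the A1/A2 pair through its shared technique and time bucket even though it never overlaps A1 strongly on its own; raising the threshold to 0.5 splits it off again. The threshold and the bucket width are the two knobs that trade campaign recall against false merges, so both deserve tuning against a labelled week of alerts before the clusters are trusted.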
Canary Deployment
Randomised honeypots, honey files, honey credentials, and canary services. Track attacker interactions to build detailed behaviour profiles.
Memory Analysis
Detect code injection, process hollowing, RWX regions, and unbacked executable memory with platform-specific collection plans.
Threat Feed Ingestion
Pull MISP, OSINT, and custom JSON-lines feeds. IoCs enrich every alert automatically and age out on a configurable decay schedule.
Lateral Movement Graph
Authentication traversals, process spawning chains, and SMB/WinRM sessions render into a graph so cross-host compromise reads at a glance.
Hunt DSL
Saved, parameterised hunt templates run on a schedule or on demand. Results route through the same queue and suppression pipeline as live detections.
Advanced Analytics
Intelligence-driven detection without the cloud.
Multi-signal fusion, behavioural baselines, and privacy-preserving ML — trained and evaluated entirely inside your environment.
Side-Channel Score Fusion
Combine traditional detection signals with hardware side-channel analysis. Critical findings boost compound threat scores by up to +1.5.
EWMA Drift Tracking
Exponentially weighted moving averages catch the gradual behavioural drift that static baselines miss entirely.
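The Adaptive Anomaly Scoring and EWMA Drift Tracking entries both describe the same mechanism, so one added example (my own code, not Wardex's) serves both: a per-host EWMA baseline whose risk score follows sustained drift rather than single spikes. It assumes, as details the page does not state, one numeric metric per host, an EWMA mean and EWMA variance as the baseline, and z-scores clamped before they are smoothed so that a single outlier cannot dominate the score.

```python
# Added example, not Wardex code: a per-host EWMA baseline whose risk score tracks sustained
# drift rather than single spikes. Assumptions (mine, not the page's): one numeric metric per
# host, an EWMA mean and EWMA variance as the baseline, and z-scores clamped before they are
# smoothed so that one outlier cannot dominate.
from dataclasses import dataclass
from typing import List, Optional
import math


@dataclass
class HostBaseline:
    alpha: float = 0.1            # smoothing factor; smaller = longer memory
    z_clamp: float = 3.0          # cap on a single observation's z-score
    min_std: float = 1.0          # floor so a flat history does not make every change infinite
    mean: Optional[float] = None  # EWMA of the metric
    var: float = 0.0              # EWMA of the squared deviation
    drift: float = 0.0            # EWMA of the clamped z-score

    def update(self, x: float) -> float:
        """Fold one observation into the baseline and return a 0..10 risk score."""
        if self.mean is None:          # first observation seeds the baseline
            self.mean = x
            return 0.0
        diff = x - self.mean
        std = max(math.sqrt(self.var), self.min_std)
        z = max(-self.z_clamp, min(self.z_clamp, diff / std))
        # baseline updates after z is computed, so x is judged against history, not itself
        self.mean += self.alpha * diff
        self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        # drift smooths z over time: a lone spike decays, a sustained shift accumulates
        self.drift = (1 - self.alpha) * self.drift + self.alpha * z
        return round(abs(self.drift) / self.z_clamp * 10.0, 2)


def score_series(values: List[float], alpha: float = 0.1) -> List[float]:
    """Run one host's observations through a fresh baseline and return the score per step."""
    baseline = HostBaseline(alpha=alpha)
    return [baseline.update(v) for v in values]


if __name__ == "__main__":
    quiet = [10.0] * 20
    print(max(score_series(quiet + [100.0] + [10.0] * 10)))   # single spike: 1.0
    print(max(score_series(quiet + [30.0] * 20)))             # sustained shift: about 3.1
```

In a fleet you would keep one HostBaseline per (host, metric) pair. The clamp is what makes the difference between the two series above: the spike is bounded to one step's worth of drift and decays, while twenty consecutive elevated readings accumulate before the baseline catches up. The flip side is that a very slow ramp can be absorbed into the baseline without ever scoring, which is why a long-memory (small alpha) baseline is usually paired with a shorter one.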
Impossible-Travel Detection
Geo-IP validation flags authentication events that imply travel speeds exceeding 900 km/h — credential sharing and account compromise in one signal.
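The following added example (my own code, not Wardex's) shows the check behind that figure: consecutive authentication events for the same user are compared on great-circle distance over elapsed time, and any pair implying more than 900 km/h is flagged. It assumes the Geo-IP lookup has already been done and each event carries the coordinates its source address resolved to; the events are constructed sample data.

```python
# Added example, not Wardex code: impossible-travel check over a user's authentication events.
# Assumptions (mine, not the page's): each event already carries the coordinates its source IP
# resolved to (the Geo-IP lookup itself is out of scope here), and consecutive events for the
# same user are compared on great-circle distance over elapsed time.
import math
from collections import defaultdict
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # threshold quoted on the page; roughly airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS-84 points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def implied_speed_kmh(prev, cur):
    """Speed the user would have needed between two events; inf for a move with no elapsed time."""
    dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
    if hours <= 0:
        return 0.0 if dist < 1.0 else math.inf   # same place, same second: fine; else impossible
    return dist / hours


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one finding per consecutive pair of a user's logins that implies speed > max_kmh."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            speed = implied_speed_kmh(prev, cur)
            if speed > max_kmh:
                findings.append({"user": user, "from": prev["geo"], "to": cur["geo"],
                                 "speed_kmh": speed if math.isinf(speed) else round(speed)})
    return findings


def _t(hhmm):
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[2:]), tzinfo=timezone.utc)


# Constructed sample events (not real data); coordinates are city centres.
SAMPLE_EVENTS = [
    {"user": "alice", "geo": "London",   "lat": 51.5074, "lon": -0.1278,  "ts": _t("0900")},
    {"user": "alice", "geo": "New York", "lat": 40.7128, "lon": -74.0060, "ts": _t("1030")},
    {"user": "bob",   "geo": "Berlin",   "lat": 52.5200, "lon": 13.4050,  "ts": _t("0900")},
    {"user": "bob",   "geo": "Munich",   "lat": 48.1351, "lon": 11.5820,  "ts": _t("1200")},
    {"user": "carol", "geo": "Dublin",   "lat": 53.3498, "lon": -6.2603,  "ts": _t("0800")},
    {"user": "carol", "geo": "Dublin",   "lat": 53.3498, "lon": -6.2603,  "ts": _t("0800")},
]

if __name__ == "__main__":
    for f in find_impossible_travel(SAMPLE_EVENTS):
        print(f)   # only alice: London -> New York at roughly 3700 km/h
```

Bob's Berlin to Munich move over three hours is a comfortable 170 km/h and passes; Carol's duplicate event at the same second from the same place is treated as a retry rather than a teleport. In production the usual false positives come from VPN and cloud egress addresses whose Geo-IP location bears no relation to the user, so the check is normally paired with an allow-list of known egress ranges and an accuracy radius from the Geo-IP source.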
Digital Twin Calibration
Virtual device replicas track drift between expected and observed behaviour with per-parameter deltas and alert thresholds.
Federated Learning Convergence
Train global detection models across distributed agents without centralising sensitive data. Multi-round averaging converges to accuracy thresholds automatically.
ML Triage Assist
Per-alert feature vectors feed into a lightweight triage model that surfaces the 5 % of incidents most likely to be real.
Response & Remediation
Controlled action with a full paper trail.
Every response path is approval-gated, audited, and reversible. Speed when you need it; accountability when you're asked for it.
Approval-Gated Requests
Isolation, quarantine, process termination, and remediation all require explicit approval, with both the analyst's and the approver's identities recorded.
Playbook Engine
Define response workflows in a declarative DSL. Conditional steps, timeouts, and rollback handlers are first-class language primitives.
Live Response Shell
On-demand triage commands stream back to the console over an authenticated session with full keystroke audit logging.
Host Quarantine
Network isolation with a deny-all firewall profile that preserves the analyst's own back-channel. Reversible with a single approved action.
Remediation Scripts
Library of vetted remediation scripts for common attack artefacts — persistence cleanup, credential rotation, registry restore.
Full Response Audit
Every approval, execution, and outcome is written to a tamper-evident audit chain for incident post-mortems and compliance evidence.
Fleet Operations
Run a fleet. Don't babysit it.
Agents enrol, phone home, update themselves, and rotate keys — all under policy. You watch the dashboards, not the cron jobs.
Zero-Touch Enrolment
One-time tokens bootstrap agents cryptographically. Post-enrolment, mutual TLS is issued automatically and rotated on schedule.
Rolling Auto-Update
SHA-256 verified binary releases with staged rollout groups, automatic rollback on health-check failure, and per-agent visibility.
Heartbeat & Liveness
Configurable freshness windows, degraded-state flagging, and per-agent last-seen tracking — with alerting when a cohort goes dark.
Policy Distribution
Versioned policy bundles reach every agent under a deterministic rollout. Rollback is a single click.
Event Spool
Encrypted local spool buffers events during control-plane outages and replays them in order on reconnect — no data loss, no silent drops.
Offline / Air-Gap Mode
Operate with manually synchronised update bundles and offline policy packages. No outbound internet required.
Governance & Trust
Auditable by design.
Everything sensitive is recorded. Everything recorded is signed. Everything signed is verifiable years later.
RBAC with Session Rotation
Role-based access for admin, analyst, responder, and viewer personas. Session tokens rotate automatically with configurable TTLs.
OIDC & SCIM
Native OIDC login flow and SCIM user/group provisioning keep Wardex aligned with your identity provider.
Tamper-Evident Audit Chain
Each audit record commits to the hash of the record before it, so any retroactive modification breaks the chain and is detectable on verification.
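As an added example (my own code, not Wardex's) of what "hash-chained" buys you, here is a minimal audit chain with the verification routine that catches an in-place edit. It assumes, as details the page does not give, SHA-256 over the sequence number, the previous hash and the canonical JSON of the record, and that the latest head hash is anchored out of band. The records are constructed sample data.

```python
# Added example, not Wardex code: a hash-chained audit log and the check that detects a
# retroactive edit. Assumptions (mine, not the page's): SHA-256 over (sequence number, previous
# hash, canonical JSON of the record); the latest head hash is anchored out of band.
import copy
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


def entry_hash(seq, prev_hash, record):
    """Hash that binds position, predecessor and canonical record content."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(f"{seq}\n{prev_hash}\n".encode() + payload).hexdigest()


class AuditChain:
    def __init__(self):
        self.entries = []   # each entry: {"seq", "prev", "record", "hash"}

    def append(self, record):
        """Append a copy of the record and return its hash, which is the new head."""
        seq = len(self.entries)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = copy.deepcopy(record)
        h = entry_hash(seq, prev, record)
        self.entries.append({"seq": seq, "prev": prev, "record": record, "hash": h})
        return h

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """(True, None) if intact; (False, seq) at the first inconsistent entry;
        (False, "head") if every link checks but the head differs from the anchored value."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or entry_hash(i, prev, e["record"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, "head"
        return True, None


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"actor": "analyst-1",   "action": "approve", "request": "isolate", "host": "host-a"},
    {"actor": "responder-2", "action": "execute", "request": "isolate", "host": "host-a"},
    {"actor": "analyst-1",   "action": "close",   "case": "C-1"},
]


def build_chain(records):
    chain = AuditChain()
    for r in records:
        chain.append(r)
    return chain


if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    anchored = chain.head()
    print(chain.verify(anchored))                      # (True, None)
    chain.entries[1]["record"]["host"] = "host-b"      # history edited in place
    print(chain.verify(anchored))                      # (False, 1)
```

The chain alone only proves internal consistency: a log that is rebuilt from altered records will verify cleanly. What makes it tamper-evident is the anchored head, which is why verify takes the expected head as a parameter and why the page pairs chaining with signing. Including the sequence number in each hash also means entries cannot be reordered or dropped without the break being visible.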
Compliance Templates
Pre-built report templates for SOC 2, ISO 27001, PCI DSS, and HIPAA with evidence aggregation across timeframes.
Data Retention Controls
Per-tenant retention policies with automatic purge, legal-hold overrides, and reversible soft-delete for investigations.
Multi-Tenant Isolation
Tenant scoping at the data-model level prevents cross-tenant bleed in MSSP deployments. Per-tenant keys, per-tenant quotas.
Integrations & Extensibility
Plug in. Scale out. Extend.
Wardex talks to the tools your team already uses — and stays extensible for the ones that haven't been invented yet.
SIEM Forwarding
OCSF, CEF, ECS, and raw JSON output to Splunk, Elastic, Sentinel, Chronicle, and any syslog-compatible receiver.
ClickHouse Archive
Cold storage and long-range analytics on ClickHouse with schema migration hooks and tenant partitioning.
WASM Extensions
Write custom detectors and response handlers in any language that compiles to WebAssembly. Sandboxed execution with explicit capability grants.
Python & TypeScript SDKs
Officially maintained client SDKs with 60+ methods. Perfect for CI automation, runbook scripting, and bespoke dashboards.
OpenAPI Contract
Versioned OpenAPI spec tracked in-repo. Every API change is reviewed; no surprise breakage for downstream consumers.
Cloud Inventory Collectors
AWS, GCP, and Azure asset inventory ingestion keeps your infrastructure in the same pane of glass as your endpoints.
Ready to see it running?
Evaluate Wardex in your own environment. Full source is available for inspection and non-production use under BSL 1.1.