Iris · Host Agent

Attackers hide between log lines.
At the process level. Where your SIEM can't see.

Traditional security tools see network edges and application logs. Iris sits on the host itself. It watches process execution, file changes, network events and log patterns — and uses AI triage to decide what actually matters before escalating to Horus.

Without host visibility
A process spawns a reverse shell. Your network scanner doesn't see it. Your SIEM's log rules miss the parent-child relationship. Nobody alerts.
A config file gets modified at 03:00 UTC by a process that shouldn't touch it. Nobody sees it until a service breaks days later.
EDR would catch all of this, but costs more per seat than your entire security budget. So hosts run blind.
With Iris
4MB Rust daemon. Single binary, zero dependencies, <0.5% CPU when idle. Installs in 40 seconds. Runs 4 monitors in parallel from inside the host.
AI triage runs locally on each batch. Only events that pass the relevance threshold get queued to Horus. Noise filtered at the source, not at the SIEM.
Offline queue with backpressure. If the server is unreachable, events queue to local disk and retry with backoff. No OOM: the queue is bounded, so nothing is lost as long as the backlog stays under the configured maximum.
How it works

Install. Watch. Triage. Queue.

Iris is a single Rust binary. It runs four monitors in parallel threads and uses AI triage to decide what's worth sending to Horus.

01 / INSTALL

Single binary, 40 seconds

One install script. Registers as a systemd service. 4MB binary, zero dependencies. Works on Ubuntu 20.04+ and Debian 11+. On upgrade, stops the existing service and restarts it automatically.

02 / MONITOR

4 monitors running in parallel

Process monitor (spawns + exits). File watcher (critical config paths). Network events (connections + listens). Log scraper (journald + auditd patterns). Each runs in its own thread.

03 / TRIAGE + SHIP

AI scores, queue ships

Batches of events scored by AI triage model. Only relevant events queued. Bounded queue prevents OOM. Backpressure and retry with exponential backoff. Events correlated in Horus pipeline.

Iris daemon · live event stream
iris · host-agent · 10.0.1.15 · v0.4.1
monitors armed · proc / file / net / log
queue: 0 pending · server: reachable

→ [proc] python3 spawned by bash (pid 3821)
  parent: /bin/bash · user: www-data · unusual
→ [file] /etc/cron.d/cleanup modified
  writer: pid 3821 (python3) · 03:14:22 UTC
→ [net] outbound :4444 established
  proc: python3 pid 3821 · dest: 185.220.101.x
→ AI triage: HIGH relevance · batch queued
→ shipped to Horus · incident created

Full capability set

Everything Iris does.

Four monitors, AI triage, offline resilience and deep Horus integration.

Rust daemon

Single Binary

4MB Rust binary. Zero dependencies. <0.5% CPU when idle. Registers as a systemd service on install. Bounded offline queue prevents OOM. Single install script.

  • Ubuntu 20.04+ / Debian 11+
  • <0.5% CPU when idle
  • 40-second install
  • Auto-restarts on upgrade
Monitor 1

Process Monitor

Watches process spawns and exits. Captures parent-child relationships, user context, and binary path. Detects unusual spawners (web server → shell → python).

  • Spawn + exit events
  • Parent-child chain
  • User + binary context
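The "unusual spawner" rule above is an ancestry check over spawn events. The following is an added example written for this page, not Iris's own code: it builds a pid map from a constructed list of spawn events and flags any interpreter whose parent chain contains a shell that itself descends from a web server. The role lists, the ProcEvent shape and the sample pids are assumptions made for the example.

```rust
use std::collections::HashMap;

/// A process-spawn event in the shape a host monitor records it.
/// (Constructed for this example; not Iris's event schema.)
#[derive(Debug, Clone)]
pub struct ProcEvent {
    pub pid: u32,
    pub ppid: u32,
    pub exe: String,  // binary path
    pub user: String, // effective user the process runs as
}

/// Coarse role of a binary, keyed on its basename. The lists are illustrative;
/// a real rule set would be configurable.
fn role(exe: &str) -> &'static str {
    let name = exe.rsplit('/').next().unwrap_or(exe);
    match name {
        "nginx" | "apache2" | "httpd" | "php-fpm" | "gunicorn" | "uwsgi" => "webserver",
        "sh" | "bash" | "dash" | "zsh" => "shell",
        "python" | "python3" | "perl" | "ruby" | "nc" | "ncat" | "socat" => "interpreter",
        _ => "other",
    }
}

/// One hit: the interpreter pid, its user, and the ancestry root-first.
#[derive(Debug, PartialEq)]
pub struct ChainHit {
    pub pid: u32,
    pub user: String,
    pub chain: Vec<String>,
}

/// Flag interpreters whose ancestry runs webserver -> shell -> interpreter.
/// Ancestry is walked through the spawn events themselves, so the rule still
/// fires after the intermediate shell has exited, as long as its spawn was seen.
pub fn find_suspicious_chains(events: &[ProcEvent]) -> Vec<ChainHit> {
    let by_pid: HashMap<u32, &ProcEvent> = events.iter().map(|e| (e.pid, e)).collect();
    let mut hits = Vec::new();
    for e in events {
        if role(&e.exe) != "interpreter" {
            continue;
        }
        // Collect roles child-first; the depth bound guards against pid-reuse cycles.
        let mut chain = vec![e.exe.clone()];
        let mut roles = vec![role(&e.exe)];
        let mut cur = e.ppid;
        for _ in 0..16 {
            match by_pid.get(&cur) {
                Some(p) => {
                    chain.push(p.exe.clone());
                    roles.push(role(&p.exe));
                    cur = p.ppid;
                }
                None => break,
            }
        }
        // A shell somewhere above the interpreter, and a web server above that shell.
        let web_above_shell = roles
            .iter()
            .position(|r| *r == "shell")
            .map(|i| roles[i..].iter().any(|r| *r == "webserver"))
            .unwrap_or(false);
        if web_above_shell {
            chain.reverse();
            hits.push(ChainHit { pid: e.pid, user: e.user.clone(), chain });
        }
    }
    hits
}

/// Constructed sample: an nginx worker (www-data) spawning bash then python3,
/// beside a benign sshd -> bash -> python3 session for user alice.
pub fn sample_events() -> Vec<ProcEvent> {
    let ev = |pid, ppid, exe: &str, user: &str| ProcEvent { pid, ppid, exe: exe.into(), user: user.into() };
    vec![
        ev(1, 0, "/sbin/init", "root"),
        ev(900, 1, "/usr/sbin/nginx", "root"),
        ev(910, 900, "/usr/sbin/nginx", "www-data"),
        ev(3800, 910, "/bin/bash", "www-data"),
        ev(3821, 3800, "/usr/bin/python3", "www-data"),
        ev(500, 1, "/usr/sbin/sshd", "root"),
        ev(600, 500, "/bin/bash", "alice"),
        ev(610, 600, "/usr/bin/python3", "alice"),
    ]
}

fn main() {
    for hit in find_suspicious_chains(&sample_events()) {
        println!("pid {} ({}): {}", hit.pid, hit.user, hit.chain.join(" -> "));
    }
}
```

Only the www-data chain fires; alice's interactive python3 has a shell above it but no web server above the shell, which is the distinction that keeps the rule from paging on every developer session.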
Monitor 2

File Watcher

Watches critical config paths: /etc, /var/spool/cron, SSH keys, sudoers. Captures who wrote what and when. Detects unauthorized modifications.

  • Critical config paths
  • Writer PID + timestamp
  • Configurable watch list
Monitor 3

Network Events

Tracks outbound connections and new listeners. Ties connections back to the originating process. Detects unexpected C2 callbacks, port binds and lateral movement.

  • Outbound connections + dest
  • New listeners on all interfaces
  • Process-to-connection linkage
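Process-to-connection linkage on Linux without a kernel module comes down to joining /proc/net/tcp (socket table, keyed by inode) against the socket inodes found under /proc/<pid>/fd. The following is an added example for this page, not Iris's implementation: it parses a constructed /proc/net/tcp snapshot, joins it to a constructed inode-to-pid map, and applies the two rules named above (listener on all interfaces, established connection to a non-private destination). A best-effort reader for the live /proc tree is included but not used by the sample; the addresses, pids and inode numbers are made up.

```rust
use std::collections::HashMap;
use std::net::Ipv4Addr;

/// One row of /proc/net/tcp after parsing.
#[derive(Debug, PartialEq)]
pub struct Socket {
    pub local: (Ipv4Addr, u16),
    pub remote: (Ipv4Addr, u16),
    pub state: &'static str,
    pub uid: u32,
    pub inode: u64,
}

fn parse_addr(field: &str) -> Option<(Ipv4Addr, u16)> {
    let (ip_hex, port_hex) = field.split_once(':')?;
    let ip = u32::from_str_radix(ip_hex, 16).ok()?;
    let port = u16::from_str_radix(port_hex, 16).ok()?;
    // The kernel prints the IPv4 word in host byte order (little-endian on x86),
    // so "0F01000A" is 10.0.1.15.
    Some((Ipv4Addr::from(ip.to_le_bytes()), port))
}

fn state_name(code: &str) -> &'static str {
    match code { "01" => "ESTABLISHED", "06" => "TIME_WAIT", "0A" => "LISTEN", _ => "OTHER" }
}

/// Parse the text of /proc/net/tcp (header line first).
pub fn parse_proc_net_tcp(text: &str) -> Vec<Socket> {
    text.lines().skip(1).filter_map(|line| {
        let f: Vec<&str> = line.split_whitespace().collect();
        if f.len() < 10 { return None; }
        Some(Socket {
            local: parse_addr(f[1])?,
            remote: parse_addr(f[2])?,
            state: state_name(f[3]),
            uid: f[7].parse().ok()?,
            inode: f[9].parse().ok()?,
        })
    }).collect()
}

/// Live hosts: readlink on /proc/<pid>/fd/* yields "socket:[<inode>]".
/// Best effort; pids we cannot read (permissions, already exited) are skipped.
pub fn inode_map_from_proc() -> HashMap<u64, u32> {
    let mut map = HashMap::new();
    let procs = match std::fs::read_dir("/proc") { Ok(d) => d, Err(_) => return map };
    for p in procs.flatten() {
        let pid: u32 = match p.file_name().to_string_lossy().parse() { Ok(n) => n, Err(_) => continue };
        let fds = match std::fs::read_dir(p.path().join("fd")) { Ok(d) => d, Err(_) => continue };
        for fd in fds.flatten() {
            if let Ok(target) = std::fs::read_link(fd.path()) {
                let t = target.to_string_lossy();
                if let Some(n) = t.strip_prefix("socket:[").and_then(|s| s.strip_suffix(']')) {
                    if let Ok(inode) = n.parse() { map.insert(inode, pid); }
                }
            }
        }
    }
    map
}

#[derive(Debug, PartialEq)]
pub struct Finding { pub pid: u32, pub kind: &'static str, pub detail: String }

/// Join sockets to owning pids and apply two rules: a listener bound on all
/// interfaces, and an established connection to a non-private, non-loopback host.
pub fn link_and_flag(sockets: &[Socket], inode_to_pid: &HashMap<u64, u32>) -> Vec<Finding> {
    sockets.iter().filter_map(|s| {
        let pid = *inode_to_pid.get(&s.inode)?;
        match s.state {
            "LISTEN" if s.local.0.is_unspecified() =>
                Some(Finding { pid, kind: "new_listener", detail: format!("0.0.0.0:{}", s.local.1) }),
            "ESTABLISHED" if !s.remote.0.is_private() && !s.remote.0.is_loopback() =>
                Some(Finding { pid, kind: "outbound", detail: format!("{}:{}", s.remote.0, s.remote.1) }),
            _ => None,
        }
    }).collect()
}

/// Constructed snapshot: sshd listening on *:22, a uid-33 process connected out to
/// 203.0.113.7:4444, and the same process talking to a local MySQL on 127.0.0.1:3306.
pub const SAMPLE_PROC_NET_TCP: &str = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0F01000A:A8C2 077100CB:115C 01 00000000:00000000 00:00000000 00000000    33        0 123456 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:C6A0 0100007F:0CEA 01 00000000:00000000 00:00000000 00000000    33        0 22222 1 0000000000000000 20 4 30 10 -1
";

/// Constructed stand-in for inode_map_from_proc() so the example runs offline.
pub fn sample_inode_map() -> HashMap<u64, u32> {
    HashMap::from([(11111, 700), (123456, 3821), (22222, 3821)])
}

fn main() {
    let socks = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP);
    for f in link_and_flag(&socks, &sample_inode_map()) {
        println!("[net] {} pid {} -> {}", f.kind, f.pid, f.detail);
    }
}
```

Polling /proc this way misses connections that open and close between two scans; an agent that needs every short-lived connection has to take events from the kernel (netlink sock_diag, audit, or eBPF) instead of sampling the table.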
Monitor 4

Log Scraper

Tails journald and auditd logs. Pattern-matches against known attack signatures: sudo escalations, failed auth bursts, kernel module loads.

  • journald + auditd
  • Pattern-matched signatures
  • Auth and escalation events
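Two of the signature classes listed above, run over sample log lines as an added example (written for this page, not Iris's rule engine): a sliding-window count of failed SSH passwords per source address, and a sudo-to-root by a service account. The journald lines are constructed, the service-account list is an assumption, and the kernel-module rule is left out because its exact message text varies by distribution.

```rust
use std::collections::{HashMap, HashSet};

#[derive(Debug, PartialEq)]
pub struct Alert { pub rule: &'static str, pub subject: String, pub at: String }

/// Accounts that should never escalate to root interactively (illustrative list).
const SERVICE_ACCOUNTS: &[&str] = &["www-data", "nginx", "apache", "postgres", "mysql"];

fn hms_to_secs(ts: &str) -> Option<u32> {
    let mut it = ts.split(':');
    let h: u32 = it.next()?.parse().ok()?;
    let m: u32 = it.next()?.parse().ok()?;
    let s: u32 = it.next()?.parse().ok()?;
    Some(h * 3600 + m * 60 + s)
}

/// Split the syslog-style short format journald prints:
/// "Mon DD HH:MM:SS host unit[pid]: message" -> (seconds, time, unit, message)
fn split_line(line: &str) -> Option<(u32, &str, &str, &str)> {
    let mut p = line.splitn(5, ' ');
    let (_mon, _day, time, _host) = (p.next()?, p.next()?, p.next()?, p.next()?);
    let (unit, msg) = p.next()?.split_once(": ")?;
    Some((hms_to_secs(time)?, time, unit, msg))
}

/// The whitespace-delimited token following `key` in `s`.
fn after<'a>(s: &'a str, key: &str) -> Option<&'a str> {
    let i = s.find(key)?;
    s[i + key.len()..].split_whitespace().next()
}

/// Scan lines in order. A failed-auth burst fires when one source produces
/// `burst` failures inside `window_secs`; a sudo rule fires when a service
/// account becomes root. Each rule fires once per subject.
pub fn scan(lines: &[&str], window_secs: u32, burst: usize) -> Vec<Alert> {
    let mut alerts = Vec::new();
    let mut fails: HashMap<String, Vec<u32>> = HashMap::new(); // source ip -> recent failure times
    let mut fired: HashSet<String> = HashSet::new();
    for line in lines {
        let (t, time, unit, msg) = match split_line(line) { Some(x) => x, None => continue };
        if unit.starts_with("sshd") && msg.contains("Failed password") {
            if let Some(ip) = after(msg, " from ") {
                let hits = fails.entry(ip.to_string()).or_default();
                hits.push(t);
                hits.retain(|&x| t.saturating_sub(x) <= window_secs); // slide the window
                if hits.len() >= burst && fired.insert(ip.to_string()) {
                    alerts.push(Alert { rule: "failed_auth_burst", subject: ip.to_string(), at: time.to_string() });
                }
            }
        } else if unit.starts_with("sudo") {
            // "    www-data : TTY=pts/0 ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash"
            let user = msg.split_whitespace().next().unwrap_or("");
            let target = after(msg, "USER=").unwrap_or("");
            if target == "root" && SERVICE_ACCOUNTS.contains(&user) && fired.insert(format!("sudo:{}", user)) {
                alerts.push(Alert { rule: "service_account_sudo_root", subject: user.to_string(), at: time.to_string() });
            }
        }
    }
    alerts
}

/// Constructed journald lines: a password-guessing run from 203.0.113.7, one stray
/// failure from another host, a normal admin sudo, and a sudo by www-data.
pub const SAMPLE_LOG: &[&str] = &[
    "Mar 12 03:13:58 web01 sshd[1200]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar 12 03:14:01 web01 sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2",
    "Mar 12 03:14:02 web01 sshd[1205]: Failed password for root from 198.51.100.9 port 40100 ssh2",
    "Mar 12 03:14:04 web01 sshd[1207]: Failed password for root from 203.0.113.7 port 51041 ssh2",
    "Mar 12 03:14:07 web01 sshd[1209]: Failed password for invalid user test from 203.0.113.7 port 51055 ssh2",
    "Mar 12 03:14:11 web01 sshd[1211]: Failed password for root from 203.0.113.7 port 51060 ssh2",
    "Mar 12 03:14:15 web01 sshd[1213]: Failed password for root from 203.0.113.7 port 51072 ssh2",
    "Mar 12 03:14:22 web01 sudo[2310]:     alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Mar 12 03:14:30 web01 sudo[2318]: www-data : TTY=pts/0 ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash",
];

fn main() {
    for a in scan(SAMPLE_LOG, 60, 5) {
        println!("[log] {} subject={} at {}", a.rule, a.subject, a.at);
    }
}
```

The burst alert fires on the fifth failure at 03:14:11 and not again on the sixth, and the alice sudo is ignored because only the account, not the target user, is what makes the second rule interesting.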
AI

AI Triage

Batches of events scored by AI triage model. Only relevant events queued and shipped to Horus. Noise filtered at the source. Token-economic: cheap periodic triage, not per-event LLM calls.

  • Batch scoring (not per-event)
  • Relevance threshold configurable
  • Token-economic design
Resilience

Offline Queue + Backpressure

If the Horus server is unreachable, events queue to local disk up to a configurable maximum size and are retried with exponential backoff. Because the queue is bounded it cannot exhaust memory or disk, even on disk-constrained hosts; the trade-off is that once the backlog reaches the maximum, something has to be dropped, so "no data loss" holds for outages the configured size can absorb. No duplicate delivery.

  • Bounded queue (configurable max)
  • Retry with exponential backoff
  • No OOM on disk-constrained hosts
  • No duplicate delivery
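The three guarantees in this card and in the overview above (bounded queue, exponential backoff, no duplicates) interact, and the interaction is easiest to see in code. The following is an added example written for this page, not Iris's queue: an in-memory bounded FIFO standing in for the on-disk queue, a capped backoff schedule, and a receiver that dedupes on event id so that a retry after a lost ack does not produce a second copy. Drop-oldest eviction, the batch size and the id scheme are design choices assumed here for illustration.

```rust
use std::collections::{HashSet, VecDeque};

#[derive(Debug, Clone, PartialEq)]
pub struct Event { pub id: u64, pub payload: String }

#[derive(Debug, PartialEq)]
pub enum Push { Queued, Evicted(u64) } // Evicted carries the id dropped to make room

/// Bounded FIFO standing in for the on-disk queue. When full it evicts the
/// oldest event instead of growing, so memory (or disk) use has a hard ceiling;
/// the counter makes that loss visible rather than silent.
pub struct BoundedQueue {
    max: usize,
    next_id: u64,
    pending: VecDeque<Event>,
    pub evicted: u64,
}

impl BoundedQueue {
    pub fn new(max: usize) -> Self {
        BoundedQueue { max, next_id: 1, pending: VecDeque::new(), evicted: 0 }
    }
    pub fn push(&mut self, payload: &str) -> Push {
        let mut result = Push::Queued;
        if self.pending.len() >= self.max {
            if let Some(old) = self.pending.pop_front() {
                self.evicted += 1;
                result = Push::Evicted(old.id);
            }
        }
        self.pending.push_back(Event { id: self.next_id, payload: payload.to_string() });
        self.next_id += 1;
        result
    }
    /// Copy the next batch without removing it: events stay queued until acked.
    pub fn peek_batch(&self, n: usize) -> Vec<Event> {
        self.pending.iter().take(n).cloned().collect()
    }
    /// Acknowledge everything up to and including `up_to`.
    pub fn ack(&mut self, up_to: u64) {
        self.pending.retain(|e| e.id > up_to);
    }
    pub fn len(&self) -> usize { self.pending.len() }
}

/// Exponential backoff with a cap; the shift is clamped so a long outage
/// (large attempt count) cannot overflow the multiplication.
pub fn backoff_ms(attempt: u32, base_ms: u64, cap_ms: u64) -> u64 {
    base_ms.saturating_mul(1u64 << attempt.min(20)).min(cap_ms)
}

/// Receiver side. Delivery is at-least-once (a lost ack causes a resend), so
/// the receiver dedupes on event id to get effectively-once semantics.
#[derive(Default)]
pub struct Receiver { seen: HashSet<u64>, pub accepted: Vec<Event> }

impl Receiver {
    /// Returns the highest id in the batch, which the sender treats as its ack.
    pub fn deliver(&mut self, batch: &[Event]) -> u64 {
        for e in batch {
            if self.seen.insert(e.id) {
                self.accepted.push(e.clone());
            }
        }
        batch.iter().map(|e| e.id).max().unwrap_or(0)
    }
}

/// Walk-through: 7 events into a queue of 5 (two evicted), then a batch whose
/// first ack is lost and is resent after backoff. Returns
/// (evicted count, ids the receiver accepted, events still pending).
pub fn simulate() -> (u64, Vec<u64>, usize) {
    let mut q = BoundedQueue::new(5);
    for i in 0..7 {
        q.push(&format!("event {}", i));
    }
    let mut rx = Receiver::default();
    let batch = q.peek_batch(3); // ids 3, 4, 5 (1 and 2 were evicted)
    rx.deliver(&batch); // attempt 1: received, but the ack never comes back
    let _wait = backoff_ms(1, 500, 30_000); // sender would sleep 1000 ms here
    let acked = rx.deliver(&batch); // attempt 2: duplicates ignored, ack returned
    q.ack(acked);
    (q.evicted, rx.accepted.iter().map(|e| e.id).collect(), q.len())
}

fn main() {
    let (evicted, accepted, pending) = simulate();
    println!("evicted={} accepted={:?} pending={}", evicted, accepted, pending);
    for a in 0..6 {
        println!("attempt {} -> wait {} ms", a, backoff_ms(a, 500, 30_000));
    }
}
```

Two things to check in any real agent against this model: the evicted counter should itself be reported once the server is reachable again, so a long outage shows up as a known gap rather than a silent one, and ids must survive a daemon restart (a persisted sequence or a per-boot prefix), or the receiver's dedupe set loses its meaning.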

Host visibility,
at minimal cost.

4MB binary. 40-second install. MIT licensed. See Iris running in the live demo.