
Open-source endpoint detection for Windows, Linux, and macOS.
Native telemetry → Sigma / YARA / IOC detection → SIEM-ready alerts. Written in Rust.
Website · Docs · Download · SIEM demos

Rustinel ships as a single binary with bundled demo rules. Install it, trigger a test command, and read the alert.
Linux
curl -fsSL https://raw.githubusercontent.com/Karib0u/rustinel/main/scripts/install/install.sh | sh -s -- --run
Windows — from an elevated PowerShell:
Invoke-WebRequest https://raw.githubusercontent.com/Karib0u/rustinel/main/scripts/install/install.ps1 -OutFile install-rustinel.ps1
powershell -ExecutionPolicy Bypass -File .\install-rustinel.ps1 -Run
macOS (experimental) — install the same way (drop --run), then grant Full Disk Access to your terminal app before the first start: Endpoint Security needs a one-time macOS approval, so the agent exits with NotPermitted and opens the right Settings pane until you grant it. Full walkthrough in Getting Started.
With the agent running, fire the bundled demo rule — same command on every platform:
whoami
Your alert lands in logs/alerts.json.<date> as ECS NDJSON — ready to ship straight to a SIEM.
Prefer to read before you run? Download the install script and inspect it, or grab a binary from the latest release. The installer only pulls published release binaries. macOS support is experimental and needs root plus user approval for the signed Endpoint Security client; see Getting Started.
A transparent endpoint detection engine you can read, run, test, and extend — no black box.
/dev/bpf on macOS, normalized into one shared event model.| Platform | Sensor | Telemetry | Status |
|---|---|---|---|
| Windows 10/11, Server 2016+ | ETW | Process, image load, network, file, registry, DNS, PowerShell, WMI, service, task | Stable |
| Linux 5.8+ (BTF) | eBPF | Process, network, file, DNS | Stable |
| macOS 11+ | Endpoint Security + /dev/bpf |
Process, file, network, DNS | Experimental |
Windows coverage is the broadest today; Linux and macOS focus on process, network, file, and DNS. macOS remains experimental while signed and notarized release packaging is validated across supported versions. Full notes are in the platform docs.
ETW (Windows) · eBPF (Linux) · ESF + /dev/bpf (macOS)
│
Normalized event model
│
┌───────────────┼───────────────┐
Sigma YARA IOC
behavior files + hashes, IPs,
rules memory domains, paths
└───────────────┼───────────────┘
│
ECS NDJSON alerts
│
Optional active response
See the detection docs for rule authoring, YARA memory scanning, and IOC formats.
The bundled rules just prove the pipeline works. For real coverage, load curated content from rustinel-rules — the official, versioned, CI-tested detection repository.
rustinel → the engine that collects telemetry and evaluates rules
rustinel-rules → the Sigma / YARA / IOC packs it loads (no conversion step)
Each pack materializes into folders you point config.toml straight at. Browse the pack catalog to get started.
Use it for detection engineering, rule development and testing, blue-team labs, cross-platform detection research, and SIEM pipeline validation.
It is not a drop-in replacement for a mature commercial EDR. Rustinel does not provide kernel-level self-protection, pre-execution blocking, or anti-tamper guarantees, and a sufficiently privileged attacker may interfere with user-mode telemetry. It is a transparent detection engine — not a managed response platform.
cargo build --release
sudo ./target/release/rustinel run
macOS requires the app-like signed bundle described in Getting Started.
Website · Docs home · Getting Started · Configuration · Detection · Architecture · Operations · Troubleshooting · FAQ · Detection rules · Roadmap
Testing, feedback, and detection ideas are all welcome — see CONTRIBUTING.md.
$ claude mcp add rustinel \
-- python -m otcore.mcp_server <graph>