Dosu Logo
Home
Documents
Feature Tiers
Feature Tiers
Type
External
Status
Published
Created
Mar 8, 2026
Updated
Apr 3, 2026
Updated by
Dosu Bot

DaemonEye offers three distinct tiers, each carefully crafted to address diverse organizational requirements and deployment sizes. While all tiers share a foundational, security-first architecture, they progressively introduce more sophisticated capabilities.

Core Tier (Open Source)#

License: Apache 2.0
Target: Individual users, small teams, proof-of-concept deployments

Core Components#

  • procmond: Privileged process collector with minimal attack surface
  • daemoneye-agent: User-space detection orchestrator with SQL-based rules
  • daemoneye-cli: Command-line interface for queries and management
  • daemoneye-lib: Shared library with common functionality

Key Features#

  • Cross-Platform Compatibility: Supports Linux, macOS, and Windows for broad accessibility.
  • Process Monitoring: Provides comprehensive cross-platform process enumeration and monitoring capabilities.
  • SQL Detection Engine: Enables flexible rule creation through the use of standard SQL queries.
  • Multi-Channel Alerting: Offers diverse alerting options including stdout, syslog, webhook, email, and file output.
  • Audit Logging: Implements a Certificate Transparency-style Merkle tree with inclusion proofs for robust audit trails.
  • Offline Operation: Ensures full functionality even without internet connectivity.
  • CLI Interface: Features extensive command-line tools for simplified management.
  • Configuration Management: Utilizes a hierarchical system for streamlined configuration.

Performance Characteristics#

  • CPU Usage: <5% sustained during continuous monitoring
  • Memory Usage: <100MB resident under normal operation
  • Process Enumeration: <5 seconds for 10,000+ processes
  • Database Operations: >1,000 records/second write rate
  • Alert Latency: <100ms per detection rule execution

Use Cases#

  • Individual security researchers and analysts
  • Small development teams requiring process monitoring
  • Proof-of-concept security deployments
  • Educational and training environments
  • Airgapped or offline environments

Business Tier (Commercial)#

License: $199/site (one-time)
Target: Small to medium teams, consultancies, managed security services

All Core Tier Features Plus#

Security Center Server#

  • Centralized Management: Single point of control for multiple agents
  • Agent Registration: Secure mTLS-based agent authentication
  • Data Aggregation: Centralized collection of alerts and process data
  • Configuration Distribution: Centralized rule management and deployment
  • Integration Hub: Single point for external SIEM integrations

Web GUI Frontend#

  • Fleet Dashboard: Real-time view of all connected agents
  • Alert Management: Filtering, sorting, and export of alerts
  • Rule Management: Visual rule editor and deployment interface
  • System Health: Agent connectivity and performance metrics
  • Data Visualization: Charts and graphs for security analytics

Enhanced Output Connectors#

  • Splunk HEC: Native Splunk HTTP Event Collector integration
  • Elasticsearch: Bulk indexing with index pattern management
  • Kafka: High-throughput message streaming
  • CEF Format: Common Event Format for SIEM compatibility
  • STIX 2.1: Structured Threat Information eXpression export

Curated Rule Packs#

  • Malware TTPs: Common malware tactics, techniques, and procedures
  • MITRE ATT&CK: Framework-based detection rules
  • Industry Standards: CIS, NIST, and other compliance frameworks
  • Cryptographic Signatures: Ed25519-signed rule packs for integrity
  • Auto-Update: Automatic rule pack distribution and updates

Container & Kubernetes Support#

  • Docker Images: Pre-built container images for all components
  • Kubernetes Manifests: DaemonSet and deployment configurations
  • Helm Charts: Package management for Kubernetes deployments
  • Service Mesh: Istio and Linkerd integration support

Deployment Patterns#

  • Direct Agent-to-SIEM: Agents send directly to configured SIEM systems
  • Centralized Proxy: All agents route through Security Center
  • Hybrid Mode: Agents send to both Security Center and direct SIEM (recommended)

Performance Characteristics#

  • Agents per Security Center: 1,000+ agents
  • Alert Throughput: 10,000+ alerts per minute
  • Data Retention: Configurable retention policies
  • Query Performance: Sub-second queries across agent fleet

Use Cases#

  • Security consultancies managing multiple clients
  • Managed Security Service Providers (MSSPs)
  • Small to medium enterprises with distributed infrastructure
  • Organizations requiring centralized security management
  • Teams needing enhanced SIEM integration

Enterprise Tier (Commercial)#

License: $199/site (one-time)
Target: Large enterprises, government agencies, critical infrastructure

All Business Tier Features Plus#

Kernel-Level Monitoring#

  • Linux eBPF: Real-time syscall monitoring and process tracking
  • Windows ETW: Event Tracing for Windows integration
  • macOS EndpointSecurity: Native security framework integration
  • Container Awareness: Kubernetes and Docker container monitoring
  • Network Correlation: Process-to-network activity correlation

Federated Security Centers#

  • Hierarchical Architecture: Regional and Primary Security Centers
  • Distributed Queries: Cross-center query execution and aggregation
  • Data Replication: Automatic data synchronization between centers
  • Failover Support: Automatic failover and load balancing
  • Geographic Distribution: Multi-region deployment support

Advanced Threat Intelligence#

  • STIX/TAXII Integration: Automated threat intelligence ingestion
  • Indicator Conversion: STIX indicators to detection rules
  • Threat Feed Management: Multiple threat intelligence sources
  • IOC Matching: Indicator of Compromise correlation
  • Threat Hunting: Advanced query capabilities for threat hunting

Enterprise Analytics#

  • Distributed Analytics: Cross-fleet security analytics
  • Machine Learning: Anomaly detection and behavioral analysis
  • Risk Scoring: Dynamic risk assessment and prioritization
  • Compliance Reporting: Automated compliance and audit reporting
  • Custom Dashboards: Configurable security dashboards

Advanced Security Features#

  • Zero Trust Architecture: Comprehensive zero trust implementation
  • Identity Integration: Active Directory and LDAP integration
  • Role-Based Access Control: Granular permission management
  • Audit Trail: Comprehensive audit logging and compliance
  • Data Encryption: End-to-end encryption for all data flows

High Availability & Scalability#

  • Clustering: Multi-node Security Center clusters
  • Load Balancing: Automatic load distribution
  • Disaster Recovery: Backup and recovery procedures
  • Horizontal Scaling: Scale-out architecture support
  • Performance Optimization: Advanced caching and optimization

Performance Characteristics#

  • Agents per Federation: 10,000+ agents
  • Regional Centers: 100+ regional centers per federation
  • Query Latency: <100ms for distributed queries
  • Data Volume: Petabyte-scale data processing
  • Uptime: 99.99% availability SLA

Use Cases#

  • Large enterprises with global infrastructure
  • Government agencies and critical infrastructure
  • Financial services and healthcare organizations
  • Organizations requiring compliance (SOX, HIPAA, PCI-DSS)
  • Multi-tenant service providers

Feature Comparison Matrix#

FeatureCoreBusinessEnterprise
Process MonitoringYesYesYes
SQL Detection EngineYesYesYes
Multi-Channel AlertingYesYesYes
Audit LoggingYesYesYes
Offline OperationYesYesYes
CLI InterfaceYesYesYes
Security CenterNoYesYes
Web GUINoYesYes
Enhanced ConnectorsNoYesYes
Curated Rule PacksNoYesYes
Container SupportNoYesYes
Kernel MonitoringNoNoYes
FederationNoNoYes
STIX/TAXIINoNoYes
Advanced AnalyticsNoNoYes
Zero TrustNoNoYes
High AvailabilityNoNoYes
## Licensing Architecture ### Dual-License Strategy The DaemonEye project maintains a dual-license approach to balance open source accessibility with commercial sustainability: - **Core Components**: Apache 2.0 licensed (procmond, daemoneye-agent, daemoneye-cli, daemoneye-lib) - **Business Tier Features**: \$199/site one-time license (Security Center, GUI, enhanced connectors, curated rules) - **Enterprise Tier Features**: Custom pricing (kernel monitoring, federation, STIX/TAXII integration) ### Feature Gating Implementation ```rust // Compile-time feature gates #[cfg(feature = "business-tier")] pub mod security_center;

#[cfg(feature = "business-tier")]
pub mod enhanced_connectors;

#[cfg(feature = "enterprise-tier")]
pub mod kernel_monitoring;

#[cfg(feature = "enterprise-tier")]
pub mod federation;

### Runtime License Validation
- **Cryptographic Signatures**: Ed25519 signatures for license validation
- **Site Restrictions**: Hostname/domain matching for license compliance
- **Feature Activation**: Runtime feature activation based on license
- **Graceful Degradation**: Fallback to lower tier when license is invalid
### License Distribution
- **Core Tier**: GitHub releases with Apache 2.0 license
- **Business Tier**: Separate distribution channel with license keys
- **Enterprise Tier**: Enterprise distribution with support and SLA
- **Hybrid Builds**: Single binary with runtime feature activation
## Migration Path
### Core to Business
- Install Security Center server
- Configure agent uplink connections
- Deploy curated rule packs
- Set up enhanced connectors
### Business to Enterprise
- Enable kernel-level monitoring
- Deploy federated Security Centers
- Integrate STIX/TAXII feeds
- Configure advanced analytics
### Backward Compatibility
- All tiers maintain API compatibility
- Configuration migration tools provided
- Data export/import capabilities
- Gradual feature activation
*Choose the tier that best fits your organization's needs, with the flexibility to upgrade as requirements grow and evolve.*