Dosu Logo
Home
Documents
DaemonEye Project Overview
DaemonEye Project Overview
Type
External
Status
Published
Created
Apr 18, 2026
Updated
Apr 26, 2026
Updated by
Dosu Bot
Source
View

Mission Statement#

"We watch from the shadows — our eyes never close."
DaemonEye is a silent observability and hunt layer for sensitive, restricted, and air-gapped environments. It turns endpoints into stealth honeypots: passive by default, surgically traceable on demand, and cryptographically auditable. Telemetry never leaves customer control unless explicitly exported by an operator.
The core use-case — ShadowHunt — is built around silently tracing process lineages and network interactions when a heuristic triggers, allowing analysts to reconstruct attack paths without alerting adversaries. Every architectural decision serves this workflow: privilege separation, protobuf IPC, hash-chained audit ledger, SQL-based detection DSL, and the extensible collector-core SDK.
This is a complete Rust 2024 rewrite of a proven Python prototype, delivering enterprise-grade performance with audit-grade integrity while maintaining the security-first, offline-capable philosophy.
Design origin: ShadowHunt Concept

Core Mission#

Provide defenders in restricted, air-gapped, and compliance-sensitive environments with a quiet, controlled hunt and response capability that delivers:

  • Full process and network visibility across enclaves
  • Focused trace-by-lineage (not bulk telemetry dumps) triggered by heuristic detections
  • Forensic traceability with cryptographic integrity (Ed25519 signed, BLAKE3 hash-chained)
  • Human-controlled escalation without automated disruption
  • Cross-host trace stitching via shared trace IDs
  • Zero-egress telemetry model — customer sees all, shares nothing
    DaemonEye replaces external telemetry with internal trust: sovereign detection and forensics under the operator's control.

Key Value Propositions#

Stealth Observability#

  • Silent by default — rules and traces generate no host-visible artifacts
  • Focused tracing on process lineage upon trigger, not continuous bulk capture
  • Cross-host trace stitching without tipping off adversaries
  • Hypothesis sandbox for ad-hoc SQL queries against stored trace data

Audit-Grade Integrity#

  • Certificate Transparency-style Merkle tree with inclusion proofs suitable for compliance and forensics
  • BLAKE3 hashing for fast, cryptographically secure hash computation
  • Ed25519 signatures for all trace events and operator actions
  • Append-only audit ledger with monotonic sequence numbers

Offline-First Operation#

  • Full functionality without internet access, perfect for airgapped environments
  • Local rule caching ensures detection continues during network outages
  • Buffered alert delivery with a persistent queue for reliability
  • Bundle-based configuration and rule distribution system (signed bundles, sneaker-net updates)

Customer Sovereignty#

  • All telemetry owned and controlled by the customer
  • No automatic egress to external cloud services
  • mTLS using customer-owned certificates
  • Export only via explicitly configured, operator-initiated one-way sinks

Security-First Architecture#

  • Privilege separation with minimal attack surface
  • Automatic privilege drop after initialization
  • Zero unsafe code (unsafe_code = "forbid" at workspace level)
  • SQL injection prevention with AST validation

High Performance#

  • <5% CPU overhead while monitoring 10,000+ processes
  • Sub-second process enumeration for large systems
  • <100ms alert latency per detection rule

Operator-Centric Design#

  • Built for operators in contested environments
  • Privacy defaults: command args masked; RBAC for trace initiation
  • Comprehensive CLI with multiple output formats
  • Color support with NO_COLOR and TERM=dumb handling

Three-Component Architecture#

DaemonEye implements a three-component security architecture with strict privilege separation. The open-source Community tier contains the agent-side components; Business and Enterprise tiers add Security Center (SC), Proxy nodes (PX), GUI, federation, and kernel telemetry.

1. procmond (Privileged Process Collector)#

  • Purpose: Minimal privileged component for secure process data collection
  • Security: Runs with elevated privileges, drops them immediately after initialization
  • Network: No network access whatsoever
  • Database: Write-only access to audit ledger
  • Features: Process enumeration, executable hashing, Certificate Transparency-style audit ledger

2. daemoneye-agent (Detection Orchestrator)#

  • Purpose: User-space detection rule execution, alert management, and trace coordination
  • Security: Minimal privileges, outbound-only network connections
  • Database: Read/write access to event store
  • Features:
    • SQL-based detection engine with AST validation
    • Multi-channel alerting with reliability guarantees
    • Embedded EventBus broker for collector coordination
    • RPC service for collector lifecycle management (start/stop/restart/health checks)
    • Multi-collector task distribution and result aggregation
    • Correlation tracking for distributed operations
    • TraceCommand execution for focused lineage tracing

3. daemoneye-cli (Operator Interface)#

  • Purpose: Command-line interface for queries, management, and diagnostics
  • Security: No network access, read-only database operations
  • Features: JSON/table output, color handling, shell completions, system health monitoring

4. daemoneye-lib (Shared Core)#

  • Purpose: Common functionality shared across all components
  • Modules: config, models, storage, detection, alerting, crypto, telemetry
  • Security: Trait-based abstractions with security boundaries

5. collector-core (Collector SDK)#

  • Purpose: SDK providing all shared operational infrastructure for collectors (IPC, capability negotiation, health monitoring, shutdown coordination, event bus integration)
  • Languages: Rust SDK today; Go SDK planned for platform-optimal collectors (see ADR-0003)
  • Contract: Protobuf IPC (ipc.proto, eventbus.proto) — language-neutral boundary

Full Deployment (Business/Enterprise tiers)#

ComponentTierFunction
Proxy Node (PX)Business+Store-and-forward buffer; WAL, batching, compression, flow control, QoS, command routing
Security Center (SC)Business+Fleet registry, rule execution, correlation, UI, audit ledger, export configuration
Kernel CollectorsEnterpriseeBPF (Linux), ETW (Windows), EndpointSecurity (macOS)
FederationEnterpriseMulti-site hierarchical aggregation and query distribution
Communication model: Events flow up (AG→PX→SC). Control messages (TraceCommand) flow down (SC→PX→AG). All mTLS authenticated using customer-owned PKI.

Target Users#

Primary Users#

  • SOC Analysts: Monitoring fleet infrastructure, reconstructing attack paths via lineage graphs
  • Security Operations & Incident Response Teams: Investigating compromised systems with focused tracing
  • System Reliability Engineers: Requiring low-overhead monitoring in sensitive environments
  • Blue Team Security Engineers: Integrating with existing security infrastructure
  • Red/Blue Exercise Teams: Requiring covert visibility during exercises

Organizational Context#

  • Small Teams: Community tier for standalone process monitoring
  • Consultancies: Business tier for client management and reporting
  • Enterprises: Enterprise tier for large-scale, federated deployments
  • Government/Military/Intelligence: Air-gapped environments with strict compliance requirements
  • Critical Infrastructure: Industrial control systems, research networks

Key Features#

Threat Detection Capabilities#

Process Behavior Analysis#

  • Detect process hollowing and executable integrity violations
  • Identify suspicious parent-child relationships (e.g., Apache → bash → ssh)
  • Monitor process lifecycle events in real-time
  • Track process memory usage and CPU consumption patterns

Anomaly Detection#

  • Identify unusual resource consumption patterns
  • Detect suspicious process name duplications
  • Monitor for process injection techniques
  • Track unusual network activity patterns

SQL-Based Detection Engine#

  • Flexible rule creation using a custom SQL-like DSL
  • Sandboxed execution with resource limits
  • AST validation to prevent injection attacks
  • Comprehensive library of built-in detection rules

Focused Tracing (ShadowHunt workflow)#

  • TraceCommand targets specific PID and descendants
  • Configurable capture depth, duration, and event types
  • Cross-host trace fan-out via shared trace_id
  • All trace events cryptographically signed and stored to audit ledger
  • Privacy-masked by default; operator must justify revealing command args

System Integration#

Cross-Platform Support#

  • Linux: Native process enumeration with eBPF integration (Enterprise tier)
  • macOS: EndpointSecurity framework integration (Enterprise tier)
  • Windows: ETW integration and Windows API access (Enterprise tier)
  • Container Support: Kubernetes DaemonSet deployment

Multi-Channel Alerting#

  • Local Outputs: stdout, syslog, file output
  • Network Outputs: webhooks, email, Kafka
  • SIEM Integration: Splunk HEC, Elasticsearch, CEF format
  • Enterprise Integration: STIX/TAXII feeds, federated Security Centers

Certificate Transparency Audit Logging#

  • Cryptographic integrity for forensic analysis
  • Certificate Transparency-style Merkle tree with rs-merkle
  • Ed25519 digital signatures and inclusion proofs
  • Millisecond-precision timestamps

Resource-Bounded Operation#

  • Graceful degradation under load
  • Memory pressure detection and response
  • CPU throttling under high load conditions
  • Circuit breaker patterns for external dependencies

Technology Stack#

Core Technologies#

  • Language: Rust 2024 Edition (MSRV: 1.91+)
  • Safety: unsafe_code = "forbid" at the workspace level with comprehensive linting
  • Quality: warnings = "deny" with a zero-warnings policy enforced by CI
  • Async Runtime: Tokio with a full feature set for I/O and task management
  • Collection Framework: collector-core SDK for extensible event source management

Database Layer#

  • Core: redb (pure Rust embedded database) for optimal performance and security
  • Features: Concurrent access, ACID transactions, zero-copy deserialization
  • Configuration: Separate event store and audit ledger with different durability settings
  • Business/Enterprise: PostgreSQL for centralized data aggregation

CLI Framework#

  • clap v4: Derive macros with shell completions (bash, zsh, fish, PowerShell)
  • Terminal: Automatic color detection, NO_COLOR and TERM=dumb support
  • Output: JSON and human-readable formats with configurable formatting

Configuration Management#

  • Hierarchical loading: Embedded defaults → System files → User files → Environment → CLI flags
  • Formats: YAML, JSON, TOML support via figment
  • Validation: Comprehensive validation with detailed error messages

Error Handling#

  • Libraries: thiserror for structured error types
  • Applications: anyhow for error context and chains
  • Pattern: Graceful degradation with detailed error context

Logging & Observability#

  • Structured Logging: tracing ecosystem with JSON output
  • Metrics: Optional Prometheus integration
  • Performance: Built-in performance monitoring and resource tracking

Performance Requirements#

System Performance#

  • CPU Usage: <5% sustained during continuous monitoring
  • Memory Usage: <100MB resident under normal operation
  • Process Enumeration: <5 seconds for 10,000+ processes
  • Database Operations: >1,000 records/second write rate
  • Alert Latency: <100ms per detection rule execution

Scalability#

  • Single Agent: Monitor 10,000+ processes with minimal overhead
  • Fleet Management: Support for 1,000+ agents per Security Center
  • Regional Centers: Aggregate data from multiple regional deployments
  • Enterprise Federation: Hierarchical data aggregation and query distribution

Security Principles#

Principle of Least Privilege#

  • Only procmond runs with elevated privileges when necessary
  • Immediate privilege drop after initialization
  • Detection and alerting run in the user space
  • Component-specific database access patterns

Defense in Depth#

  • Multiple layers of security controls
  • Input validation at all boundaries
  • Sandboxed rule execution
  • Cryptographic integrity verification

Zero Trust Architecture#

  • Mutual TLS authentication between components
  • Certificate-based agent registration
  • No implicit trust relationships
  • Continuous verification and validation

License Model#

Dual-License Strategy#

  • Core Components: Apache 2.0 licensed (procmond, daemoneye-agent, daemoneye-cli, daemoneye-lib, collector-core)
  • Business Tier Features: Per-site license (Security Center, GUI, enhanced connectors, curated rules)
  • Enterprise Tier Features: Custom pricing (kernel monitoring, federation, STIX/TAXII integration)

Feature Gating#

  • Compile-time feature gates for tier-specific functionality
  • Runtime license validation with cryptographic signatures
  • Graceful degradation when the license is invalid or expired
  • Site restriction validation for license compliance

DaemonEye is not an antivirus, a telemetry feed, or a cloud service. It is a stealth observability platform designed for defenders who can't rely on anyone else. You own the eyes, you control the data, and nothing leaves your walls.

DaemonEye Project Overview | Dosu