Part of the DaemonEye suite of tools: Continuous monitoring. Immediate alerts.
"Auditd without the noise. Osquery without the bloat."
DaemonEye Architecture Note
ProcMonD is the privileged process monitoring component of the DaemonEye package. DaemonEye consists of three components:
- ProcMonD (Collector): Runs with high privileges, focused solely on process monitoring, with a minimal attack surface and no direct network functionality.
- Orchestrator: Operates in user space with very few privileges, receives events from ProcMonD, handles all network communication and alert delivery to log sinks, and communicates with ProcMonD only via secure, memory-only IPC (e.g., Unix sockets).
- CLI: Local command-line interface that interacts with the orchestrator for querying data, exporting results, and tuning service configuration.

This separation ensures robust security: ProcMonD remains isolated and hardened, while orchestration/network tasks are delegated to a low-privilege process, and all user interaction is handled via the orchestrator's CLI.
Free / Homelab
**$0 --- Always Free**
For hackers, homelabbers, and operators who want clean visibility without SaaS strings.
- Full daemon (Rust core)
- SQL rule engine (DIY + community rules)
- Syslog, email, webhook alerts
- Tamper-evident logging
- Cross-platform (Linux, macOS, Windows)
- GitHub Sponsors tip jar if you dig it
For the lab. For your side projects. For free, forever.
Business
**Flat License --- TBD/site**
For small teams and consultancies who need more polish and integrations. One-time fee, no subscription.
- Everything in Free
- Curated rule packs (malware TTPs, suspicious parent/child, process hollowing)
- Output connectors: Splunk HEC, Elastic, Kafka
- Container / K8s DaemonSet deployment
- Export to CEF, JSON, or STIX-lite
- Optional GUI frontend ($19 per seat)
- Signed installers (MSI/DMG, ready to deploy)
Professional-grade monitoring you can actually run offline.
Enterprise
**Org License --- Let's Talk**
For SOCs, IR teams, and industrial/government environments where process visibility is non-negotiable. (Pricing starts in the low 4-figures, one-time license. Optional paid update packs.)
- Everything in Business
- eBPF integration for kernel-level visibility
- Central collector for fleet monitoring
- Advanced SIEM integration (full STIX/TAXII, compliance mappings)
- Hardened builds with SLSA provenance & Cosign signatures
- Optional commercial license for enterprises that can't ship Apache 2.0
- Quarterly Enterprise Rule Packs with threat intel updates
When compliance meets detection. Built for enclaves, critical infrastructure, and SOCs that need serious visibility.
Notes
- No subscriptions. No license servers. No hidden telemetry.
- The free tier is fully functional—paid tiers add polish and scale.
- Pricing is a starting point—EvilBit Labs is not a sales shop; we keep it simple.
Feature Comparison
| **Feature** | **Free/Homelab** | **Business** | **Enterprise** |
| --- | --- | --- | --- |
| **Core Monitoring** | Yes | Yes | Yes |
| **SQL Rule Engine** | Yes | Yes | Yes |
| **Basic Alerts** | Yes | Yes | Yes |
| **Cross-Platform** | Yes | Yes | Yes |
| **Curated Rule Packs** | No | Yes | Yes |
| **SIEM Connectors** | No | Yes | Yes |
| **Container Support** | No | Yes | Yes |
| **Export Formats** | Basic | CEF/STIX | Full STIX/TAXII |
| **GUI Frontend** | No | Optional | Yes |
| **Kernel Monitoring** | No | No | Yes |
| **Fleet Management** | No | No | Yes |
| **Compliance Mappings** | No | No | Yes |
| **Enterprise Support** | No | No | Yes |