# DaemonEye Product Requirements Document
- **Type:** External
- **Status:** Published
- **Created:** Mar 8, 2026
- **Updated:** Apr 3, 2026
- **Updated by:** Dosu Bot

**AI summary:** DaemonEye is a stealth observability platform for defenders in restricted or air-gapped environments. It provides silent, sovereign observability without cloud connectivity, in environments where traditional EDR/XDR tools cannot operate. Key features include full process and network visibility, forensic traceability, and human-controlled escalation, all with a zero-egress telemetry model and a proxy tree architecture for scalability. It offers Business and Enterprise paid tiers along with a free Community edition, emphasizing data sovereignty, stealth, and audit integrity.

## 1. Vision

DaemonEye provides silent, sovereign observability for defenders in restricted or air-gapped environments. It enables organizations to **watch from the shadows**, tracing attacker behavior across systems without tipping off the adversary. Every endpoint becomes a stealth honeypot; every process chain a forensic record.

"We watch from the shadows, and our eyes never close."

### Core Philosophy

- **No cloud, no leaks:** All telemetry stays under customer control.
- **Observe, don't disrupt:** Human-in-the-loop tracing and containment.
- **Audit, don't guess:** Every action is signed and verifiable.
- **Local-first architecture:** Works entirely offline or within enclaves.

## 2. Problem Statement

Traditional EDR/XDR tools depend on continuous connectivity, vendor-controlled cloud analytics, and active remediation logic. These traits make them unusable in classified, air-gapped, or compliance-restricted environments.

Organizations need a **quiet, controlled hunt and response capability** that delivers:

- Full process and network visibility across enclaves.
- Forensic traceability with cryptographic integrity.
- Human-controlled escalation without automated disruption.

DaemonEye fills this gap by replacing external telemetry with internal trust: sovereign detection and forensics under the operator's control.

## 3. Product Goals

  1. Deliver continuous local observability of processes and network activity.
  2. Enable on-demand, stealth tracing of suspicious lineages.
  3. Maintain a zero-egress telemetry model (customer sees all, shares nothing).
  4. Scale through a proxy tree architecture, not a cloud backend.
  5. Preserve forensic fidelity with signed audit chains.
  6. Empower analysts to reconstruct attacker movement across hosts.
  7. Operate fully within air-gapped or restricted environments.

## 4. Target Users & Environments

- Defense, intelligence, and research networks.
- Critical infrastructure and industrial control systems.
- Incident response teams in sovereign or isolated environments.
- Red/blue exercises requiring covert visibility.

## 5. Key Differentiators

| Domain | DaemonEye Advantage |
|---|---|
| **Data Sovereignty** | No outbound telemetry; all operations stay within the customer enclave. |
| **Stealth Operation** | Silent rules and trace commands, undetectable to the adversary. |
| **Focused Forensics** | Trace by lineage, not bulk telemetry dumps. |
| **Scalable Architecture** | Fan-out proxy tree (Agents → Proxies → Security Center). |
| **Audit Integrity** | Ed25519-signed logs in an immutable ledger. |
| **Offline Operation** | Fully functional in disconnected or classified environments. |
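The Audit Integrity row above, together with the signed audit ledger with per-event verification required in section 7 and the "all operator actions signed and recorded" target in section 10, describes a hash-chained log in which every entry is signed with the Security Center's Ed25519 key. The Go program below is an added illustration of that construction, not DaemonEye's code; the entry fields, the JSON canonical form and the sample actions are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Entry is one ledger record (fields assumed for illustration); PrevHash binds it to its predecessor, Sig is the SC's Ed25519 signature.
type Entry struct {
	Seq      uint64 `json:"seq"`
	Time     string `json:"time"`
	Actor    string `json:"actor"`
	Action   string `json:"action"`
	PrevHash string `json:"prev_hash"`
	Sig      string `json:"sig,omitempty"`
}

const genesisHash = "0000000000000000000000000000000000000000000000000000000000000000" // PrevHash of the first entry (32 zero bytes, hex)

// signedBytes is the canonical encoding the signature covers: the JSON form
// with Sig cleared. Struct field order fixes the byte layout, so it is stable.
func (e Entry) signedBytes() []byte {
	e.Sig = ""
	b, _ := json.Marshal(e) // cannot fail for plain string and integer fields
	return b
}

// hash is the link the next entry commits to; it covers Sig as well.
func (e Entry) hash() string {
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Ledger is the Security Center's append-only record of operator actions.
type Ledger struct {
	priv    ed25519.PrivateKey
	pub     ed25519.PublicKey
	entries []Entry
}

func NewLedger() (*Ledger, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Ledger{priv: priv, pub: pub}, nil
}

// Append records one operator action, chained to the current head and signed.
func (l *Ledger) Append(actor, action string) Entry {
	prev := genesisHash
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].hash()
	}
	e := Entry{Seq: uint64(len(l.entries)) + 1, Actor: actor, Action: action, PrevHash: prev,
		Time: time.Now().UTC().Format(time.RFC3339Nano)}
	e.Sig = hex.EncodeToString(ed25519.Sign(l.priv, e.signedBytes()))
	l.entries = append(l.entries, e)
	return e
}

// Verify checks each entry's sequence number, chain link and signature and
// reports the first failure. Only the public key is needed, so an exported
// ledger can be checked by an auditor who never sees the signing key.
func Verify(pub ed25519.PublicKey, entries []Entry) error {
	prev := genesisHash
	for i, e := range entries {
		if e.Seq != uint64(i)+1 {
			return fmt.Errorf("entry %d: sequence gap (seq %d)", i, e.Seq)
		}
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: chain link does not match predecessor", i)
		}
		sig, err := hex.DecodeString(e.Sig)
		if err != nil || len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, e.signedBytes(), sig) {
			return fmt.Errorf("entry %d: bad signature", i)
		}
		prev = e.hash()
	}
	return nil
}

func main() {
	l, err := NewLedger()
	if err != nil {
		panic(err)
	}
	l.Append("analyst@sc", "trace.start host=web01 pid=4212") // constructed sample actions
	l.Append("analyst@sc", "rule.enable id=httpd-spawns-shell")
	fmt.Println("intact ledger:", Verify(l.pub, l.entries))
	l.entries[0].Action = "trace.stop host=web01 pid=4212" // quiet edit of a past action
	fmt.Println("edited entry:", Verify(l.pub, l.entries))
}
```

The chain catches edits, reordering and deletion of interior records, and a wrong key fails on the first entry. It does not catch truncation of the newest entries: a verifier that has never seen the head cannot tell a shortened ledger from a complete one, so the head hash (or periodic signed checkpoints) has to be recorded somewhere the Security Center itself cannot overwrite, for instance inside the signed forensic export.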
## 6. Architecture Overview

### Components

- **Agent (Procmond):** Captures process, file, and network metadata locally.
- **Proxy Node (PX):** Store-and-forward buffer for agents; batches and compresses data before forwarding it to the Security Center.
- **Security Center (SC):** Central management and correlation point. Runs the rule engine, handles trace commands, and aggregates audit logs.

### Communication Model

- **mTLS-only connections** using customer-owned certificates.
- **Store-and-forward WAL design:** agents never push to the internet.
- **Cross-host tracing:** the SC links process chains across hosts using shared trace IDs.

## 7. Functional Requirements

### Core

1. Local process and connection collection (PID, PPID, cmdline, executable hash, IP tuples).
2. Rule engine for heuristic detections (SQL-based queries).
3. TraceCommand: focused tracing of a process lineage when a rule triggers.
4. Signed audit ledger with per-event verification.
5. Multi-proxy store-and-forward architecture for scale.
6. Security Center web UI for alerts, traces, and a forensic timeline.
7. Export capability for signed forensic packages.

### Advanced (Enterprise)

1. Federation across multiple Security Centers.
2. Kernel-level telemetry (eBPF, ETW, EndpointSecurity).
3. Behavioral analytics and drift correlation.
4. Compliance mapping (NIST, ISO, CIS).
5. STIX/TAXII threat intel exchange (offline sync).
6. SSO/LDAP and advanced RBAC.

## 8. Licensing Model

DaemonEye offers **two paid tiers and a community edition** (non-commercial DIY build).
| Tier | Use Case | Features | Pricing (Baseline) |
|---|---|---|---|
| **Business** | Single Security Center, moderate fleet | GUI, proxy tree, curated rule packs, connectors | ~$499/site (launch baseline) + brand buffer (+25%) |
| **Enterprise** | Multi-site federation, regulated environments | All Business features + federation, kernel telemetry, compliance, SSO, SLA support | ~$8,000 baseline (+30% buffer), negotiable |
| **Community (Open Core)** | Non-commercial DIY | Agent, CLI rule engine, single node | Free / Apache 2.0 |
### Notes

- The Community edition is not a paid tier; it serves ecosystem and visibility goals.
- Licensing remains perpetual (no subscription required). Optional annual maintenance (updates and support) may be offered at ~25% of the base price.
- Each tier enforces scale and feature boundaries (number of endpoints, federation, compliance modules).

## 9. MVP Deliverables

1. Linux agent with eBPF collection and /proc fallback.
2. Proxy node with WAL, compression, and replay.
3. Security Center backend and minimal UI.
4. TraceCommand and audit-signing implementation.
5. Apache→bash→ssh cross-host trace demo.
6. Forensic export tool.
7. Documentation and test harness.

## 10. Non-Functional Requirements
| Category | Target |
|---|---|
| **Performance** | <5% CPU utilization, <100 MB RAM per host. |
| **Latency** | <1 s event propagation within the enclave. |
| **Scalability** | 500 agents per proxy node; horizontal scaling supported. |
| **Security** | mTLS, customer PKI, signed rule packs. |
| **Auditability** | All operator actions signed and recorded. |
| **Availability** | Offline survivability via WAL; resilient to link outages. |
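Cross-host tracing (section 6) and the Apache→bash→ssh demo (section 9) rest on two joins the Security Center can make from agent records alone: PPID lineage within a host, and the mirrored connection tuple between the ssh client on one host and the sshd session it opened on the other. The Go program below is an added illustration of that correlation, not DaemonEye's code; the record fields, the hop limit, and the host names, PIDs and addresses are constructed for the example.

```go
package main

import "fmt"

// Per-host records the agents report (field sets assumed for illustration; addresses
// are "ip:port"), and Node, one element of a trace tagged with the shared trace ID.
type Proc struct{ Host string; PID, PPID int; Exe string }
type Conn struct{ Host string; PID int; Laddr, Raddr string }
type Node struct{ TraceID, Host, Exe string; PID, Hop int }

// Fleet is the Security Center's view: every process and connection record
// the agents have reported, in arrival order.
type Fleet struct {
	Procs []Proc
	Conns []Conn
}

func (f Fleet) proc(host string, pid int) (Proc, bool) {
	for _, p := range f.Procs {
		if p.Host == host && p.PID == pid {
			return p, true
		}
	}
	return Proc{}, false
}

// peer joins a connection owned by (host, pid) to the process on another host
// holding its mirror tuple (our remote address is its local one and vice versa):
// the link that carries a trace from an ssh client to the sshd session it opened.
func (f Fleet) peer(host string, pid int) (Proc, bool) {
	for _, out := range f.Conns {
		for _, in := range f.Conns {
			if out.Host == host && out.PID == pid && in.Host != host &&
				in.Laddr == out.Raddr && in.Raddr == out.Laddr {
				return f.proc(in.Host, in.PID)
			}
		}
	}
	return Proc{}, false
}

// Trace models a TraceCommand: record the lineage above the trigger, every
// descendant below it, and follow each one's connections to the peer process
// on the remote host, up to maxHops hops. Every node carries the same traceID.
func (f Fleet) Trace(traceID, host string, pid, maxHops int) []Node {
	var out []Node
	seen := map[Proc]bool{}
	record := func(p Proc, hop int) {
		seen[p] = true
		out = append(out, Node{TraceID: traceID, Host: p.Host, PID: p.PID, Exe: p.Exe, Hop: hop})
	}
	var walk func(p Proc, hop int)
	walk = func(p Proc, hop int) {
		if seen[p] {
			return
		}
		record(p, hop)
		if remote, ok := f.peer(p.Host, p.PID); ok && hop < maxHops {
			walk(remote, hop+1)
		}
		for _, kid := range f.Procs { // descendants, in arrival order
			if kid.Host == p.Host && kid.PPID == p.PID {
				walk(kid, hop)
			}
		}
	}
	// Lineage above the trigger, root-most first, stopping at a parent no agent
	// reported (PID 1 here); the bound guards against PPID loops in bad data.
	var above []Proc
	for p, ok := f.proc(host, pid); ok && len(above) < 64; {
		if p, ok = f.proc(host, p.PPID); ok {
			above = append([]Proc{p}, above...)
		}
	}
	for _, a := range above {
		record(a, 0)
	}
	if p, ok := f.proc(host, pid); ok {
		walk(p, 0)
	}
	return out
}

// sample is constructed data for the Apache→bash→ssh demo: a shell spawned by an
// httpd worker on web01 opens ssh to db01, where the session runs pg_dump.
var sample = Fleet{
	Procs: []Proc{
		{"web01", 900, 1, "cron"}, {"web01", 1200, 1, "httpd"}, {"web01", 1210, 1200, "httpd"},
		{"web01", 1211, 1200, "httpd"}, {"web01", 4212, 1210, "bash"}, {"web01", 4220, 4212, "ssh"},
		{"db01", 700, 1, "sshd"}, {"db01", 880, 700, "sshd"}, {"db01", 881, 880, "bash"}, {"db01", 890, 881, "pg_dump"},
	},
	Conns: []Conn{
		{"web01", 4220, "10.0.0.4:51000", "10.0.0.5:22"}, // ssh client side
		{"db01", 880, "10.0.0.5:22", "10.0.0.4:51000"},   // accepted session, mirror tuple
		{"db01", 700, "10.0.0.5:22", ""},                 // listener, no peer
	},
}

func main() {
	for _, n := range sample.Trace("trace-0001", "web01", 4212, 3) {
		fmt.Printf("%s hop %d  %s pid %-5d %s\n", n.TraceID, n.Hop, n.Host, n.PID, n.Exe)
	}
}
```

The trace stays focused: cron and the sibling httpd worker on web01 never appear, because only the trigger's ancestors and descendants are walked, which is the "trace by lineage, not bulk dumps" property from section 5. Matching the exact mirrored tuple is what lets the SC join two hosts with no agent-to-agent channel, but it assumes both agents see the same addresses; behind NAT or a proxy the tuples differ and the hop is lost, so any real implementation needs a fallback key such as the sshd session's reported client address.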
## 11. Risks & Mitigations
| Risk | Mitigation |
|---|---|
| Government or large buyers purchase the Business tier | Enforce scale and feature caps contractually; define clear upgrade triggers. |
| Brand unfamiliarity | Early-adopter discount in exchange for references; publish transparent design and audits. |
| Support overhead | 25% buffer baked into pricing; optional paid support add-on. |
| Customer data sensitivity | Zero-egress policy and cryptographic audit chain. |
| Feature creep | Strict MVP roadmap; modular design. |
## 12. Roadmap Snapshot

- **Phase 1 (Q1), Shadow-Hunt MVP:** Agent, Proxy, SC, tracing demo.
- **Phase 2 (Q2), Business:** GUI, proxy scaling, rule packs, connectors.
- **Phase 3 (Q3-Q4), Enterprise:** Kernel telemetry, federation, compliance modules.

## 13. Messaging & Positioning
| Tier | Message |
|---|---|
| **Community** | "Build your own observability. We give you the tools." |
| **Business** | "Professional-grade monitoring you can actually run offline." |
| **Enterprise** | "Sovereign observability for nations, defense, and critical infrastructure." |
## 14. Summary

DaemonEye is not an antivirus, a telemetry feed, or a cloud service. It is a **stealth observability platform** designed for defenders who can't rely on anyone else. Two paid tiers keep pricing simple and fair, while a community edition maintains transparency and trust.

**Our promise:** You own the eyes, you control the data, and nothing leaves your walls.