⚠️ This page has been superseded.
The canonical DaemonEye Product Requirements Document moved on 2026-04-25 to a consolidated document covering the entire product suite (Community + Business + Enterprise tiers).
See: DaemonEye Product Requirements Document (v1.0)
The content below is preserved for historical reference. Do not update this page; make changes on the new PRD instead.
## Historical content (preserved as of 2026-04-25)
| Field | Value |
|---|---|
| Driver | Ken Melton |
| Approver | Ken Melton |
| Contributors | Krystal Melton |
| Informed | TBD |
| Objective | Deliver silent, sovereign observability for defenders in restricted or air-gapped environments — replacing traditional EDR/XDR tools with a stealth platform that operates entirely under the customer's control. |
| Due date | v1.0.0 target: 2026-10-09 |
| Key outcomes | Continuous local observability of processes and network activity. Zero-egress telemetry model (customer sees all, shares nothing). Signed audit chains with forensic fidelity. Scalable proxy tree architecture without cloud backend. Fully operational in air-gapped or restricted environments. |
| Status | Superseded |
## Vision
DaemonEye provides silent, sovereign observability for defenders in restricted or air-gapped environments. It enables organizations to watch from the shadows — tracing attacker behavior across systems without tipping off the adversary. Every endpoint becomes a stealth honeypot; every process chain a forensic record.
> "We watch from the shadows, and our eyes never close."
| Principle | Description |
|---|---|
| No cloud, no leaks | All telemetry stays under customer control |
| Observe, don't disrupt | Human-in-the-loop tracing and containment |
| Audit, don't guess | Every action is signed and verifiable |
| Local-first architecture | Works entirely offline or within enclaves |

Design origin: ShadowHunt Concept
## Problem statement
Traditional EDR/XDR tools depend on continuous connectivity, vendor-controlled cloud analytics, and active remediation logic. These traits make them unusable in classified, air-gapped, or compliance-restricted environments.
Organizations need a quiet, controlled hunt and response capability that delivers:
- Full process and network visibility across enclaves
- Forensic traceability with cryptographic integrity
- Human-controlled escalation without automated disruption
DaemonEye fills this gap by replacing external telemetry with internal trust — sovereign detection and forensics under the operator's control.
## Target users and environments
- Defense, intelligence, and research networks
- Critical infrastructure and industrial control systems
- Incident response teams in sovereign or isolated environments
- Red/blue exercises requiring covert visibility
## Scope
Must have:
- Local process and connection collection (PID, PPID, cmdline, hash, IP tuples)
- Rule engine for heuristic detections (SQL-based queries)
- TraceCommand: focused tracing on process lineage upon trigger
- Signed audit ledger with per-event verification
- Multi-proxy store-and-forward architecture for scale
- Security Center web UI for alerts, traces, and forensic timeline
- Export capability for signed forensic packages
- mTLS-only connections using customer-owned certificates
- Store-and-forward WAL design (agents never push to the internet)

Nice to have:
- Federation across multiple Security Centers
- Kernel-level telemetry (eBPF, ETW, EndpointSecurity)
- Behavioral analytics and drift correlation
- Compliance mapping (NIST, ISO, CIS)
- STIX/TAXII threat intel exchange (offline sync)
- SSO/LDAP and advanced RBAC

Not in scope:
- Cloud-hosted analytics or vendor-managed telemetry
- Automated remediation or active response (observe-only philosophy)
- Antivirus or signature-based malware detection
- Outbound telemetry or data exfiltration to external services
## Key differentiators
| Domain | DaemonEye Advantage |
|---|---|
| Data Sovereignty | No outbound telemetry; all operations within customer enclave |
| Stealth Operation | Silent rules and trace commands undetectable to adversaries |
| Focused Forensics | Trace-by-lineage, not bulk telemetry dumps |
| Scalable Architecture | Fanout-style proxy tree (Agents -> Proxies -> Security Center) |
| Audit Integrity | Ed25519-signed logs with immutable ledger |
| Offline Operation | Fully functional in disconnected or classified environments |
## Architecture overview
### Components
| Component | Function |
|---|---|
| Agent (Procmond) | Captures process, file, and network metadata locally |
| Proxy Node (PX) | Store-and-forward buffer for agents; batches and compresses data to Security Center |
| Security Center (SC) | Central management and correlation point. Runs the rule engine, handles trace commands, and aggregates audit logs |
### Communication model
- mTLS-only connections using customer-owned certificates
- Store-and-forward WAL design: agents never push to the internet
- Cross-host tracing: SC links process chains across hosts using shared trace IDs
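The signed, per-event-verifiable audit ledger that the scope, differentiators and communication model all rely on can be illustrated with a small hash chain. This is an added example, not DaemonEye's own code: each record carries the digest of its predecessor and an Ed25519 signature over its own digest, so `Verify` pinpoints the first altered, removed or wrongly-keyed record. The field names, the digest encoding and the single operator key are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Event is one audit record; Prev is the hex digest of the previous record
// (the hash chain) and Sig an Ed25519 signature over this record's digest.
type Event struct{ Actor, Action, Prev string; Sig []byte }
// Ledger is an append-only list of signed records checked against one public
// key (assumed here to be the operator's key from the customer-owned PKI).
type Ledger struct{ Events []Event; Pub ed25519.PublicKey }
// genesisPrev is the chain pointer of the first record (32 zero bytes, hex).
var genesisPrev = hex.EncodeToString(make([]byte, 32))

// digest covers every field except the signature, so any edit to the body
// or to the chain pointer changes what was signed.
func digest(e Event) []byte {
	sum := sha256.Sum256([]byte(e.Actor + "\x00" + e.Action + "\x00" + e.Prev))
	return sum[:]
}

// Append signs a new record and links it to the current head of the chain.
func (l *Ledger) Append(priv ed25519.PrivateKey, actor, action string) {
	prev := genesisPrev
	if n := len(l.Events); n > 0 {
		prev = hex.EncodeToString(digest(l.Events[n-1]))
	}
	e := Event{Actor: actor, Action: action, Prev: prev}
	e.Sig = ed25519.Sign(priv, digest(e))
	l.Events = append(l.Events, e)
}

// Verify re-checks every pointer and signature; it returns the index of the
// first bad record, or -1 when the whole ledger is intact.
func (l *Ledger) Verify() (int, error) {
	prev := genesisPrev
	for i, e := range l.Events {
		if e.Prev != prev {
			return i, errors.New("chain break: record does not link to its predecessor")
		}
		d := digest(e)
		if !ed25519.Verify(l.Pub, d, e.Sig) {
			return i, errors.New("bad signature: record body or pointer was altered")
		}
		prev = hex.EncodeToString(d)
	}
	return -1, nil
}
```

A real ledger would persist records to the WAL and carry a timestamp and trace ID, but the verification logic is the same.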
## Non-functional requirements
| Category | Target |
|---|---|
| Performance | <5% CPU utilization, <100 MB RAM per host |
| Latency | <1s event propagation within enclave |
| Scalability | 500 agents per proxy node; horizontal scaling supported |
| Security | mTLS, customer PKI, signed rule packs |
| Auditability | All operator actions signed and recorded |
| Availability | Offline survivability via WAL; resilient to link outages |
## Licensing model
DaemonEye offers two paid tiers and a community edition (non-commercial DIY build).
| Tier | Use Case | Features | Pricing |
|---|---|---|---|
| Business | Single Security Center, moderate fleet | GUI, proxy tree, curated rule packs, connectors | Per-site license (TBD) |
| Enterprise | Multi-site federation, regulated environments | All Business + federation, kernel telemetry, compliance, SSO, SLA support | Custom pricing (TBD) |
| Community | Non-commercial DIY | Agent, CLI rule engine, single node | Free / Apache 2.0 |
- Community edition is not a paid tier; it serves ecosystem and visibility goals
- Licensing remains perpetual (no subscription required). Optional annual maintenance (updates/support) may be offered
- Each tier enforces scale and feature boundaries (number of endpoints, federation, compliance modules)
## Risks and mitigations
| Risk | Mitigation |
|---|---|
| Government or large buyers purchase Business tier | Enforce scale and feature caps contractually; define clear upgrade triggers |
| Brand unfamiliarity | Early-adopter discount in exchange for references; publish transparent design and audits |
| Support overhead | Buffer baked into pricing; optional paid support add-on |
| Customer data sensitivity | Zero-egress policy and cryptographic audit chain |
| Feature creep | Strict MVP roadmap, modular design |
## Timeline
| Phase | Description |
|---|---|
| Phase 1 — Shadow-Hunt MVP (Q1) | Agent, Proxy, Security Center, tracing demo |
| Phase 2 — Business (Q2) | GUI, proxy scaling, rule packs, connectors |
| Phase 3 — Enterprise (Q3-Q4) | Kernel telemetry, federation, compliance modules |
## Milestones and deadlines
| Milestone | Owner | Deadline | Status |
|---|---|---|---|
| Linux agent with process collection | Ken Melton | Q1 2026 | In Progress |
| Proxy node with WAL, compression, and replay | Ken Melton | Q1 2026 | Not Started |
| Security Center backend + minimal UI | Ken Melton | Q2 2026 | Not Started |
| TraceCommand and audit signing | Ken Melton | Q2 2026 | Not Started |
| Cross-host trace demo (Apache->bash->ssh) | Ken Melton | Q2 2026 | Not Started |
| Enterprise: kernel telemetry and federation | Ken Melton | Q3-Q4 2026 | Not Started |
| v1.0.0 release | Ken Melton | 2026-10-09 | Not Started |
## Messaging and positioning
| Tier | Message |
|---|---|
| Community | "Build your own observability. We give you the tools." |
| Business | "Professional-grade monitoring you can actually run offline." |
| Enterprise | "Sovereign observability for nations, defense, and critical infrastructure." |
DaemonEye is not an antivirus, a telemetry feed, or a cloud service. It is a stealth observability platform designed for defenders who can't rely on anyone else.
Our promise: You own the eyes, you control the data, and nothing leaves your walls.