Inner Warden: an autonomous eBPF security agent that fights back
Most security tools only send alerts. Then someone has to wake up, read logs, and react.
Inner Warden does it differently. It detects, decides, and blocks threats in real time, locally on your server, with a tiny footprint of around 29MB.
What it does
- 40+ eBPF kernel hooks (tracepoints, kprobes, LSM, XDP)
- Behavioral DNA tracking for processes and attackers
- On-device anomaly detection with a small autoencoder
- Cross-layer correlation between kernel, userspace, and network
- Wire-speed blocking through XDP
- Automatic honeypot, JA3/JA4 fingerprinting, Sigma and YARA rules
- Mesh network between nodes, so when one detects, all the others block
- Dry-run mode is the default, so it is safe to test
Who is it for
- Self-hosters and homelab people
- Anyone running a Linux server exposed to the internet
- Developers running AI agents (LangChain, CrewAI, OpenAI tools, and similar)
- SREs and sysadmins who want autonomous response instead of 3am alerts
Live demo
You can watch a real server getting attacked right now here:
https://www.innerwarden.com/live
There are scripts on the page if you want to try the attacks yourself.
One-command install
curl -fsSL https://innerwarden.com/install | sudo bash
It starts in dry-run mode, so nothing is blocked until you decide.
Links
- GitHub: https://github.com/InnerWarden/innerwarden
- Website: https://www.innerwarden.com
- Live attack demo: https://www.innerwarden.com/live
The project is under active development (currently v0.13.1) and I am looking for contributors, especially people with experience in:
- Low-level Rust and eBPF
- Detection engineering and red teaming
- Testing and real-world scenarios
If you like Rust, eBPF, cybersecurity, or self-hosted infrastructure, I would really love your feedback. Try it, break it, open issues. Every bug report helps a lot.
Thanks for reading.