Innerwarden
Autonomous security agent for Linux. Ring -2 to Ring 3 visibility: 38 eBPF hooks, 48 detectors, 23 cross-layer correlation rules, behavioral DNA fingerprinting, JA3/JA4 TLS, YARA+Sigma, baseline anomaly detection, playbook engine. Rust, BUSL-1.1.
Inner Warden
Inner Warden is an autonomous security agent for Linux and macOS. Full-stack visibility from Ring -2 (firmware) to Ring 3 (userspace). 38 eBPF kernel hooks. 48 detectors. 20 collectors. 23 cross-layer correlation rules. Behavioral DNA attacker fingerprinting. Baseline anomaly detection. JA3/JA4 TLS fingerprinting. YARA + Sigma rule engines. Automated playbook response. Monthly threat reports. AI agent protection (Agent Guard). Mesh collaborative defense. No cloud. No dependencies. Just two Rust daemons and a CLI.
```bash
curl -fsSL https://innerwarden.com/install | sudo bash
```
Installs in 10 seconds. Starts in observe-only mode. You decide when to go live.
Who this is for
Inner Warden is built for system administrators, DevOps engineers, and security professionals who manage Linux or macOS servers and want host-level threat detection and response.
You should be comfortable with:
- Managing firewall rules (ufw, iptables, nftables, or pf)
- Reading system logs and understanding security events
- Configuring services via TOML files and systemd/launchd
- Evaluating whether automated responses are appropriate for your environment
This is not a plug-and-play consumer security product. Misconfigured response skills can lock out legitimate users or disrupt services. If you are unfamiliar with Linux system administration, start with the observe-only mode and study the logs before enabling any response capabilities.
<p align="center"> <a href="https://innerwarden.com/live"> <img src="docs/images/live-attack.png" alt="Live threat feed" width="820"> </a> <br> <sub><a href="https://innerwarden.com/live"><strong>Test the tool in real time</strong></a> · <a href="https://vimeo.com/1175992244">Watch the explainer video</a></sub> </p>
https://github.com/user-attachments/assets/b55967a6-a2d0-4158-9007-05e689d5bf0c
https://github.com/user-attachments/assets/6ea1e124-52c2-48fe-8600-4b2f3d670116
<p align="center"> <img src="docs/images/dashboard-sensors.png" alt="Dashboard: sensor HUD with eBPF activity, threat gauge, and detector charts" width="820"> </p>
<p align="center"> <img src="docs/images/dashboard-threats.png" alt="Dashboard: real-time threat overview" width="820"> </p>
<p align="center"> <img src="docs/images/dashboard-investigate.png" alt="Dashboard: IP investigation view" width="820"> </p>
Architecture
```
┌──────────────────────────────────────────────────────────────────────────────────────┐
│                                        KERNEL                                        │
│                                                                                      │
│  ┌────────────────┐   ┌───────────┐                        ┌───────┐  ┌────────────┐ │
│  │ 23 tracepoints │   │ 3 kprobes │                        │ 3 LSM │  │    XDP     │ │
│  │ execve,        │   │ creds,    │                        │ kill  │  │ wire-speed │ │
│  │ connect,       │   │ MSR,      │                        │ chain │  │ IP drop    │ │
│  │ openat, ...    │   │ ACPI      │                        │ 8 pat │  │ 10M+ pps   │ │
│  └────────┬───────┘   └─────┬─────┘                        └───┬───┘  └─────┬──────┘ │
│           │                 │                                  │            │        │
│           └─────────────────┴─────────────────┐                │            │        │
│                                               ▼                │            │        │
│                                        ┌─────────────┐         │            │        │
│                                        │ Ring Buffer │         │            │        │
│                                        │ (1MB epoll) │         │            │        │
│                                        └──────┬──────┘         │            │        │
└───────────────────────────────────────────────┼────────────────┼────────────┼────────┘
                                                │                │            │
┌───────────────────────────────────────────────┼──────────┐     │            │
│                    SENSOR                     │          │     │            │
│                                               ▼          │     │            │
│ ┌──────────┐ ┌──────────┐ ┌────────┐ ┌────────────────┐  │     │            │
│ │ auth.log │ │ journald │ │ Docker │ │ eBPF collector │  │     │            │
│ └─────┬────┘ └─────┬────┘ └────┬───┘ └────────┬───────┘  │     │            │
│       └────────────┴──┬────────┴──────────────┘          │     │            │
│                       │                                  │     │            │
│               ┌───────▼──────┐                           │     │            │
│               │ 48 detectors │                           │     │            │
│               │   stateful   │                           │     │            │
│               └───────┬──────┘                           │     │            │
│                       │                                  │     │            │
│           ┌───────────▼───────────┐                      │     │            │
│           │  events + incidents   │                      │     │            │
│           │        (JSONL)        │                      │     │            │
│           └───────────┬───────────┘                      │     │            │
└───────────────────────┼──────────────────────────────────┘     │            │
                        │                                        │            │
┌───────────────────────┼────────────────────────────────────────┼────────────┼────────┐
│  AGENT                │                                        │            │        │
│                       ▼                                        │            │        │
│             ┌──────────────────┐                               │            │        │
│             │  Algorithm Gate  │  skip low-sev, private IP     │            │        │
│             └─────────┬────────┘                               │            │        │
│                       ▼                                        │            │        │
│            ┌────────────────────┐                              │            │        │
│            │ Enrich: AbuseIPDB, │                              │            │        │
│            │ GeoIP, CrowdSec    │                              │            │        │
│            └──────────┬─────────┘                              │            │        │
│                       ▼                                        │            │        │
│              ┌─────────────────┐                               │            │        │
│              │ AI Triage (opt) │  12 providers, 0.0-1.0 score  │            │        │
│              └────────┬────────┘                               │            │        │
│                       ▼                                        │            │        │
│              ┌─────────────────┐     ┌──────────────┐          │            │        │
│              │ Skill Executor  │────►│ LSM enforce  │◄─────────┘            │        │
│              │ 12 skills +     │     │ XDP block    │◄──────────────────────┘        │
│              │                 │     └──────────────┘                                │
│              │ block_ip (5)    │     ┌──────────────┐     ┌──────────────┐           │
│              │ kill_chain_resp │────►│ Cloudflare   │     │ Mesh Network │           │
│              │ suspend_sudo    │     │ AbuseIPDB    │     │ broadcast to │           │
│              │ kill_process    │     └──────────────┘     │ peer nodes   │           │
│              │ honeypot        │                          └──────────────┘           │
│              └────────┬────────┘                                                     │
│                       │                                                              │
│          ┌────────────┼────────────┐                                                 │
│          ▼            ▼            ▼                                                 │
│     ┌──────────┐ ┌──────────┐ ┌──────────┐                                           │
│     │ Telegram │ │  Slack   │ │ Webhook  │                                           │
│     │   bot    │ │          │ │  (any)   │                                           │
│     └──────────┘ └──────────┘ └──────────┘                                           │
│                                                                                      │
```
