Velociraptor
Endpoint visibility and DFIR at scale using VQL — query live hosts and hunt across a fleet in one language
⚡ TL;DR
🎯 The Problem It Solves
When incident response hits, you need to ask every endpoint the same question fast: \'who ran this binary?\', \'what\'s listening on 4444?\', \'show me the PowerShell history.\' Velociraptor lets you query thousands of endpoints with VQL — a SQL-like language for endpoints — instead of pushing a one-off script and praying.
🔧 How It Works
A Velociraptor server coordinates a fleet of lightweight agents. You write a VQL query (e.g. query the Windows registry, NTFS $MFT, process list, or network connections) and either run it on a single live endpoint (\'Interactive Shell\') or as a hunt across the whole fleet. Results flow back into the server for triage, collection and artifact export. It also does continuous monitoring and can collect forensic artifacts (like a triage zip) on demand.
🚀 Installation & Quick Start
Installation
download from velocidex.comQuick Start
- Download the binary: go to the releases page and grab velociraptor
- Generate config and start the server: velociraptor config generate -i && velociraptor --config server.config.yaml frontend
- Enroll an agent with the generated client config
- Open the GUI, go to 'VQL Drilldown' and run a query like: SELECT * FROM pslist() WHERE Name =~ 'powershell'
- Launch a hunt: Hunt Manager -> New Hunt -> choose an artifact (e.g. Windows.System.PowerShell.Transcripts)
✅ Pros
- •Insanely fast fleet queries — ask 5,000 endpoints one question in seconds
- •Single agent does IR, hunting and monitoring
- •Open source and agent is lightweight
- •VQL is powerful once learned; reusable across hunts
❌ Cons
- •VQL has a real learning curve before you're productive
- •Deployment = agent rollout, which is its own project
- •Not a SIEM — it's a querying/hunting tool, pair it with logging
- •Server scaling needs attention at very large fleets
💬 Practitioner Verdict
"Velociraptor is the tool I reach for the moment an IR queue opens. The ability to ask every endpoint the same question in VQL is a step-change over pushing scripts. Learn VQL and you\'ll wonder how you did incident response before it."
📊 Specifications
- Language
- Go
- License
- AGPL-3.0
- Platform
- Linux, macOS, Windows
- Kill Chain
- Detection / Response / IR
- MITRE ATT&CK
- T1003, T1059, T1070
💰 Pricing Reality
Free and open source (AGPL-3.0). Rapid7 (which acquired the company behind it) offers commercial support. The tool itself is unencumbered.