🔒SecurityRepoIndex

Velociraptor

Endpoint visibility and DFIR at scale using VQL — query live hosts and hunt across a fleet in one language

4.6/ 54,070 GitHub starsGoAGPL-3.0

⚡ TL;DR

What
Endpoint visibility and DFIR at scale using VQL — query live hosts and hunt across a fleet in one language
Who
DFIR responders, Threat hunters, SOC analysts, Incident responders
Catch
VQL has a real learning curve before you're productive
Verdict
⭐⭐⭐⭐⭐ Essential

🎯 The Problem It Solves

When incident response hits, you need to ask every endpoint the same question fast: \'who ran this binary?\', \'what\'s listening on 4444?\', \'show me the PowerShell history.\' Velociraptor lets you query thousands of endpoints with VQL — a SQL-like language for endpoints — instead of pushing a one-off script and praying.

🔧 How It Works

A Velociraptor server coordinates a fleet of lightweight agents. You write a VQL query (e.g. query the Windows registry, NTFS $MFT, process list, or network connections) and either run it on a single live endpoint (\'Interactive Shell\') or as a hunt across the whole fleet. Results flow back into the server for triage, collection and artifact export. It also does continuous monitoring and can collect forensic artifacts (like a triage zip) on demand.

🚀 Installation & Quick Start

Installation

download from velocidex.com

Quick Start

  1. Download the binary: go to the releases page and grab velociraptor
  2. Generate config and start the server: velociraptor config generate -i && velociraptor --config server.config.yaml frontend
  3. Enroll an agent with the generated client config
  4. Open the GUI, go to 'VQL Drilldown' and run a query like: SELECT * FROM pslist() WHERE Name =~ 'powershell'
  5. Launch a hunt: Hunt Manager -> New Hunt -> choose an artifact (e.g. Windows.System.PowerShell.Transcripts)

✅ Pros

  • Insanely fast fleet queries — ask 5,000 endpoints one question in seconds
  • Single agent does IR, hunting and monitoring
  • Open source and agent is lightweight
  • VQL is powerful once learned; reusable across hunts

❌ Cons

  • VQL has a real learning curve before you're productive
  • Deployment = agent rollout, which is its own project
  • Not a SIEM — it's a querying/hunting tool, pair it with logging
  • Server scaling needs attention at very large fleets

💬 Practitioner Verdict

"Velociraptor is the tool I reach for the moment an IR queue opens. The ability to ask every endpoint the same question in VQL is a step-change over pushing scripts. Learn VQL and you\'ll wonder how you did incident response before it."
Emmanuel, Security Reviewer

📊 Specifications

Language
Go
License
AGPL-3.0
Platform
Linux, macOS, Windows
Kill Chain
Detection / Response / IR
MITRE ATT&CK
T1003, T1059, T1070

💰 Pricing Reality

Free and open source (AGPL-3.0). Rapid7 (which acquired the company behind it) offers commercial support. The tool itself is unencumbered.

👥 Community Health

Stars4,070
Forks630
Contributors121
Health Score9.1/10

🏷️ Tags

DFIROpen SourceFreeEndpoint Security

🔗 Similar Tools