CyberCLI

The roster · 24 free · 6 pro · 72 on the roadmap

Pick what you want to protect. Install. Done.

You don't have to know what Wazuh is to start. Pick the thing you're worried about — your laptops, your firewall, your DNS, your cloud — expand a card to see what to install, and run one command.

Legend: Free (OSS) · Pro (paid vendor) · Roadmap (coming)

Pick by what you need to protect

Click any card to see what it does, where to get it, and the install command. Skip to the MITRE matrix below if you already know which tools you want.

Secure my laptops & servers

5 tools

What's running on each machine, what files changed, what processes started, what users logged in — the unfakeable signal of host compromise.

Wazuh · Free

The keystone of your stack. Wazuh agents sit on every laptop and server, watching files, processes, and system events. It's how you know if something on a machine just got compromised — and how you know what changed.

Install: curl -sO https://packages.wazuh.com/4.x/wazuh-install.sh && sudo bash wazuh-install.sh -a
Category: Host & Endpoint
auditd · Free

Linux's built-in audit recorder. Captures sudo commands, file access, process starts — the unfakeable log of what actually happened on a Linux box. Already installed on most servers; CyberCLI just turns the firehose into signals.

Install: sudo apt install auditd audispd-plugins
Category: Host & Endpoint
osquery · Free

Query your endpoints with SQL. "Show me every host where Chrome is older than version 130" returns in seconds. Persistence checks, software inventory, process tree — answers questions an EDR can't.

Install: curl -fsSL https://pkg.osquery.io/deb/pubkey.gpg | sudo gpg --dearmor -o /usr/share/keyrings/osquery.gpg && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/osquery.gpg] https://pkg.osquery.io/deb deb main" | sudo tee /etc/apt/sources.list.d/osquery.list && sudo apt update && sudo apt install osquery
Category: Host & Endpoint
Falco · Free

Runtime security for Linux and containers. Catches "someone just spawned a shell inside a running container" and "a process is reading /etc/shadow" in real time. CNCF-graduated, container-native.

Install: curl -fsSL https://falco.org/repo/falcosecurity-packages.asc | sudo gpg --dearmor -o /usr/share/keyrings/falco.gpg && echo "deb [signed-by=/usr/share/keyrings/falco.gpg] https://download.falco.org/packages/deb stable main" | sudo tee /etc/apt/sources.list.d/falcosecurity.list && sudo apt update && sudo apt install falco
Category: Host & Endpoint
ClamAV · Free

Free, open-source antivirus. Scans downloaded files, email attachments, and mounted storage against a continuously-updated signature database. Not magic, but it catches the boring stuff so you don't have to.

Install: sudo apt install clamav clamav-daemon && sudo freshclam
Category: Host & Endpoint

Watch my firewall & network

6 tools

Every packet crossing your perimeter, plus the firewall, switch, and AP events that explain why.

pfSense · Free

The de-facto open-source firewall for SMB and homelab. FreeBSD-based, fully configurable via web UI, runs on anything from a Raspberry Pi to a 10G appliance.

Install: Download ISO from pfsense.org · install to bare-metal or VM · point your network at it
Category: Firewall
OPNsense · Free

pfSense's actively-maintained fork with a faster release cadence. Drop-in equivalent — same filterlog format, same rule semantics. Pick whichever your team prefers.

Install: Download ISO from opnsense.org · install to bare-metal or VM
Category: Firewall
Suricata · Free

Watches every packet crossing your network for known-bad signatures and protocol anomalies. The OSS equivalent of a commercial IDS appliance — runs on commodity hardware, no per-Mbps licensing.

Install: sudo add-apt-repository ppa:oisf/suricata-stable && sudo apt update && sudo apt install suricata
Category: Network & IDS
Zeek · Free

Turns raw network traffic into searchable structured logs — every DNS query, every TLS handshake, every HTTP request. Where Suricata says "this looks bad," Zeek lets you reconstruct exactly what happened.

Install: sudo apt install zeek
Category: Network & IDS
CrowdSec · Free

Crowdsourced firewall. Reads logs from anything (web server, SSH, mail) and blocks attackers at the network edge based on a shared community blocklist of known bad IPs. Free to use, free to contribute.

Install: curl -s https://install.crowdsec.net | sudo sh && sudo apt install crowdsec
Category: Network & IDS
UniFi · Pro

Ubiquiti's commercial network platform — UDM, UDM-Pro, Dream Machine, USG, UniFi Switches. CyberCLI pulls firewall events + admin audit + client activity from the controller API, and lights up Protect (camera) events as Pro tier matures.

Install: Already deployed Ubiquiti gear? Generate an API key in your UniFi controller → `cybercli onboard unifi`
Category: Network gear

Monitor my DNS

2 tools

Block malware + tracker domains for everyone on the network, and search the query log when an IOC drops.

AdGuard Home · Free

Self-hosted DNS sinkhole. Blocks tracker and malware domains for everyone on your network, and gives you the query log — invaluable for IOC hunting when someone says "is this domain bad?"

Install: curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
Category: DNS
Pi-hole · Free

The original DNS-level ad/tracker blocker. Lightweight, Raspberry-Pi friendly, web UI included. Same hunting signal as AdGuard — pick whichever you've already deployed.

Install: curl -sSL https://install.pi-hole.net | bash
Category: DNS

Protect my web servers

6 tools

Catch L7 attacks at the edge — probes, scanners, credential-stuffing, OWASP-Top-10 injection.

nginx · Free

The most-deployed open-source web server / reverse proxy in the world. Access + error logs feed Layer-7 anomaly detection (probes, scanners, credential-stuffing attempts).

Install: sudo apt install nginx
Category: Web edge & WAF
Apache · Free

The classic LAMP web server. Still everywhere — especially behind cPanel hosting. Combined-log-format ingest with virtual-host discrimination so multi-tenant servers don't blur.

Install: sudo apt install apache2
Category: Web edge & WAF
Caddy · Free

Modern Go web server with automatic HTTPS. Emits structured JSON access logs that are dramatically easier to parse than combined-log-format. Default-secure config.

Install: sudo apt install caddy
Category: Web edge & WAF
Traefik · Free

Docker-native reverse proxy / edge router. The default in containerized SMB stacks (compose, Swarm, k3s). Routes by labels, auto-renews TLS.

Install: docker run -d --name traefik -p 80:80 -p 443:443 -v /var/run/docker.sock:/var/run/docker.sock traefik:v3
Category: Web edge & WAF
HAProxy · Free

Industrial-grade load balancer / reverse proxy. Where deployed, it's the chokepoint for every HTTP and TCP connection — high-value telemetry source.

Install: sudo apt install haproxy
Category: Web edge & WAF
Coraza WAF · Free

Open-source web application firewall — the modern successor to ModSecurity. Runs the OWASP Core Rule Set inline at your edge to block SQL injection, XSS, and the OWASP Top 10.

Install: Embed in HAProxy via the coraza-spoa agent, or in Caddy via the coraza-caddy plugin — see coraza.io docs
Category: Web edge & WAF

Secure remote access

2 tools

Modern VPN tunnels with session telemetry so credential abuse on remote access surfaces in the case lifecycle.

WireGuard · Free

Modern kernel-space VPN. Tiny attack surface, fast handshake, journald-logged session events — the security stack's preferred remote-access tool.

Install: sudo apt install wireguard wireguard-tools
Category: VPN & remote access
OpenVPN · Free

The classic OSS VPN — still the #1 remote-access vector for SMBs. Connection + authentication events are critical for credential-stuffing detection on the perimeter.

Install: curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh && sudo bash openvpn-install.sh
Category: VPN & remote access

Catch intruders before they pivot

2 tools

Tripwires and honeypots that produce zero false positives by design — any hit is a high-confidence intruder.

OpenCanary · Free

A tripwire daemon. Fakes services (SSH, HTTP, MySQL) that should never get touched on your network — any connection attempt is a high-confidence intruder signal, with zero false positives.

Install: sudo apt install python3-venv && python3 -m venv canary && canary/bin/pip install opencanary && canary/bin/opencanaryd --copyconfig
Category: Deception
Cowrie · Free

Interactive SSH/Telnet honeypot. Records full attacker sessions — every credential they try, every command they run. Combine with OpenCanary for layered deception.

Install: git clone https://github.com/cowrie/cowrie && cd cowrie && python3 -m venv cowrie-env && source cowrie-env/bin/activate && pip install -r requirements.txt
Category: Deception

Find vulnerabilities before attackers do

1 tool

Scan containers, IaC, and filesystems against the CVE feed; turn the output into prioritized signals.

Trivy · Free

Scans containers, filesystems, and infrastructure-as-code for known vulnerabilities and misconfigurations. CI-friendly defaults, generates SBOMs, makes patch-priority decisions easy.

Install: curl -fsSL https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo gpg --dearmor -o /usr/share/keyrings/trivy.gpg && echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list && sudo apt update && sudo apt install trivy   # or: brew install trivy
Category: Vulnerability scanner

Watch the hypervisor

1 tool

VM lifecycle events from your virtualization platform — who spawned what, who exfilled which disk image.

Proxmox VE · Free

Open-source virtualization platform — the post-Broadcom-VMware migration target for SMBs. Cluster-wide audit events from the API give you VM lifecycle visibility.

Install: Download ISO from proxmox.com · install to bare-metal · `cybercli onboard proxmox`
Category: Hypervisor

Cover cloud identity & email · Pro

3 tools

The credential-access perimeter for orgs running on Microsoft, Google, or Okta — the layer your OSS stack physically can't see.

Microsoft 365 · Pro

The default identity perimeter for most SMBs. Pulls Entra ID sign-in events, audit log, risky-user signals, mailbox audit — everything Microsoft already tracks, just routed into your sovereign SOC instead of Microsoft's.

Install: Already on M365? Create an Entra app registration with Reports.Read.All → `cybercli onboard m365`
Category: Cloud Identity & Email
Google Workspace · Pro

The Google-shop equivalent of the M365 lane. Admin SDK Reports API delivers login, drive, mobile, and token activity into your CyberCLI case lifecycle.

Install: Already on Workspace? Create a service account with admin.reports.audit.readonly → `cybercli onboard workspace`
Category: Cloud Identity & Email
Okta · Pro

Dedicated identity provider. Okta's SystemLog API delivers every authentication, MFA challenge, group change, and admin action — the credential-access keystone for orgs that don't centralize on M365 or Workspace.

Install: Already on Okta? Generate an API token with Read-only Admin → `cybercli onboard okta`
Category: Cloud Identity & Email

Cloud-native EDR for endpoints · Pro

2 tools

If you already pay for Falcon or SentinelOne, route their detection stream into the same case lifecycle as everything else.

CrowdStrike · Pro

The cloud-EDR you don't have to run. Falcon's Event Streams API delivers detection telemetry without you owning the data plane — your sovereignty is intact at the SOC layer.

Install: Already on Falcon? Generate Event Streams API credentials → `cybercli onboard crowdstrike`
Category: Cloud EDR
SentinelOne · Pro

The other big SMB cloud-EDR option. Singularity Activity API delivers autonomous-response telemetry into the same case lifecycle as your OSS connectors.

Install: Already on SentinelOne? Generate an API token with Viewer scope → `cybercli onboard sentinelone`
Category: Cloud EDR

MITRE ATT&CK coverage

Free gives host + network visibility across 14 of 14 MITRE tactics. Pro adds the cloud-identity + commercial-EDR + UniFi-network substrate that closes the rest — most notably Credential Access.

Connector Category Tier Recon ResDev Access Exec Persist PrivEsc Evade Creds Discov Lateral Collect C2 Exfil Impact
Free · OSS · 24 connectors
Wazuh Host & Endpoint Free
auditd Host & Endpoint Free
osquery Host & Endpoint Free
Falco Host & Endpoint Free
ClamAV Host & Endpoint Free
Suricata Network & IDS Free
Zeek Network & IDS Free
CrowdSec Network & IDS Free
pfSense Firewall Free
OPNsense Firewall Free
AdGuard Home DNS Free
Pi-hole DNS Free
nginx Web edge & WAF Free
Apache Web edge & WAF Free
Caddy Web edge & WAF Free
Traefik Web edge & WAF Free
HAProxy Web edge & WAF Free
Coraza WAF Web edge & WAF Free
WireGuard VPN & remote access Free
OpenVPN VPN & remote access Free
OpenCanary Deception Free
Cowrie Deception Free
Trivy Vulnerability scanner Free
Proxmox VE Hypervisor Free
↑ Upgrade to Pro · 6 cloud-identity + EDR + network-gear connectors
UniFi Network gear Pro
Microsoft 365 Cloud Identity & Email Pro
Google Workspace Cloud Identity & Email Pro
Okta Cloud Identity & Email Pro
CrowdStrike Cloud EDR Pro
SentinelOne Cloud EDR Pro

MITRE ATT&CK Enterprise v17 · capability mode (not telemetry mode) · single source: src/cybercli/coverage/mitre.py

Roadmap · 72 more in the queue

The connectors we're planning across 14 categories — physical security (cameras, alarms), MSP toolchain (RMM, PSA), backup, MDM, commercial network edge, SaaS storage, compliance, cloud security, additional EDR/XDR, SIEM, identity, vulnerability management, and email. Proposed tier per item; tell us what to ship first.

Cameras & Video Surveillance

Coming soon · 5

Bring physical-security feeds into the same SOC as your cyber telemetry. Person/vehicle/loitering events flow into the same case lifecycle as firewall alerts.

  • Frigate NVR (Free) · Open-source NVR with on-device object detection. The natural first physical-security connector.
  • UniFi Protect (Pro) · Already deployed UniFi gear? Pull person/vehicle events from the Protect API — same Pro license as the network lane.
  • Synology Surveillance Station (Pro) · Common SMB NVR. Camera event + motion API ingest.
  • Blue Iris (Pro) · Windows NVR with broad camera-vendor support. Webhook-out for events.
  • Reolink / Axis / Hikvision (Pro) · Per-vendor camera APIs. Direct ingest where no NVR sits in front.

Alarm Panels & Physical Sensors

Coming soon · 4

Door, window, motion, glass-break — make the physical-intrusion signal cross-correlate with the cyber-intrusion signal in one operator console.

  • Home Assistant security (Free) · Universal smart-home broker. One bridge to Z-Wave / Zigbee / Matter door + motion sensors.
  • Konnected (Free) · Retrofits hardwired alarm panels (Honeywell, DSC, 2GIG) onto IP without ripping wire.
  • Ring / SimpliSafe (Pro) · Cloud-based residential alarm — webhook ingest of door/window/intrusion events.
  • Bosch / DSC / Honeywell IP (Business) · Commercial alarm panels with IP receivers. Contact-ID over network ingest.

RMM / PSA / Ticketing

Coming soon · 7

The MSP toolchain. If you manage customers' endpoints with RMM and tickets with PSA, security signals belong in the same workflow your techs already live in.

  • NinjaOne (Business) · Modern RMM popular with sub-200-endpoint MSPs. Two-way: ingest device events, push CyberCLI alerts as tickets.
  • ConnectWise Manage / Automate (Business) · The legacy MSP heavyweight. Ticket sync + asset reconciliation.
  • Datto RMM / Autotask (Business) · Kaseya-owned RMM + PSA stack. Common in larger MSPs.
  • Kaseya VSA (Business) · Enterprise-class RMM. Asset + agent telemetry ingest.
  • HaloPSA (Business) · The clean modern PSA. Ticket creation + correlation against CyberCLI cases.
  • Atera (Pro) · All-in-one RMM+PSA popular with small MSPs.
  • Syncro (Pro) · RMM + PSA + invoicing for break-fix and managed shops.

Backup & Disaster Recovery

Coming soon · 5

Backups are an attacker's last target before they detonate — backup-job failures and unauthorized backup deletions are the highest-signal events in an incident.

  • Veeam Backup & Replication (Pro) · The enterprise backup standard. Job + repository + immutability events.
  • Acronis Cyber Protect (Pro) · Combined backup + endpoint security. Webhook + API ingest of job + threat events.
  • Synology Active Backup (Free) · Common SMB backup target. Snapshot + replication + immutable-lock event ingest.
  • Restic / Borg / Kopia (Free) · OSS backup tools. Job-success + repository-tamper telemetry.
  • Azure Backup / AWS Backup (Business) · Cloud-native backup orchestrators. Vault events + restore-test outcomes.

MDM & Device Management

Coming soon · 5

Mobile + laptop fleet posture: encryption status, jailbreak/root, missing patches, compliance drift — the things your EDR doesn't tell you because the device isn't reporting in.

  • Microsoft Intune (Pro) · The M365 device-management lane. Compliance + enrollment + remote-action events.
  • Jamf (Pro) · Mac-first MDM. The de-facto choice for Apple-heavy orgs.
  • Kandji (Pro) · Modern Mac MDM with strong compliance + automation primitives.
  • Mosyle (Pro) · Mac/iOS MDM popular with education + SMB.
  • ManageEngine MDM (Business) · Cross-platform MDM. Common in mid-market.

Network & Security Edge (commercial)

Coming soon · 8

The commercial firewall, SD-WAN, and ZTNA vendors your customers actually run. Free tier covers pfSense/OPNsense; this is the paid-vendor lane for everything else.

  • Fortinet FortiGate (Pro) · The dominant commercial firewall in mid-market. FortiGate syslog + FortiAnalyzer API ingest.
  • Cisco Meraki (Pro) · Cloud-managed Cisco network. MX firewall + MR wireless + MS switch event ingest.
  • Palo Alto Networks NGFW (Business) · The enterprise NGFW. PAN-OS API + Cortex Data Lake ingest.
  • SonicWall (Pro) · Common SMB firewall vendor. Syslog + Capture Security Center event ingest.
  • Sophos Firewall (Pro) · Sophos Central API for firewall + endpoint correlation.
  • Tailscale audit (Pro) · The modern mesh VPN. Audit log API + tailnet ACL change ingest.
  • Cloudflare Zero Trust (Pro) · Cloudflare Access / Tunnel / Gateway logs. The ZTNA lane for cloud-native orgs.
  • Zscaler (Business) · ZIA + ZPA logs. The enterprise SASE option.

SaaS & Cloud Storage

Coming soon · 5

Where your data actually lives in 2026. S3 buckets, Drive folders, Dropbox shares — high-value targets you currently can't see into.

  • AWS S3 CloudTrail (Pro) · Object-level access events. Detect unauthorized GetObject / mass-download / public-bucket drift.
  • Box (Pro) · Enterprise file collaboration. Events API for file access + sharing + admin activity.
  • Dropbox Business (Pro) · Team + business plan event log + Tasks API ingest.
  • Google Drive (Pro) · Drive activity events surfaced from Workspace audit (already on Workspace? this comes for free).
  • OneDrive for Business (Pro) · M365 SharePoint + OneDrive file activity (already on M365? this comes for free).

Compliance & GRC

Coming soon · 5

Your auditor doesn't speak CYCON. Map the same evidence chain to SOC 2 / HIPAA / PCI / ISO controls automatically.

  • Vanta (Business) · SOC 2 / ISO 27001 automation. API for control evidence + finding sync.
  • Drata (Business) · Same category as Vanta. Compliance posture sync + evidence automation.
  • Hyperproof (Business) · Multi-framework GRC. Audit-ready evidence + cross-framework control mapping.
  • Sprinto (Business) · Compliance automation. Direct push of CyberCLI control evidence into Sprinto's framework.
  • OpenComply (Free) · Open-source compliance scanning. CIS / NIST / PCI checks against your live infra.

Cloud Security & CSPM

Coming soon · 5

Cover the cloud accounts that don't fit M365/Workspace — AWS, GCP, Azure infra, plus the CSPM vendors that already watch them.

  • AWS GuardDuty (Pro) · AWS-native threat detection. Finding stream into CyberCLI cases.
  • Microsoft Defender for Cloud (Pro) · Azure-native CSPM + workload protection alerts.
  • GCP Security Command Center (Pro) · Google Cloud's centralized finding stream.
  • Wiz (Business) · Agentless multi-cloud CSPM. Inventory + finding sync via Wiz API.
  • Lacework / Orca / Snyk (Business) · Other CSPM + DevSecOps platforms common in growing SMBs.

Enterprise EDR / XDR (additional)

Coming soon · 4

Beyond CrowdStrike + SentinelOne, the other commercial endpoint platforms our buyers already run.

  • Microsoft Defender for Endpoint (Pro) · M365 E5's bundled EDR. ATP API for alerts + machine timeline.
  • Sophos Intercept X (Pro) · Sophos Central API for endpoint detection events.
  • VMware Carbon Black (Business) · Carbon Black Cloud feed. Still common in mid-market.
  • Cybereason / Trellix / Cylance (Business) · The remaining major commercial EDRs we'll add by demand.

SIEM & Observability

Coming soon · 5

Some shops keep their existing SIEM and want CyberCLI as the agentic SOC layer on top. Don't make them rip and replace.

  • Splunk (Business) · HEC ingest + search-API outbound. Sit alongside, don't compete.
  • Elastic Stack (Pro) · Elasticsearch ingest + Kibana cross-link for incidents.
  • Sumo Logic (Business) · SaaS SIEM ingest + alert forwarding.
  • Datadog Security (Business) · If you already log to Datadog, route security signals into CyberCLI cases.
  • Cribl Stream (Business) · Vendor-agnostic data fabric. Inline route + reshape for ingest.

Identity & Auth (additional)

Coming soon · 5

Beyond Okta / M365 / Workspace — the password managers, MFA, and OSS IdPs SMBs actually deploy.

  • Duo Security (Pro) · Cisco's MFA. Admin API for auth + factor events.
  • 1Password Business (Pro) · Events API for sign-in + item-access activity.
  • Bitwarden Business (Pro) · OSS-rooted password manager. Event-log API ingest.
  • Authentik / Keycloak (Free) · Self-hosted OIDC/SAML IdPs. Free-tier alternative to commercial IdP.
  • YubiKey / WebAuthn (Pro) · Hardware-key issuance + usage telemetry from your IdP of choice.

Vulnerability Management

Coming soon · 5

Beyond Trivy for containers — the network + asset scanners that drive your patch program.

  • Tenable Nessus (Pro) · Industry-standard vulnerability scanner. Tenable.io API for finding sync.
  • Qualys VMDR (Business) · Cloud-based asset + vulnerability platform.
  • Rapid7 InsightVM (Business) · Real-time vulnerability + risk scoring API.
  • OpenVAS / Greenbone (Free) · OSS vulnerability scanner. Free-tier alternative to Nessus.
  • Nuclei (Free) · Template-driven scanner. Great for continuous external-surface monitoring.

Email Security

Coming soon · 4

Phishing is still the #1 initial-access vector. Pull verdicts from the gateway that fronts your mail.

  • Proofpoint (Business) · Enterprise email gateway. Threat detection feed for ingest.
  • Mimecast (Business) · Secure email gateway with API for finding sync.
  • Microsoft Defender for Office 365 (Pro) · MDO for the M365 shop. Threat protection alerts.
  • Vade Secure (Pro) · M365/Google add-on AI email security.

Roadmap items are intentional scope, not commitments to dates. We ship breadth first, then depth on the connectors design partners actually run.