Every IR engagement starts the same way. The alert fires. The analyst opens the case. And then — instead of investigating — they spend 45 minutes downloading tools, remembering which command-line flags KAPE needs for a targeted collection, setting up Velociraptor, and trying to find the evidence hashing script they wrote six months ago.
We built VanGuard to eliminate that 45-minute gap. It's open source, it's a single binary, it runs on Windows and Linux, and it works in air-gapped environments. We released it today.
What VanGuard does
VanGuard consolidates the full IR lifecycle — triage, hunting, memory forensics, disk collection, remote operations, and reporting — into one portable binary with built-in case management.
It is not a framework that requires configuration before it's useful. It is not a wrapper around other tools that you still need to install separately. You download the binary, run it, and the first menu gives you 28 pre-built investigation use cases — ransomware, BEC, lateral movement, credential theft, rootkit detection, data exfiltration — each with MITRE ATT&CK mapping and phased artifact collection. Select one and the collection runs.
Why we open-sourced it
VanGuard started as an internal tool. We built it because we were tired of the same 45-minute setup at the beginning of every engagement. Once it was reliable enough for our own investigations, we made the decision to release it publicly for three reasons.
First, most IR teams don't have the engineering time to build their own tooling. They use the same collection of separate tools we used — KAPE, Velociraptor, Hayabusa, Volatility — but they use them manually, without automation, without integrated case management, and without evidence integrity built in. VanGuard gives those teams a production-ready toolkit without the development investment.
Second, the DFIR community has a long tradition of open-source contribution. KAPE, Velociraptor, Volatility, Hayabusa, Chainsaw, Loki — the tools VanGuard integrates are all open source or free. Releasing VanGuard continues that pattern.
Third, we build IR training. The investigation methodology taught in the Practical IR course and the Practical Linux IR course is the same methodology VanGuard operationalises. Practitioners who learn the methodology in the course can deploy it immediately with VanGuard. Practitioners who discover VanGuard first and want to understand the investigation techniques behind the use cases have a direct path to the training.
The air-gap problem
Most DFIR tools assume network connectivity. VanGuard doesn't. Every feature works offline — Velociraptor server initialisation, artifact collection, Hayabusa analysis, memory capture and analysis, reporting. Online capabilities (update checks, rule downloads) are enhancements, not requirements.
This matters because the environments where IR is hardest — OT networks, classified systems, healthcare, financial services — are the ones most likely to be air-gapped or network-restricted. A tool that requires an internet connection to function is a tool you can't use on your hardest cases.
For air-gapped deployment: download VanGuard and the integrated tools on a connected system, copy to a USB drive, run from the USB on the target. Everything stays on the USB. No files are written to the host system unless you explicitly configure it.
Evidence integrity by default
Every artifact VanGuard collects is dual-hashed (MD5 + SHA256) and registered in the case database automatically. Chain of custody is append-only with HMAC-SHA256 tamper detection. This isn't optional or configurable — it's how VanGuard works. If you collect evidence with VanGuard, the integrity is already documented.
This matters for the cases that go to legal. An IR report that says "we collected the MFT" is weaker than one that says "we collected the MFT at 14:32:07 UTC, MD5 a3f2..., SHA256 b7c4..., chain of custody entries 1-4 show acquisition, transport, analysis, and reporting with HMAC verification passing at each step." VanGuard produces the second version automatically.
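The integrity scheme described above (dual hashing plus an append-only custody log with HMAC-SHA256 tamper detection) can be illustrated in a few dozen lines. The following is an added example written for this post, not VanGuard's own code: the key handling, the entry layout and the sample artifact bytes are assumptions, and a real tool would keep the HMAC key in a case keystore rather than in the script.

```python
"""Added example (not VanGuard's code): dual-hash an artifact and keep an
append-only chain-of-custody log whose entries are linked by HMAC-SHA256,
so that editing, reordering or deleting an entry breaks verification.
Entry layout and key handling are assumptions for illustration only."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


def dual_hash(data: bytes) -> Dict[str, str]:
    """Return both MD5 and SHA256 of an artifact's bytes (the post's 'dual-hashed')."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


class CustodyLog:
    """Append-only custody log. Each entry's tag is HMAC-SHA256 over the previous
    entry's tag concatenated with the canonical JSON of the new entry's body, so the
    chain verifies only if every entry is intact and in its original order."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[dict] = []

    def _tag(self, prev_tag: str, body: dict) -> str:
        # Canonical JSON (sorted keys) so the same body always hashes identically.
        msg = prev_tag.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, artifact: str, action: str, actor: str,
               hashes: Dict[str, str], when: Optional[str] = None) -> dict:
        body = {
            "seq": len(self.entries) + 1,
            "artifact": artifact,
            "action": action,
            "actor": actor,
            "timestamp": when or datetime.now(timezone.utc).isoformat(),
            **hashes,
        }
        prev = self.entries[-1]["hmac"] if self.entries else ""
        entry = {**body, "hmac": self._tag(prev, body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute every tag in order; return (ok, position of first bad entry or None)."""
        prev = ""
        for i, entry in enumerate(self.entries, start=1):
            body = {k: v for k, v in entry.items() if k != "hmac"}
            # A deleted or reordered entry shows up as a sequence-number mismatch;
            # an edited entry shows up as an HMAC mismatch.
            if entry.get("seq") != i or not hmac.compare_digest(self._tag(prev, body), entry["hmac"]):
                return False, i
            prev = entry["hmac"]
        return True, None


def demo() -> dict:
    """Walk the four custody steps named in the post, then simulate an after-the-fact edit."""
    key = b"case-0001-custody-key"               # constructed; a real tool loads this from a keystore
    artifact = b"constructed stand-in for $MFT"  # constructed sample bytes, not a real MFT
    log = CustodyLog(key)
    hashes = dual_hash(artifact)
    steps = [("acquisition", "analyst-1"), ("transport", "analyst-1"),
             ("analysis", "analyst-2"), ("reporting", "analyst-2")]
    for action, actor in steps:
        log.append("$MFT", action, actor, hashes, when="2024-01-01T14:32:07+00:00")
    intact = log.verify()                  # (True, None)
    log.entries[1]["actor"] = "someone-else"  # simulated tampering with the transport entry
    tampered = log.verify()                # (False, 2)
    return {"intact": intact, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of linking each tag to the previous one is that the log cannot be quietly edited after the fact: changing, removing or reordering any entry invalidates every later tag, which is what lets a report claim that HMAC verification passed at each custody step.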
Get started
VanGuard is available now on GitHub:
github.com/ridgelinecyberdefence/vanguard
Download the binary for your platform from the Releases page. No installation, no dependencies, no account. Run it and you're investigating.
The VanGuard landing page has the full feature breakdown, getting started guide, and architecture overview.
If you want to learn the investigation methodology that VanGuard operationalises — the five-step reasoning chain, the evidence evaluation discipline, the investigation techniques for ransomware, BEC, insider threat, and APT — the Practical Incident Response course starts with two free modules. No account required.
What to do this week
- Download VanGuard from GitHub and run it against a test system. The Quick Triage module collects 20+ artifact categories in minutes with no configuration.
- Try the ransomware use case (UC-WIN-001) or the BEC use case (UC-WIN-002) on a lab machine. Each use case collects the specific artifacts relevant to that investigation type.
- If you use Velociraptor, try the Velociraptor Operations module — it handles server setup, client repack, and agent deployment from one interface.
- Star the repo if you find it useful. Open an issue if something breaks. Contribute if you want to add a use case or integration.
- Read the Practical IR free modules to understand the investigation methodology behind VanGuard's use cases.
Next week: Detection engineering in Sentinel — building your first custom analytics rule from a hunt finding.