Arrive On Scene. Deploy in 60 Seconds. Investigate Immediately.
When an incident hits, you don't have time to install tools, resolve dependencies, or configure integrations. VanGuard is a single binary — copy it to a USB, run it on the compromised system, and you're triaging, hunting, and collecting evidence in under a minute. Air-gapped. Cross-platform. No installation. Built by the same team that writes the Ridgeline IR courses — learn the techniques there, deploy them here.
Built by the same team behind Ridgeline Cyber Defence · Apache 2.0 · Used in real engagements
The first 60 minutes of every incident are wasted on setup.
You arrive on scene. You need to collect artifacts, run triage, and hunt across endpoints — now. The tools exist (Velociraptor, Hayabusa, Chainsaw, Loki, YARA) and they're all free. But installing them, resolving dependencies, configuring integrations, and getting them working together on a compromised system with no internet access takes the one thing you don't have: time. VanGuard eliminates that setup entirely. One binary. Everything bundled. Operational in under 60 seconds.
Self-contained
Single binary. Every dependency bundled. No Python version conflicts, no package managers, no installation. Copy to USB, run the binary. The entire toolkit is operational in under 60 seconds.
Air-gapped ready
Designed offline-first. Tool downloads are cached locally. Velociraptor server runs on the local machine. Every capability works without network access. Online features are enhancements, not requirements.
Cross-platform
Windows and Linux from the same interface. Every module handles both operating systems. Triage a Windows workstation, then pivot to a Linux server without switching tools.
Professional TUI
Sidebar + content pane layout inspired by commercial tools. Works over SSH. Keyboard-driven for speed during incidents. Looks and feels professional — not a console script.
Case management built in
SQLite-backed case tracking with evidence chain of custody. Every collection, scan, and finding is registered to the case with analyst attribution. Export case data for reporting.
Open source
Apache 2.0 licensed. Free to use, modify, and distribute. Built by the same team behind the Ridgeline IR training courses. Community contributions welcome.
What VanGuard does
Nine modules covering the full IR workflow — from initial triage through threat hunting, evidence collection, and reporting.
Velociraptor Operations
Initialize, deploy, and manage Velociraptor from the TUI. Server init, agent deployment via WinRM/SSH/PsExec, offline collector creation, and collection import. The primary IR capability — fully automated from a single interface.
Quick Triage
Comprehensive Windows and Linux artifact collection using native OS commands. Processes, services, network connections, scheduled tasks, autorun entries, user accounts, and filesystem artifacts. Async progress display and automatic case evidence registration.
Threat Hunting
Hayabusa, Chainsaw, Loki, and YARA integrated into a unified hunting workflow. Plus live anomaly detection for LOLBins, C2 indicators, persistence mechanisms, and Linux-specific checks. All findings mapped to MITRE ATT&CK.
Memory Forensics
Memory acquisition and analysis. Capture running memory and analyse for process injection, credential material, network connections, and rootkit indicators.
Disk Collection
Forensic disk imaging and targeted file collection. Evidence preservation with chain of custody tracking built into the case management system.
Analysis & Reporting
Professional HTML reports with sorting, filtering, and MITRE ATT&CK mapping. Timeline reconstruction across multiple evidence sources. Export for stakeholder reporting.
Remote Operations
Deploy agents and run collections on remote endpoints via WinRM, SSH, and PsExec. Manage multi-host investigations from a single VanGuard instance without pre-installing anything on the target.
Pre-built Use Cases
28 pre-built investigation workflows for common incident types — ransomware, BEC, credential theft, insider threat, lateral movement, and more. Each workflow chains the right modules in the right order.
Configuration
Case management CRUD, tool status display, GitHub-based tool downloads with progress bars, and analyst/organisation settings persistence. All configuration stored in YAML and SQLite.
Use as-is — no guarantees
VanGuard is provided as-is with no warranty or guarantee of fitness for any particular environment. Remote operations (WinRM, SSH, PsExec) depend on your network architecture, firewall rules, authentication methods, and endpoint configurations. Results will vary. Always test in a lab environment before deploying against production systems.
VanGuard is continuously updated. We actively incorporate impactful suggestions from the community — open an issue on GitHub if something doesn't work as expected or if you have an idea for improvement.
We recommend using VanGuard alongside the Practical IR course, which guides you through building a persistent lab environment where you can test VanGuard's capabilities safely before taking both the skills and the toolkit into real engagements.
User Guide
From download to first investigation in under 10 minutes.
Download the binary
Download the latest release for your platform from GitHub Releases. VanGuard is a single executable — no installer, no dependencies. On Windows: vanguard.exe. On Linux: vanguard.
Copy to USB (optional)
For air-gapped or on-scene deployment, copy the binary to a USB drive. VanGuard creates its working directory alongside the binary — everything stays on the USB. No files are written to the host system unless you explicitly configure it.
Run and configure
Run the binary. On first launch, VanGuard creates a default configuration file and prompts you to set your analyst name and organisation. Then use the Configuration module to download the integrated tools (Velociraptor, Hayabusa, Chainsaw, Loki, YARA). On connected systems this happens automatically with progress bars. For air-gapped systems, pre-download the tools on a connected machine first.
Create a case
Open the Configuration module and create a new case. Every evidence collection, scan result, and finding is registered to this case with analyst attribution and timestamps. The case database (SQLite) travels with the USB drive.
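To make concrete what "registered to this case with analyst attribution and timestamps" means in practice, and how the native-command collection described under Quick Triage feeds it, here is an added example written for this page. It is not VanGuard's code and does not reflect its real schema, artifact list or function names; the table layout, the command sets and every function name are assumptions. The point it demonstrates is the one that matters for chain of custody: hash each artifact at the moment of collection, store the hash with who collected it, from which host and when, and re-verify the stored bytes against that hash later.

```python
"""Triage collection with a SQLite chain-of-custody register (added example, not VanGuard's code)."""
import hashlib
import platform
import socket
import sqlite3
import subprocess
import sys
from datetime import datetime, timezone

# Constructed command sets for illustration; VanGuard's own artifact list is not
# published on this page, so these are assumptions.
TRIAGE_COMMANDS = {
    "Windows": {
        "processes": ["tasklist", "/v"],
        "network": ["netstat", "-ano"],
        "services": ["sc", "query"],
        "scheduled_tasks": ["schtasks", "/query", "/fo", "LIST", "/v"],
    },
    "Linux": {
        "processes": ["ps", "-eo", "pid,ppid,user,lstart,cmd"],
        "network": ["ss", "-tulpan"],
        "cron": ["cat", "/etc/crontab"],
        "users": ["cat", "/etc/passwd"],
    },
}

# Cross-platform command used only for self-testing (constructed).
SELF_TEST_COMMAND = [sys.executable, "-c", "print('constructed', end='')"]

SCHEMA = """
CREATE TABLE IF NOT EXISTS cases (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL, analyst TEXT NOT NULL,
    organisation TEXT, opened_utc TEXT NOT NULL);
CREATE TABLE IF NOT EXISTS evidence (
    id INTEGER PRIMARY KEY, case_id INTEGER NOT NULL REFERENCES cases(id),
    label TEXT NOT NULL, source TEXT NOT NULL, host TEXT NOT NULL,
    analyst TEXT NOT NULL, collected_utc TEXT NOT NULL,
    sha256 TEXT NOT NULL, size INTEGER NOT NULL, content BLOB NOT NULL);
"""


def _now_utc() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def open_case_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create) the case database; ':memory:' keeps it in RAM for demos."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def create_case(conn, name, analyst, organisation=""):
    cur = conn.execute(
        "INSERT INTO cases (name, analyst, organisation, opened_utc) VALUES (?, ?, ?, ?)",
        (name, analyst, organisation, _now_utc()),
    )
    conn.commit()
    return cur.lastrowid


def register_evidence(conn, case_id, label, source, data, analyst, host=None):
    """Store an artifact with its SHA-256, collector, host and UTC timestamp.
    Hashing at registration time is what later proves the stored bytes are the
    ones that were collected."""
    digest = hashlib.sha256(data).hexdigest()
    cur = conn.execute(
        "INSERT INTO evidence (case_id, label, source, host, analyst, collected_utc,"
        " sha256, size, content) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
        (case_id, label, source, host or socket.gethostname(), analyst,
         _now_utc(), digest, len(data), sqlite3.Binary(data)),
    )
    conn.commit()
    return cur.lastrowid, digest


def collect_command(conn, case_id, label, argv, analyst, timeout=60):
    """Run one native OS command and register its raw output as evidence."""
    proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    data = proc.stdout + proc.stderr  # a failing command is itself worth preserving
    return register_evidence(conn, case_id, label, " ".join(argv), data, analyst)


def quick_triage(conn, case_id, analyst, commands=None):
    """Collect the command set for the current OS; returns label -> evidence id (None on failure)."""
    commands = commands if commands is not None else TRIAGE_COMMANDS.get(platform.system(), {})
    results = {}
    for label, argv in commands.items():
        try:
            results[label] = collect_command(conn, case_id, label, argv, analyst)[0]
        except (OSError, subprocess.TimeoutExpired):
            results[label] = None  # tool missing or hung: recorded, not fatal
    return results


def verify_evidence(conn, evidence_id):
    """Re-hash stored content and compare with the hash recorded at collection."""
    row = conn.execute("SELECT sha256, content FROM evidence WHERE id = ?", (evidence_id,)).fetchone()
    return row is not None and hashlib.sha256(row[1]).hexdigest() == row[0]


def evidence_content(conn, evidence_id):
    row = conn.execute("SELECT content FROM evidence WHERE id = ?", (evidence_id,)).fetchone()
    return bytes(row[0]) if row else None


if __name__ == "__main__":
    db = open_case_db()
    case = create_case(db, "demo-case", "analyst")
    for label, eid in quick_triage(db, case, "analyst").items():
        print(label, "ok" if eid and verify_evidence(db, eid) else "FAILED")
```

Running the block directly collects the command set for the host OS into an in-memory database and re-verifies every artifact; pointing `open_case_db` at a file on the USB drive gives the travelling case database the page describes. The verification step is the part to keep in any real workflow: if a stored artifact is altered after collection, `verify_evidence` returns False, which is exactly the discrepancy a chain-of-custody record exists to expose.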
Start your investigation
Choose your starting module based on the incident type. For most incidents, the workflow is: Quick Triage (collect baseline artifacts) → Threat Hunting (scan for indicators and anomalies) → Velociraptor (deploy for deeper collection if needed). The pre-built Use Cases module automates this sequencing for common incident types.
Deploy to remote endpoints
If the investigation spans multiple hosts, use the Remote Operations or Velociraptor modules to deploy agents and run collections remotely. VanGuard manages the deployment via WinRM (Windows), SSH (Linux), or PsExec (Windows) — no agent pre-installation required on the target.
Generate reports
The Analysis & Reporting module produces professional HTML reports from your case data. Timeline reconstruction, finding summaries, and MITRE ATT&CK mapping — ready for stakeholder handoff.
VanGuard is the practice environment. Ridgeline training is the methodology.
The investigation techniques you learn in the course are the same techniques VanGuard operationalises. Learn the methodology → build your lab → practise with VanGuard → deploy with confidence on real incidents.
Practical Incident Response
End-to-end investigation methodology across Windows and M365. The five-step reasoning chain that VanGuard's workflow is built around. Covers evidence acquisition, analysis, and reporting with the same tools VanGuard bundles.
Practical Linux IR
Linux-specific investigation methodology — /var/log, systemd journals, auditd, containers. The Linux side of VanGuard's cross-platform triage and hunting capabilities.
Applied Memory Forensics
Memory acquisition, analysis, and reporting with Volatility 3. The methodology behind VanGuard's memory forensics module — process injection, credential extraction, rootkit detection.
Ready to Master the Full Methodology Behind VanGuard?
VanGuard gives you the tools. Ridgeline training gives you the repeatable investigation methodology used by professional IR teams. Every course starts with free modules — no account required.
The next time you arrive on scene, you'll be investigating in 60 seconds.
Download VanGuard. Copy it to a USB. The next incident, you're triaging while everyone else is still installing tools. Open source. Free. Built by practitioners who use it in real engagements.