What is Velociraptor?

An advanced open-source endpoint monitoring and DFIR tool.

Query your devices

Using a flexible and powerful query language. No need to modify code or deploy new endpoint software to collect new information.

Centrally collect

Collect ongoing monitoring telemetry like event logs, file modification and process execution logs.

Trigger actions

When certain conditions occur, trigger automated response actions, such as email escalations, machine lockout or automated evidence acquisition.

Triage

Automatically collect the most important information using Artifacts.

Endpoint monitoring

Easily monitor your endpoints for high-value events.

Interactively investigate an endpoint

Interactively examine endpoints remotely and collect detailed state information for incident response or digital forensics (DFIR).

Velociraptor Artifacts

Artifacts allow you to implement new functionality looking for the specific emerging threats that you encounter, all without needing to rebuild or redeploy new software.

Flexible and Fast

Rapidly hunt for new specific threats across all your endpoints! Simply add a new artifact or modify an existing one and immediately hunt for it across your entire infrastructure.

At a click of a button you can create a new custom artifact specifically tailored to your own enterprise. You can then immediately hunt for it across the entire fleet and know within minutes if any of your endpoints are compromised.
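As an added illustration of what such a custom artifact looks like (this is example code written for this page, not an artifact shipped by the Velociraptor project), the following YAML defines a client artifact that globs for executables under user profiles and scans each hit with a constructed Yara rule. The artifact name, the parameter defaults and the Yara rule are assumptions; the `glob()` and `yara()` plugins and the `OSPath`, `Size`, `Mtime`, `IsDir` and `Rule` column names follow current VQL documentation and should be checked against the version you deploy.

```yaml
# Hypothetical custom artifact (added example, not part of the Velociraptor project).
name: Custom.Example.SuspiciousExecutables
description: |
  Locate executables under user profile directories (the default glob is an
  assumption) and report the ones that match the supplied Yara rule, together
  with basic file metadata, so the results can be hunted across the fleet.
type: CLIENT

# Only run on Windows endpoints; the hunt simply returns no rows elsewhere.
precondition: SELECT OS FROM info() WHERE OS = 'windows'

parameters:
  - name: SearchGlob
    description: Glob expression for the files to examine.
    default: C:\Users\*\AppData\**\*.exe
  - name: YaraRule
    description: Yara rule applied to every file matched by SearchGlob.
    default: |
      rule ExampleMarker {
        strings:
          // Constructed marker string for demonstration only.
          $marker = "EXAMPLE_MARKER_STRING" ascii
        condition:
          $marker
      }

sources:
  - query: |
      -- Enumerate candidate files first, then run the Yara scan on each one.
      SELECT * FROM foreach(
        row={
          SELECT OSPath, Size, Mtime
          FROM glob(globs=SearchGlob)
          WHERE NOT IsDir
        },
        query={
          SELECT OSPath, Size, Mtime, Rule
          FROM yara(rules=YaraRule, files=OSPath)
        })
```

Once the artifact is added through the GUI it can be collected from a single endpoint for testing and then launched as a hunt; every row it returns identifies a file, its timestamps and the rule that fired, which is the information an analyst needs to decide whether the match warrants follow-up.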

Multi-platform and easy to deploy.


The same tool is deployed across all your enterprise platforms. From desktops (OSX/Linux/Windows) to cloud assets, all your endpoints are accessible from the same GUI.

Velociraptor is distributed as a single, statically linked binary tested to work on even very old versions of your OS.

Velociraptor is extremely fast and resource efficient. Most medium deployments (5-10k clients) can be served by a single mid-sized server.

Free and Open-Source software

Velociraptor is released under the Apache License. This means you can use it, modify it and deploy it without restrictions.

Velociraptor is also commercially supported if you prefer! Velociraptor is supported by Velocidex Innovations Inc. We can help you deploy it, manage it and can implement custom features for your specific needs.

Features and Highlights

The following list is a summary of some of the most significant features. As Velociraptor gains more features, this list will be expanded.

  • Find files on endpoints using glob expressions, file metadata and even Yara signatures.
  • Search through registry using glob expressions, metadata and even Yara signatures.
  • Apply Yara signatures to process memory.
  • Acquire process memory based on various conditions for further examination by WinDbg.
  • Upload entire files from endpoints automatically and on demand.
  • Raw NTFS parsing for access to locked files like the pagefile and registry hives.
  • Full WMI support - Artifacts can express WMI queries and combine these with other queries (e.g. download files mentioned in the WMI results).
  • Velociraptor supports streaming event queries - data can be collected automatically from endpoints and stored on the server. For example all these may be streamed to the server:
    • Process execution logs.
    • High value events parsed from the event logs.
    • DNS queries and answers.
  • Escalations can be automatically actioned server side upon collection of client events.
  • Interactive shell is available for those unexpected times when you need to get hands-on!
  • Advanced GUI making many tasks easy. GUI supports SSL and SSO for strong identity management.
  • Server side VQL allows for automating the server using VQL - launch further collection automatically when certain conditions are detected.
  • Client supports throttling - you can run very intensive operations on the client at a controlled rate to limit impact on endpoint performance.
  • A Python API allows for full control of the server from Python, including post-processing of acquired data.
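The server-side VQL and automated escalation items above can be combined in a single server event artifact. The following is an added example written for this page, not an artifact from the Velociraptor project: it watches for completed collections of a detection artifact and, when one of them returned results, automatically launches a follow-up collection on the same client. The artifact names are assumptions; `watch_monitoring()`, the `System.Flow.Completion` event with its `Flow.artifacts_with_results` field, and `collect_client()` follow current VQL documentation and should be checked against the deployed version.

```yaml
# Hypothetical server event artifact (added example, not part of the Velociraptor project).
name: Custom.Server.Example.EscalateOnDetection
description: |
  When a collection of the (assumed) detection artifact finishes with results,
  queue a follow-up collection on the same client so evidence is acquired
  without waiting for an analyst to notice the hit.
type: SERVER_EVENT

parameters:
  - name: DetectionArtifact
    description: Client artifact whose results should trigger escalation.
    default: Custom.Example.SuspiciousExecutables
  - name: FollowUpArtifact
    description: Artifact to collect automatically when the detection fires.
    default: Windows.KapeFiles.Targets

sources:
  - query: |
      -- System.Flow.Completion emits one row per finished collection.
      -- Keep only flows where the detection artifact actually produced rows,
      -- then schedule the follow-up collection on that client.
      SELECT ClientId,
             FlowId,
             collect_client(
               client_id=ClientId,
               artifacts=FollowUpArtifact) AS Escalation
      FROM watch_monitoring(artifact="System.Flow.Completion")
      WHERE DetectionArtifact IN Flow.artifacts_with_results
```

Because the query runs continuously on the server, each matching completion produces one row recording which client was escalated and the follow-up flow that was created, giving responders an audit trail of every automated action.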