
VanGuard: Best DFIR Toolkits for Enterprise IR Teams in 2026


VanGuard collapses triage, hunting, memory capture, disk collection, Velociraptor management, and chain-of-custody logging into one portable Go binary that works offline on Windows and Linux.

Pricing: Open-Source
Tech Stack: Go, SQLite, Velociraptor, Windows/Linux binaries, TUI and web UI
Target: enterprise IR teams
Category: DFIR Toolkits

What Is VanGuard?

VanGuard is a cross-platform DFIR toolkit from ridgelinecyberdefence for enterprise incident response teams. VanGuard is one of the best DFIR Toolkits for enterprise IR teams because it ships as a single Go binary with 28 pre-built incident workflows, Velociraptor management, memory forensics, disk collection, and offline triage on Windows and Linux. Its design goal is to replace a pile of one-off shell commands and preserve evidence integrity in air-gapped environments.

VanGuard is not a thin wrapper around a few scripts. It bundles case management, dual MD5+SHA256 hashing, append-only chain of custody, and HMAC-SHA256 audit logging so responders can keep the evidence trail intact while moving fast. That makes it a practical field kit for teams that need repeatable workflows instead of ad hoc terminal archaeology.
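The evidence-trail model described above, as an added illustration in Go (not VanGuard's own code): each custody record carries dual MD5+SHA256 digests of the artifact and an HMAC-SHA256 tag chained to the previous record's tag, so a verifier holding the audit key can detect an edited, deleted or reordered entry. The audit key, file names and artifact bytes are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one custody record: dual MD5+SHA256 of the artifact plus an HMAC-SHA256 tag chained to the previous tag.
type Entry struct{ Artifact, Action, MD5, SHA256, Tag string }

// tag computes HMAC-SHA256 over the record fields and the previous entry's tag.
func tag(key []byte, prev string, e Entry) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(prev + "\x00" + e.Artifact + "\x00" + e.Action + "\x00" + e.MD5 + "\x00" + e.SHA256))
	return hex.EncodeToString(h.Sum(nil))
}

// Append hashes the artifact bytes and adds a tagged record to the end of the log; there is no update or delete.
func Append(log []Entry, key []byte, artifact, action string, data []byte) []Entry {
	prev := ""
	if n := len(log); n > 0 {
		prev = log[n-1].Tag
	}
	m, s := md5.Sum(data), sha256.Sum256(data)
	e := Entry{artifact, action, hex.EncodeToString(m[:]), hex.EncodeToString(s[:]), ""}
	e.Tag = tag(key, prev, e)
	return append(log, e)
}

// Verify recomputes every tag with the audit key and returns the index of the first bad record, or -1 if intact.
func Verify(log []Entry, key []byte) int {
	prev := ""
	for i, e := range log {
		if !hmac.Equal([]byte(tag(key, prev, e)), []byte(e.Tag)) {
			return i // editing, deleting or reordering an earlier record breaks this and every later tag
		}
		prev = e.Tag
	}
	return -1
}

func main() {
	key := []byte("constructed-audit-key") // constructed sample key, not a real secret
	log := Append(nil, key, "Security.evtx", "collected", []byte("constructed evtx bytes"))
	log[0].Action = "deleted" // tamper with the record; Verify reports index 0
	fmt.Println("first bad entry:", Verify(log, key))
}
```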

Quick Overview

| Attribute | Details |
| --- | --- |
| Type | DFIR Toolkits |
| Best For | enterprise IR teams |
| Language/Stack | Go, SQLite, Velociraptor, Windows/Linux binaries, TUI and web UI |
| License | N/A |
| GitHub Stars | N/A as of Feb 2026 |
| Pricing | Open-Source |
| Last Release | N/A |

Who Should Use VanGuard?

VanGuard fits teams that need one operator-friendly binary to cover collection, hunting, memory capture, and reporting without stitching together separate utilities.

  • Enterprise incident responders who need a consistent field workflow for ransomware, BEC, lateral movement, and credential theft cases across mixed Windows and Linux estates.
  • DFIR consultants who move between client networks and want a portable binary that runs from a USB stick, a jump box, or an SSH session with no installation step.
  • Platform and security operations teams that need to run the same triage playbook across multiple endpoints while keeping evidence hashes, timestamps, and chain-of-custody records aligned.
  • Velociraptor-heavy shops that want a wrapper for server lifecycle tasks, offline collectors, hunts, and VQL queries without forcing every analyst to memorize the full operator flow.

Not ideal for:

  • Single-purpose analysts who only need one artifact parser or one log hunter and do not want the overhead of case management.
  • Teams that already standardize on a large IR platform and do not want another control layer in the middle of their existing workflow.
  • Cloud-only responders who rarely touch endpoint triage, memory capture, or disk acquisition on a local host.

Key Features of VanGuard

  • Single-binary portability — VanGuard runs with no installation and no runtime dependency chain on the host. That matters in locked-down environments where you cannot drop a package manager, install service daemons, or leave a footprint beyond the executable itself.
  • Velociraptor-native operations — VanGuard manages the full Velociraptor lifecycle, including server initialization, client package creation, agent deployment, offline collectors, hunt management, and VQL querying. That makes it more than a launcher and less than a separate ecosystem.
  • Offline-first triage — VanGuard keeps every core workflow usable without network access. Online downloads and update checks are optional enhancements, not hard requirements, which is exactly what you want in an air-gap or a dead network segment.
  • Multi-tool threat hunting — VanGuard integrates Hayabusa, Chainsaw, Loki, and YARA so responders can combine Sigma-based event log analysis, IOC sweeps, and rule-driven scans from one operator flow. That reduces context switching when you are checking for LOLBins, suspicious autoruns, or known-bad hashes.
  • Memory forensics pipeline — VanGuard can acquire memory with DumpIt, WinPMEM, AVML, or LiME, then analyze dumps with Volatility3 for process inspection, network connections, malware artefacts, registry extraction, timelines, and YARA scanning. The remote-capture flow writes to randomized temp paths so that a predictable dump location cannot be pre-placed or tampered with on the target host.
  • Disk artifact collection — On Windows, VanGuard uses KAPE target sets and EZ Tools parsers such as MFTECmd, EvtxECmd, PECmd, and RECmd. On Linux, it uses UAC-style collection plus native log and config harvesting with per-file SHA256 verification.
  • Integrity-aware reporting — VanGuard produces self-contained HTML reports with embedded CSS, plus merged super-timelines in CSV. That output format is useful when the report must be opened on an isolated machine with no external assets and no browser plugins.

VanGuard vs Alternatives

| Tool | Best For | Key Differentiator | Pricing |
| --- | --- | --- | --- |
| VanGuard | Full-spectrum DFIR operations | Portable Go binary that combines triage, hunting, memory, disk, Velociraptor, and reporting | Open-Source |
| Velociraptor | Large-scale endpoint response | Deep client-server DFIR platform with native VQL and fleet orchestration | Open-Source |
| KAPE | Windows artifact collection | Fast target-based acquisition with a mature Windows collection ecosystem | Free |
| Chainsaw | Event-log hunting | Sigma-driven Windows log hunting with a narrow focus on detection | Open-Source |

If you mainly need timeline reconstruction and host narrative, OpenTrace is the narrower fit. If you already keep evidence in a separate case vault, DataHaven can sit beside VanGuard instead of replacing it.

Pick Velociraptor when you want the underlying fleet-control platform and are comfortable living inside its operator model. Pick KAPE when Windows artifact grab speed matters more than full-case orchestration. Pick Chainsaw when you only need event-log hunting and do not want collection, memory, or reporting overhead.

How VanGuard Works

VanGuard is built around a local orchestration model backed by Go and a SQLite case database. The binary drives collection and analysis through a menu-driven TUI for terminal sessions and a browser-friendly web UI when you want a graphical workflow, while the underlying case records stay on disk for later review and export.

The design choice that matters most is the split between control and execution. VanGuard keeps the operator workflow local, then fans out into native collectors, remote sessions, and external tools only when required, which is why the platform can still function during an outage or in an air-gapped room.

chmod +x vanguard-linux-amd64
./vanguard-linux-amd64 --help
./vanguard-linux-amd64 tui

The first command makes the Linux binary runnable, the second confirms the available options, and the third opens the keyboard-driven interface. From there, VanGuard can create or open a case, register evidence, and run a use case such as ransomware triage or baseline comparison while hashing each collected artifact.

Remote execution is handled through WinRM, SSH, and PSExec with bounded concurrency, so the tool can coordinate several endpoints without turning into a noisy flood of unmanaged jobs. That matters when you are collecting memory, triaging services, and pulling logs from multiple hosts at once and still need a stable chain-of-custody record.

Pros and Cons of VanGuard

Pros:

  • One binary covers the full IR loop — triage, hunting, memory capture, disk collection, reporting, and remote orchestration are all in the same operator path.
  • Strong evidence handling — dual MD5+SHA256 hashing and append-only custody records give you a defensible audit trail for each artifact.
  • Works offline — the core workflows do not depend on live internet access, which is rare for tools that integrate multiple external collectors.
  • Windows and Linux support — the toolkit is practical for mixed estates instead of forcing responders into a Windows-only workflow.
  • Velociraptor integration is first-class — you can initialize servers, deploy clients, generate offline collectors, and run hunts without switching tools.
  • Report output is portable — self-contained HTML and CSV timelines are easy to move into case notes, offline review sessions, or ticket systems.

Cons:

  • Broad scope adds operational complexity — the tool covers many disciplines, so new users still need to learn the playbook structure.
  • External dependencies still matter — VanGuard orchestrates tools like Hayabusa, Chainsaw, Loki, YARA, and Volatility3, so your workflow quality still depends on those ecosystems.
  • Not a replacement for every mature platform — very large teams may still prefer a dedicated Velociraptor deployment or a separate case management stack.
  • License details are not visible in the scraped page text — if you plan to redistribute or commercialize a derivative workflow, verify the repository license before you commit.

Getting Started with VanGuard

The fastest way to start with VanGuard is to download the release binary, make it executable, and open the TUI. That gives you the case shell, use case library, and local evidence database without having to install a package or build from source.

curl -L -o vanguard-linux-amd64 https://github.com/ridgelinecyberdefence/vanguard/releases/latest/download/vanguard-linux-amd64
chmod +x vanguard-linux-amd64
./vanguard-linux-amd64 --help
./vanguard-linux-amd64 tui

After the first launch, VanGuard typically prompts you to create or select a case and then choose a workflow from the use case library. If you need remote collection, prepare the relevant credentials for WinRM or SSH before you start, because VanGuard treats those secrets as runtime inputs and keeps them out of logs and on-disk config.

Verdict

VanGuard is the strongest option for offline incident response when you need collection, hunting, and evidence handling in one portable binary. Its biggest strength is the end-to-end workflow compression across Windows and Linux, and its main caveat is the learning curve that comes with a broad IR surface area. Choose VanGuard when you want a field-ready DFIR kit instead of another single-purpose utility.
