Rustinel: Open-source endpoint detection for Windows and Linux
https://www.helpnetsecurity.com/2026/05/11/rustinel-open-source-endpoint-detection-windows-linux/
Publish Date: 2026-05-11 01:30:00
Source Domain: www.helpnetsecurity.com
Open-source endpoint detection has long been split between Windows-focused tools built around Sysmon and Linux tools built around eBPF or auditd. Defenders running mixed environments have had to stitch together separate pipelines, separate rule sets, and separate maintenance burdens. Rustinel, a Rust-based endpoint agent, is an attempt to collapse that work into a single codebase.
A single agent across two operating systems
Rustinel collects telemetry through ETW on Windows and eBPF on Linux, normalizes the events into a shared model, and evaluates them against Sigma rules, YARA signatures, and atomic indicators of compromise. Alerts are written to disk as ECS-compatible NDJSON, a format that is easy to ship, parse, and integrate into SIEM or log-analysis pipelines such as Elastic or Splunk.
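To make the collect-normalize-match-emit pipeline above concrete, here is an added Python example (not Rustinel's code; its event schema, Sigma-to-ECS field mapping, sample event and rule id are assumptions) that maps a Sigma-style rule's Windows field names onto a normalized ECS-like event, evaluates the rule, and writes the match as one ECS-compatible NDJSON line that a downstream consumer can parse.

```python
import json
from datetime import datetime, timezone
# Sigma's Windows process_creation field names mapped onto ECS-style dotted paths; this stands in for the agent's normalization step (assumed mapping, not Rustinel's).
FIELD_MAP = {"Image": "process.executable", "CommandLine": "process.command_line",
             "ParentImage": "process.parent.executable"}
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # Sigma level -> ECS event.severity
# Constructed Sigma-style rule (placeholder id) and a constructed, already-normalized event.
RULE = {"title": "Encoded PowerShell Command Line", "id": "PLACEHOLDER-RULE-ID", "level": "medium",
        "logsource": {"category": "process_creation", "product": "windows"},
        "detection": {"selection": {"Image|endswith": "\\powershell.exe",
                                    "CommandLine|contains": ["-enc ", "-encodedcommand"]},
                      "condition": "selection"}}
EVENT = {"host": {"name": "ws01", "os": {"type": "windows"}},
         "process": {"pid": 4242, "command_line": "powershell.exe -NoProfile -EncodedCommand QUJDRA==",
                     "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                     "parent": {"executable": "C:\\Windows\\explorer.exe"}}}

def get_field(event, dotted):
    """Walk a dotted path through the nested event; None when any step is absent."""
    for part in dotted.split("."):
        event = event.get(part) if isinstance(event, dict) else None
    return event

def value_matches(actual, expected, modifier):
    """Sigma string matching is case-insensitive; a list of expected values is OR-ed."""
    a = None if actual is None else str(actual).lower()
    return a is not None and any(
        {"contains": e in a, "startswith": a.startswith(e), "endswith": a.endswith(e), None: a == e}[modifier]
        for e in map(str.lower, expected if isinstance(expected, list) else [expected]))

def selection_matches(event, selection):
    """Every key of a selection must match (AND); a key carries at most one modifier, e.g. Image|endswith."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if not value_matches(get_field(event, FIELD_MAP.get(field, field)), expected, modifier or None):
            return False
    return True

def evaluate(rule, event):
    """Handles the simplest Sigma condition only: a single named selection, no boolean combinators."""
    det = rule["detection"]
    return selection_matches(event, det[det["condition"]])

def to_ecs_ndjson(rule, event):
    """Serialize a match as one ECS-compatible NDJSON line: a single JSON object, then a newline."""
    alert = {"@timestamp": datetime.now(timezone.utc).isoformat(),
             "event": {"kind": "alert", "category": ["process"], "severity": SEVERITY[rule["level"]]},
             "rule": {"name": rule["title"], "id": rule["id"], "category": rule["logsource"]["category"]},
             "host": event["host"], "process": event["process"]}
    return json.dumps(alert, separators=(",", ":")) + "\n"

def parse_ndjson(text):
    """Consumer side (SIEM or log shipper): one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]
```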
Windows coverage spans process creation, image load, network, file, registry, DNS, PowerShell, WMI, service, and scheduled task events. Linux coverage currently includes process, network, file, and DNS telemetry. According to the project, Windows coverage remains broader for now, with Linux eBPF support continuing to expand.
The agent runs in user mode on both platforms. On Windows it can be installed as a service. On Linux it requires kernel 5.8 or newer with BTF support and runs under root or a supervisor of the operator’s choice. Active response is optional and can be set to dry-run, with allowlists that exempt trusted paths.
A user-mode design choice
Most commercial EDR products ship a kernel driver to obtain early visibility and tamper resistance. Rustinel takes a different path. Author Théo Foucher said the choice was deliberate.
“Most commercial EDRs rely on a kernel driver for good reasons: tamper resistance, early visibility, and the ability to observe or block some activity before user-mode components see it. With Rustinel, I made a different design choice: stay as simple, transparent, and stable as possible while still collecting useful host…