Endpoint scanning
One-time scan
cyguard scan
Produces a snapshot of:
- Running processes (name, PID, user, CPU%, memory)
- Open listening ports (TCP/UDP, bound address, PID)
- Installed software packages and versions
- Suspicious process flags
Output
# JSON output
cyguard scan --format json --output endpoint.json
Agent mode
Run cyguard as a persistent daemon that periodically reports to the platform:
cyguard agent \
--interval 300 \
--platform https://app.cybrium.ai \
--token "$CYBRIUM_API_TOKEN"
| Flag | Default | Description |
|---|---|---|
| --interval | 300 | Scan interval in seconds |
| --platform | — | Cybrium platform URL |
| --token | — | API token for authentication |
In agent mode, cyguard:
- Runs a full scan at each interval
- Diffs against the previous scan to detect changes
- Reports new processes, ports, and software changes to the platform
- Flags suspicious processes immediately (no wait for next interval)
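The diff step described above, sketched as an added example (this is not cyguard's own code). The snapshot field names and sample values are assumptions made for illustration, not cyguard's documented JSON schema.

```python
import ipaddress

# Constructed snapshots. Field names are assumptions for illustration,
# not cyguard's documented JSON schema.
PREVIOUS = {
    "processes": [{"pid": 812, "name": "sshd", "user": "root"}],
    "ports": [{"proto": "tcp", "address": "0.0.0.0", "port": 22, "pid": 812}],
    "packages": {"openssl": "3.0.2", "nginx": "1.18.0"},
}
CURRENT = {
    "processes": [{"pid": 903, "name": "sshd", "user": "root"},
                  {"pid": 4410, "name": "python3", "user": "www-data"}],
    "ports": [{"proto": "tcp", "address": "0.0.0.0", "port": 22, "pid": 903},
              {"proto": "tcp", "address": "::", "port": 502, "pid": 4410}],  # 502/tcp is Modbus
    "packages": {"openssl": "3.0.13", "curl": "7.81.0"},
}


def diff_snapshots(prev, curr):
    """Return new processes, new listeners and package changes between two scans."""
    # PIDs change across restarts, so identity is (name, user) for processes
    # and (proto, address, port) for listeners, never the PID.
    def proc_id(p):
        return (p["name"], p["user"])

    def port_id(s):
        return (s["proto"], s["address"], s["port"])

    seen_procs = {proc_id(p) for p in prev["processes"]}
    seen_ports = {port_id(s) for s in prev["ports"]}
    owner = {p["pid"]: p["name"] for p in curr["processes"]}
    old, new = prev["packages"], curr["packages"]
    return {
        "new_processes": sorted({proc_id(p) for p in curr["processes"]} - seen_procs),
        "new_ports": [
            {"listener": port_id(s), "process": owner.get(s["pid"], "unknown"),
             # 0.0.0.0 and :: accept connections on every interface
             "all_interfaces": ipaddress.ip_address(s["address"]).is_unspecified}
            for s in curr["ports"] if port_id(s) not in seen_ports
        ],
        "packages_added": sorted(new.keys() - old.keys()),
        "packages_removed": sorted(old.keys() - new.keys()),
        "packages_changed": {n: (old[n], new[n])
                             for n in sorted(old.keys() & new.keys()) if old[n] != new[n]},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(diff_snapshots(PREVIOUS, CURRENT), indent=2))
```

Keying on name and listener tuple rather than PID means the restarted sshd (PID 812 to 903) produces no change, while the new listener on port 502 owned by python3 does.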
What cyguard flags as suspicious
- Known crypto miner process names
- Reverse shell patterns (e.g., /bin/sh -i, nc -e)
- Processes listening on OT protocol ports from non-OT binaries
- Processes running as root with network connections to external IPs