Untracked configuration is exposure.
A Linux fleet is only as secure as the drift you can prove does not exist. Hand-edited configs, half-applied patches, missed reboots, stale CVEs, and undocumented exceptions are where breaches get their opening.
oxharden exists for one reason: to make Linux hardening visible, verifiable, repeatable, and operationally boring.
The things we refuse to compromise.
oxharden is founder-built, but not casually built. These are not brand values. They are engineering constraints — the ones we would rather lose a deal than weaken.
The agent speaks to the control plane over mutually authenticated gRPC on TLS 1.3. No inbound ports. No open listeners. It runs as a non-root user by default, with explicit Linux capabilities granted for the data it needs to collect. We do not pretend visibility is free, and we do not run a blanket root daemon to get it.
Written in Go, the agent is built to inspect production Linux systems without becoming production noise. We intentionally trade scan speed for predictable resource use, because a security agent should not be the hottest process in top.
Every detector is covered by integration tests against real distro images. Known-vulnerable fixtures are pinned, scanner regressions fail CI, and bad data is stopped long before it can lie to your audit.
One agent out. One encrypted line back.
No bastion to maintain, no port to expose. Agents dial home over authenticated gRPC and send signed evidence; the control plane never reaches into your network.
Quiet on the host. Loud on the truth.
The agent is designed to inspect without becoming the workload. We favor predictable CPU, bounded memory, and clean evidence over flashy scan-speed claims. When the scan finishes, the host gets its resources back and the control plane gets the truth.
I started oxharden because I got tired of pretending green dashboards meant secure systems.
Like you, I’ve dealt with the ‘checkbox theater’ — vague scores and scanner results that take half a day to disprove. I needed a tool that provided the ground truth: whether a Linux host is patched, hardened, exposed, or lying somewhere in between.
oxharden exists to eliminate the guesswork. We provide real host state, real vulnerability context, and direct answers about what is actually running on your infrastructure. No fluff. No theater. Just evidence you can defend and act on.
Built past the first scan.
oxharden is built for the full lifecycle of Linux hardening: exposure, evidence, drift, remediation, and proof over time.
Findings ranked by what attackers are exploiting now, not just what scores highest on paper. In production across the fleet today.
Snapshot known-good host state, detect when configuration drifts, and show the exact path back to baseline.
Run the control plane inside your own boundary for classified, regulated, and high-control environments. No data leaves the perimeter.
Researching runtime exploit signals and verifiable software bills of materials for every host you ship.
Launch your first scan in minutes.
Not ready to install? Click around the live demo with real fleet data first. Then start a 14-day free trial on up to 30 of your own hosts.
curl -fsSL https://packages.executepath.dev/install.sh \
  | sudo EXPECTED_GPG_FINGERPRINT=13094D5AB037E6CD79CDFA3A51687EAC6B931A09 bash
✓ inventory synced · 410 packages · 4 ports
✓ first scan complete · 12 critical · 19 vulnerable pkgs