The last months have been about building something we've needed for a long time: a security platform that actually follows your infrastructure, instead of forcing your infrastructure to conform to the platform.
I want to walk you through what we shipped and why it matters—not in the abstract, but in the concrete terms of what you can now do that you couldn't do before.
Container-Native Monitoring
Every container now tells its story. When an event fires—a privilege escalation, an authentication failure, a configuration drift—LinuxGuard doesn't just tell you what happened. It tells you which container, which pod, which workload was responsible.
Think about a Kubernetes node running dozens of workloads. A database sidecar. An application pod. An init container. A DaemonSet agent. Before, when an anomaly occurred, you were hunting through timestamps and PIDs, correlating logs across systems, trying to reconstruct which workload triggered the alert.
Not anymore. Every event carries its workload identity. The container that opened that suspicious file. The pod that attempted privilege escalation. The namespace where drift occurred. Triage happens in seconds instead of hours because the answer to "which container was this?" is right there.
And LinuxGuard now runs as a container—a fully static binary that operates as PID 1, reaps zombie processes, forwards signals correctly, and enrols via short-lived tokens without persistent state. It runs in distroless images with no shell and no package manager.
For CI pipelines, we added ephemeral mode. Spin up a runner, monitor it for the duration of the build, tear it down. No persistent identity files. No leftover state. Security monitoring that matches the lifecycle of how you're actually working.
Multi-Architecture Support
LinuxGuard now runs on every major architecture: AMD64, ARM64, ARMv7, RISC-V. One pull command. One installation. The right binary for your processor.
Imagine deploying sensors across global infrastructure. Cloud instances on AMD64. Raspberry Pi devices monitoring industrial equipment on ARM. RISC-V boards in embedded systems at the edge. Different processors, different environments, different constraints.
Same security platform. Same visibility. Same posture enforcement.
We built a multi-architecture build matrix that compiles eBPF probes per architecture, packages init scripts for every supported init system, and publishes a unified container manifest that automatically resolves to the correct binary. You don't think about architecture anymore—you just deploy.
We were honest about the constraints. ARMv7 runs in degraded mode—no eBPF probes, but full configuration monitoring and authentication tracking. RISC-V is best-effort. We document exactly what you get on each architecture because transparency matters more than marketing claims.
Real-Time Communication, Even When Connectivity Isn't Perfect
Security monitoring shouldn't require perfect network conditions. Edge deployments, air-gapped environments, restricted egress—these are real-world constraints, not edge cases.
We built real-time WebSocket communication with automatic fallback to HTTP polling. Commands reach agents in under five seconds instead of waiting on polling intervals. Playbooks fire near-instantaneously. And if connectivity degrades, the agent gracefully falls back, queues events, and resumes when the link returns.
For air-gapped environments, we added relay mode. Deploy a proxy at the network boundary. Agents communicate inward. The relay handles outbound traffic. Zero compromise on security posture, even in the most restrictive networks.
Centralised Configuration
The control plane now manages agent configuration centrally. Push log levels, update collection rules, enable feature flags—across the entire fleet, from the console, without touching a single host.
You can enable debug logging on a production agent for live diagnostics without restarting the service. You can apply a fleet-wide policy update in seconds instead of orchestrating configuration management runs across thousands of hosts.
Centralised configuration with distributed execution. The control plane decides, the agents act.
What This Unlocks
Let me paint a concrete picture.
A global manufacturing company runs LinuxGuard across three continents. Bare-metal servers in their European data centre on AMD64. ARM-based IoT gateways in Asian factories with spotty connectivity. RISC-V boards embedded in production equipment. Kubernetes clusters running mixed workloads in the cloud.
One platform. One dashboard. Complete visibility.
When a suspicious SSH key appears on a factory gateway, the alert fires immediately—despite intermittent connectivity. When a container attempts privilege escalation in their Kubernetes cluster, they know exactly which pod, which namespace, which workload. When configuration drift occurs on a bare-metal database server, they see the field-level change with full attribution.
They're not managing multiple tools for different environments. They're not piecing together partial visibility. They're securing everything—from edge to cloud, from bare metal to ephemeral containers—with a single platform.
This is what we built.
Why It Matters
For too long, security monitoring has been architecture-dependent and deployment-constrained. You could monitor your x86 servers. Maybe your ARM instances if you were lucky. Containers, only if they looked like traditional VMs. Edge devices—good luck.
The result was always the same compromise: secure what you can with the tools you have, and hope the rest holds.
The edge device nobody thought to monitor. The ARM-based gateway running an old distribution. The ephemeral container that existed for four minutes during a deployment but had root access. The factory-floor server with intermittent connectivity that drifted out of compliance months ago because the monitoring tools couldn't reach it.
Those gaps are where the damage happens.
We're building LinuxGuard to close them. Visibility should follow your workload—wherever it runs, whatever processor it's on, however it connects. Your security platform shouldn't constrain your infrastructure choices. It should adapt to them.
What's Next
We're expanding active response capabilities. Container-aware enforcement. Workload-scoped isolation. Architecture-aware remediation scripts that understand the capabilities of each platform.
We're building smarter behavioural analytics that learn normal patterns per workload type—because a database container behaves differently than a web frontend, and the platform should recognise that.
And we're going deeper into the edge. Ultra-low-power modes for constrained devices. Mesh networking for environments where traditional connectivity doesn't exist. Security monitoring that works on a solar-powered sensor node in a remote location.
The Foundation
The last months were about building the foundation: container-native execution, multi-architecture support, real-time communication, centralised control.
What comes next builds on that foundation—security monitoring that doesn't force you to choose between innovation and visibility, that doesn't leave gaps because your infrastructure doesn't match the vendor's reference architecture.
LinuxGuard follows your workload. Bare metal. Containers. Virtual machines. AMD64. ARM. RISC-V. Cloud. Edge. Air-gapped networks.
Everywhere.
Because the future of infrastructure is heterogeneous, distributed, and constantly evolving—and your security platform needs to be, too.
LinuxGuard is an identity-first security platform for modern Linux infrastructure. Learn more at linuxguard.io.