See every endpoint.
In real time. Without the contract.

Project Mimir is a self-hosted endpoint visibility platform built on osquery. Enroll thousands of hosts, query your fleet in SQL, and ship IOC alerts to your SIEM — all in 90 seconds.

Apache 2.0 / BSL 1.1 Free
// security model

Your fleet's secrets stay on your infrastructure.

The point of an EDR is to know what's happening on every endpoint. The cost, with most vendors, is shipping that knowledge to a third party. Project Mimir doesn't make that trade. Modern crypto, mutual auth on every connection, signed releases, and zero outbound telemetry — designed by a CISO who cares about security.

mTLS on every byte

Every agent ↔ server connection is mutually authenticated TLS 1.3. Each agent gets a unique ECDSA P-256 client cert at enrollment — no shared secrets at rest, no API keys to rotate, no bearer tokens to leak.

One-time enrollment secrets

Enrollment secrets are bcrypt-hashed on the server, plaintext shown exactly once. They authorize one thing only: getting a client cert. Decommissioned hosts can't re-enroll without an admin.

Signed releases, killable in seconds

Agent binaries are Ed25519-signed; agents verify before applying any update and refuse downgrades. A bad SHA can be blacklisted across the fleet and rollout frozen to 0% in one runbook step.

SSO that fits your IdP

OIDC and SAML 2.0 with JIT provisioning and group-based admin elevation. There's a self-contained fake IdP for local testing — no Okta sandbox required to validate your assertions.

crypto-manifest.txt — readonly
transport: TLS 1.3, mTLS both ways
agent cert: ECDSA P-256, per-host
enroll secret: bcrypt cost 12, one-shot
release sign: Ed25519, manifest-pinned
at rest: Postgres + AES-256 (your KMS)
SSO: OIDC + SAML 2.0, JIT
audit log: append-only, signed
egress: → your server only
telemetry: ✓ none. ever.
No phone-home, no usage pings. The server doesn't need outbound internet. Your fleet's process trees don't end up in someone else's data lake.
Open source, audit it yourself. Apache 2.0 / BSL 1.1. Read the enrollment handshake, the cert issuance flow, the signing pipeline — line by line, before you install.
Built for HA & sovereignty. Multi-instance behind your LB, your Postgres, your KMS, your data-residency zone. Nothing leaves the boundary you draw.
// what you get

Five primitives. One binary. Your data.

Project Mimir focuses on the unsexy parts of EDR — enrollment, transport, query distribution, IOC matching, host inventory — and stays out of your way for everything else.

Live host inventory

Every enrolled host sends a heartbeat every 30s. Online / stale / offline state, plus full system facts in one queryable table.

IOC matching

Subscribe to threat feeds or paste your own indicators. Project Mimir matches process, file, and network events as they arrive — no batch lag.

Ad-hoc SQL queries

Type a query, hit run, watch results stream back from thousands of hosts in under three seconds. Save useful queries to a Pack.

Fleet drift detection

Catch the host running osquery 5.11.0 when everyone else is on 5.13.1. Same for kernel, packages, configs — anything queryable.

Compliance packs

CIS, PCI, HIPAA — bundled query packs that map to the controls your auditor cares about. Schedule, dashboard, export.

SIEM webhooks

Project Mimir is a sensor, not a destination. Forward alerts to Splunk, Elastic, Datadog, or any HTTPS endpoint with a JSON payload.

// runs everywhere your fleet does

One agent. Every operating system that matters.

Heterogeneous fleets are reality. The dev laptops are Macs, the production servers are Linux, the corporate desktops are Windows, and somewhere in the rack room there's a FreeBSD storage node nobody talks about. Project Mimir's agent ships for all of them — same protocol, same dashboard, same SQL.

Tier 1 · CI-tested

Windows

Win 10, 11 · Server 2019, 2022, 2025
amd64 · arm64
.msi · Intune / SCCM
Tier 1 · CI-tested

macOS

macOS 14 (Sonoma) · 15 (Sequoia)
universal · arm64 · amd64
.pkg · LaunchDaemon
Tier 1 · CI-tested

Linux

Ubuntu 22, 24 · Debian 12 · Mint · Pop!_OS
amd64 · arm64
.deb · systemd
Tier 2 · Community

RHEL family

RHEL 9 · Rocky 9 · Alma 9 · Fedora 40+
amd64 · arm64
.rpm · systemd
Tier 2 · Community

FreeBSD

FreeBSD 13 · 14 · 14.1
amd64 · arm64
.pkg · rc.d
Same protocol everywhere: gRPC over mTLS — no per-OS quirks in transport
Native service integration: systemd · launchd · Windows SCM · rc.d
Single binary, zero deps: osquery + agent fused — no Python, no JVM, nothing
One SQL surface: same osquery schema across every OS — write once
// threat hunting

Hunt for indicators across every host — not just the ones still online.

The point of an IOC is to find compromise wherever it lives. Project Mimir matches indicators against live events as they arrive, and back-fills against the last 30 days of fleet history the moment you add a new one. Drop in a hash, paste a STIX/TAXII feed, or write your own osquery SQL — same engine, same alert surface.

01 · indicator

Add what you're hunting for

File hashes, filenames, file paths, Windows registry keys, network IOCs. Manual paste, CSV bulk import, or pull from a STIX/TAXII feed on a schedule.

Sources: STIX 2.1 · MISP · custom feeds · paste
02 · match

Live + retrospective

Every agent matches new events as they happen — process, file, network. Server back-fills new IOCs against 30 days of historical events the moment you save them.

Cadence: real-time stream · 15-min refresh · 30-day backfill
03 · triage

One ranked alerts feed

IOC hits land in the unified /alerts feed alongside tamper, compliance, and drift events. Keyboard-first triage. Forward via webhook to your SIEM.

Outputs: webhook · Splunk · Elastic · Datadog · email
File hash: SHA-256 · SHA-1 · MD5 — matched on every file event
Process / cmdline: exec name, parent, full args — wildcards allowed
Registry key: HKLM / HKCU paths and value names — Windows hosts
Network IOC: domains · IPs · CIDR blocks · JA3 fingerprints
mimir.corp.com — hunt
-- Hunt for known Mimikatz hashes across the fleet, last 30 days
SELECT hostname, path, sha256, last_seen
FROM file_events
WHERE sha256 IN ('31a3a...c2', '7b9e8...4f')
  AND last_seen > (strftime('%s', 'now') - 2592000);
-- Streaming results across 2,401 hosts...
▸ finance-vm-11    C:\Users\Public\m.exe   31a3a...c2   2m ago
▸ dev-laptop-3     /tmp/.cache/d           7b9e8...4f   14m ago
▸ kiosk-lobby-02   C:\PerfLogs\m.exe       31a3a...c2   1h ago
3 matches · 2,398 clean · query ran in 4.2s
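The live-plus-retrospective matching described above, as an added Python example (not Project Mimir's code): an index that files pasted indicators as hash, domain or IP/CIDR and back-fills them against a 30-day event history. The `Event` shape, `IocIndex`, `backfill`, the host names and every sample value are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple
BACKFILL_SECONDS = 30 * 24 * 3600   # 30-day window, the 2592000 in the hunt query
Event = namedtuple("Event", "host ts kind value")   # assumed shape; kind is "file" or "network"

class IocIndex:
    def __init__(self):
        self.hashes, self.domains, self.networks = set(), set(), []

    def add(self, indicator):
        # File one pasted indicator under cidr, hash or domain and return that type.
        ind = indicator.strip().lower()
        try:                                   # a bare IP becomes a /32 or /128 network
            self.networks.append(ipaddress.ip_network(ind, strict=False))
            return "cidr"
        except ValueError:
            pass
        if len(ind) in (32, 40, 64) and set(ind) <= set("0123456789abcdef"):
            self.hashes.add(ind)               # MD5 / SHA-1 / SHA-256 lengths
            return "hash"
        self.domains.add(ind.rstrip("."))
        return "domain"

    def matches(self, ev):
        v = ev.value.strip().lower().rstrip(".")
        if ev.kind == "file":
            return v in self.hashes
        try:
            ip = ipaddress.ip_address(v)
        except ValueError:                     # a name: hit on the indicator or any subdomain
            labels = v.split(".")
            return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))
        return any(ip in net for net in self.networks)

def backfill(index, history, now):
    # (host, value) pairs for stored events inside the window that hit an indicator
    return sorted({(e.host, e.value) for e in history
                   if e.ts > now - BACKFILL_SECONDS and index.matches(e)})

NOW = 1_700_000_000                            # constructed clock
BAD = "ab" * 32                                # constructed SHA-256-length placeholder
HISTORY = [                                    # constructed events
    Event("host-a", NOW - 120, "file", BAD),
    Event("host-b", NOW - 840, "file", "cd" * 32),
    Event("host-c", NOW - 3600, "network", "beacon.evil-c2.example"),
    Event("host-d", NOW - 5 * 86400, "network", "203.0.113.77"),
    Event("host-e", NOW - 31 * 86400, "file", BAD),   # older than the window
]
INDEX = IocIndex()
TYPES = [INDEX.add(i) for i in (BAD, "evil-c2.example", "203.0.113.0/24")]
HITS = backfill(INDEX, HISTORY, NOW)           # host-b is clean, host-e is out of range
```

Domain indicators match on label boundaries, so `notevil-c2.example` does not hit an indicator for `evil-c2.example`.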

// /alerts — last hour

CRIT | Mimikatz signature on 3 hosts | IOC · file_hash · 31a3a…c2 | 2m
HIGH | STIX feed: APT29 C2 domain hit | IOC · network · evil-c2.example | 11m
HIGH | Suspicious registry persistence | IOC · regkey · Run\winupdate | 28m
MED | cmd.exe spawned by winword.exe | IOC · process · 4 hosts | 42m
MED | Outbound to known TOR exit node | IOC · network · 1 host | 55m