// resources / install / docs

Stand up Project Mimir in 15 minutes. Enroll your first agent in two.

No vendor sales call. No license keys. git clone, docker compose up, and you have a self-hosted endpoint visibility platform on your own iron — running on hardware you control, with data that never leaves your network.

Server up: 15m · First agent: <2m · Fleet query: <30s
// what you're installing

One server. One agent per host. SQL across your fleet.

Project Mimir is a self-hosted endpoint visibility platform built on top of osquery. The server is a single Go binary you run in Docker. The agent is a small static binary that runs on every endpoint and answers SQL questions about that machine — installed software, listening ports, logged-in users, file hashes, anything osquery exposes as a table. Your security team gets a live dashboard, ad-hoc query, IOC matching, and SIEM webhooks. You keep the data.

Mimir Server

One Go binary + PostgreSQL, run via docker compose. Hosts the React dashboard, REST API for humans + automation, and the gRPC endpoint that agents stream to.

Architecture →

Mimir Agent

Static binary on each endpoint. Bundles osquery, runs scheduled packs, holds a persistent gRPC stream to the server, buffers locally if the server's down. Linux, macOS, Windows.

Agent docs →

mimir-cli

Tiny admin tool that lives on the server. Generates enrollment secrets, lists and revokes them, and surfaces server state. Most day-to-day work happens in the dashboard, not here.

CLI reference →
// 01 — before you begin

Five-minute prereq check.

If you have Docker on a Linux box you can ping from your endpoints, you're ready.

// 02 — quickstart

The 15-minute install.

Three steps: bring the server up, generate a secret, install the agent on a host. We'll keep going to a real query at the end.

1. Bring up the server

Clone the repo, change into the deploy directory, set a Postgres password (changeme in the session below is a placeholder; pick your own), and let docker compose do the rest. The compose file pulls Project Mimir, Postgres, and nginx and wires them up.

Open http://localhost when it's done — a setup wizard will walk you through creating the admin account.

deploy/docker-compose.yml

~/mimir-server — bash

    $ git clone https://github.com/bodenpat/Mimir
    $ cd Mimir/deploy
    $ POSTGRES_PASSWORD=changeme docker compose up -d
    # pulling postgres:16 ...... done
    # pulling mimir-server:1.11 ... done
    # building nginx ............. done
    ✓ mimir-postgres-1  Started
    ✓ mimir-server-1    Started
    ✓ mimir-nginx-1     Started
    # server is live → http://localhost

2. Generate an enrollment secret

Each agent enrolls with a one-time secret. Agents authenticate via mTLS after that — the secret only grants the right to get a client cert.

The plaintext is shown once. Project Mimir bcrypt-hashes it on the server. Lost it? Generate a new one.

mimir-cli reference

mimir-server — admin

    $ ./bin/mimir-cli --server http://localhost:8080 enroll generate prod-fleet
    # created enrollment secret 'prod-fleet'
    # save this now — it will not be shown again:
    secret: m_a4f1c8e2_b9d7_4a30_9f5c_7e2b1d3a8c6f
    $ ./bin/mimir-cli --server http://localhost:8080 enroll list
    NAME        CREATED              USED  STATUS
    prod-fleet  2026-04-25 10:14:02  0     active

3. Enroll your first agent

Pick the OS, run one command. The installer drops the binary, registers a service (systemd / launchd / Windows SCM), and the agent enrolls within 60 seconds. It'll show up in the dashboard automatically.

For Windows fleets, the same MSI also accepts msiexec /qn properties for Intune and SCCM — see deployment.md for MDM packaging.

docs/deployment.md

root@host01:~ — bash

    root@host01:~# apt install ./mimir-agent.deb
    # installs mimir-launcher, mimir-agent, osqueryd
    root@host01:~# mimir-configure \
        --server-addr mimir.corp.com:4433 \
        --enroll-api-addr https://mimir.corp.com:8080 \
        --enroll-secret m_a4f1c8e2_b9d7_4a30_9f5c_...
    ✓ wrote /etc/mimir/mimir-agent.yaml
    root@host01:~# systemctl enable --now mimir-launcher
    ✓ mimir-launcher.service active
    # enrolling .....
    ✓ enrolled as host01.corp.com (id: 4a8c…)

user@laptop — zsh

    $ sudo installer -pkg mimir-agent.pkg -target /
    ✓ installer: package installed successfully
    # LaunchDaemon registered as _mimir user
    $ sudo mimir-configure \
        --server-addr mimir.corp.com:4433 \
        --enroll-api-addr https://mimir.corp.com:8080 \
        --enroll-secret m_a4f1c8e2_b9d7...
    ✓ wrote /etc/mimir/mimir-agent.yaml
    ✓ launched com.mimir.launcher
    ✓ enrolled as MacBook-Pro.local (id: 8d32…)

C:\> — Admin: cmd

    C:\> msiexec /i mimir-1.11.0.0-windows-amd64.msi ^
           SERVER_ADDR=mimir.corp.com:4433 ^
           ENROLL_API_ADDR=https://mimir.corp.com:8080 ^
           ENROLL_SECRET=m_a4f1c8e2_b9d7... ^
           /qn /norestart
    REM silent install — perfect for Intune / SCCM
    [OK] MimirLauncher service installed
    [OK] agent enrolled — visible at http://mimir.corp.com

4. Run your first fleet query

Open the dashboard, click Queries, paste an osquery SQL statement, hit run. Results stream back in real time over gRPC. Save anything useful into a Pack and it runs on a schedule across every host.

No agents online yet? You can spin up mimir-mockfleet — 200 deterministic virtual hosts for QA. See docs/qa/mockfleet.md.

osquery table reference

mimir.corp.com — Queries

    -- "Show me every host that restarted osquery in the last hour."
    SELECT hostname, version
    FROM osquery_info
    WHERE start_time > (strftime('%s','now') - 3600);

    ▶ dispatched to 2,401 hosts
    ✓ 2,398 returned in 1.4s

    HOSTNAME          VERSION
    host01.corp.com   5.13.1
    host02.corp.com   5.13.1
    laptop-mbp.local  5.13.1
    DESKTOP-A1B2C3    5.13.1
    … 2,394 more rows
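
A second query to try from the Queries page, added here as an example and not taken from the Mimir docs: it joins three stock osquery tables (listening_ports, processes, hash) to list every non-loopback listener on a host together with the SHA-256 of the binary behind it, which is the kind of value a file-hash IOC is compared against. Table and column names come from the standard osquery schema; the loopback filter and column selection are choices made for this example.

```sql
-- Added example: network listeners per host, with the hash of each listening binary.
SELECT DISTINCT
  p.name,
  p.path,
  p.on_disk,          -- 1 = binary present, 0 = binary deleted after launch, -1 = unknown
  lp.protocol,        -- 6 = TCP, 17 = UDP
  lp.address,
  lp.port,
  h.sha256            -- NULL when the binary can no longer be read from disk
FROM listening_ports AS lp
JOIN processes AS p
  ON p.pid = lp.pid
LEFT JOIN hash AS h
  ON h.path = p.path  -- hash is only computed for paths named by the join
WHERE lp.port > 0                    -- drop UNIX-domain sockets, which report port 0
  AND lp.address NOT LIKE '127.%'    -- drop IPv4 loopback listeners
  AND lp.address <> '::1'            -- drop IPv6 loopback listeners
ORDER BY lp.port, p.name;
```

Rows where on_disk is 0 and sha256 is NULL are listeners whose executable has been removed from disk since launch, which makes them a good first filter during triage.
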
// 03 — concepts to know

Five terms that show up everywhere.

You don't need to read every doc to be productive — but these five concepts thread through the dashboard, the API, and the runbooks.

Pack

A YAML bundle of osquery queries that run on a schedule across all agents. Project Mimir ships with default packs (system-info, installed-software, network-connections, security-posture). You can upload your own from the Settings UI — no restart.

packs/ →

IOC (Indicator of Compromise)

A file hash, filename, file path, or Windows registry key you want to hunt for across the fleet. Drop one in and Project Mimir matches it against every endpoint every 15 minutes — and back-scans up to 90 days of history when you add it.

phase4-ioc-hunting.md →

Alert

The unified /alerts page is the daily triage view. One ranked feed across IOC hits, tamper events, compliance violations, fleet changes, and host-state transitions. Keyboard-first: j/k to walk, A to ack, / to search.

alerts-redesign.md →

Enrollment

Each agent's first contact with the server. The agent sends the bcrypt-checked enrollment secret, the server issues a unique ECDSA P-256 client certificate, and from then on every connection is mTLS. Decommissioned hosts cannot re-enroll without an admin.

enrollment & machine-id →
// 04 — full documentation

Every doc, sorted by what you need.

All canonical docs live in the GitHub repo. They version with the code, so what you read always matches what you're running.

// 05 — faq

Questions you'll have on day one.

Do my endpoints need outbound internet to enroll?
No. Endpoints only need outbound TCP to your Project Mimir server on ports 4433 (gRPC) and 8080 (enrollment HTTPS). If your server is on the corp network, agents stay on the corp network. The agent buffers results locally in SQLite when the server is unreachable and replays them when the connection comes back.

What if I don't want to install another agent on every endpoint?
The agent is the osquery binary plus a small wrapper that handles enrollment, mTLS, and a persistent gRPC stream. If you're already running osquery in any form, you're 90% of the way there. The wrapper is a static Go binary with no runtime dependencies.

How does this compare to CrowdStrike / SentinelOne?
Project Mimir is built for security teams that need the visibility of a CrowdStrike deployment without the six-figure contract. It's an open inventory and query layer — you bring your own threat intel and detection logic. Our Why Mimir page goes into detail on where Project Mimir wins and where commercial EDRs are still the right call.

Where does my data go?
Into your PostgreSQL. Project Mimir never phones home. There is no telemetry endpoint, no anonymized usage pingback, no license check. The server doesn't even need outbound internet beyond pulling osquery binary updates from the location you configure.

Can I roll out to Windows fleets via Intune or SCCM?
Yes — that's the primary deployment path for Windows. The MSI accepts SERVER_ADDR, ENROLL_API_ADDR, and ENROLL_SECRET as msiexec /qn properties. Detection rules, per-collection secrets, and upgrade behavior are all in docs/deployment.md.

What about HA / multi-instance deployments?
Run multiple server instances behind a load balancer with a shared PostgreSQL. The osquery binary store on disk needs to be on shared storage (NFS / NAS / S3-mounted). The full HA checklist — including the MIMIR_SECRET_KEY sharing requirement for TAXII — is in deployment.md § Multi-Instance.

Is there an SSO / OIDC integration?
Yes — OIDC and SAML 2.0 with JIT provisioning and group-to-admin elevation, shipped in v1.9.2.0. For local development and integration testing there's a self-contained fake IdP: make dev-sso-up. See docs/fakeidp.md.

I broke something. Where do I file an issue?
Open one on github.com/bodenpat/Mimir/issues with the server version (mimir-server --version), the agent version (mimir-agent --version), and the relevant log lines. If it's a security issue, mark it accordingly — please don't post exploits in public threads.

Skip the install. Try the live demo.

Want to see the dashboard, the globe, and the IOC matcher with real fleet data before you commit? The instant demo runs entirely in your browser with mockfleet's 200 simulated hosts.