Rustinel Launches as Unified Open-Source Endpoint Detection Agent
A new open-source endpoint detection agent named Rustinel has been released, offering a unified, user-mode approach to telemetry collection and threat detection across Windows and Linux systems.

Rustinel, a new open-source endpoint detection agent, has been released to provide a unified telemetry collection and analysis platform for both Windows and Linux environments. By utilizing a single codebase, the tool aims to simplify the operational burden for defenders who previously had to manage disparate pipelines for different operating systems (Help Net Security).
The agent functions by collecting telemetry through Event Tracing for Windows (ETW) on Windows systems and eBPF on Linux. This data is then normalized into a shared model and evaluated against three distinct detection layers: Sigma rules for behavioral matching, YARA signatures for scanning executables, and an IOC engine for deterministic checks against known hashes, IP addresses, and domains (Help Net Security).
A key design decision for Rustinel is its user-mode architecture. Unlike many commercial EDR products that rely on kernel drivers for tamper resistance and early visibility, Rustinel operates entirely in user mode. According to author Théo Foucher, this approach prioritizes stability and transparency, noting that user-mode processes are significantly less likely to crash a host than kernel-mode components. Furthermore, the agent is written in Rust, which leverages memory safety to eliminate entire classes of common software defects (Help Net Security).
While the tool offers significant operational benefits, it does have limitations. Foucher acknowledges that Rustinel cannot match the tamper resistance or deep kernel visibility of kernel-based EDRs, making it unsuitable for defending against kernel-mode rootkits or highly privileged attackers who may attempt to disable telemetry. Additionally, the agent currently struggles with memory-only payloads, obfuscated living-off-the-land activity, and encrypted command-and-control traffic (Help Net Security).
The project is currently available on GitHub under the Apache 2.0 license. On Windows, it can be deployed as a service, while Linux deployment requires kernel 5.8 or newer with BTF support. The agent outputs alerts in an ECS-compatible NDJSON format, facilitating easy integration with common SIEM and log-analysis platforms like Elastic or Splunk (Help Net Security).
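To make the pipeline described above concrete (collector output normalised into one shared model, run through a deterministic IOC layer and a Sigma-style behavioural rule, and emitted as ECS-compatible NDJSON), here is a stripped-down version of that flow in Rust. This is an added example written for this page, not Rustinel's own code: the event schema, rule structure, ECS field selection and every sample value (indicator hash, IP, domain, timestamps, command lines) are constructed assumptions, and the YARA layer is left out because it needs a file scanner rather than an in-memory check.

```rust
use std::collections::HashSet;

/// Normalised event shared by both OS collectors.
/// Constructed schema for this example, not Rustinel's actual event model.
#[derive(Debug, Clone)]
pub struct Event {
    pub timestamp: String,        // ISO 8601, supplied by the collector
    pub os_type: String,          // ECS host.os.type: "windows" or "linux"
    pub process_name: String,
    pub command_line: String,
    pub file_sha256: Option<String>,
    pub dest_ip: Option<String>,
    pub dest_domain: Option<String>,
}

/// Deterministic IOC engine: exact-match sets for hashes, IPs and domains.
pub struct IocEngine { hashes: HashSet<String>, ips: HashSet<String>, domains: HashSet<String> }

impl IocEngine {
    pub fn new(hashes: &[&str], ips: &[&str], domains: &[&str]) -> Self {
        // Normalise case and trailing dots once at load time so lookups are exact and cheap.
        IocEngine {
            hashes: hashes.iter().map(|h| h.to_lowercase()).collect(),
            ips: ips.iter().map(|ip| ip.to_string()).collect(),
            domains: domains.iter().map(|d| d.trim_end_matches('.').to_lowercase()).collect(),
        }
    }

    /// Returns (indicator kind, matched value) for the first indicator hit, if any.
    pub fn check(&self, ev: &Event) -> Option<(&'static str, String)> {
        if let Some(h) = &ev.file_sha256 {
            let h = h.to_lowercase();
            if self.hashes.contains(&h) { return Some(("hash", h)); }
        }
        if let Some(ip) = &ev.dest_ip {
            if self.ips.contains(ip) { return Some(("ip", ip.clone())); }
        }
        if let Some(d) = &ev.dest_domain {
            let d = d.trim_end_matches('.').to_lowercase();
            if self.domains.contains(&d) { return Some(("domain", d)); }
        }
        None
    }
}

/// Minimal behavioural rule in the spirit of a Sigma `contains|all` selection:
/// every listed substring must appear in the command line, case-insensitively.
pub struct BehaviourRule { pub name: &'static str, pub all_contains: &'static [&'static str], pub severity: u8 }

impl BehaviourRule {
    pub fn matches(&self, ev: &Event) -> bool {
        let cl = ev.command_line.to_lowercase();
        self.all_contains.iter().all(|s| cl.contains(&s.to_lowercase()))
    }
}

/// Escape a string for embedding in a JSON string literal (std-only, no serde).
pub fn json_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out
}

/// Render one alert as a single ECS-style NDJSON line (a small subset of ECS fields).
pub fn ecs_alert_line(ev: &Event, rule_name: &str, description: &str, severity: u8) -> String {
    let mut s = String::new();
    s.push_str(&format!("{{\"@timestamp\":\"{}\",", json_escape(&ev.timestamp)));
    s.push_str(&format!("\"event\":{{\"kind\":\"alert\",\"severity\":{}}},", severity));
    s.push_str(&format!("\"host\":{{\"os\":{{\"type\":\"{}\"}}}},", json_escape(&ev.os_type)));
    s.push_str(&format!("\"process\":{{\"name\":\"{}\",\"command_line\":\"{}\"}},",
        json_escape(&ev.process_name), json_escape(&ev.command_line)));
    s.push_str(&format!("\"rule\":{{\"name\":\"{}\",\"description\":\"{}\"}}}}",
        json_escape(rule_name), json_escape(description)));
    s
}

/// Run one normalised event through the IOC and behavioural layers; one NDJSON line per hit.
pub fn evaluate(ev: &Event, ioc: &IocEngine, rules: &[BehaviourRule]) -> Vec<String> {
    let mut alerts = Vec::new();
    if let Some((kind, value)) = ioc.check(ev) {
        alerts.push(ecs_alert_line(ev, "ioc-match", &format!("IOC match on {}: {}", kind, value), 90));
    }
    for r in rules.iter().filter(|r| r.matches(ev)) {
        alerts.push(ecs_alert_line(ev, r.name, "behavioural rule matched", r.severity));
    }
    alerts
}

/// Constructed indicator set: placeholder hash, TEST-NET-3 address, reserved example domain.
pub fn sample_ioc() -> IocEngine {
    IocEngine::new(&["deadbeef".repeat(8).as_str()], &["203.0.113.7"], &["badhost.example"])
}

/// Constructed rule set (one encoded-PowerShell rule, the classic Sigma starter).
pub const RULES: &[BehaviourRule] =
    &[BehaviourRule { name: "encoded-powershell", all_contains: &["powershell", "-enc"], severity: 60 }];

/// Constructed sample feed: a Linux IOC hit, a Windows behavioural hit, and a benign event.
pub fn sample_events() -> Vec<Event> {
    let ev = |os: &str, name: &str, cl: &str, ip: Option<&str>| Event {
        timestamp: "2024-01-01T00:00:00Z".to_string(), os_type: os.to_string(),
        process_name: name.to_string(), command_line: cl.to_string(),
        file_sha256: None, dest_ip: ip.map(str::to_string), dest_domain: None,
    };
    vec![
        ev("linux", "curl", "curl http://203.0.113.7/update", Some("203.0.113.7")),
        ev("windows", "powershell.exe", "powershell.exe -NoP -Enc <base64-redacted>", None),
        ev("linux", "sshd", "/usr/sbin/sshd -D", None),
    ]
}

fn main() {
    let ioc = sample_ioc();
    for ev in sample_events() {
        for line in evaluate(&ev, &ioc, RULES) { println!("{}", line); }
    }
}
```

Each emitted line is self-contained JSON, so the output can be appended to a file that Filebeat or a Splunk monitor tails without any framing beyond the newline; a real agent would add fields such as `host.name`, `process.pid` and `event.category`, and would load its indicators and rules from files rather than constants.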
Rustinel highlights a growing trend in the security community toward modular, open-source tooling that emphasizes operational simplicity and memory safety. By focusing on widely understood detection standards like Sigma and YARA, the project seeks to provide a flexible alternative for organizations looking to standardize their endpoint telemetry without the complexity of proprietary kernel-level agents (Help Net Security).