Coming Soon

Incident response
starts here.

Arden is a zero-dependency DFIR event log analyzer for Windows. Single executable. 71 detection rules. 14 Sigma rules. Real-time dashboard. Deploy in seconds — no agents, no cloud, no subscriptions.

↓ Download Arden See How It Works
71
Detection Rules
14
Sigma Rules
<30s
Startup Time
0
Dependencies

Named after the Ardennes — the forested region where Allied defenders held the line against a massive offensive in the winter of 1944. Arden is built for the same mission: when attackers breach the perimeter, you need to see what happened, how far they got, and where to cut them off.

PowerShell — arden.exe
PS C:\> .\arden.exe --serve
 
╔═════════════════════════════════════════════════╗
ARDEN — DASHBOARD SERVER
╚═════════════════════════════════════════════════╝
 
🌐 Dashboard: http://localhost:8080
📡 API: http://localhost:8080/api/status
 
[*] Reading local event logs...
[*] 6 parallel readers active
[+] Parsed 47,283 events in 28 seconds
[!] 17 CRITICAL23 HIGH • 41 MEDIUM • 12 LOW
[!] COMPOUND RISK: CRITICAL — Active lateral movement detected
Detection Coverage
71 rules. Every attack phase.
From initial access to impact, Arden covers the full MITRE ATT&CK kill chain with hand-tuned detection rules and self-exclusion logic that minimizes noise. 63 rules work with native Windows event logs — no Sysmon required. 8 additional rules activate automatically when Sysmon is present, detecting DLL hijacking, process injection, COM hijacking, timestomping, and UAC bypass.
11
Lateral Movement
RDP, PsExec, WMI, Pass-the-Hash, PS Remoting, Named Pipes, DCOM, Explicit Credentials, Network Logon
8
Defense Evasion
Defender Disabled, Firewall Disabled, Suspicious PS, Log Clearing, Audit Policy, Process Injection, Sysmon Disabled
6
Credential Access
NTLM Auth, Kerberoasting, LSASS Access, DCSync, Comsvcs Dump, SAM Hive Dump
8
Persistence
Scheduled Tasks, Registry, Account Creation, Admin Group Modification, WMI Subscriptions, BITS Jobs, Accessibility Features, DCShadow
5
Command & Control
RDP Tunneling, SSH Tunnel Tools, Web Shell Detection, Firewall Loopback, RMM Tool Detection
11
Execution & Escalation
LOLBins, MSHTA, Regsvr32, WMIC XSL, CMSTP, MSI abuse, renamed binaries, BYOVD Drivers, New Services, Special Privileges, UAC Bypass
3
Discovery
Admin Group Enumeration, Directory Access, Reconnaissance Commands (net, whoami, ipconfig)
3
Impact
Shadow Copy Deletion, BCDEdit Recovery Disable, Critical Service Termination
Capabilities
Everything you need. Nothing you don't.
Built for solo responders and small teams who need to move fast. No cloud dependency. No license server. No vendor lock-in.
🚀

30-Second Startup

6 parallel PowerShell readers with HashSet filtering parse 50K+ events in under 30 seconds. No indexing, no pre-processing.

📡

Agent Deployment

Push lightweight agents via admin share + WMI. Pull model with heartbeat monitoring. Deploy to your entire network from the dashboard.

🌐

Real-Time Dashboard

Server-Sent Events stream alerts live. Kill chain visualization, dual filtering (host + severity), and full-text search across all fields.

📄

Export & Report

One-click CSV and JSON exports. Filter-aware — exports respect your active severity, tactic, host, and date range filters.

🚫

False Positive Triage

Suppress by rule, rule+host, or rule+user. Reason tracking. Triage dashboard shows what's hidden and why. One-click removal.

🛡

Sigma Rules

14 custom Sigma YAML rules included. Cobalt Strike pipes, Impacket tools, BITS abuse, potato attacks, download cradles, and more.

Getting Started
Three commands. Full visibility.
No installer. No setup wizard. No dependencies to chase. Download, run, investigate.
1

Download

Single portable executable. 15MB. Runs on Windows 10/11, Server 2016+. No .NET, no Python, no runtime needed.

2

Run

arden.exe --serve reads local event logs, runs all 71 detection rules, and launches the dashboard.

3

Investigate

Dashboard opens at localhost:8080. See alerts by severity, filter by host, export findings. Deploy agents to remote machines from the UI.

Comparison
Why Arden?
Most SIEM and EDR platforms require dedicated infrastructure, cloud subscriptions, and weeks of onboarding. Arden runs in 30 seconds on the machine you're already investigating — no server, no cloud, no commitment.
Capability Traditional SIEM / EDR Arden
Time to first alert Days to weeks 30 seconds
Dependencies Agent + server + DB + cloud Zero
Deployment Professional services Double-click
Monthly cost $500 – $5,000+/mo From $19/mo
Cloud requirement Required Fully offline
MITRE ATT&CK coverage Varies by config 71 rules out of the box
Data leaves your network Yes (telemetry/cloud) Never
Multi-host collection Requires agent per host Built-in agent deployment
Pricing
Simple, transparent pricing.
No per-endpoint fees. No ingestion limits. No surprise invoices. Early access members get a discount on their first year.
Standalone
$19 /month
or $190/year (save $38)
Single machine analysis
71 detection rules + 14 Sigma
Real-time dashboard
EVTX/JSON/XML import
CSV & JSON export
Alert triage & suppression
Fully offline — no cloud
Join Early Access
Most Popular
Network
$29 /month
or $290/year (save $58)
Everything in Standalone
Multi-host agent deployment
Network discovery (CIDR scan)
Active Directory integration
Remote log collection (WinRM/SMB)
Agent health monitoring
Centralized multi-host dashboard
Join Early Access

Ready to hold the line?

Arden is currently in development. Join the early access list to be notified when it launches — and get a discount on your first year.

Windows 10/11 • Server 2016+ • x64 • No runtime required