Velociraptor.

An open-source endpoint-visibility and DFIR platform — originally by Mike Cohen, now Rapid7-stewarded — that uses the VQL query language to hunt, collect artifacts, and respond live across fleets of Windows, Linux, and macOS hosts. It belongs to the Forensics & IR category of cybersecurity.

An open-source endpoint-visibility and DFIR platform — originally by Mike Cohen, now Rapid7-stewarded — that uses the VQL query language to hunt, collect artifacts, and respond live across fleets of Windows, Linux, and macOS hosts.

Velociraptor is an open-source DFIR and endpoint-visibility platform built around a custom query language called VQL (Velociraptor Query Language). A Velociraptor server orchestrates lightweight agents on Windows, Linux, and macOS endpoints; analysts write or pick VQL artifacts that collect specific evidence (registry hives, MFT, $UsnJrnl, browser history, Sysmon events, persistence locations, memory captures, YARA hits) or perform live response actions (kill process, isolate host, dump memory). Velociraptor is unusually flexible compared to traditional EDR: artifacts are version-controlled YAML+VQL, so a community library of hunts and forensic collectors is published and reused widely (Rapid7's velociraptor-artifacts repo, the SANS community list). Use cases include large-scale hunting across thousands of hosts, bulk artifact collection during IR, evidence preservation, and continuous endpoint monitoring. Originally written by Mike Cohen (also behind GRR), Velociraptor was acquired by Rapid7 in 2021 but remains AGPL-licensed open source with active community development.

Defences for Velociraptor typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: Velociraptor DFIR.