Velociraptor
What is Velociraptor?
An open-source endpoint-visibility and DFIR platform — originally by Mike Cohen, now Rapid7-stewarded — that uses the VQL query language to hunt, collect artifacts, and respond live across fleets of Windows, Linux, and macOS hosts.
Velociraptor is an open-source DFIR and endpoint-visibility platform built around a custom query language called VQL (Velociraptor Query Language). A Velociraptor server orchestrates lightweight agents on Windows, Linux, and macOS endpoints; analysts write or pick VQL artifacts that collect specific evidence (registry hives, MFT, $UsnJrnl, browser history, Sysmon events, persistence locations, memory captures, YARA hits) or perform live response actions (kill process, isolate host, dump memory). Velociraptor is unusually flexible compared to traditional EDR: artifacts are version-controlled YAML+VQL, so a community library of hunts and forensic collectors is published and reused widely (Rapid7's velociraptor-artifacts repo, the SANS community list). Use cases include large-scale hunting across thousands of hosts, bulk artifact collection during IR, evidence preservation, and continuous endpoint monitoring. Originally written by Mike Cohen (also behind GRR), Velociraptor was acquired by Rapid7 in 2021 but remains AGPL-licensed open source with active community development.
● Examples
- 01
An IR team deploys Velociraptor across 5,000 endpoints to hunt for a specific YARA-detected backdoor and collect MFT + Prefetch + Amcache wherever it matches.
- 02
An incident playbook fires a Velociraptor 'Acquire Triage' hunt that pulls a Kape-equivalent artifact set from every endpoint into the server within an hour.
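The definition above describes artifacts as version-controlled YAML+VQL, and example 01 describes a fleet-wide YARA hunt. The following is an added example of a minimal custom artifact in that format; it is not code from the Velociraptor project or from this page. The artifact name, the parameter names `SearchGlob` and `YaraRule`, the default glob and the placeholder YARA rule are all constructed for illustration, and the query assumes a Velociraptor release in which `glob()` exposes the `OSPath` column.

```yaml
# Added example artifact (not from the Velociraptor project).
# Scans files matched by a glob with a caller-supplied YARA rule and
# reports each hit; run it as a server-side hunt so results aggregate per host.
name: Custom.Windows.Detection.YaraFileHunt
description: |
  Example detection artifact: scan files under SearchGlob with YaraRule and
  return one row per YARA match (path, rule name, matched string and offset).
type: CLIENT
parameters:
  - name: SearchGlob
    description: Glob of files to scan (constructed default; adjust per case).
    default: C:/Users/**/*.exe
  - name: YaraRule
    type: yara
    description: YARA rule text. The default is a placeholder, not a real detection.
    default: |
      rule Placeholder_Example {
        strings:
          $marker = "REPLACE_WITH_CASE_SPECIFIC_STRING"
        condition:
          $marker
      }
sources:
  - query: |
      LET candidates = SELECT OSPath FROM glob(globs=SearchGlob)
      SELECT FileName AS Path,
             Rule,
             String.Name AS StringName,
             String.Offset AS Offset
      FROM foreach(row=candidates,
                   query={ SELECT * FROM yara(rules=YaraRule, files=OSPath) })
```

Loading this artifact on the server and launching it as a hunt produces a per-client result table of hits; a follow-up collection (MFT, Prefetch, Amcache) can then be scoped to only the hosts that returned rows, which is the pattern example 01 describes.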
● FAQ
What is Velociraptor?
An open-source endpoint-visibility and DFIR platform — originally by Mike Cohen, now Rapid7-stewarded — that uses the VQL query language to hunt, collect artifacts, and respond live across fleets of Windows, Linux, and macOS hosts. It belongs to the Forensics and Incident Response category of cyber security.
What does Velociraptor mean?
An open-source endpoint-visibility and DFIR platform — originally by Mike Cohen, now Rapid7-stewarded — that uses the VQL query language to hunt, collect artifacts, and respond live across fleets of Windows, Linux, and macOS hosts.
How does Velociraptor work?
Velociraptor is an open-source DFIR and endpoint-visibility platform built around a custom query language called VQL (Velociraptor Query Language). A Velociraptor server orchestrates lightweight agents on Windows, Linux, and macOS endpoints; analysts write or pick VQL artifacts that collect specific evidence (registry hives, MFT, $UsnJrnl, browser history, Sysmon events, persistence locations, memory captures, YARA hits) or perform live response actions (kill process, isolate host, dump memory). Velociraptor is unusually flexible compared to traditional EDR: artifacts are version-controlled YAML+VQL, so a community library of hunts and forensic collectors is published and reused widely (Rapid7's velociraptor-artifacts repo, the SANS community list). Use cases include large-scale hunting across thousands of hosts, bulk artifact collection during IR, evidence preservation, and continuous endpoint monitoring. Originally written by Mike Cohen (also behind GRR), Velociraptor was acquired by Rapid7 in 2021 but remains AGPL-licensed open source with active community development.
How do you defend against Velociraptor?
Defending against Velociraptor typically combines technical controls with operational practice; see the full definition above.
What other names does Velociraptor go by?
Common aliases include: Velociraptor DFIR.
● Related terms
- forensics-ir № 343
DFIR (Digital Forensics and Incident Response)
The combined discipline of digital forensic investigation and incident response, used to detect, contain, eradicate, and draw lessons from cyber security incidents.
- forensics-ir № 582
Incident Response
The organized process of preparing for, detecting, analyzing, containing, eradicating, and recovering from cyber security incidents, and capturing lessons learned.
- defense-ops № 1267
Threat Hunting
Hypothesis-driven, proactive searching through telemetry to find threats that evade existing detections.
- forensics-ir № 742
Memory Forensics
The forensic discipline of acquiring and analyzing a system's volatile RAM to reveal running processes, network connections, injected code, and in-memory traces.
- forensics-ir № 646
KAPE (Kroll Artifact Parser and Extractor)
A Windows forensic triage tool from Kroll that collects forensic artifacts from live systems or images and runs parsing modules to produce results ready for review.
- defense-ops № 1393
YARA Rules
Text signatures written in the YARA language that classify and detect malware samples and files by byte, string, or behavioral patterns.