Overview
Launch real-time, fleet-wide artefact-collection hunts across thousands of endpoints from a single authenticated API, then track client reach and returned results without leaving the Argus platform.
Velociraptor is an open-source endpoint monitoring, digital forensics and incident-response (DFIR) platform maintained by Rapid7 and a wide community of contributors. Argus connects to a Velociraptor deployment so security operations and DFIR teams can coordinate targeted hunts, retrieve specific artefacts such as Windows event logs, registry hives, process lists, and network state, and feed the results straight into case management and evidence workflows. Hunts stream collected data from a lightweight cross-platform agent in real time, giving responders an immediate, continuously updating view of how far a hunt has reached and what it has found.
Every hunt that lands in Argus is persisted as a durable record with its own classification level, recorded in the platform audit trail, and registered as an operational entity for lineage. Analysts coordinate response across the whole estate while classification-level controls keep sensitive hunt records visible only to appropriately cleared personnel.
Key Features
- Fleet-wide hunt launch: Start an artefact-collection hunt that fans out across thousands of endpoints, naming the specific Velociraptor artefact to gather, an optional description, and the responsible analyst, all from one authenticated API.
- Real-time client reach tracking: See how many clients a hunt has reached as collection streams back, so responders know whether fleet coverage matches the scope of the investigation.
- Result volume awareness: Monitor how many results each hunt has returned to judge whether the artefact selection is producing useful investigative output or needs refining.
- Aggregate operational stats: Retrieve organisation-level totals covering total hunts, completed hunts, total clients reached, and total results returned, giving team leads an at-a-glance picture of response activity.
- Targeted artefact retrieval: Direct hunts at precise artefacts (Windows event logs, registry hives, running process lists, network state, and more) rather than collecting broad disk images, keeping collection fast and focused.
- Classification-level filtering: Each hunt record carries its own secrecy level, and records are filtered against the requesting analyst's clearance so sensitive operations stay visible only to cleared responders.
- Durable hunt records: Hunt status, client and result counts, creator, and timestamps are persisted as the authoritative record, surviving beyond the live session for later review and reporting.
- Built-in lineage and audit: Every hunt ingest writes an interop audit record and registers an operational entity event, satisfying data-lineage requirements for forensic evidence chains.
Use Cases
Security Operations and DFIR
A security operations team confirms an intrusion on one host and needs to know how far it spread. They launch a hunt for the relevant artefacts across the entire endpoint fleet and watch, in real time, the client count climb and results arrive. Within minutes they have a fleet-wide picture of which machines hold the same indicators, allowing accurate scoping before containment begins.
Real-Time Threat Hunting
Proactive hunters run targeted collections for suspicious registry keys, scheduled tasks, or anomalous network connections across the estate on a routine cadence. Because collection streams in real time from a lightweight agent, hunters get answers in the moment rather than waiting for a batch job to finish, and feed any positive hits into case management without escalating prematurely.
Incident Scoping and Containment
During an active incident, responders coordinate multiple concurrent hunts targeting different artefact types (event logs on one pass, process and network state on another), then use the combined client reach and result counts to confirm the blast radius. The aggregate stats give incident leads a single number to report on how broadly the response has executed.
Classified and Restricted Environments
Hunts run against endpoints in restricted networks are recorded at the appropriate classification level. Classification-level filtering ensures the resulting hunt records are returned only to cleared personnel, while the audit trail captures every access for accountability.
Integration
Velociraptor hunt management is exposed through a GraphQL API. Read fields return the hunt inventory for your organisation and the aggregate operational stats, while a launch operation starts a new hunt by naming the target artefact, description, creator, and classification level, returning the new hunt identifier and a confirmation flag. Hunt records expose the hunt identifier, description, artefact name, client count, result count, status, creator, classification level, and creation timestamp.
All operations are protected by OAuth 2.0 bearer tokens and scoped to the authenticated organisation, so one tenant can never read another tenant's hunts. PostgreSQL is the authoritative store for hunt records, which means hunt history, counts, and classification remain consistent and reportable over time. Each ingest also emits an interop audit record and an operational entity event, giving downstream lineage and reporting tools a consistent, normalised signal to act on.
Because hunt results land alongside the platform's case management, evidence, and forensics workbench capabilities, analysts move directly from a hunt result into evidence packaging and case escalation. Webhook notifications can signal when a hunt record has been ingested, letting downstream automation begin correlation or reporting as soon as a hunt is recorded. Velociraptor sits beside complementary collection capabilities in the platform (batch-oriented endpoint response and agentless Windows forensic collection), so teams choose the right tool per scenario while working from one consistent interface.
Open Standards
- Velociraptor (open-source DFIR platform): The endpoint monitoring and DFIR platform from Rapid7 and the wider community; Argus coordinates its hunts and consumes their results natively.
- VQL (Velociraptor Query Language): Hunts target artefacts specified in VQL, the expressive language Velociraptor uses to describe exactly which endpoint data to collect.
- GraphQL: The hunt-management API is delivered over GraphQL, giving customers a typed, self-describing contract for launching hunts and reading hunt inventory and stats.
- OAuth 2.0 (RFC 6749): Every API operation is authenticated with OAuth 2.0 bearer tokens, ensuring organisation-scoped, authorised access throughout.
- ISO/IEC 27037:2012 (Digital Evidence Identification and Collection): The hunt audit trail and classification controls align with ISO/IEC 27037 guidance on identifying, collecting, and preserving digital evidence in a forensically sound manner.
Security & Compliance
Every hunt ingestion is written to the platform's audit trail with a defined source standard identifier, the authenticated analyst, the organisation scope, and a timestamp, establishing the lineage required for forensic evidence chains. Hunt records carry their own classification level, and reads are filtered against the requesting analyst's clearance, so sensitive operations remain visible only to cleared personnel. All hunt data is scoped to the authenticated organisation, providing strict multi-tenant isolation, and PostgreSQL serves as the authoritative record so hunt history and provenance stay demonstrable for later review or legal proceedings.
Last Reviewed: 2026-05-26 / Last Updated: 2026-05-26