Wazuh
An open-source security platform providing unified host-based intrusion detection, vulnerability assessment, compliance auditing, and threat detection across endpoints, servers, and cloud workloads.
Developer
Wazuh, Inc.
Technical Dossier
Wazuh is an open-source security platform that unifies several critical security functions — vulnerability detection, host-based intrusion detection (HIDS), log analysis, file integrity monitoring, and regulatory compliance auditing — into a single agent-manager architecture. Originally forked from OSSEC in 2015, Wazuh has grown into a comprehensive XDR and SIEM platform with over 25,000 GitHub stars, deployed across enterprises, government agencies, and managed security service providers worldwide.
The platform operates on a lightweight agent (available for Linux, Windows, macOS, Solaris, AIX, and HP-UX) that collects system telemetry and forwards it to the Wazuh manager for analysis. The vulnerability detection module maintains a continuously updated inventory of installed packages on each agent and cross-references them against CVE databases from NVD, Canonical, Red Hat, Debian, SUSE, Amazon, Microsoft, and Arch Linux. This provides always-current vulnerability posture across the entire fleet without requiring periodic scan sweeps — as new advisories are published, affected endpoints are flagged automatically.
Beyond vulnerability detection, Wazuh’s HIDS capabilities include file integrity monitoring (detecting unauthorised changes to critical system files and registry keys), rootkit detection, active response (automated blocking of IPs or killing processes in response to threats), and log-based intrusion detection with a configurable rule engine supporting over 4,000 built-in rules and custom decoder pipelines. The compliance module continuously evaluates endpoint configurations against PCI-DSS, HIPAA, NIST 800-53, GDPR, CIS Benchmarks, and TSC requirements, generating evidence for audit preparation. The Wazuh dashboard, built on OpenSearch, provides centralised visualisation, alerting, and fleet management, scaling from single-server deployments to distributed architectures managing tens of thousands of agents.
Vulnerability Detection
Agent-based inventory of installed packages matched against CVE databases to continuously identify known vulnerabilities across all monitored endpoints.
Intrusion Detection
Host-based IDS with file integrity monitoring, rootkit detection, log analysis, and anomaly detection powered by configurable rulesets and decoders.
Compliance Monitoring
Continuous assessment against PCI-DSS, HIPAA, NIST 800-53, GDPR, CIS Benchmarks, and TSC with automated evidence collection for audits.
Centralised Management
Scalable manager-agent architecture with Wazuh dashboard (OpenSearch-based) providing alerting, visualisation, and fleet management for thousands of agents.
Distribution Model
Open Source
Free community edition available.
Enterprise support on request.

Platform: Linux, Windows, macOS
Architecture: Agent + Manager
CVE Sources: NVD, Canonical, Red Hat
License: GPL 2.0