OZIPHR 2.0 — Enterprise security monitor verification is now available. Request early access →

Verify your security monitors before the adversary does

The enterprise platform purpose-built to test whether your runtime security monitoring tools can detect threats, resist blinding, and survive evasion under real-world adversarial conditions.

Dashboard tabs: Overview · Assets · Findings · Vulnerabilities · Reports · Compliance

Security Overview (last updated: 2 min ago)

Risk Score: 72 · Critical Findings: 7 · Exposed Assets: 12 · Monitors Active: 5

Recent Findings:
  • Reverse shell not detected (Critical)
  • Falco blinding successful (Critical)
  • Fileless exec evaded auditd (High)
  • Privilege escalation detected (Pass)
  • Container escape blocked (Pass)

Security Posture Score: 72
Built for security teams defending critical infrastructure
Cloud Infrastructure
Kubernetes Clusters
Container Platforms
Bare Metal Servers
CI/CD Pipelines
20+ attack simulations · 5 security monitors · 3-phase methodology · 100% MITRE ATT&CK mapped
Platform

The verification layer your security stack is missing

You deploy monitors to detect threats. But do they actually work? OZIPHR answers that question with adversarial testing grounded in real attack techniques.

Monitor blinding detection

Tests whether an attacker who already holds root can silently disable each monitor by detaching its eBPF programs from their attach points and tampering with its BPF maps, without the monitor raising an alert.

Threat detection verification

Simulates real-world attack techniques including reverse shells, privilege escalation, credential access, and container escapes. Measures detection coverage and response latency.
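The "detection coverage and response latency" measurement above, as an added example that is not OZIPHR's code: it replays constructed Falco JSON alerts and auditd SYSCALL records against the known start time and pid of a simulated reverse shell and reports, per monitor, whether the technique was caught and how many milliseconds later. The log lines, rule names, pids and timestamps are constructed samples in the shape each tool emits, not captured data.

```python
"""Score detection coverage and latency for one simulated technique.

Added example, not OZIPHR code. The Falco and auditd lines below are constructed
samples in the shape each tool emits; rule names, pids and timestamps are
illustrative.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed Falco output (json_output: true gives one JSON object per alert).
FALCO_LINES = [
    '{"output":"12:00:01.250000000: Warning Redirect stdout/stdin to network connection (user=root command=bash -i)","priority":"Warning","rule":"Redirect STDOUT/STDIN to Network Connection in Container","time":"2024-05-01T12:00:01.250000000Z","output_fields":{"proc.name":"bash","proc.pid":4242,"fd.sip":"203.0.113.5"}}',
    '{"output":"12:00:03.100000000: Notice Terminal shell in container","priority":"Notice","rule":"Terminal shell in container","time":"2024-05-01T12:00:03.100000000Z","output_fields":{"proc.name":"bash","proc.pid":4243}}',
]

# Constructed auditd records. msg=audit(<epoch>.<ms>:<serial>); on x86_64,
# syscall 59 is execve(2) and 42 is connect(2).
AUDITD_LINES = [
    'type=SYSCALL msg=audit(1714564800.900:1001): arch=c000003e syscall=59 success=yes exit=0 comm="bash" exe="/usr/bin/bash" ppid=4000 pid=4242 uid=0 key="exec"',
    'type=SYSCALL msg=audit(1714564801.030:1002): arch=c000003e syscall=42 success=yes exit=0 comm="bash" exe="/usr/bin/bash" ppid=4000 pid=4242 uid=0 key="net"',
]

# The harness knows when it launched the simulated technique and as which pid.
TEST_START = datetime(2024, 5, 1, 12, 0, 0, 500_000, tzinfo=timezone.utc)
TEST_PID = 4242
CONNECT = 42  # x86_64 syscall number for connect(2)

AUDIT_RE = re.compile(r"msg=audit\((\d+)\.(\d{3}):\d+\).*?\bsyscall=(\d+).*?\bpid=(\d+)")


def falco_alerts(lines):
    """Yield (timestamp, rule, pid) for each Falco alert line."""
    for line in lines:
        rec = json.loads(line)
        # Falco timestamps carry nanoseconds; fromisoformat accepts at most microseconds.
        ts = datetime.fromisoformat(rec["time"][:26] + "+00:00")
        yield ts, rec["rule"], rec.get("output_fields", {}).get("proc.pid")


def audit_records(lines):
    """Yield (timestamp, syscall_number, pid) for each auditd SYSCALL record.

    \\bpid= does not match inside ppid=, so the child's own pid is taken.
    """
    for line in lines:
        m = AUDIT_RE.search(line)
        if not m:
            continue
        secs, millis, nr, pid = m.groups()
        ts = datetime.fromtimestamp(int(secs), tz=timezone.utc) + timedelta(milliseconds=int(millis))
        yield ts, int(nr), int(pid)


def _first_hit(test_start, hits):
    """Summarise the earliest (timestamp, evidence) pair seen after the test started."""
    hits = sorted(h for h in hits if h[0] >= test_start)
    if not hits:
        return {"detected": False, "latency_ms": None, "evidence": None}
    ts, evidence = hits[0]
    return {
        "detected": True,
        "latency_ms": round((ts - test_start) / timedelta(milliseconds=1)),
        "evidence": evidence,
    }


def evaluate(test_start, pid, falco_lines, auditd_lines):
    """Per-monitor verdict for the simulated technique identified by pid.

    Falco counts as detecting when any rule fired for the pid. auditd counts when
    it recorded the outbound connect(2) for the pid; it logs rather than alerts,
    so a SIEM rule would still be needed to turn that record into a finding.
    """
    falco_hits = [(ts, rule) for ts, rule, p in falco_alerts(falco_lines) if p == pid]
    audit_hits = [
        (ts, f"SYSCALL connect pid={p}")
        for ts, nr, p in audit_records(auditd_lines)
        if p == pid and nr == CONNECT
    ]
    return {
        "falco": _first_hit(test_start, falco_hits),
        "auditd": _first_hit(test_start, audit_hits),
    }


if __name__ == "__main__":
    for monitor, verdict in evaluate(TEST_START, TEST_PID, FALCO_LINES, AUDITD_LINES).items():
        print(monitor, verdict)
```

Correlating on the pid the harness itself spawned is what keeps the measurement honest: an alert for an unrelated shell (pid 4243 above) is not credited, and a monitor that logs the event without attributing it to the test process shows up as a miss.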

Evasion resilience testing

Goes beyond basic detection with fileless execution, process masquerading, timestamp manipulation, and audit log tampering to test monitoring resilience under adversarial pressure.

Actionable intelligence reporting

Every finding maps to MITRE ATT&CK techniques with structured evidence, severity classification, and specific remediation steps. Results stream in real time via WebSocket.

Why OZIPHR

From assumption to evidence

Most teams assume their monitors work. OZIPHR replaces that assumption with structured, reproducible, adversarial evidence.

01

Evidence-based verification

Not assumptions, not checklists, not vendor claims. Real adversarial test results with structured evidence artifacts, MITRE ATT&CK mapping, and reproducible methodology. Know exactly what your monitors detect and what they miss.

02

Zero-configuration discovery

Deploy the agent and walk away. Automatic detection of all installed security monitors through process scanning, systemd enumeration, and eBPF program discovery. No manual setup, no YAML files, no integration tokens.

03

Enterprise-grade reporting

Executive summaries for the board, technical deep-dives for engineers, compliance exports for auditors. Every finding includes severity classification, business impact assessment, and actionable remediation guidance.

Product

Enterprise-grade security verification

Purpose-built for security teams that need evidence-based confidence in their monitoring infrastructure.

Real-time Dashboard
Complete security posture visibility
Unified view of your entire monitoring infrastructure with real-time risk scoring, finding trends, and executive-ready reporting.
  • Aggregate security posture score
  • Real-time finding stream via WebSocket
  • Executive and technical report views
  • Multi-host fleet management
Dashboard Overview
Blinding Analysis
Know if your monitors can be silenced
Automated eBPF-based blinding tests that verify whether each security monitor can be disabled without triggering alerts or leaving forensic traces.
  • eBPF program detachment testing
  • BPF map corruption analysis
  • Per-monitor blinding resistance scores
  • Automated state restoration
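The blinding condition described in the "Monitor blinding detection" and "Blinding Analysis" passages (eBPF programs detached, process still alive) can be caught from the defender's side by diffing two bpftool snapshots. This added example is not OZIPHR's code; it assumes `bpftool prog show -j` and `bpftool link show -j` output in the shape bpftool emits (the `pids` field needs a recent kernel and bpftool), and the program names, ids and tags below are constructed samples rather than any monitor's real program set.

```python
"""Detect silent blinding of a runtime monitor by diffing bpftool snapshots.

Added example, not OZIPHR code. A baseline and a later snapshot of
`bpftool prog show -j` and `bpftool link show -j` are compared. A monitor whose
programs are detached from their tracepoints but left loaded still has a
healthy pid and still holds its BPF file descriptors, so a liveness check on the
process alone would pass. The attachment diff does not.

All JSON below is constructed sample data in bpftool's output shape; the
program names are illustrative, not a real monitor's program set.
"""
import json

BASELINE_PROGS = """[
  {"id": 40, "type": "raw_tracepoint", "name": "sys_enter", "tag": "9f1d0c3a7b2e4d5f",
   "map_ids": [7, 8], "pids": [{"pid": 2201, "comm": "falco"}]},
  {"id": 41, "type": "raw_tracepoint", "name": "sys_exit", "tag": "1a2b3c4d5e6f7081",
   "map_ids": [7, 8], "pids": [{"pid": 2201, "comm": "falco"}]},
  {"id": 50, "type": "cgroup_skb", "name": "sd_fw_egress", "tag": "0badc0de00000001",
   "map_ids": [], "pids": [{"pid": 1, "comm": "systemd"}]}
]"""
BASELINE_LINKS = """[
  {"id": 10, "type": "raw_tracepoint", "prog_id": 40, "tp_name": "sys_enter"},
  {"id": 11, "type": "raw_tracepoint", "prog_id": 41, "tp_name": "sys_exit"},
  {"id": 12, "type": "cgroup", "prog_id": 50, "cgroup_id": 1234, "attach_type": "cgroup_inet_egress"}
]"""
# After a simulated blinding: every program is still loaded (the monitor still
# holds the FDs) but the two raw_tracepoint links are gone.
AFTER_PROGS = BASELINE_PROGS
AFTER_LINKS = """[
  {"id": 12, "type": "cgroup", "prog_id": 50, "cgroup_id": 1234, "attach_type": "cgroup_inet_egress"}
]"""


def snapshot(progs_json, links_json):
    """Index a pair of bpftool JSON documents by object id."""
    progs = {p["id"]: p for p in json.loads(progs_json)}
    links = {l["id"]: l for l in json.loads(links_json)}
    return progs, links


def _attach_points(links, prog_id):
    """Set of (link type, tracepoint name) a program is attached through."""
    return {(l.get("type"), l.get("tp_name")) for l in links.values() if l.get("prog_id") == prog_id}


def blinding_findings(baseline, current, monitor_comm):
    """Return (prog_id, name, finding) tuples for the programs held by monitor_comm.

    Programs are attributed to the monitor via the pids bpftool reports as holding
    them. Attachment is compared by attach point rather than link id, so a
    monitor that legitimately re-attaches to the same tracepoints is not flagged.
    """
    b_progs, b_links = baseline
    c_progs, c_links = current
    owned = sorted(
        pid for pid, p in b_progs.items()
        if any(h.get("comm") == monitor_comm for h in p.get("pids", []))
    )
    findings = []
    for prog_id in owned:
        name = b_progs[prog_id].get("name", "?")
        if prog_id not in c_progs:
            findings.append((prog_id, name, "program unloaded"))
            continue
        lost = _attach_points(b_links, prog_id) - _attach_points(c_links, prog_id)
        for link_type, tp_name in sorted(lost, key=str):
            findings.append((prog_id, name, f"detached from {tp_name or link_type} but still loaded"))
    return findings


if __name__ == "__main__":
    base = snapshot(BASELINE_PROGS, BASELINE_LINKS)
    after = snapshot(AFTER_PROGS, AFTER_LINKS)
    for finding in blinding_findings(base, after, "falco"):
        print(*finding)
```

Re-baseline after a deliberate monitor restart, since a reload changes program ids and would otherwise read as "program unloaded". Map tampering (the second blinding vector on the page) is not visible from `prog show`/`link show`; checking it needs a `bpftool map dump` of the monitor's filter maps compared the same way.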
Blinding Resistance: 60%
MITRE ATT&CK Mapping
Structured results, not noise
Every test result maps directly to MITRE ATT&CK techniques with evidence artifacts, enabling structured communication with stakeholders and compliance frameworks.
  • Full MITRE ATT&CK technique mapping
  • Structured evidence artifacts
  • Severity and business impact classification
  • Exportable compliance reports
ATT&CK coverage examples: T1562.001 Impair Defenses: Disable or Modify Tools · T1059.004 Command and Scripting Interpreter: Unix Shell · T1620 Reflective Code Loading
Multi-Monitor Support
Verify your entire monitoring stack
Automatic discovery and verification of all deployed runtime security monitors. Compare detection capabilities across tools with a single test run.
  • Falco, Tracee, Tetragon, Wazuh, auditd
  • Automatic monitor discovery
  • Side-by-side capability comparison
  • Per-monitor security scoring
Monitor fleet: Falco · Tracee · Tetragon · Wazuh
Capabilities

Comprehensive attack simulation suite

Curated tests covering the techniques adversaries actually use in post-exploitation scenarios.

Blinding

SunnyDay BPF

Detach eBPF programs from tracepoints to disable monitor visibility

Blinding

SunnyMap BPF

Corrupt BPF map data to blind event filtering

Detection

Reverse Shell

Spawn outbound shell connections to test network detection

Detection

Privilege Escalation

SUID exploitation and capability manipulation

Detection

Credential Access

Read /etc/shadow and dump process memory

Detection

Container Escape

Namespace breakout and host filesystem access

Detection

Kernel Module Load

Rootkit-style kernel module insertion

Detection

Suspicious Network

DNS tunneling and C2 callback simulation

Evasion

Fileless Execution

Execute payloads from memory via memfd_create

Evasion

Process Masquerade

Rename processes to mimic legitimate binaries

Evasion

Log Tampering

Modify or delete audit and system log entries

Evasion

Timestomping

Alter file timestamps to evade forensic timelines

Workflow

Deploy. Discover. Verify.

From agent deployment to actionable results in under five minutes.

01

Deploy the agent

Install the single-binary Go agent on target hosts. The agent authenticates via API key and requires elevated privileges to perform realistic adversarial testing.

02

Automatic discovery

The agent detects all installed security monitors by scanning for running processes, systemd services, and eBPF programs. No manual configuration needed.

03

Verify and report

Executes the full test suite against each monitor. Results stream to the dashboard in real time with MITRE ATT&CK mapping, evidence, and remediation guidance.

Platform Architecture

Agent

Target endpoints

Lightweight · Auto-discovery · Non-destructive

OZIPHR Engine

Analysis & correlation

Real-time processing · Threat mapping · Scoring

Dashboard

Command center

Live telemetry · MITRE ATT&CK · Reporting
Compatibility

Monitors we verify

Verification coverage for the most widely deployed runtime security and audit frameworks on Linux.

Falco (Runtime Security): CNCF runtime threat detection engine, originally created by Sysdig, with eBPF and kernel-module drivers
Tracee (eBPF Tracing): Aqua Security's eBPF-based runtime security and forensics tool
Tetragon (Cilium Runtime): eBPF security observability and enforcement from the Cilium project (Isovalent)
Wazuh (XDR / SIEM): open-source threat detection and compliance monitoring platform
auditd (Linux Audit): the native Linux kernel audit framework for syscall logging
Insights

Research and analysis

Latest thinking on runtime security verification, monitor resilience, and adversarial testing methodology.

Use Cases

Built for security teams

Security professionals across disciplines rely on OZIPHR to validate their monitoring infrastructure.

Red Teams

Map detection gaps before penetration tests. Understand which techniques your monitors miss and where blind spots exist in your defensive posture.

Blue Teams

Confirm that your monitoring stack can resist blinding attempts and continue detecting threats even when an attacker has root-level access.

Security Engineering

Compare detection capabilities across monitors with structured, reproducible results. Make data-driven decisions with MITRE ATT&CK-mapped evidence.

Pricing

Choose your verification depth

Every plan includes core platform access. Higher tiers unlock advanced attack paths developed by our offensive security research team.

Free
For evaluation
$0
forever
Get started with basic detection verification. No credit card required.
  • Up to 2 hosts
  • 5 detection simulations
  • 7-day result retention
  • Community support
  Not included: blinding tests, evasion tests, API access, custom paths
5 paths · 2 hosts
Get Started
Starter
For growing security teams
$349
per month
Blinding and detection verification across your core infrastructure with MITRE mapping.
  • Up to 10 hosts
  • 12 attack simulations
  • Blinding + Detection phases
  • MITRE ATT&CK mapping
  • 30-day result retention
  • Email support
  Not included: evasion tests, custom paths
12 paths · 10 hosts
Start 14-Day Trial
Enterprise
For organizations at scale
Custom
annual contract
Everything in Professional plus proprietary attack paths developed by Milenium Security researchers.
  • Unlimited hosts & users
  • All Professional paths included
  • Custom attack paths by R&D team
  • Dedicated security engineer
  • Unlimited retention
  • On-premise deployment option
  • SSO, RBAC & full audit log
  • Enterprise SLA & uptime guarantee
Unlimited paths · Unlimited hosts
Contact Sales
After deploying OZIPHR, we identified that our primary runtime monitor could be silently detached via BPF manipulation — something we had never tested for. It was a blind spot hiding in plain sight.
Security Director — European SaaS Company
Due to the sensitive nature of security verification engagements, we do not disclose client identities without explicit consent.
Enterprise Ready

Built for production environments

Designed from the ground up for enterprise security teams operating at scale.

On-Premise Deployment

Self-hosted server and agents. Your data never leaves your infrastructure.

API-First Architecture

Full REST API with WebSocket streaming. Integrate with your existing toolchain.

Compliance Reporting

Pre-built reports mapped to SOC 2, ISO 27001, and NIST CSF frameworks.

Multi-Tenant Support

Workspace isolation with role-based access control and SSO integration.

FAQ

Common questions

Does OZIPHR require root access?
Yes. The agent requires elevated privileges to perform realistic adversarial testing, including eBPF program manipulation, kernel module loading, and process-level operations. This mirrors the access level a real post-exploitation attacker would have.
Will OZIPHR damage my system?
No. All tests are designed to be non-destructive and reversible. The agent does not permanently modify system configuration, install persistent backdoors, or exfiltrate real data, and blinding tests restore eBPF program state after completion. As with any tool that loads kernel modules and edits audit logs as root, run it against a staging host first and review the restoration evidence before rolling it out to production.
What Linux distributions are supported?
OZIPHR supports any Linux distribution with kernel 5.4+ and eBPF enabled, including Ubuntu 20.04+, Debian 11+, CentOS/RHEL 8+, and Amazon Linux 2023. Note that RHEL 8 and its derivatives ship a 4.18-based kernel with eBPF features backported rather than a 5.4 kernel, so confirm eBPF support on that family before deployment. Container environments (Docker, Kubernetes) are fully supported.
How is the security score calculated?
The score is a weighted composite of three factors: blinding resistance (can monitors survive being disabled), detection coverage (how many attack techniques are detected), and evasion resilience (can monitoring be bypassed). Each factor contributes to a 0-100 aggregate score.
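The composite above, as an added example that is not OZIPHR's scoring code: the three factors come from the FAQ, but the weights used here are an assumption for illustration, not OZIPHR's values. The one case worth getting right is a phase with no tests run (shown as 0/0 in the dashboard's phase breakdown), which must neither count as a pass nor divide by zero; here it is excluded and the remaining weights are renormalised.

```python
"""Weighted 0-100 posture score from per-phase pass/fail counts.

Added example, not OZIPHR code. WEIGHTS is an assumed split for illustration;
the page does not publish OZIPHR's weights.
"""

WEIGHTS = {"blinding": 0.4, "detection": 0.4, "evasion": 0.2}  # assumption, not OZIPHR's values


def phase_rate(passed, total):
    """Pass rate for one phase, or None when no test in that phase ran (the 0/0 case)."""
    if total == 0:
        return None
    if not 0 <= passed <= total:
        raise ValueError("passed must lie within 0..total")
    return passed / total


def posture_score(phases, weights=WEIGHTS):
    """phases maps phase name -> (passed, total). Returns an int 0-100, or None if nothing ran.

    Phases with no tests are dropped and the surviving weights renormalised, so
    an unrun phase neither inflates nor deflates the score.
    """
    scored = [
        (weights[name], phase_rate(*counts))
        for name, counts in phases.items()
        if name in weights and phase_rate(*counts) is not None
    ]
    if not scored:
        return None
    total_weight = sum(w for w, _ in scored)
    return round(100 * sum(w * r for w, r in scored) / total_weight)


if __name__ == "__main__":
    # 3/5 blinding tests resisted matches the 60% blinding resistance on the page.
    print(posture_score({"blinding": (3, 5), "detection": (7, 8), "evasion": (2, 4)}))
    print(posture_score({"blinding": (3, 5), "detection": (7, 8), "evasion": (0, 0)}))
```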
Can I add custom tests?
The current release includes a curated suite of 20+ tests covering the most critical post-exploitation techniques. Custom test support and plugin architecture are on the roadmap for future releases.

Stop trusting your monitors. Start verifying them.

The gap between assumed security and actual security is where breaches happen. OZIPHR closes that gap with evidence-based verification.

Overview

Security Dashboard

Hosts
0
0 online
Monitors
0
0 blind
Critical
0
Immediate
High
0
0 medium
Pass Rate
of all tests
MITRE
0
techniques
Posture Score
--
of 100
Phase Breakdown
BLINDING
0/0
DETECTION
0/0
EVASION
0/0
Host Scores


MITRE ATT&CK Coverage
Run agent to see coverage
Severity Distribution
Recent Alerts


Top Failing Tests


Activity Timeline


Attack Chain Results


Assets

Hosts

Managed endpoints running security monitors

0
Total Hosts
0
Online
0
Offline
0
Monitors


Deploy the agent on a target system

Host Detail

Host

Monitors
All
Blinding
Detection
Evasion
Columns: Test · Category · Result · Severity · Detected By · Duration
Analysis

Findings

Blinding, detection, and evasion verification results

0
Total Findings
0
Passed
0
Failed
0
MITRE Techniques
All
Blinding
Detection
Evasion
Failed Only
Columns: Test · MITRE ATT&CK · Category · Result · Severity · Host · Evidence · Duration
Configuration

Test Library

Select which tests the agent will execute on your hosts

0 / 20 selected
0
Blinding Tests
0
Detection Tests
0
Evasion Tests
0
Selected
All
Blinding
Detection
Evasion
Deploy Agent

Ready-to-run command for your target host. The agent will only execute the tests you selected above.

Adversary Simulation

Attack Chains

Select which kill chain simulations the agent will execute

0 chains
Safe Simulation — All attack chains use non-destructive techniques. No system modifications, no real connections, no data exfiltration. Temporary artifacts are auto-removed after each step.
Recent Results
Analysis

Chain Results

Detailed results from attack chain simulations

0
Total Runs
0
Caught
0
Fully Completed
-
Avg Attacker Progress
Notifications

Alerts

Security findings that require attention

0
Total Alerts
0
Critical
0
High
0
Unread
All
Critical
High
Unread


Security

Vulnerabilities

0
Total
0
Critical
0
High
0
Medium
0
Resolved
Columns: Vulnerability · MITRE ATT&CK · Severity · Host · Category · Status · Evidence · First Seen
Exposure

Attack Surface

Exposure by Category
Attack Vectors
Monitor Coverage Map
Exposed Endpoints
Columns: Host · IP · Monitors · Blindable · Failed Tests · Risk Score · Last Scan
Governance

Compliance

SOC 2 Type II
Controls Passing
ISO 27001
Controls Passing
NIST CSF
Functions Covered
Control Mapping
Columns: Framework · Control ID · Requirement · OZIPHR Test · MITRE ATT&CK · Status
Threat Intelligence

MITRE ATT&CK Coverage

Technique coverage matrix based on your verification results

15
Techniques Tested
0
Detected
0
Missed
Technique Matrix
Columns: Technique ID · Name · Tactic · Test · Category · Status
Export

Reports

Generate and download verification reports

Executive Summary
Security Posture Report

High-level overview of security posture score, critical findings, and key recommendations for leadership.

PDF · 2-3 pages
Technical Report
Full Verification Results

Detailed test results with evidence, MITRE ATT&CK mapping, remediation guidance, and per-monitor analysis.

PDF · 10-20 pages
Compliance Report
Framework Mapping

Results mapped to SOC 2, ISO 27001, and NIST CSF control requirements with gap analysis.

PDF · 5-10 pages

Export Raw Data

Performance

Detection Speed Race

Per-monitor detection latency benchmark — who catches threats fastest

0
Tests with Latency
-
Fastest Monitor
0
Monitors Tracked
-
Last Run
Monitor Leaderboard
Detection Rate vs Speed
Per-Test Speed Comparison
Latency Distribution
Account

Settings

Manage profile, security, and API access

Plan & Usage

Upgrade Plan
Current Plan
Hosts Used
Tests / Run
Retention
Host capacity:

Deploy Agent

Run this command on your target host to install and execute the OZIPHR agent.

# One-line install — requires root
curl -fsSL /install.sh | sudo bash -s -- YOUR_API_KEY
Create an API key below first; the command above then auto-fills with your key. Because the script runs as root, download it and review it before piping it to bash, and treat the API key as a secret: it is the agent's credential to your workspace.

Profile

Security

Active Sessions


API Keys

Key created — copy now, shown only once:

No API keys — create one to connect agents