Project

Architecture and Contributors

Why Inner Warden exists, how the codebase is shaped, how to contribute safely, and the engineering choices behind the agent.

15 articles in this hub
Origin Story

Why We Built Inner Warden

A first-person manifesto about why a single-binary autonomous EDR for Linux is needed in 2026. The pain that pushed us out of MDR contracts and DIY Wazuh stacks.

5 min read
Thesis

The Autonomous EDR Thesis

Defining autonomous EDR precisely: detection without a human in the loop, AI confidence-gated response, dry-run safety. Why this is the inevitable shape of endpoint security.

8 min read
Vision

InnerWarden: The Self-Defending Server

From the deepest hardware layer to user applications, in one Rust binary. 40 monitors, 82 detectors, 69 correlation rules, behavior learning, mesh network. The full picture.

7 min read
Architecture

Inner Warden Architecture: A 30-Minute Tour

The workspace map for a new contributor. Sensor, agent, ctl, the JSONL contract, SQLite as source of truth, slow_loop ticks, dashboard reads. With file paths.

12 min read
Tutorial

Your First Inner Warden Detector in 50 Lines

Walk through writing a custom detector for `wget | sh` patterns. File location, the trait, registration, unit test, validation via `make replay-qa`.

9 min read
Contributing

Contributing Your First PR to Inner Warden

A walk-through of `make test`, `make check`, `make replay-qa` and `make heap-budget`: the style points and the gates a PR has to clear, pitched to set the bar without scaring people off.

7 min read
Orientation

Where to Start Hacking on Inner Warden

Three contributor tracks: add a detector or Sigma rule, add a notification sink, add an integration recipe. With a what-NOT-to-start-with list.

6 min read
Engineering

Why We Switched to jemalloc (and How glibc malloc Was Eating 1GB RAM)

The story of how glibc malloc fragmentation caused our Rust daemon to grow to 1.3GB under bot traffic, and how jemalloc fixed it with 3 lines of code.

7 min read
eBPF

Aya, eBPF, Rust: Lessons From Shipping 40 Hooks to Production

Real lessons from running 40 eBPF hooks (tracepoints, kprobes, LSM, XDP). `#![no_std]`, CO-RE/BTF, ring buffer with epoll, common verifier failures, debugging.

10 min read
Validation

We Ran MITRE Caldera Against Our Own Product. Here's What We Found.

5 rounds of adversary emulation with Caldera v5.3.0. From 36% detection to 67% of testable techniques. The argv truncation fix, 15+ false positive cleanups, and why "mapped" is not the same as "detected".

14 min read
Manifesto

Endpoint Security for the Rest of Us

How PostgreSQL, Linux, and Let's Encrypt democratized previously elite tech. Endpoint detection is next. A freelance dev's VPS deserves the same defenses as Goldman Sachs.

6 min read
Velocity

Ship Now, Secure Now: You Can't Pick One Anymore

AI codegen made shipping faster. Attacker tooling made exploitation faster. The old ship-first, harden-later loop is dead. The case for security that is on by default.

6 min read
Opinion

Why Default-Deny Is the Wrong Default

A security tool that ships with auto-block ON locks operators out and gets uninstalled. The case for dry-run-first: detect everything, log everything, escalate on confidence.

7 min read
Architecture

Agent vs Agentless Monitoring: When Each Wins

Network IDS vs cloud APIs vs eBPF on the host. Encrypted traffic, runtime visibility, fleet-scale config audit. When you'd choose each; this is not a settled debate.

7 min read
Architecture

Collaborative Defense: How Game Theory Protects a Security Mesh Network

Ed25519 signed signals, tit-for-tat trust evolution, staging pools with TTL auto-reversal. How Inner Warden nodes share threat intelligence without letting anyone abuse the network.

9 min read