CLI Reference
Every innerwarden CLI command, its flags, and a real example: query state, respond, configure, run modules, and guard AI agents.
For: operators and power users - the one place that documents every innerwarden command, its flags, and a real example.
The CLI is one binary, innerwarden, organised into 9 command groups plus a handful of top-level lifecycle commands. You pick a group by what you want to do, then a subcommand. Type any group on its own (e.g. innerwarden system) to see its subcommands, or add --help to anything for the exact flags on the version you have.
innerwarden get Query state: status, incidents, decisions, reports, metrics
innerwarden stream Watch incidents or events live
innerwarden action Block or unblock an IP by hand
innerwarden trust Allowlist IPs/users and suppress noisy patterns
innerwarden config Configure AI, notifications, integrations, responder, mesh
innerwarden system Health, hardening, tuning, data export, GDPR
innerwarden rule Manage detection rules (Sigma, YARA, ATR, correlation, playbooks)
innerwarden module Install and manage security modules
innerwarden agent Connect to and guard AI agents
Top-level (not in a group): setup, upgrade, uninstall, dashboard, install-warden, enable/disable/list (capabilities), completions.
Legacy aliases still work. The old flat names (
innerwarden status,innerwarden scan,innerwarden doctor,innerwarden block, ...) are kept as hidden aliases so old scripts and muscle memory do not break. They are hidden from--help. The grouped forms below are canonical - prefer them in new automation and docs.
Where to go for related things: TOML keys and env vars live on Configuration; what each detector actually catches lives on What It Detects; the systemd services and the supervisor live on Everyday Operations.
Global options
These apply before the command, e.g. innerwarden --data-dir /srv/iw get incidents.
| Flag | What it does | Default |
|---|---|---|
--sensor-config <PATH> | Path to the sensor config | /etc/innerwarden/config.toml |
--agent-config <PATH> | Path to the agent config | /etc/innerwarden/agent.toml |
--data-dir <PATH> | Directory holding the JSONL/SQLite data | /var/lib/innerwarden |
--dry-run | Show what would happen without applying it | off |
innerwarden get - query state
Read-only. Nothing here changes state.
get status
System overview, or the full timeline for one IP or user.
innerwarden get status # global overview
innerwarden get status 203.0.113.10 # everything about this IP
innerwarden get status root --days 7 # this user, last 7 days
| Flag | What it does | Default |
|---|---|---|
[target] | IP or username to inspect (omit for the global overview) | global |
--days <N> | How far back to search when a target is given | 3 |
get entity
The full behavioural profile for one attacker IP or user: DNA fingerprint, timeline, IOCs, and recurrence. Where get status <target> is the quick overview, get entity is the dedicated per-entity deep dive.
innerwarden get entity 203.0.113.10 # this attacker's profile
innerwarden get entity root --days 7
| Flag | What it does | Default |
|---|---|---|
<target> | IP or username (required) | required |
--days <N> | History window | 3 |
get incidents
Recent security incidents.
innerwarden get incidents # today, all severities
innerwarden get incidents --severity high # high and critical only
innerwarden get incidents --days 2 # last 2 days
innerwarden get incidents --live # stream as they arrive
| Flag | What it does | Default |
|---|---|---|
--days <N> | How far back | 1 (today) |
--severity <LEVEL> | Minimum: low, medium, high, critical | low |
--live | Stream new incidents in real time | off |
get decisions
What InnerWarden decided to do (blocks, suspensions, ignores, items parked for you).
innerwarden get decisions # today
innerwarden get decisions --days 7 # last week
innerwarden get decisions --action block_ip # only blocks
| Flag | What it does | Default |
|---|---|---|
--days <N> | How far back | 1 |
--action <TYPE> | block_ip, suspend_user_sudo, ignore, monitor, honeypot | all |
Ambiguous alerts the agent parks for your decision show as [PENDING]. To list only those, filter on the request_confirmation action. The same count is on the dashboard's "Needs review" tile (see Responding to Incidents).
innerwarden get decisions --action request_confirmation
get responses
The enforcement audit log: which IPs are blocked right now, plus recent reverts.
innerwarden get responses # active blocks only
innerwarden get responses --history --since-days 7 # include reverts
innerwarden get responses --ip 1.2.3.4 # one target
| Flag | What it does | Default |
|---|---|---|
--history | Include the recent revert history | off (active only) |
--since-days <N> | With --history, how far back | 7 |
--ip <IP> | Filter both lists to one IP | all |
get report
Print the daily security report.
innerwarden get report # today
innerwarden get report --date yesterday
innerwarden get report --date 2026-03-14
get metrics, get sensors, get posture
innerwarden get metrics # today's telemetry: events processed, AI latency, uptime
innerwarden get sensors # which collectors are active + today's event counts
innerwarden get posture # host hardening snapshot (sshd / services / sudo / firewall)
get posture prints the snapshot the agent refreshes every 10 minutes and uses to downgrade severity for attacks the host already neutralised (for example, a password brute force against a host with PasswordAuthentication no). It covers SSH config, sudoers group membership, listening services, and active firewall backends.
innerwarden stream - watch live
Like tail -f for incidents or events.
innerwarden stream # stream incidents
innerwarden stream --type events # stream raw events
innerwarden stream --interval 5 # poll every 5s
| Flag | What it does | Default |
|---|---|---|
--type <KIND> | incidents or events | incidents |
--interval <SECS> | Poll interval | 2 |
innerwarden action - manual response
Block or unblock an IP by hand. A reason is required and goes into the audit trail.
innerwarden action block 1.2.3.4 --reason "manual block after investigation"
innerwarden action unblock 1.2.3.4 --reason "confirmed false positive"
Both use the configured block_backend (ufw, iptables, nftables, firewalld, pf, or xdp; on RHEL/Rocky/Fedora the native backend is firewalld). The backend is a config key, see Configuration.
innerwarden trust - allowlist and suppression
Trusting an entity makes it monitor-only: it is still detected, logged, and notified, but the auto-block is suppressed. That is deliberate, you keep visibility on trusted entities. Read the never-blind workflow on Safe Observe and Allowlist before you add anything.
innerwarden trust add --ip 10.0.0.1 --reason "office NAT"
innerwarden trust add --ip 192.168.0.0/24 --reason "lab subnet"
innerwarden trust add --user deploy --reason "CI/CD service account"
innerwarden trust remove --ip 10.0.0.1
innerwarden trust remove --user deploy
innerwarden trust list
innerwarden trust suppress ssh_bruteforce # silence a detector
innerwarden trust suppress "firmware:trust_degraded" # silence by pattern
innerwarden trust unsuppress ssh_bruteforce # re-enable
innerwarden trust suppressions # show all active suppressions
| Subcommand | Key flags |
|---|---|
trust add | --ip <IP/CIDR>, --user <NAME>, --reason <TEXT> |
trust remove | --ip <IP/CIDR>, --user <NAME> |
trust list | (none) |
trust suppress <PATTERN> | substring match against incident IDs |
trust unsuppress <PATTERN> | removes a suppression |
trust suppressions | (none) |
innerwarden config - configuration
Run innerwarden config with no subcommand for an interactive menu. Every subcommand writes the right key in agent.toml for you, so you rarely need to edit TOML by hand. The keys these commands set are documented on Configuration.
AI provider
innerwarden config ai # interactive wizard
innerwarden config ai openai --key sk-...
innerwarden config ai anthropic --key sk-ant-...
innerwarden config ai ollama --model llama3.2 # local, no key
innerwarden config ai groq --key gsk-... --model llama-3.3-70b-versatile
| Flag | What it does |
|---|---|
[provider] | openai, anthropic, groq, deepseek, mistral, xai, gemini, ollama, and more |
--key <KEY> | API key for the provider |
--model <M> | Model name (the wizard lists options if omitted) |
--base-url <URL> | Endpoint override for OpenAI-compatible APIs |
For on-device triage with no API key, see install-warden near the end of this page.
Responder (arm or disarm enforcement)
innerwarden config responder # interactive
innerwarden config responder --enable --dry-run true # armed but log-only
innerwarden config responder --enable --dry-run false # live blocking
| Flag | What it does |
|---|---|
--enable | Turn the responder on |
--dry-run <true|false> | true logs what it would do; false executes for real |
A fresh install ships with the responder off and dry-run on. Arming it is a deliberate step, see Safe Observe and Allowlist.
Sensitivity and 2FA
innerwarden config sensitivity quiet # only critical
innerwarden config sensitivity normal # high + critical
innerwarden config sensitivity verbose # medium and up
innerwarden config 2fa # require TOTP for actuating from chat
Notifications
innerwarden config telegram # interactive
innerwarden config telegram --token <T> --chat-id <C>
innerwarden config slack --webhook-url <URL>
innerwarden config discord --webhook-url <URL>
innerwarden config webhook --url <URL>
innerwarden config web-push
innerwarden config dashboard --user admin --password <PW>
innerwarden config digest 9 # daily digest at 09:00 UTC
innerwarden config digest off
innerwarden config budget 10 # cap immediate alerts at 10/day
innerwarden config test-alert # test every configured channel
innerwarden config test-alert --channel telegram
What each channel looks like (and which the lay-operator profile shows) is on Dashboard and Notifications.
Enrichment and edge integrations
innerwarden config geoip # free, no key
innerwarden config abuseipdb --api-key <KEY>
innerwarden config abuseipdb --auto-block-threshold 90
innerwarden config cloudflare --zone-id <ID> --api-token <TOKEN>
Mesh (collaborative defense)
innerwarden config mesh enable
innerwarden config mesh disable
innerwarden config mesh status
innerwarden config mesh add-peer https://peer:8790
innerwarden config mesh add-peer https://10.0.1.5:8790 --label prod-eu
There is also a one-command helper, innerwarden mesh connect <peer>, that enables mesh, registers the peer, and opens the local firewall (source-scoped to the peer) for the mesh port in a single step.
Validate the config
innerwarden config validate # checks /etc/innerwarden/agent.toml
innerwarden config validate --path ./my-agent.toml
Parses agent.toml against the strict schema and fails loudly on a typo'd or unknown key, before a deploy can brick the agent at boot. Run it after any hand-edit.
innerwarden system - health, security, data
system doctor
Run diagnostics and print concrete fix hints. Start here whenever something looks wrong.
innerwarden system doctor
system test
Inject a synthetic incident and confirm the full pipeline reacts.
innerwarden system test # default 12s wait
innerwarden system test --wait 20
system scan / harden / tune / calibrate
innerwarden system scan # recommend modules for this host
innerwarden system harden # findings: suggested host hardening
innerwarden system harden --verbose
innerwarden system tune # propose detector threshold changes (last 7 days)
innerwarden system tune --days 14
innerwarden system tune --yes # auto-apply the proposals
innerwarden system calibrate # discover services/ports/outbound, build a calibration report
system harden is the host-hardening auditor (sysctl, SSH, firewall, access control); system tune adjusts detector thresholds from recent noise; system calibrate profiles this host's normal so you can approve a baseline. None of them block anything on their own.
system export
Export events, incidents, or decisions to JSON or CSV.
innerwarden system export incidents
innerwarden system export decisions --from 2026-03-01 --to 2026-03-15
innerwarden system export events --format csv --output /tmp/events.csv
| Flag | What it does | Default |
|---|---|---|
[kind] | events, incidents, or decisions | incidents |
--from <DATE> / --to <DATE> | Date range (YYYY-MM-DD) | today |
--format <FMT> | json or csv | json |
--output <PATH> | Output file | stdout |
system backup
innerwarden system backup # tar.gz of config
innerwarden system backup --output /tmp/iw.tar.gz
system gdpr
Data-subject export and erasure. The schedule and the privacy contract live on Privacy and GDPR; this is just the command.
innerwarden system gdpr export --entity 203.0.113.10
innerwarden system gdpr export --entity root --output /tmp/data.jsonl
innerwarden system gdpr erase --entity 203.0.113.10 --yes
system watchdog
A lightweight cron-style health check (separate from the supervisor process on Everyday Operations).
innerwarden system watchdog # check now
innerwarden system watchdog --threshold 600 # 10 min of silence = unhealthy
innerwarden system watchdog --notify # Telegram alert if unhealthy
innerwarden system watchdog --status # show the cron schedule
system reconcile-blocks
Cross-check firewall DENY rules against the cloud-provider safelist and release any that now fall inside a known-safe range. Dry-run unless you pass --apply.
innerwarden system reconcile-blocks # show the cleanup plan
innerwarden system reconcile-blocks --apply # actually release matching rules
Other system tools
innerwarden system navigator > coverage.json # MITRE ATT&CK Navigator layer
innerwarden system smm # Ring -2 firmware audit (--json / --baseline / --drift)
innerwarden system hypervisor # Ring -1 hypervisor integrity (--json)
innerwarden system circuit-status # block-rate circuit-breaker state for this hour
innerwarden system circuit-reset # clear the breaker for this hour
innerwarden system chain-break list # documented intentional audit-chain breaks
The circuit breaker refuses runaway auto-blocking once an hourly cap is crossed; circuit-status/circuit-reset inspect and clear it. chain-break register records a legitimate manual edit to the hash-chained decision log so the tamper alarm stops firing for that range.
innerwarden rule - detection rules
Rules are YAML under /etc/innerwarden/rules/, hot-reloaded every 60 seconds. Correlation rule IDs (CL-NNN) and SOC playbook IDs (pb-*) route to the right subdirectory automatically.
innerwarden rule list # all rule types
innerwarden rule list --type sigma
innerwarden rule list --type correlation
innerwarden rule list --type playbooks
innerwarden rule enable CL-024
innerwarden rule disable drop-service-daemon-file-ops
| Subcommand | What it does |
|---|---|
rule list [--type <T>] | List rules; --type is one of event_pipeline, sigma, yara, atr, correlation, playbooks |
rule enable <id> | Re-enable a disabled rule |
rule disable <id> | Disable a rule (writes disabled: true into its YAML) |
innerwarden playbook test <id> -f <incident.jsonl> dry-runs a SOC playbook against a captured incident through the running agent (no skills fire, nothing is written). It needs the agent's dashboard URL and, if remote, --user/--password. Use rule list --type playbooks to find IDs.
innerwarden module - security modules
Modules are self-contained packages (manifest + config + docs + tests). See Write a Module and Module Reference.
innerwarden module list # installed modules
innerwarden module search # browse the registry
innerwarden module search ssh # filter by keyword
innerwarden module install ssh-protection # from the registry
innerwarden module install ssh-protection --enable
innerwarden module install ./my-module # from a local path
innerwarden module enable ./modules/ssh-protection
innerwarden module disable ./modules/ssh-protection
innerwarden module status ssh-protection
innerwarden module uninstall ssh-protection
innerwarden module validate ./my-module # check a package
innerwarden module validate ./my-module --strict
innerwarden module publish ./my-module # package into a .tar.gz
innerwarden module update-all # update all installed
innerwarden module update-all --check # check only
install accepts a registry name, an HTTPS .tar.gz URL, or a local file/directory. Most commands take --yes to skip the confirmation prompt and --modules-dir <PATH> to point at a non-default install directory.
innerwarden agent - AI-agent management and guardrail
This group is the AI-agent guardrail surface. The full picture, advisory vs enforcement, is on AI Agent Guardrail and Connect Your Agent.
innerwarden agent # interactive menu
innerwarden agent list # agents available to install
innerwarden agent add <name> # install an agent (OpenClaw, ...)
innerwarden agent scan # find agents already running
innerwarden agent status # connected agents + detected tools
innerwarden agent connect # auto-detect and connect
innerwarden agent connect 1234 # connect a specific PID
innerwarden agent connect --name my-agent --label work
innerwarden agent disconnect ag-0001
agent proxy (the MCP enforcement proxy)
Wrap a real MCP server so InnerWarden sits in the path of the agent's tool calls and inspects, blocks, or kills them. Everything after -- is the real server command.
innerwarden agent proxy --mode guard -- npx -y @some/mcp-server --flag
| Flag | What it does | Default |
|---|---|---|
--mode <MODE> | advisory (alert only), warn, guard (block disallowed calls), kill (block + terminate) | advisory |
--label <TEXT> | Label for audit and alerts | none |
--error-response | Return denials as a JSON-RPC error instead of an isError result | off |
-- <server-cmd> | The MCP server command and its args (required) | - |
agent mcp-serve (the advisory front door)
Expose InnerWarden itself as an MCP server over stdio, so a cooperating coding agent can ask it, before it acts: innerwarden_check_command (is this command safe, deny/review/allow), innerwarden_check_ip (known threat?), and innerwarden_security_context (host threat level). It is a thin adapter over the loopback Agent API and returns capability-level answers only, never the rule that fired.
innerwarden agent mcp-serve
innerwarden agent mcp-serve --label claude-code
| Flag | What it does |
|---|---|
--label <TEXT> | Label for audit and alerts |
mcp-serve is advisory (it only helps an agent that chooses to ask). The enforcement that does not depend on the agent cooperating is agent proxy plus the host eBPF and Execution Gate. See AI Agent Guardrail.
Top-level commands
setup
First-time wizard: scans the host, configures AI, notifications, the Local Warden model, the responder, and the most relevant modules.
innerwarden setup
innerwarden setup --mode advanced
upgrade
Check for a newer signed release and install all binaries.
innerwarden upgrade # check + install
innerwarden upgrade --check # just check
innerwarden upgrade --check --notify
innerwarden upgrade --yes # no prompt
| Flag | What it does | Default |
|---|---|---|
--check | Only report whether an update exists | off |
--yes | Skip the confirmation prompt | off |
--notify | Telegram alert if a new version is available | off |
--install-dir <PATH> | Where binaries live | /usr/local/bin |
--allow-unsigned-stable / --allow-unsigned-canary | Supply-chain escape hatches; not recommended | off |
dashboard
Open or check the local dashboard with one command, no systemd or firewall surgery. The dashboard binds to localhost by default.
innerwarden dashboard # status: bind, URL, login, ready-to-paste SSH tunnel
innerwarden dashboard open # expose securely: set a login, bind 0.0.0.0, firewall-lock to YOUR SSH client IP
innerwarden dashboard open --allow 203.0.113.7 # lock to a specific IP instead
innerwarden dashboard open --public # allow any IP (least safe)
innerwarden dashboard close # back to localhost only
innerwarden dashboard tunnel # print the exact SSH port-forward command (nothing is exposed)
Flag (on open) | What it does | Default |
|---|---|---|
--allow <IP> | Firewall-lock remote access to this IP | your current SSH client IP |
--public | Allow any source IP (least safe) | off |
Exposing is always password-protected: the agent refuses a non-loopback bind without credentials, so open sets a login first and prints it once. open/close write [dashboard] bind in agent.toml and restart the agent (watchdog-aware). The safest option is dashboard tunnel: an SSH local-forward that leaves the dashboard on localhost. More on access and notifications: Dashboard and Notifications.
uninstall
Remove InnerWarden in a safe order. This command owns uninstall; Install and First Run links here.
innerwarden uninstall # remove software, KEEP config + data
innerwarden uninstall --purge # also remove config, data, logs, and the innerwarden user
innerwarden uninstall --dry-run # preview exactly what would be removed (no sudo needed)
innerwarden uninstall --yes # skip the confirmation prompt
| Flag | What it does |
|---|---|
--purge | Also remove /etc/innerwarden, /var/lib/innerwarden, /var/log/innerwarden, and the innerwarden user |
--dry-run | Print the exact plan and exit (no root needed) |
--yes | Skip the confirmation prompt |
It stops the watchdog/supervisor first (so nothing respawns the agent mid-uninstall), then the agent and sensor, then removes the binaries, systemd units, the embedded eBPF object, the pinned BPF maps, the sudoers drop-ins, and the firewall rules InnerWarden added. Config and data are kept by default so a reinstall keeps your history and license; --purge removes them too.
If the binary is missing or broken, the installer can tear everything down the same way:
curl -fsSL https://innerwarden.com/install | sudo bash -s -- --uninstall # or --uninstall --purge
install-warden
Install the on-device Local Warden model (distilled SecureBERT) so AI triage runs locally with no API key.
innerwarden install-warden # default model (~91 MB), real pinned hash, no --sha256 needed
innerwarden install-warden --model minilm-l6 --yes
| Flag | What it does | Default |
|---|---|---|
--model <NAME> | minilm-l6 (default, distilled, ~87 MB) or roberta-v1 (larger teacher) | minilm-l6 |
--url <URL> | Override the release URL (air-gapped or mirror installs) | pinned release |
--sha256 <HASH> | Override the pinned archive hash (only with --url) | pinned |
--yes | Skip the confirmation prompt | off |
--configure | Also write [ai.warden] into agent.toml (used by the installer) | off |
install-classifier is kept as a visible alias.
Capabilities and completions
innerwarden list # show all capabilities + status
innerwarden enable <capability> # activate (e.g. block_ip, sudo_protection)
innerwarden enable <capability> --force # re-apply / repair drift (e.g. a missing sudoers drop-in)
innerwarden disable <capability>
innerwarden completions bash >> ~/.bashrc
innerwarden completions zsh >> ~/.zshrc
innerwarden completions fish
Two offline harnesses (on the innerwarden-agent binary)
These run on the innerwarden-agent binary, not the innerwarden CLI. Each is a one-shot: do the work, print a report, exit without entering the live loop.
# Replay a captured incidents JSONL through the SOC playbooks in dry-run.
innerwarden-agent --playbook-replay /var/lib/innerwarden/incidents-2026-05-30.jsonl
# Offline autoencoder backtest. Train on events before the cutoff, score the rest.
innerwarden-agent --backtest-anomaly --backtest-cutoff 2026-05-15
| Flag | What it does |
|---|---|
--playbook-replay <INCIDENTS_JSONL> | Batch-validate SOC playbooks against captured incidents (no skills fire, no audit written) |
--backtest-anomaly | Offline anomaly-model backtest (no live traffic, no training leakage) |
--backtest-cutoff <YYYY-MM-DD> | Cutoff for --backtest-anomaly: events before it train, on/after it are scored |
Quick reference
| I want to... | Command |
|---|---|
| First-time setup | innerwarden setup |
| Check health | innerwarden system doctor |
| Today's serious threats | innerwarden get incidents --severity high |
| What InnerWarden did | innerwarden get decisions |
| What is blocked right now | innerwarden get responses |
| Stream incidents live | innerwarden stream |
| Block / unblock an IP | innerwarden action block <IP> --reason "..." |
| Configure AI | innerwarden config ai |
| Arm enforcement (live) | innerwarden config responder --enable --dry-run false |
| Arm enforcement (safe) | innerwarden config responder --enable --dry-run true |
| Set up Telegram | innerwarden config telegram |
| Trust an IP | innerwarden trust add --ip 10.0.0.1 --reason "..." |
| Silence a detector | innerwarden trust suppress <pattern> |
| Daily report | innerwarden get report |
| Export data | innerwarden system export incidents --format csv |
| Validate config before deploy | innerwarden config validate |
| Open the dashboard | innerwarden dashboard |
| Local AI, no key | innerwarden install-warden |
| Guard an MCP server | innerwarden agent proxy --mode guard -- <server> |
| Upgrade | innerwarden upgrade |
| Remove InnerWarden | innerwarden uninstall |
Anything not covered here: run innerwarden <group> --help. Related reading: Configuration, Everyday Operations, Responding to Incidents, AI Agent Guardrail.