Skip to content
Operate

CLI Reference

Every innerwarden CLI command, its flags, and a real example: query state, respond, configure, run modules, and guard AI agents.

For: operators and power users - the one place that documents every innerwarden command, its flags, and a real example.

The CLI is one binary, innerwarden, organised into 9 command groups plus a handful of top-level lifecycle commands. You pick a group by what you want to do, then a subcommand. Type any group on its own (e.g. innerwarden system) to see its subcommands, or add --help to anything for the exact flags on the version you have.

innerwarden get        Query state: status, incidents, decisions, reports, metrics
innerwarden stream     Watch incidents or events live
innerwarden action     Block or unblock an IP by hand
innerwarden trust      Allowlist IPs/users and suppress noisy patterns
innerwarden config     Configure AI, notifications, integrations, responder, mesh
innerwarden system     Health, hardening, tuning, data export, GDPR
innerwarden rule       Manage detection rules (Sigma, YARA, ATR, correlation, playbooks)
innerwarden module     Install and manage security modules
innerwarden agent      Connect to and guard AI agents

Top-level (not in a group): setup, upgrade, uninstall, dashboard, install-warden, enable/disable/list (capabilities), completions.

Legacy aliases still work. The old flat names (innerwarden status, innerwarden scan, innerwarden doctor, innerwarden block, ...) are kept as hidden aliases so old scripts and muscle memory do not break. They are hidden from --help. The grouped forms below are canonical - prefer them in new automation and docs.

Where to go for related things: TOML keys and env vars live on Configuration; what each detector actually catches lives on What It Detects; the systemd services and the supervisor live on Everyday Operations.


Global options

These apply before the command, e.g. innerwarden --data-dir /srv/iw get incidents.

FlagWhat it doesDefault
--sensor-config <PATH>Path to the sensor config/etc/innerwarden/config.toml
--agent-config <PATH>Path to the agent config/etc/innerwarden/agent.toml
--data-dir <PATH>Directory holding the JSONL/SQLite data/var/lib/innerwarden
--dry-runShow what would happen without applying itoff

innerwarden get - query state

Read-only. Nothing here changes state.

get status

System overview, or the full timeline for one IP or user.

innerwarden get status                       # global overview
innerwarden get status 203.0.113.10          # everything about this IP
innerwarden get status root --days 7         # this user, last 7 days
FlagWhat it doesDefault
[target]IP or username to inspect (omit for the global overview)global
--days <N>How far back to search when a target is given3

get entity

The full behavioural profile for one attacker IP or user: DNA fingerprint, timeline, IOCs, and recurrence. Where get status <target> is the quick overview, get entity is the dedicated per-entity deep dive.

innerwarden get entity 203.0.113.10          # this attacker's profile
innerwarden get entity root --days 7
FlagWhat it doesDefault
<target>IP or username (required)required
--days <N>History window3

get incidents

Recent security incidents.

innerwarden get incidents                    # today, all severities
innerwarden get incidents --severity high    # high and critical only
innerwarden get incidents --days 2           # last 2 days
innerwarden get incidents --live             # stream as they arrive
FlagWhat it doesDefault
--days <N>How far back1 (today)
--severity <LEVEL>Minimum: low, medium, high, criticallow
--liveStream new incidents in real timeoff

get decisions

What InnerWarden decided to do (blocks, suspensions, ignores, items parked for you).

innerwarden get decisions                    # today
innerwarden get decisions --days 7           # last week
innerwarden get decisions --action block_ip  # only blocks
FlagWhat it doesDefault
--days <N>How far back1
--action <TYPE>block_ip, suspend_user_sudo, ignore, monitor, honeypotall

Ambiguous alerts the agent parks for your decision show as [PENDING]. To list only those, filter on the request_confirmation action. The same count is on the dashboard's "Needs review" tile (see Responding to Incidents).

innerwarden get decisions --action request_confirmation

get responses

The enforcement audit log: which IPs are blocked right now, plus recent reverts.

innerwarden get responses                          # active blocks only
innerwarden get responses --history --since-days 7 # include reverts
innerwarden get responses --ip 1.2.3.4             # one target
FlagWhat it doesDefault
--historyInclude the recent revert historyoff (active only)
--since-days <N>With --history, how far back7
--ip <IP>Filter both lists to one IPall

get report

Print the daily security report.

innerwarden get report                       # today
innerwarden get report --date yesterday
innerwarden get report --date 2026-03-14

get metrics, get sensors, get posture

innerwarden get metrics      # today's telemetry: events processed, AI latency, uptime
innerwarden get sensors      # which collectors are active + today's event counts
innerwarden get posture      # host hardening snapshot (sshd / services / sudo / firewall)

get posture prints the snapshot the agent refreshes every 10 minutes and uses to downgrade severity for attacks the host already neutralised (for example, a password brute force against a host with PasswordAuthentication no). It covers SSH config, sudoers group membership, listening services, and active firewall backends.


innerwarden stream - watch live

Like tail -f for incidents or events.

innerwarden stream                   # stream incidents
innerwarden stream --type events     # stream raw events
innerwarden stream --interval 5      # poll every 5s
FlagWhat it doesDefault
--type <KIND>incidents or eventsincidents
--interval <SECS>Poll interval2

innerwarden action - manual response

Block or unblock an IP by hand. A reason is required and goes into the audit trail.

innerwarden action block 1.2.3.4 --reason "manual block after investigation"
innerwarden action unblock 1.2.3.4 --reason "confirmed false positive"

Both use the configured block_backend (ufw, iptables, nftables, firewalld, pf, or xdp; on RHEL/Rocky/Fedora the native backend is firewalld). The backend is a config key, see Configuration.


innerwarden trust - allowlist and suppression

Trusting an entity makes it monitor-only: it is still detected, logged, and notified, but the auto-block is suppressed. That is deliberate, you keep visibility on trusted entities. Read the never-blind workflow on Safe Observe and Allowlist before you add anything.

innerwarden trust add --ip 10.0.0.1 --reason "office NAT"
innerwarden trust add --ip 192.168.0.0/24 --reason "lab subnet"
innerwarden trust add --user deploy --reason "CI/CD service account"
innerwarden trust remove --ip 10.0.0.1
innerwarden trust remove --user deploy
innerwarden trust list

innerwarden trust suppress ssh_bruteforce          # silence a detector
innerwarden trust suppress "firmware:trust_degraded"  # silence by pattern
innerwarden trust unsuppress ssh_bruteforce        # re-enable
innerwarden trust suppressions                     # show all active suppressions
SubcommandKey flags
trust add--ip <IP/CIDR>, --user <NAME>, --reason <TEXT>
trust remove--ip <IP/CIDR>, --user <NAME>
trust list(none)
trust suppress <PATTERN>substring match against incident IDs
trust unsuppress <PATTERN>removes a suppression
trust suppressions(none)

innerwarden config - configuration

Run innerwarden config with no subcommand for an interactive menu. Every subcommand writes the right key in agent.toml for you, so you rarely need to edit TOML by hand. The keys these commands set are documented on Configuration.

AI provider

innerwarden config ai                                 # interactive wizard
innerwarden config ai openai --key sk-...
innerwarden config ai anthropic --key sk-ant-...
innerwarden config ai ollama --model llama3.2         # local, no key
innerwarden config ai groq --key gsk-... --model llama-3.3-70b-versatile
FlagWhat it does
[provider]openai, anthropic, groq, deepseek, mistral, xai, gemini, ollama, and more
--key <KEY>API key for the provider
--model <M>Model name (the wizard lists options if omitted)
--base-url <URL>Endpoint override for OpenAI-compatible APIs

For on-device triage with no API key, see install-warden near the end of this page.

Responder (arm or disarm enforcement)

innerwarden config responder                         # interactive
innerwarden config responder --enable --dry-run true   # armed but log-only
innerwarden config responder --enable --dry-run false  # live blocking
FlagWhat it does
--enableTurn the responder on
--dry-run <true|false>true logs what it would do; false executes for real

A fresh install ships with the responder off and dry-run on. Arming it is a deliberate step, see Safe Observe and Allowlist.

Sensitivity and 2FA

innerwarden config sensitivity quiet     # only critical
innerwarden config sensitivity normal    # high + critical
innerwarden config sensitivity verbose   # medium and up
innerwarden config 2fa                    # require TOTP for actuating from chat

Notifications

innerwarden config telegram                            # interactive
innerwarden config telegram --token <T> --chat-id <C>
innerwarden config slack --webhook-url <URL>
innerwarden config discord --webhook-url <URL>
innerwarden config webhook --url <URL>
innerwarden config web-push
innerwarden config dashboard --user admin --password <PW>
innerwarden config digest 9            # daily digest at 09:00 UTC
innerwarden config digest off
innerwarden config budget 10           # cap immediate alerts at 10/day
innerwarden config test-alert          # test every configured channel
innerwarden config test-alert --channel telegram

What each channel looks like (and which the lay-operator profile shows) is on Dashboard and Notifications.

Enrichment and edge integrations

innerwarden config geoip                               # free, no key
innerwarden config abuseipdb --api-key <KEY>
innerwarden config abuseipdb --auto-block-threshold 90
innerwarden config cloudflare --zone-id <ID> --api-token <TOKEN>

Mesh (collaborative defense)

innerwarden config mesh enable
innerwarden config mesh disable
innerwarden config mesh status
innerwarden config mesh add-peer https://peer:8790
innerwarden config mesh add-peer https://10.0.1.5:8790 --label prod-eu

There is also a one-command helper, innerwarden mesh connect <peer>, that enables mesh, registers the peer, and opens the local firewall (source-scoped to the peer) for the mesh port in a single step.

Validate the config

innerwarden config validate                        # checks /etc/innerwarden/agent.toml
innerwarden config validate --path ./my-agent.toml

Parses agent.toml against the strict schema and fails loudly on a typo'd or unknown key, before a deploy can brick the agent at boot. Run it after any hand-edit.


innerwarden system - health, security, data

system doctor

Run diagnostics and print concrete fix hints. Start here whenever something looks wrong.

innerwarden system doctor

system test

Inject a synthetic incident and confirm the full pipeline reacts.

innerwarden system test            # default 12s wait
innerwarden system test --wait 20

system scan / harden / tune / calibrate

innerwarden system scan            # recommend modules for this host
innerwarden system harden          # findings: suggested host hardening
innerwarden system harden --verbose
innerwarden system tune            # propose detector threshold changes (last 7 days)
innerwarden system tune --days 14
innerwarden system tune --yes      # auto-apply the proposals
innerwarden system calibrate       # discover services/ports/outbound, build a calibration report

system harden is the host-hardening auditor (sysctl, SSH, firewall, access control); system tune adjusts detector thresholds from recent noise; system calibrate profiles this host's normal so you can approve a baseline. None of them block anything on their own.

system export

Export events, incidents, or decisions to JSON or CSV.

innerwarden system export incidents
innerwarden system export decisions --from 2026-03-01 --to 2026-03-15
innerwarden system export events --format csv --output /tmp/events.csv
FlagWhat it doesDefault
[kind]events, incidents, or decisionsincidents
--from <DATE> / --to <DATE>Date range (YYYY-MM-DD)today
--format <FMT>json or csvjson
--output <PATH>Output filestdout

system backup

innerwarden system backup                       # tar.gz of config
innerwarden system backup --output /tmp/iw.tar.gz

system gdpr

Data-subject export and erasure. The schedule and the privacy contract live on Privacy and GDPR; this is just the command.

innerwarden system gdpr export --entity 203.0.113.10
innerwarden system gdpr export --entity root --output /tmp/data.jsonl
innerwarden system gdpr erase  --entity 203.0.113.10 --yes

system watchdog

A lightweight cron-style health check (separate from the supervisor process on Everyday Operations).

innerwarden system watchdog                    # check now
innerwarden system watchdog --threshold 600    # 10 min of silence = unhealthy
innerwarden system watchdog --notify           # Telegram alert if unhealthy
innerwarden system watchdog --status           # show the cron schedule

system reconcile-blocks

Cross-check firewall DENY rules against the cloud-provider safelist and release any that now fall inside a known-safe range. Dry-run unless you pass --apply.

innerwarden system reconcile-blocks            # show the cleanup plan
innerwarden system reconcile-blocks --apply    # actually release matching rules

Other system tools

innerwarden system navigator > coverage.json   # MITRE ATT&CK Navigator layer
innerwarden system smm                          # Ring -2 firmware audit (--json / --baseline / --drift)
innerwarden system hypervisor                   # Ring -1 hypervisor integrity (--json)
innerwarden system circuit-status               # block-rate circuit-breaker state for this hour
innerwarden system circuit-reset                # clear the breaker for this hour
innerwarden system chain-break list             # documented intentional audit-chain breaks

The circuit breaker refuses runaway auto-blocking once an hourly cap is crossed; circuit-status/circuit-reset inspect and clear it. chain-break register records a legitimate manual edit to the hash-chained decision log so the tamper alarm stops firing for that range.


innerwarden rule - detection rules

Rules are YAML under /etc/innerwarden/rules/, hot-reloaded every 60 seconds. Correlation rule IDs (CL-NNN) and SOC playbook IDs (pb-*) route to the right subdirectory automatically.

innerwarden rule list                       # all rule types
innerwarden rule list --type sigma
innerwarden rule list --type correlation
innerwarden rule list --type playbooks
innerwarden rule enable CL-024
innerwarden rule disable drop-service-daemon-file-ops
SubcommandWhat it does
rule list [--type <T>]List rules; --type is one of event_pipeline, sigma, yara, atr, correlation, playbooks
rule enable <id>Re-enable a disabled rule
rule disable <id>Disable a rule (writes disabled: true into its YAML)

innerwarden playbook test <id> -f <incident.jsonl> dry-runs a SOC playbook against a captured incident through the running agent (no skills fire, nothing is written). It needs the agent's dashboard URL and, if remote, --user/--password. Use rule list --type playbooks to find IDs.


innerwarden module - security modules

Modules are self-contained packages (manifest + config + docs + tests). See Write a Module and Module Reference.

innerwarden module list                          # installed modules
innerwarden module search                        # browse the registry
innerwarden module search ssh                    # filter by keyword
innerwarden module install ssh-protection        # from the registry
innerwarden module install ssh-protection --enable
innerwarden module install ./my-module           # from a local path
innerwarden module enable ./modules/ssh-protection
innerwarden module disable ./modules/ssh-protection
innerwarden module status ssh-protection
innerwarden module uninstall ssh-protection
innerwarden module validate ./my-module          # check a package
innerwarden module validate ./my-module --strict
innerwarden module publish ./my-module           # package into a .tar.gz
innerwarden module update-all                    # update all installed
innerwarden module update-all --check            # check only

install accepts a registry name, an HTTPS .tar.gz URL, or a local file/directory. Most commands take --yes to skip the confirmation prompt and --modules-dir <PATH> to point at a non-default install directory.


innerwarden agent - AI-agent management and guardrail

This group is the AI-agent guardrail surface. The full picture, advisory vs enforcement, is on AI Agent Guardrail and Connect Your Agent.

innerwarden agent                       # interactive menu
innerwarden agent list                  # agents available to install
innerwarden agent add <name>            # install an agent (OpenClaw, ...)
innerwarden agent scan                  # find agents already running
innerwarden agent status                # connected agents + detected tools
innerwarden agent connect               # auto-detect and connect
innerwarden agent connect 1234          # connect a specific PID
innerwarden agent connect --name my-agent --label work
innerwarden agent disconnect ag-0001

agent proxy (the MCP enforcement proxy)

Wrap a real MCP server so InnerWarden sits in the path of the agent's tool calls and inspects, blocks, or kills them. Everything after -- is the real server command.

innerwarden agent proxy --mode guard -- npx -y @some/mcp-server --flag
FlagWhat it doesDefault
--mode <MODE>advisory (alert only), warn, guard (block disallowed calls), kill (block + terminate)advisory
--label <TEXT>Label for audit and alertsnone
--error-responseReturn denials as a JSON-RPC error instead of an isError resultoff
-- <server-cmd>The MCP server command and its args (required)-

agent mcp-serve (the advisory front door)

Expose InnerWarden itself as an MCP server over stdio, so a cooperating coding agent can ask it, before it acts: innerwarden_check_command (is this command safe, deny/review/allow), innerwarden_check_ip (known threat?), and innerwarden_security_context (host threat level). It is a thin adapter over the loopback Agent API and returns capability-level answers only, never the rule that fired.

innerwarden agent mcp-serve
innerwarden agent mcp-serve --label claude-code
FlagWhat it does
--label <TEXT>Label for audit and alerts

mcp-serve is advisory (it only helps an agent that chooses to ask). The enforcement that does not depend on the agent cooperating is agent proxy plus the host eBPF and Execution Gate. See AI Agent Guardrail.


Top-level commands

setup

First-time wizard: scans the host, configures AI, notifications, the Local Warden model, the responder, and the most relevant modules.

innerwarden setup
innerwarden setup --mode advanced

upgrade

Check for a newer signed release and install all binaries.

innerwarden upgrade                 # check + install
innerwarden upgrade --check         # just check
innerwarden upgrade --check --notify
innerwarden upgrade --yes           # no prompt
FlagWhat it doesDefault
--checkOnly report whether an update existsoff
--yesSkip the confirmation promptoff
--notifyTelegram alert if a new version is availableoff
--install-dir <PATH>Where binaries live/usr/local/bin
--allow-unsigned-stable / --allow-unsigned-canarySupply-chain escape hatches; not recommendedoff

dashboard

Open or check the local dashboard with one command, no systemd or firewall surgery. The dashboard binds to localhost by default.

innerwarden dashboard               # status: bind, URL, login, ready-to-paste SSH tunnel
innerwarden dashboard open          # expose securely: set a login, bind 0.0.0.0, firewall-lock to YOUR SSH client IP
innerwarden dashboard open --allow 203.0.113.7   # lock to a specific IP instead
innerwarden dashboard open --public # allow any IP (least safe)
innerwarden dashboard close         # back to localhost only
innerwarden dashboard tunnel        # print the exact SSH port-forward command (nothing is exposed)
Flag (on open)What it doesDefault
--allow <IP>Firewall-lock remote access to this IPyour current SSH client IP
--publicAllow any source IP (least safe)off

Exposing is always password-protected: the agent refuses a non-loopback bind without credentials, so open sets a login first and prints it once. open/close write [dashboard] bind in agent.toml and restart the agent (watchdog-aware). The safest option is dashboard tunnel: an SSH local-forward that leaves the dashboard on localhost. More on access and notifications: Dashboard and Notifications.

uninstall

Remove InnerWarden in a safe order. This command owns uninstall; Install and First Run links here.

innerwarden uninstall               # remove software, KEEP config + data
innerwarden uninstall --purge       # also remove config, data, logs, and the innerwarden user
innerwarden uninstall --dry-run     # preview exactly what would be removed (no sudo needed)
innerwarden uninstall --yes         # skip the confirmation prompt
FlagWhat it does
--purgeAlso remove /etc/innerwarden, /var/lib/innerwarden, /var/log/innerwarden, and the innerwarden user
--dry-runPrint the exact plan and exit (no root needed)
--yesSkip the confirmation prompt

It stops the watchdog/supervisor first (so nothing respawns the agent mid-uninstall), then the agent and sensor, then removes the binaries, systemd units, the embedded eBPF object, the pinned BPF maps, the sudoers drop-ins, and the firewall rules InnerWarden added. Config and data are kept by default so a reinstall keeps your history and license; --purge removes them too.

If the binary is missing or broken, the installer can tear everything down the same way:

curl -fsSL https://innerwarden.com/install | sudo bash -s -- --uninstall          # or --uninstall --purge

install-warden

Install the on-device Local Warden model (distilled SecureBERT) so AI triage runs locally with no API key.

innerwarden install-warden          # default model (~91 MB), real pinned hash, no --sha256 needed
innerwarden install-warden --model minilm-l6 --yes
FlagWhat it doesDefault
--model <NAME>minilm-l6 (default, distilled, ~87 MB) or roberta-v1 (larger teacher)minilm-l6
--url <URL>Override the release URL (air-gapped or mirror installs)pinned release
--sha256 <HASH>Override the pinned archive hash (only with --url)pinned
--yesSkip the confirmation promptoff
--configureAlso write [ai.warden] into agent.toml (used by the installer)off

install-classifier is kept as a visible alias.

Capabilities and completions

innerwarden list                    # show all capabilities + status
innerwarden enable <capability>     # activate (e.g. block_ip, sudo_protection)
innerwarden enable <capability> --force   # re-apply / repair drift (e.g. a missing sudoers drop-in)
innerwarden disable <capability>
innerwarden completions bash >> ~/.bashrc
innerwarden completions zsh  >> ~/.zshrc
innerwarden completions fish

Two offline harnesses (on the innerwarden-agent binary)

These run on the innerwarden-agent binary, not the innerwarden CLI. Each is a one-shot: do the work, print a report, exit without entering the live loop.

# Replay a captured incidents JSONL through the SOC playbooks in dry-run.
innerwarden-agent --playbook-replay /var/lib/innerwarden/incidents-2026-05-30.jsonl

# Offline autoencoder backtest. Train on events before the cutoff, score the rest.
innerwarden-agent --backtest-anomaly --backtest-cutoff 2026-05-15
FlagWhat it does
--playbook-replay <INCIDENTS_JSONL>Batch-validate SOC playbooks against captured incidents (no skills fire, no audit written)
--backtest-anomalyOffline anomaly-model backtest (no live traffic, no training leakage)
--backtest-cutoff <YYYY-MM-DD>Cutoff for --backtest-anomaly: events before it train, on/after it are scored

Quick reference

I want to...Command
First-time setupinnerwarden setup
Check healthinnerwarden system doctor
Today's serious threatsinnerwarden get incidents --severity high
What InnerWarden didinnerwarden get decisions
What is blocked right nowinnerwarden get responses
Stream incidents liveinnerwarden stream
Block / unblock an IPinnerwarden action block <IP> --reason "..."
Configure AIinnerwarden config ai
Arm enforcement (live)innerwarden config responder --enable --dry-run false
Arm enforcement (safe)innerwarden config responder --enable --dry-run true
Set up Telegraminnerwarden config telegram
Trust an IPinnerwarden trust add --ip 10.0.0.1 --reason "..."
Silence a detectorinnerwarden trust suppress <pattern>
Daily reportinnerwarden get report
Export datainnerwarden system export incidents --format csv
Validate config before deployinnerwarden config validate
Open the dashboardinnerwarden dashboard
Local AI, no keyinnerwarden install-warden
Guard an MCP serverinnerwarden agent proxy --mode guard -- <server>
Upgradeinnerwarden upgrade
Remove InnerWardeninnerwarden uninstall

Anything not covered here: run innerwarden <group> --help. Related reading: Configuration, Everyday Operations, Responding to Incidents, AI Agent Guardrail.