Arden is a zero-dependency DFIR event log analyzer for Windows. Single executable. 46 detection rules. 14 Sigma rules. Real-time dashboard. Deploy in seconds — no agents, no cloud, no subscriptions.
6 parallel PowerShell readers with HashSet filtering parse 50K+ events in under 30 seconds. No indexing, no pre-processing.
Push lightweight agents via admin share + WMI. Pull model with heartbeat monitoring. Deploy to your entire network from the dashboard.
Server-Sent Events stream alerts live. Kill chain visualization, dual filtering (host + severity), and full-text search across all fields.
One-click CSV and JSON exports. Filter-aware — exports respect your active severity, tactic, host, and date range filters.
Suppress by rule, rule+host, or rule+user. Reason tracking. Triage dashboard shows what's hidden and why. One-click removal.
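The three suppression scopes described above (rule, rule+host, rule+user) with reason tracking, as an added illustration that is not Arden's own code; the alert records, hostnames, user names and reasons are constructed sample data, and the dictionary shape of an alert is an assumption.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Suppression:
    """One suppression entry; scope is rule, rule+host, or rule+user."""
    rule: str
    host: Optional[str] = None  # set only for the rule+host scope
    user: Optional[str] = None  # set only for the rule+user scope
    reason: str = ""            # why the analyst hid these alerts

    def matches(self, alert: dict) -> bool:
        if alert["rule"] != self.rule:
            return False
        if self.host is not None and alert.get("host") != self.host:
            return False
        if self.user is not None and alert.get("user") != self.user:
            return False
        return True


def triage(alerts, suppressions):
    """Split alerts into (visible, hidden); hidden rows carry the reason."""
    # Narrower scopes are tried first so the most specific reason is recorded.
    ordered = sorted(suppressions, reverse=True,
                     key=lambda s: (s.host is not None) + (s.user is not None))
    visible, hidden = [], []
    for alert in alerts:
        hit = next((s for s in ordered if s.matches(alert)), None)
        if hit is None:
            visible.append(alert)
        else:
            hidden.append({**alert, "reason": hit.reason, "scope": hit})
    return visible, hidden


# Constructed sample data; rule names follow the page's Sigma rule list.
SAMPLE_ALERTS = [
    {"rule": "Cobalt Strike Pipe", "host": "WS01", "user": "alice"},
    {"rule": "Cobalt Strike Pipe", "host": "WS02", "user": "alice"},
    {"rule": "BITS Abuse", "host": "SRV01", "user": "svc_backup"},
    {"rule": "BITS Abuse", "host": "SRV01", "user": "bob"},
    {"rule": "Download Cradle", "host": "WS03", "user": "carol"},
]
SAMPLE_SUPPRESSIONS = [
    Suppression("Cobalt Strike Pipe", host="WS01", reason="Authorized purple-team host (ticket PLACEHOLDER)"),
    Suppression("BITS Abuse", user="svc_backup", reason="Backup service legitimately uses BITS"),
    Suppression("Download Cradle", reason="Known admin deployment script"),
]
```

Removing an entry from the suppression list and re-running `triage` restores the alerts it hid, which is the one-click removal behaviour described above.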
14 custom Sigma YAML rules included. Cobalt Strike pipes, Impacket tools, BITS abuse, potato attacks, download cradles, and more.
Single portable executable. 15MB. Runs on Windows 10/11, Server 2016+. No .NET, no Python, no runtime needed.
`arden.exe --serve` reads local event logs, runs all 46 detection rules, and launches the dashboard.
Dashboard opens at `localhost:8080`. See alerts by severity, filter by host, export findings. Deploy agents to remote machines from the UI.
| Capability | Enterprise SIEM | Arden |
|---|---|---|
| Time to first alert | Days to weeks | ✓ 30 seconds |
| Dependencies | Agent + server + DB + cloud | ✓ Zero |
| Deployment | Professional services | ✓ Double-click |
| Annual cost | $50K – $500K+ | ✓ One-time purchase |
| Cloud requirement | Required | ✓ Fully offline |
| MITRE ATT&CK coverage | Varies by config | ✓ 46 rules out of the box |
| Data leaves your network | Yes (telemetry/cloud) | ✓ Never |
Download Arden and run your first investigation in under a minute. No signup. No telemetry. Your logs stay on your machine.
Windows 10/11 • Server 2016+ • x64 • ~15MB • No runtime required