Kefal documentation
Everything you need to install Kefal, read your first incident, and understand the 32 built-in invariants.
Need help?
Write to freddavidblum@catalystais.com or open an issue on GitHub.
What Kefal is, in one paragraph
Kefal is a compositional cyber-defense agent for small and mid-sized businesses. A single binary sits on each server you want protected. It sends periodic snapshots of processes, ports, and identities to a central service that builds a living graph of your infrastructure — and raises an incident when something violates the logic of your system. Detection is by compositional coherence, not by signatures: Kefal notices what doesn't belong, even if no rule was ever written for it.
Core concepts
- Agent — a single Go binary that runs on each of your servers. Reports snapshots every 60 seconds.
- Snapshot — the state of a host at a moment in time: hostname, OS, processes, ports, logged-in users.
- Graph — a relational model of every host, service, port, and identity in your fleet, built automatically from snapshots.
- Invariant — a rule that describes a pattern that should or shouldn't appear in the graph. Kefal ships with 32 built-in invariants across 7 categories.
- Incident — a violation of an invariant. Ranked by severity. Each comes with an AI-generated remediation plan (three concrete actions).
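The snapshot, graph, invariant, incident flow described above, as an added illustration in Go; it is not Kefal's code, schema, or one of its 32 built-in invariants. The type names, field names, severity labels, the invariant itself, and the sample hosts are assumptions made for this example.

```go
package main

import "fmt"

// Snapshot carries the fields the page lists; names and types are assumptions.
type Snapshot struct {
	Hostname                string
	Processes, Ports, Users []string
}
type Incident struct{ Host, Node, Severity string } // severity labels are assumptions
type Graph map[string]map[string]bool               // node label ("proc:sshd") -> hosts seen on

func nodes(s Snapshot) (n []string) {
	for i, vals := range [][]string{s.Processes, s.Ports, s.Users} {
		for _, v := range vals {
			n = append(n, []string{"proc:", "port:", "user:"}[i]+v)
		}
	}
	return n
}

// Observe adds the snapshot's host-to-node edges to the graph.
func (g Graph) Observe(s Snapshot) {
	for _, n := range nodes(s) {
		if g[n] == nil {
			g[n] = map[string]bool{}
		}
		g[n][s.Hostname] = true
	}
}

// Check (hypothetical invariant): a node must already be linked to this host; unseen fleet-wide is "high".
func (g Graph) Check(s Snapshot) []Incident {
	var high, medium []Incident
	for _, n := range nodes(s) {
		if len(g[n]) == 0 {
			high = append(high, Incident{s.Hostname, n, "high"})
		} else if !g[n][s.Hostname] {
			medium = append(medium, Incident{s.Hostname, n, "medium"})
		}
	}
	return append(high, medium...)
}

func main() { // constructed sample snapshots
	g := Graph{}
	g.Observe(Snapshot{"web-1", []string{"nginx", "sshd"}, []string{"22/tcp", "443/tcp"}, []string{"deploy"}})
	g.Observe(Snapshot{"db-1", []string{"postgres", "sshd"}, []string{"22/tcp", "5432/tcp"}, []string{"dba"}})
	fmt.Println(g.Check(Snapshot{"web-1", []string{"nginx", "helperd"}, []string{"443/tcp", "5432/tcp"}, []string{"dba"}}))
}
```

No rule names the process, port, or user in advance: each finding comes from an edge that is missing in the graph built from earlier snapshots.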