Getting started
From zero to your first incident and remediation in under 10 minutes.
Step 1 — Create an account
Go to kefal.dev/app/ and sign up. Pick any username (it's internal, not your email). You'll land on an empty dashboard with a 7-day trial. No card required.
Step 2 — Install an agent on a server you want to protect
Follow the installation guide for your OS. The short version for Linux amd64:
curl -L -o kefal-agent https://kefal.dev/download/kefal-agent-linux-amd64
chmod +x kefal-agent
sudo ./kefal-agent
Enter your Kefal username and password when prompted. The agent begins sending snapshots every 60 seconds.
Step 3 — Watch your infrastructure appear in the dashboard
Refresh kefal.dev/app/. Within 60–90 seconds of the first snapshot, your host shows up as a node in the Graph view. The Graph shows four types of nodes connected by relationships Kefal extracts from your snapshots:
- Host — one per agent. Your server.
- Service — processes running on the host (nginx, postgres, sshd, etc.).
- Port — listening TCP/UDP ports.
- Identity — usernames seen (root, www-data, postgres, you).
Relationships:
- host runs service — a process observed on a host
- service listens on port — a listening socket
- host has user — an identity observed on the host
- user logged_in on host — a currently active login session
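As an added illustration (not Kefal's own code), the sketch below builds the four node types and four relationships listed above from a constructed snapshot, then traces the host, service, port chain behind one listening port. The snapshot layout, its field names, the host-scoped node names and the function names `build_graph` and `chain_to` are all assumptions made for this example.

```python
# Added example: the snapshot layout is constructed, not Kefal's real wire format.
SNAPSHOT = {  # constructed sample input
    "host": "web-01",
    "processes": [
        {"name": "nginx", "listen": ["tcp/80", "tcp/443"]},
        {"name": "postgres", "listen": ["tcp/5432"]},
        {"name": "sshd", "listen": ["tcp/22"]},
    ],
    "users": ["root", "www-data", "postgres", "alice"],
    "sessions": ["alice"],
}

def build_graph(snap):
    """Return (nodes, edges). Nodes are (type, name); edges are (src, relation, dst)."""
    h = snap["host"]
    host = ("host", h)
    nodes, edges = {host}, set()

    def link(src, relation, dst):
        nodes.update((src, dst))
        edges.add((src, relation, dst))

    for proc in snap["processes"]:
        # Service and port names are scoped by host so that two hosts
        # running nginx do not collapse into a single node.
        svc = ("service", f"{h}/{proc['name']}")
        link(host, "runs", svc)
        for p in proc["listen"]:
            link(svc, "listens_on", ("port", f"{h}/{p}"))
    for u in snap["users"]:
        link(host, "has_user", ("identity", u))
    for u in snap["sessions"]:
        link(("identity", u), "logged_in", host)
    return nodes, edges

def chain_to(target, edges):
    """Walk 'runs' and 'listens_on' edges backwards from target up to its host."""
    parents = {dst: src for src, rel, dst in edges if rel in ("runs", "listens_on")}
    chain = [target]
    while chain[0] in parents:
        chain.insert(0, parents[chain[0]])
    return chain

if __name__ == "__main__":
    _, e = build_graph(SNAPSHOT)
    for node_type, name in chain_to(("port", "web-01/tcp/5432"), e):
        print(node_type, name)
```
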
Switch between Graph view (visual, Cytoscape.js) and List view (table, sortable) with the toggle in the top nav.
Step 4 — Understand your first incident
Kefal begins evaluating invariants on every ingest. Most snapshots on a healthy baseline server produce zero incidents. But if you install Kefal on a server that already has issues (common!), expect 1–5 incidents in the first hour. Click the Incidents tab to see them.
Each incident has:
- Severity — one of low, medium, high, critical.
- Type — which invariant fired (e.g. service_privilege_exposure).
- Triggering data — the exact snapshot fields that matched. Reveals why the invariant fired, not just that it fired.
- Causal chain — the sequence of graph nodes that led to the violation.
- Status — open, acknowledged, or dismissed.
last_seen timestamp rather than creating a new one. You won't get 1440 copies of the same alert per day.
Step 5 — Read a remediation
Every incident gets an AI-generated remediation shortly after it's raised. Click an incident to expand it. The remediation contains:
- Three concrete actions to resolve the issue, ranked by priority.
- For each action: a shell command or config change, a risk level (low / moderate / high), and an explanation of what it does.
- An overall urgency rating — how quickly you should act.
Remediations are suggestions, not automatic fixes. You review, accept/reject, and apply them yourself on the affected host. After applying, mark the remediation as applied in the dashboard so Kefal can confirm the next snapshot no longer violates the invariant.
What's next
- Install the agent on your other servers. Each one appears as a new host in the same graph.
- Browse the 32 built-in invariants to see what Kefal watches for.
- For integrations or automation, see the API reference.
- Questions about data, privacy, uninstall? See the FAQ.