TomeSpell
Perimeter SecurityTomeSpell
Linux Perimeter Security

One Platform.
Complete Perimeter Defense.

Vulnerability scanning, intrusion detection, and canary deployment in a single self-hosted solution. Know when attackers probe your network, exploit your systems, or access sensitive files.

Get Started
Scroll to explore
The Problem

Your Perimeter Has Blind Spots

Traditional security tools leave dangerous gaps in Linux infrastructure visibility.

Fragmented Tooling
Separate scanners, IDS systems, and honeypots that don't share context or correlate events.
Reactive Detection
Most tools alert after the breach. By the time you see the log, the attacker has moved laterally.
Deployment Complexity
Enterprise solutions require dedicated teams, complex configurations, and expensive licensing.
Limited Visibility
No insight into what processes run, what files change, or what connections are made on your hosts.
The Solution

Three Capabilities.
One Platform.

TomeSpell integrates vulnerability scanning, intrusion detection, and canary deployment into a unified self-hosted platform.

Vulnerability Scanning
Intrusion Detection
Canary & Honeypot
Features

Everything Under One Roof

Deep visibility into your Linux infrastructure with integrated scanning, detection, and deception capabilities.

Vulnerability Scanning

Continuous Vulnerability Assessment

Automatically scan your Linux hosts for known CVEs and system weaknesses. Prioritize remediation with severity-ranked findings and track progress over time.

  • Automated CVE detection across installed packages
  • System weakness enumeration and scoring
  • Scheduled and on-demand scan workflows
  • Remediation tracking with historical trends
prod-server-01
Linux x86_64
Online
Monitored Paths
/etc/passwd
/var/log/auth.log
/home/admin/.ssh/
File Access Detected
/etc/passwd read by uid 0
2 seconds ago
Intrusion Detection

Real-Time eBPF-Based Monitoring

Monitor process execution, file access, and network connections at the kernel level using eBPF. Detect suspicious activity the moment it happens — not hours later in a log file.

  • Process execution and file write monitoring
  • Network connection tracking and analysis
  • Configurable detection rules and thresholds
  • Active response against identified threats
Port Scan Detected
Source:92.118.xx.xx
Ports Hit:12 in 3 seconds
Pattern:Sequential
Trap Ports
:21 :23 :25 :445 :1433 :3389 :5432 :6379
Honeypot Services

Deploy Decoy Services That Detect Attackers

Run SSH, HTTP, and TCP honeypot services on your hosts. Any interaction with these services is an immediate indicator of compromise — legitimate users never touch them.

  • SSH, HTTP, and TCP honeypot protocols
  • Full session logging and attacker fingerprinting
  • Port scan detection on trap ports
  • Zero false positives — any interaction is suspicious
SSH
:2222
HTTP
:8888
TCP
:9999
SSH Honeypot Alert
Source:45.33.xx.xx
Username:root
Password:admin123
47
Attempts Today
12
Unique IPs
3
Active Traps
Canary Documents

Trackable Documents That Phone Home

Generate PDF documents with embedded tracking that alert you the moment they're opened. Plant them in sensitive locations and know instantly when someone accesses them.

  • PDF documents with embedded callbacks
  • Dual tracking via JavaScript and link methods
  • Detailed access reports with IP and user agent
  • Deploy as tripwires in sensitive directories
confidential-report.pdf
Generated with tracking
14:32:17Document opened
IP: 185.234.xx.xx
Location: Moscow, Russia
Reader: Adobe Acrobat
Hardware Canaries

Physical Devices That Extend Your Perimeter

Deploy hardware canary devices on your network that act as physical tripwires. Detect unauthorized network scanning, rogue devices, and physical security breaches.

  • USB and network-connected canary devices
  • Unauthorized device detection
  • Physical security breach alerting
  • Integration with the central dashboard
Intrusion Detection Scenario
LIVE DEMO
1
Insider ThreatPlugs in USB
2
Trap TriggeredFile accessed
3
Alert SentInstant notify
4
Threat LoggedFull forensics
Detection Time
<1s
Data Captured
12 fields
Alert Channels
3 active
How It Works

From Deployment to Detection

Get your infrastructure protected in five straightforward steps.

Step 1

Deploy Controller

Install the TomeSpell controller on your server. A single binary with a web dashboard and API.

Step 2

Enroll Agents

Deploy lightweight agents on your Linux hosts. They auto-register and start reporting immediately.

Step 3

Configure Policies

Set up scan schedules, detection rules, honeypot services, and notification channels.

Step 4

Monitor in Real-Time

Agents report vulnerabilities, process events, file changes, and network connections in real-time.

Step 5

Detect & Respond

Receive instant alerts when threats are identified. Review findings with full context and remediation guidance.

Use Cases

Built for Security Teams

TomeSpell adapts to your security workflow, whether you're protecting a handful of servers or an entire fleet.

Security Operations

Central visibility into your Linux fleet. Correlate vulnerability data with real-time intrusion detection and canary alerts in a single dashboard.

Compliance & Audit

Demonstrate continuous vulnerability management and intrusion detection capabilities. Generate reports for auditors with historical scan data and incident timelines.

Incident Response

When a breach occurs, TomeSpell provides the process tree, file access history, and network connections you need to understand the full scope of the incident.

Deception & Early Warning

Deploy honeypots and canary documents across your infrastructure. Any interaction is an early warning sign — detect attackers before they reach critical assets.

FAQ

Frequently Asked Questions

Everything you need to know about TomeSpell.

Ready to Secure
Your Infrastructure?

Deploy TomeSpell today and gain complete visibility into your Linux perimeter.

Get Started Now