From GRR to Velociraptor
Mike Cohen, formerly of Google, was one of the main authors of GRR Rapid Response, Google's open source framework for large-scale live forensics. The GRR experience produced the need for a lighter engine with a more expressive query language and simpler deployment.
In 2018 Mike Cohen started Velociraptor under Velocidex. The first public release came on 8 July 2019, under the AGPLv3 licence. In 2021 Rapid7 acquired Velocidex; the project remains open source, with governance steered by Rapid7 but with a public repository and active external contributors.
VQL, the query language
The core of Velociraptor is VQL (Velociraptor Query Language): a SQL-like language for querying endpoints in real time. VQL provides plugins and functions and lets heterogeneous data sources be combined in one query (file system, Windows registry, ETW events, logs, memory).
Conceptual example:
SELECT OSPath, Mtime, Size
FROM glob(globs="C:/Windows/System32/**/*.exe")
WHERE authenticode(filename=OSPath).Trusted != "trusted"
Returns executables in System32 with unverified signature.
Artifact DSL
Artifacts are parameterised, versioned, reusable VQL queries. The public Velociraptor Artifact Exchange library contains hundreds of artifacts for:
- forensic triage (MFT, UsnJrnl, Prefetch, ShimCache, AmCache, Event Log, Registry hives)
- detection (persistence mechanisms, suspicious process trees, ATT&CK techniques)
- collection (memory dump via integrated WinPMem, file collection)
The official catalogue is updated continuously by the community and the development team.
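As an added example, not taken from the page or from the Velociraptor project, here is a complete artifact definition in the YAML format Velociraptor uses: it turns the unsigned-executable query above into a parameterised, hunt-ready artifact. The artifact name and parameter names are assumptions; the VQL plugins and functions (glob, authenticode, hash, foreach, info, split) are the real ones.

```yaml
# Hypothetical artifact: list PE files whose Authenticode signature
# is not trusted on the endpoint. Suitable for a hunt across a fleet.
name: Custom.Windows.Detection.UntrustedBinaries
description: |
  Enumerates executables matching SearchGlobs and reports those whose
  Authenticode status is anything other than "trusted", together with
  the signer subject and SHA256 so results can be cross-checked.
type: CLIENT
parameters:
  - name: SearchGlobs
    description: Comma-separated glob patterns to search.
    default: C:/Windows/System32/**/*.exe
  - name: MinSizeBytes
    description: Ignore files smaller than this (skips stubs and empties).
    type: int
    default: 1024
sources:
  # Only run on Windows clients; other platforms return no rows.
  - precondition: SELECT OS FROM info() WHERE OS = 'windows'
    query: |
      LET files = SELECT OSPath, Mtime, Size
        FROM glob(globs=split(string=SearchGlobs, sep=","))
        WHERE NOT IsDir AND Size > MinSizeBytes

      SELECT OSPath, Mtime, Size,
             Signer.Trusted AS Trusted,
             Signer.SubjectName AS Subject,
             hash(path=OSPath).SHA256 AS SHA256
      FROM foreach(row=files,
                   query={
                     SELECT *, authenticode(filename=OSPath) AS Signer
                     FROM scope()
                   })
      WHERE Trusted != "trusted"
```

Hashing every match is the expensive step; on large globs, tighten SearchGlobs or raise MinSizeBytes before launching it as a fleet-wide hunt.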
Hunt engine and server architecture
Velociraptor has a server–client architecture (agent on endpoint, central server with web UI):
- Hunt — artifact execution on all or a subset of endpoints
- Flow — single-endpoint execution
- Event monitoring — artifacts continuously emitting events (process creation, file events, ETW)
Server↔client communication goes over encrypted gRPC, with certificate authentication. The server runs on Linux or Windows; agents on Windows, Linux, macOS.
DFIR use cases
- Live triage — forensic artifact collection on a suspicious endpoint without full imaging
- Enterprise hunt — IoC search (hash, TTPs) across thousands of machines
- Continuous monitoring — always-on detection artifacts (EDR-like)
- Incident response — structured evidence collection, export to timelines (Plaso, Timesketch)
- Proactive hunting — scheduled jobs for known anomalies
Integration with other tools
- Sigma — Sigma rules → Velociraptor artifact conversion
- YARA — memory and file scanning with native integration
- ELK, Splunk — event export via Kafka, HTTP, file
- TheHive/Cortex — responder for evidence collection from a case
Licence and post-Rapid7 model
After the 2021 acquisition Velociraptor remains AGPLv3, with code on GitHub and official binaries freely distributed. Rapid7 offers commercial support and integration with its InsightIDR platform, but open source use requires no licence.
In the Italian context
Velociraptor is used in:
- DFIR teams — rapid and remote forensic collection
- MSSPs / SOCs — distributed hunts in the absence of a commercial EDR
- Public CSIRTs — incident response on public administration (PA) systems
- Universities — forensic and threat hunting teaching
Among open source DFIR/EDR tools it is one of the most powerful in query depth and scalability, thanks to the VQL model and its solid client-server design.
References: Velociraptor, author Mike Cohen. Initial public release 8 July 2019 (Velocidex). AGPLv3 licence. Acquisition of Velocidex by Rapid7 in 2021, project remained open source. VQL language. Documentation: https://docs.velociraptor.app.