Installation &
Deployment

Stand up Kaimz on your own infrastructure end-to-end: the brain and console, TLS, first-run setup, and agents on Windows and Linux.

On this page

Prerequisites
Deploy the brain & console
Reverse proxy & TLS
First-run & MFA
Install the Linux agent
Install the Windows agent
Verify the deployment
Upgrades & backups

Prerequisites

Kaimz runs entirely on infrastructure you control. To start a pilot you need one Linux host for the brain and console, plus the endpoints you want to protect.

Server hostLinux (Ubuntu/Debian/RHEL), 2+ vCPU, 8 GB RAM, 40 GB+ disk for telemetry.

RuntimeNode.js (brain) and the Next.js console — bundled by the installer.

NetworkReachable by your endpoints on the brain port; outbound to NVD/CISA for intel feeds (or mirror them).

TLSA certificate for the console host (your CA or Let's Encrypt).

Sizing: 8 GB RAM comfortably covers a pilot of tens to a few hundred endpoints. Scale RAM/disk with fleet size and retention; Enterprise supports multi-node HA.

Deploy the brain & console

The brain ingests telemetry and runs the detection/correlation engines; the console is the operator web UI. Deploy both on your server host behind your reverse proxy.

Provision the Linux host and apply OS updates.
Deploy the brain and console packages and start them as services (the console runs on its web port; the brain on its API port).
Confirm both processes are healthy before exposing them.

Get the packages: the exact install bundle and current commands are provided with your deployment. Contact us to start a Community or pilot deployment.

Reverse proxy & TLS

Put the console behind your reverse proxy (nginx, Caddy, Traefik) and terminate TLS there. Agents communicate with the brain over mutual TLS, so plan certificate distribution for the agent fleet.

# nginx (sketch) — proxy the console behind TLS
server {
  listen 443 ssl;
  server_name console.internal.example.com;
  ssl_certificate     /etc/ssl/console.crt;
  ssl_certificate_key /etc/ssl/console.key;
  location / { proxy_pass http://127.0.0.1:CONSOLE_PORT; }
}

Air-gapped? Mirror the NVD/CISA feeds internally and point the brain at your mirror — no component requires a vendor cloud.

First-run & MFA

Open the console URL and complete first-run setup (create the first administrator).
Enable MFA immediately (TOTP) and map RBAC roles to your team — least privilege from day one.
Generate an API key if you plan to automate (see the API Reference).

Install the Linux agent

The Linux agent runs as a systemd service and streams process, network and auth telemetry to the brain. One-line install (registers to your brain origin):

# Run on each Linux endpoint (root)
curl -fsSL https://<brain-host>/install-agent.sh | sudo bash

# Verify the service
systemctl status kaimz-agent

Install the Windows agent

The Windows agent runs as SYSTEM with a self-healing watchdog and a ~30-second heartbeat. From an elevated PowerShell:

# Run on each Windows endpoint (elevated PowerShell)
irm https://<brain-host>/install-agent.ps1 | iex

# The installer registers a scheduled task and starts the agent

Tamper resistance: the agent uses single-instance guards, an ACL-locked install directory and a watchdog that restarts it if stopped. Uninstall requires the per-install token.

Verify the deployment

Each endpoint appears in Asset inventory with an online status and recent heartbeat.
Telemetry and detections begin to populate; run an initial scan from the asset detail view.
Trigger a benign test (e.g. a LOLBin command) on a pilot host and confirm a detection + the Threat Storyline render.
Test a response action (isolate/lift) on a pilot host to confirm RTR works end-to-end.

Upgrades & backups

Upgrades are rolled out to the brain/console packages; agents update via your standard software-distribution process.
Back up the telemetry store and configuration on a schedule that matches your retention and compliance needs.
High availability (Enterprise) runs the brain/console across multiple nodes to remove single points of failure.

← Back

Docs overview

API Reference

Get started