A Network Watchtower for everyone
Vedetta is practical security visibility for your networks.
Open-source SIEM and threat intelligence for home networks and small businesses. Know every device. Detect Threats. Own your data.
Vedetta is in public beta
Nine rounds of independent security review, and the watchtower is open.
Self-hosted, LAN-first visibility you fully control — free, open-source, and ready for real networks.
Monitoring that stands on its own
- Device discovery across ARP, DHCP, mDNS, and SSDP/UPnP
- Passive DNS capture with local threat scoring and enrichment
- EOL router & camera risk detection (FBI IC3 advisory models)
- Docker Core + native macOS/Linux sensor, loopback-first by default
- Opt-out community threat network — pseudonymous, known-bad indicators only
Honest about the edges
- Local detection works with zero cloud dependency
- Hardened auth: scoped tokens, admin-gated sensor enrollment, loopback-default transport
- Telemetry is on by default and opt-out — see Privacy
- The native sensor install still assumes some networking comfort
- AGPLv3 — audit it, fork it, run it on your own hardware
Stand up your watchtower
Clone the repo, generate credentials, and bring up Core with Docker Compose — the Start section has the exact commands. Deploy on a Raspberry Pi, a Linux box, or a Mac.
Powerful Features
Device Discovery
Automatically find every device on your network: phones, cameras, smart home gear, servers. Know what's connected and when something new shows up.
Community Threat Intel
Contribute privacy-reduced, pseudonymous telemetry — on by default, opt out any time — to help build a shared threat network. Every Vedetta instance makes every other instance smarter. Strength in numbers.
Runs Anywhere
Deploy on a Raspberry Pi, a Linux server, or a Mac. Docker-based Core with native sensors. Self-hosted, LAN-first visibility you fully control.
DNS Monitoring
Passive DNS analysis via libpcap and Pi-hole integration. DNSMasq and other options for advanced setups. See where your devices are calling home, catch suspicious domains, and track query patterns over time.
EOL Router & Camera Risk
Detects specific end-of-life and vulnerable router and camera models from the FBI IC3 FLASH 2026-03-12 advisory and raises risk scoring when they exhibit suspicious behavior.
Core + Sensor
Core manages the dashboard, database, and intelligence. Sensors are lightweight binaries that can be deployed on each network segment with full L2 fingerprinting.
Open Source
AGPLv3 licensed. Audit the code, contribute to it, fork it, extend it. No vendor lock-in, no subscriptions. Your network data stays on your hardware.
Status
Clear lines between shipped work and roadmap work.
Vedetta is in public beta. These buckets are the honest version of the product state right now.
Local monitoring that already stands on its own
- Docker-based Core with API, UI, and local storage
- Native sensor for macOS and Linux workflows
- Passive DNS capture plus active and passive device discovery
- Log ingestion pipeline plus local DNS scoring and enrichment
- Device risk categories (known-exploited, end-of-life, high-risk IoT) and EOL Router & Camera Detection (FBI IC3 advisory models)
- UniFi log ingestion (CEF/syslog → firewall events) — syslog path implemented
- Passive discovery correlation and device labeling across ARP, DHCP, mDNS, and SSDP/UPnP
- Optional Pi-hole and AdGuard Home pollers
Validating the newest work
- Real-world SNR validation of UniFi ingestion and discovery correlation on live deployments
- Community telemetry and threat network — implemented, on by default (opt-out), security-reviewed for beta; growing the reporter base toward useful consensus
- Install and onboarding polish
- Token rotation and broader admin/dashboard auth hardening
- More durable docs and setup guidance
Broader network visibility layers
- More firewall/router connectors after UniFi is validated: OpenWRT, pfSense/OPNsense, and MikroTik
- Wiring the community advisory feed into Core enrichment
- More local DNS collection options for advanced setups
Who It Is For
Grounded fit, honest install, explicit trust model.
Vedetta is being built for small environments that want real visibility without pretending they already have a full SOC.
Who Vedetta fits today
- Homelab users
- Technical home users
- Small businesses without a full security team
- Consultants, MSPs, and security practitioners helping tiny environments
Core plus sensor is the current model
Required today: Vedetta Core and at least one native sensor. Optional today: Pi-hole, AdGuard Home, telemetry, and early connector experimentation.
Public beta, homelab-friendly, not plug-and-play
The current path uses Docker for Core and a native sensor install with elevated local access. That is honest public beta software, not a fake frictionless setup story.
Self-hosted first
The local deployment stays fully useful with no cloud dependency. Community telemetry is on by default but trivially opt-out, advisory-only, and privacy-reduced and pseudonymous (not anonymous) — no internal/device source IPs, MACs, or hostnames are ever serialized into the payload. (As with any outbound connection, the network intermediary — Cloudflare — sees your Core's public WAN address; that is transport metadata, not part of what is shared.)
Not a Pi-hole companion product
Pi-hole and AdGuard Home are useful if you already run them. Vedetta is being built to ingest useful security signals from multiple DNS and network data sources over time.
Local-first public beta means explicit boundaries
Machine-to-machine sensor auth is in place. Token rotation and broader admin/dashboard hardening are still ahead, and the current product should still be treated as LAN-first public beta software, not hardened public internet infrastructure.
Start
Two moving parts, by design.
Core is the dashboard and data plane. The sensor is the local network-side view. That split is where the current product gets its value.
Start Vedetta Core
Generate machine credentials first, then bring up Core with Docker Compose. gen-env.sh writes distinct ingest/read tokens and the single-use first-admin setup code — skip it and the onboarding wizard cannot mint your admin token.
git clone https://github.com/MahdiHedhli/vedetta.git
cd vedetta
./scripts/gen-env.sh
docker compose up -d
Open the dashboard at http://localhost:3107, run the onboarding wizard, and enter the setup code printed by gen-env.sh (or read it from docker logs vedetta-backend) to create your first admin token. Then use the wizard's "Connect a sensor" step to mint a one-time enrollment code.
Install the native sensor
The current public installer supports macOS and Linux. Review the script before running it, and pass the enrollment code from the wizard as --enroll-code.
curl -fsSL -o /tmp/vedetta-sensor-install.sh \
https://raw.githubusercontent.com/MahdiHedhli/vedetta/main/sensor/deploy/install.sh
sudo bash /tmp/vedetta-sensor-install.sh \
--core https://vedetta.example.com \
--enroll-code <ENROLL_CODE>
Core binds to 127.0.0.1 (loopback) only. For a sensor on the same host use --core http://localhost:8080; for a remote sensor, front Core with the TLS reverse proxy and point --core at that HTTPS hostname (e.g. https://vedetta.example.com). Don't send tokens over plaintext http://<CORE_IP>:8080.
If you want the longer operational details, the repo README and roadmap go deeper on what is available now, what is optional, and what is still next.