Note
MIT-licensed and free forever for any use. Defend is part of the ByteWorthy open-source security family — see related projects for the full list. Sponsorship via GitHub Sponsors keeps the lights on; no paid tier is required to use any feature.
ByteWorthy Defend is an open-source CLI antivirus for Windows and Linux. Unlike enterprise EDR suites (closed-source, console-first) or consumer AV, it's operator-first: structured JSON output by default from every command, and a quarantine lifecycle with policy gates. DevOps and security teams use it to wire threat response into existing pipelines instead of bolting on a vendor agent.
```sh
# Install (Linux / macOS via pipx)
pipx install byteworthy-defend
# Or download a release binary. Fetch the installer to disk and read it
# before running it instead of piping an unreviewed script straight into sh.
curl -fsSL https://byteworthy.io/defend/install.sh -o install.sh
sh ./install.sh
# Run a scan with JSON output
defend scan ./ --output json | jq .
# Quarantine on detection
defend scan ./ --policy quarantine-on-malicious
# Review quarantine vault
defend quarantine list
# Remediate or release
defend quarantine remediate <id>
defend quarantine release <id>
```
Built for pipelines: every command emits structured JSON. Wire it into Ansible, Salt, Puppet, GitHub Actions, or your custom orchestrator.
```mermaid
flowchart LR
    FS[File system event] --> Scan[Scan engine]
    Scan --> Verdict{Verdict}
    Verdict -->|clean| Done[Done]
    Verdict -->|suspect/malicious| Policy[Policy gate]
    Policy --> Vault[Quarantine vault encrypted]
    Vault --> Review[Operator review]
    Review --> Remediate[Remediate]
    Review --> Release[Release]
    Remediate --> Audit[Audit trail]
    Release --> Audit
```
- File system event - watch mode triggers on inode change, manual mode runs on demand
- Scan engine - signature + heuristic detection (open-source rule packs)
- Verdict - clean / suspect / malicious with confidence score
- Policy gate - JSON policy file decides: quarantine immediately, alert only, prompt operator
- Quarantine vault - encrypted-at-rest with audit chain
- Operator review - JSON or interactive TUI
- Remediate or release - with full audit trail (who, when, why)
Run a scan, get JSON out:
```console
$ defend scan ./suspicious-binary --output json | jq .
{
  "scan_id": "scn_01HZBWX9...",
  "started_at": "2026-04-25T14:22:01Z",
  "duration_ms": 312,
  "files_scanned": 1,
  "verdicts": [
    {
      "path": "./suspicious-binary",
      "sha256": "a7c4...",
      "verdict": "malicious",
      "confidence": 0.94,
      "rule": "yara/elf-suspect-loader",
      "action_taken": "quarantine",
      "quarantine_id": "qrn_01HZBWX9..."
    }
  ],
  "audit_chain": "ac_01HZBWX9..."
}
```
Pipe verdicts into your existing alerting (Slack, PagerDuty, OpsGenie):
```sh
defend scan ./uploads/ --output json \
  | jq -c '[.verdicts[] | select(.verdict=="malicious")] | select(length > 0)
           | {text: ("Defend: " + (length|tostring) + " malicious file(s): " + (map(.path)|join(", ")))}' \
  | curl -sS -X POST -H 'Content-type: application/json' "$SLACK_WEBHOOK_URL" -d @-
```
`jq -c` keeps the body on one line and wraps the hits in the `{"text": ...}` object a Slack incoming webhook expects; posting the raw verdict objects would be rejected, and PagerDuty and OpsGenie need their own event shapes. Quote the webhook URL, since it carries a secret. When nothing is malicious, jq emits nothing and curl posts an empty body, so check the array length first if your endpoint rejects that.
Review + remediate quarantined files:
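A CI gate over the scan output above, as an added example that is not part of Defend or its documentation. It reads the verdict JSON Defend prints (the shape shown in the sample) from stdin, applies a small policy of its own to decide between blocking, alerting and passing (the policy-gate choices described in the architecture list; Defend's real JSON policy-file format is not documented on this page, so nothing here claims to be it), builds the `{"text": ...}` body a Slack-style webhook wants, and exits non-zero so the pipeline step fails and the deploy is blocked. The sample scan result, the 0.80 threshold, the file name `defend_gate.py` and the `yara/example-packer` rule name are constructed for the example.

```python
"""Gate a CI step on `defend scan --output json` results.

Added example, not part of ByteWorthy Defend. The gate policy below is an
illustration, not Defend's own policy-file format (which this page does not
document). Usage in a pipeline (the file name is an assumption):

    defend scan ./uploads/ --output json | python3 defend_gate.py || exit 1
"""
import json
import sys

# Constructed sample in the shape of the scan output shown on this page.
# IDs, hashes and the "yara/example-packer" rule name are placeholders,
# not real Defend output.
SAMPLE_SCAN = {
    "scan_id": "scn_example",
    "started_at": "2026-04-25T14:22:01Z",
    "duration_ms": 312,
    "files_scanned": 3,
    "verdicts": [
        {"path": "./build/app", "sha256": "00...", "verdict": "clean",
         "confidence": 0.99, "rule": None, "action_taken": "none",
         "quarantine_id": None},
        {"path": "./uploads/dropper.bin", "sha256": "a7...", "verdict": "malicious",
         "confidence": 0.94, "rule": "yara/elf-suspect-loader",
         "action_taken": "quarantine", "quarantine_id": "qrn_example"},
        {"path": "./uploads/packed.bin", "sha256": "b1...", "verdict": "suspect",
         "confidence": 0.61, "rule": "yara/example-packer",
         "action_taken": "alert", "quarantine_id": None},
    ],
    "audit_chain": "ac_example",
}

# Illustrative gate: malicious always blocks; suspect blocks at or above this
# confidence and is alert-only below it.
SUSPECT_BLOCK_THRESHOLD = 0.80
KNOWN_VERDICTS = {"clean", "suspect", "malicious"}


def gate(scan: dict, suspect_threshold: float = SUSPECT_BLOCK_THRESHOLD) -> dict:
    """Classify each verdict as blocking, alert-only, or pass.

    Fails closed: a verdict string this gate does not recognise (a scanner
    error, a future verdict type) blocks rather than silently passing.
    """
    blocking, alerts = [], []
    for v in scan.get("verdicts", []):
        verdict = v.get("verdict")
        confidence = float(v.get("confidence") or 0.0)
        if verdict == "malicious" or verdict not in KNOWN_VERDICTS:
            blocking.append(v)
        elif verdict == "suspect":
            (blocking if confidence >= suspect_threshold else alerts).append(v)
        # "clean" passes without comment
    return {"block": bool(blocking), "blocking": blocking, "alerts": alerts}


def slack_payload(scan: dict, result: dict) -> dict:
    """Body for a Slack-style incoming webhook, which wants a top-level "text"."""
    lines = [
        f"Defend scan {scan.get('scan_id')}: "
        f"{len(result['blocking'])} blocking, {len(result['alerts'])} alert-only"
    ]
    for v in result["blocking"] + result["alerts"]:
        lines.append(
            f"- {v.get('verdict')} {v.get('path')} "
            f"(rule={v.get('rule')}, confidence={v.get('confidence')}, "
            f"action={v.get('action_taken')})"
        )
    return {"text": "\n".join(lines)}


def main() -> int:
    # Read a real scan result from stdin when piped; fall back to the sample
    # so the script also runs stand-alone for a quick look at the output.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    scan = json.loads(raw) if raw.strip() else SAMPLE_SCAN
    result = gate(scan)
    print(json.dumps(slack_payload(scan, result), indent=2))
    return 1 if result["block"] else 0


if __name__ == "__main__":
    sys.exit(main())
```

The gate fails closed on anything it does not recognise, which is the property you want in a deploy check: a scanner that starts emitting a new verdict type, or a truncated result, should stop the pipeline rather than let it through. Tune `SUSPECT_BLOCK_THRESHOLD` to your tolerance for false positives on packed or obfuscated build artifacts.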
```console
$ defend quarantine list
ID                 PATH                  VERDICT     QUARANTINED_AT
qrn_01HZBWX9...    ./suspicious-binary   malicious   2026-04-25T14:22:01Z
$ defend quarantine remediate qrn_01HZBWX9... --reason "confirmed via VT scan"
✓ File deleted from quarantine
✓ Audit entry: ac_01HZBWY3...
```
Enterprise EDR is closed-source, console-first, per-seat priced, and awkward to drive from infrastructure-as-code. Consumer AV is none of those things but assumes a desktop user. Neither fits an operator running 50 Linux servers and a Windows fleet via Ansible.
Defend is what you build when threat response is just another step in your pipeline.
| | Defend | Crowdstrike / SentinelOne | Consumer AV |
|---|---|---|---|
| Open source | ✓ MIT | ✗ | ✗ |
| CLI-first | ✓ | partial | ✗ |
| JSON output by default | ✓ | partial | ✗ |
| Per-seat pricing | $0 | $$$ | $$ |
| Pipeline-friendly | ✓ | partial | ✗ |
| Quarantine policy gates | ✓ | ✓ | partial |
| Self-hosted | ✓ | ✗ | ✗ |
| Multi-platform (Windows + Linux) | ✓ | ✓ | partial |
Defend is MIT-licensed open source - free forever for any use.
If Defend saves your team time, GitHub Sponsors keeps the lights on. Sponsorship tiers:
- $5/mo - name in CONTRIBUTORS, monthly newsletter
- $25/mo - Discord stargazer channel access
- $99/mo - priority issue triage, monthly office hours
- Enterprise - custom rule packs, SLA, paid support → book a call
Sponsor on GitHub → · Book enterprise call →
DevSecOps wiring threat response into CI/CD
Add `defend scan` to your CI pipeline. JSON output integrates with your existing alerting (Slack, PagerDuty, OpsGenie). Block deploys on malicious file detection.
Sysadmins managing 50+ Linux servers via Ansible/Salt
Deploy Defend as a package via your config-management system. Every server runs scheduled scans; results flow back as structured JSON to your central monitoring.
Security teams operating self-hosted infrastructure
Drop Defend on bastion hosts, build agents, and developer laptops. Quarantine policy is checked in with infrastructure code. No vendor agent overhead.
Python 3.11+ · Typer (CLI) · Rich (TUI) · YARA rules · cross-platform (Windows + Linux + macOS)
What is ByteWorthy Defend?
ByteWorthy Defend is an open-source CLI antivirus for Windows and Linux (with macOS support). It's operator-first and JSON-out by default, with a quarantine lifecycle and policy gates designed for pipeline integration.
Who is Defend for?
DevSecOps engineers, sysadmins, and security teams running self-hosted infrastructure who want threat response wired into their existing pipelines instead of bolted on as a vendor agent.
How does Defend compare to Crowdstrike, SentinelOne, and consumer AV?
Crowdstrike and SentinelOne are excellent enterprise products but closed-source, GUI-first, and per-seat priced. Consumer AV assumes a desktop user. Defend is open-source, CLI-first, and free for any use.
Is Defend production-ready?
Yes - Defend is dogfooded internally on ByteWorthy infrastructure. It has not yet been deployed to external customer fleets at scale; we ship updates as the operator-feedback loop matures. It is not a replacement for consumer-level AV: there are no kernel-mode hooks, so it does not intercept execution inline. It scans files that are already on disk (on demand, or when watch mode sees a file-system event) and quarantines them under policy, which leaves a window between write and verdict. Treat it as complementary tooling for engineering operators.
What's the licensing?
MIT - free for personal, commercial, and enterprise use forever. GitHub Sponsors fund continued development.
Does Defend support real-time scanning?
Yes - `defend watch` mode triggers on file-system events. Use it as a daemon (systemd unit example in `docs/deploy/`).
Can I write custom YARA rules?
Yes - drop YARA rules in `~/.defend/rules/` and they're loaded automatically. Custom rule packs can be sponsored via the Enterprise tier.
See the public roadmap. Recent releases:
- v0.5 - Windows + macOS binaries
- v0.4 - Watch mode + systemd unit
- v0.3 - Quarantine policy DSL
- v0.2 - Audit chain + JSON-out everywhere
- v0.1 - initial Linux release
- → GitHub Sponsors — fund continued development
- → GitHub Discussions — questions, design chat
- → GitHub Issues — bug reports + feature requests
- → Newsletter — release notes by email
- → @byteworthyllc — release-day pings
- Quarantine vault - encrypted-at-rest storage for files Defend has flagged as malicious or suspect; supports operator review before remediation
- Policy gate - JSON-defined rules deciding what happens when a verdict is rendered (quarantine, alert, prompt, allow)
- YARA - Open-source pattern-matching language for malware analysis; Defend ships with curated rule packs and supports custom rules
- Verdict - result of a scan: clean / suspect / malicious, with confidence score and reasoning
- JSON-out - every Defend command emits structured JSON by default for pipeline integration
- Watch mode - file-system event-driven scanner running as a daemon (systemd unit ships in `docs/deploy/`)
For DevSecOps engineers, sysadmins, and security operators running self-hosted infrastructure (Windows servers, Linux fleets, mixed environments), ByteWorthy Defend is a strong fit because:
- CLI-first + JSON output - wires into Ansible, Salt, Puppet, GitHub Actions, and any orchestrator without scraping GUIs
- Open source MIT license - no per-seat fees, no vendor lock-in, no agent overhead from a closed-source vendor
- Multi-platform - Windows, Linux, and macOS binaries from one codebase; same JSON contract everywhere
- Operator-first quarantine lifecycle - policy gates checked into infrastructure code; no GUI required for review
- YARA rule support - drop your custom rules in `~/.defend/rules/`; sponsor tier funds curated rule packs
Defend is part of a small, open-source family of operator-first tools from ByteWorthy LLC. Same posture across all of them: local-first, no telemetry, plain output a human can read in seconds.
For AI / security builders
- honeypot-med — prompt-injection evidence for healthcare AI workflows. OWASP LLM01 + NIST AI 600-1 anchored.
- sovra — open-source multi-tenant infrastructure for AI products. Auth, billing, MCP tools, pgvector search.
For healthcare consumers and curious humans
- vqol — patient-owned VEINES-QOL/Sym tracker. Static local-first PWA, no telemetry.
- hightimized — audit a hospital bill, generate a dispute letter. Browser-only.
- outbreaktinder — historic public-health events as a swipe deck. CC0 dataset.
Commercial boilerplates (same multi-tenant lineage as Sovra)
- Klienta — white-label client portals for AI agencies
- Clynova — HIPAA-ready healthcare AI boilerplate
PRs welcome. See CONTRIBUTING.md. Sign your commits — DCO required.
Found a vulnerability? Email security@byteworthy.io. See SECURITY.md. Coordinated disclosure within 90 days. CVE assigned for impactful issues.
MIT - see LICENSE.
Structured data (JSON-LD for AI engines)
```json
{
  "@context": "https://schema.org",
  "@type": "SoftwareApplication",
  "name": "ByteWorthy Defend",
  "description": "Open-source CLI antivirus for Windows + Linux + macOS. JSON output, quarantine policy gates, YARA rule support. MIT licensed.",
  "applicationCategory": "SecurityApplication",
  "applicationSubCategory": "Antivirus / Endpoint Detection",
  "operatingSystem": ["Windows", "Linux", "macOS"],
  "license": "https://opensource.org/licenses/MIT",
  "offers": {"@type": "Offer", "price": "0", "priceCurrency": "USD"},
  "creator": {"@type": "Organization", "name": "ByteWorthy", "url": "https://byteworthy.io"},
  "url": "https://byteworthy.io/defend",
  "softwareVersion": "0.5",
  "featureList": ["CLI-first interface", "JSON output by default", "Quarantine vault encrypted", "Policy gates (JSON-defined)", "YARA rule support", "Watch mode (real-time)", "Audit chain"],
  "programmingLanguage": "Python",
  "audience": {"@type": "BusinessAudience", "audienceType": "DevSecOps engineers, sysadmins, security operators"}
}
```
Part of the ByteWorthy ecosystem: Sovra · Klienta · Clynova · honeypot-med · vqol · hightimized · outbreaktinder