We built a Rust EDR. macOS notarization tried to kill it Nemesis Security launched a Rust-based EDR called Blue and a pentesting tool called Red, designed to avoid the kernel-panic failures that caused the July 2024 CrowdStrike outage. Blue uses macOS EndpointSecurity and Linux eBPF to catch ransomware in under a second without risking system crashes, while Red autonomously orchestrates 290 Kali tools via LLM to find vulnerabilities. The products are available free for individuals and licensed for teams. Tooling for attack and defense . Two shipping products. Free at the edge for individuals; per-seat for teams; licensed for operators. We build the tools we wish existed when nobody was looking. In July 2024, a single kernel-driver update bricked 8.5 million machines 1 in a morning. The fix was a manual safe-mode visit per machine. The product was the biggest name in endpoint security. That's the failure mode we're built against. Not the threat. The tool we use against the threat . An EDR you can't turn off and can't silently crash. A pentest tool that scoreboard-verifies what it claims. Written in Rust, signed end to end. No “AI-powered” copy where it doesn't belong. The product line. Each one solves a real problem and ships under its own brand. Don't need both? Don't buy both. An EDR that catches ransomware in under a second, and can't brick your fleet on a bad update. The big-name kernel drivers BSOD-looped 8.5 million machines last year 1 https://blogs.microsoft.com/blog/2024/07/20/helping-our-customers-through-the-crowdstrike-outage/ . Blue runs on EndpointSecurity macOS and eBPF Linux . Kernel-authorized APIs that can't panic the kernel. Behavioral detection on a kernel-sourced event stream, not signature matching. <50ms · neutralized in <1s free for individuals · 1 device, strictly local . No cloud telemetry, ever. Business + MSSP tiers per-seat with cloud console + AI threat intelligence. 290 Kali tools. One reasoning loop. 24.4× more findings than your scanner. Verified. Red plans, executes, and replans across the full Kali arsenal through a single closed-loop LLM. Recon to report, every tool's output feeding the next decision. In a controlled study against fixed-script automation it surfaced 24.4× more findings p<0.001 over 120 runs 2 /red study and autonomously surfaced three CVSS 9.8 CVEs without human steering. Auto runs the engagement end-to-end · Co-Pilot hands the operator the next three commands with the target pre-filled · https://nvd.nist.gov/vuln/detail/CVE-2024-38476 CVE-2024-38476 · https://nvd.nist.gov/vuln/detail/CVE-2024-38474 CVE-2024-38474 . All CVSS 9.8, all surfaced autonomously during the controlled study https://nvd.nist.gov/vuln/detail/CVE-2023-25690 CVE-2023-25690 any frontier LLM Anthropic / OpenAI / Gemini or fully local via Ollama Qwen, Llama, your fine-tune · no data ever leaves your network · hash-chained audit log free · Pro $99/mo · Business $599/mo · Enterprise custom · self-serve, no setup fee Docker image /red/ · Kali UTM VM /red/ One stack. Two coordinates. Each product is shippable on its own. Together they cover both sides of an engagement. Finding the holes, then stopping what comes through them. A customer never has to glue separate vendors together to answer one question. ┌──────────────┐ ┌──────────────┐ │ NEMESIS RED │ │ NEMESIS BLUE │ │ │ │ │ │ finds the │ │ stops the │ │ weakness │ │ payload │ │ first │ │ on-device │ └──────┬───────┘ └──────┬───────┘ │ │ ▼ ▼ scoreboard proof sub-second kill of exploitation + file rollback Why Blue, when Falcon exists? The honest answer: because Blue is architected for five constraints the big-name EDRs took shortcuts on. Each row below is a concrete capability, not a marketing claim. Every ✓ on the Blue column is something we'd defend in a technical interview. Two questions decide which EDR you buy. Does an individual get the real engine for free? And is the agent source readable? Falcon: no and no. Blue: yes and yes. Two ways to get started. Pick a product. Each one is live and shipping today. Questions you'd ask in a real conversation. We're skipping the “how does it work” marketing dance. The architecture spec is on the trust center /security/ . Here are the three real ones. New vendor. Why should I trust you with kernel access? You shouldn't, yet. The agent ships with an equivalent hardening story on every platform. macOS: Apple Developer-ID + notarization, hardened runtime, Team-ID-pinned self-check JRMYSV7NC2 . Linux: sigstore-signed releases, deterministic builds, seccomp ptrace -deny, capability drops. Windows: Authenticode EV signing, Protected Process Light PPL at runtime, WHQL-certified minifilter. A re-signed or modified binary fails its own self-check on any of the three. An external pentest is on the roadmap before paid GA, and the trust center publishes the threat model honestly, including the limits. We're also Nemesis Red's own customer: the same team that builds Blue gets it attacked by Red before each release. Is Nemesis Red just another AI-generated exploit demo? No. Red's scoreboard verification is the whole point. Every claimed exploit has to land in a third-party ledger before it counts. You can't lie to a scoreboard. The agent is built around the constraint that if it can't prove the exploit, the exploit didn't happen. What does “free for individuals” actually cost me? Heartbeat metadata agent version, integrity head hash, threat count delta and nothing else. No file contents, no command lines, no browser data, no telemetry on the processes you run. The free tier is opt-out-able down to zero outbound traffic; the trust center spells out every byte that leaves your machine.