Today we are happy to announce support for one of our most requested features, that has been made possible by our implementation of advanced role-based access control (RBAC), Payloads.

Payloads are executables that can be delivered and executed through LimaCharlie's sensor (or agent). Payloads can be any executable. The main use case is to run something with specific functionality not available in the LimaCharlie offering. This feature can be used to run custom executables provided by another vendor to cleanup a machine, forensic utilities or firmware-related utilities, etc. The usefulness of this feature in a time-critical incident response cannot be understated. We encourage our users to use native functionality first as it comes with all the benefits of being tightly integrated into the platform, but if you need this powerful capability it is there.

In order to place tight controls over who can deploy and run payloads we have added specific permissions.

Payloads are managed with two permissions:

  • payload.ctrl: allows you to create and delete payloads.

  • payload.use: allows you to run a given payload.

Payloads are uploaded to the LimaCharlie platform and given a name. The task can then be used to run the payload with optional arguments.

The STDOUT and STDERR data will be returned in a related RECEIPT event, up to ~10 MB. If your payload generates more data, we recommend to pipe the data to a file on disk and use the log_get command to retrieve it.

A detailed explanation of how this new capability works can be found in the documentation here.

If you have any questions or want to request a new feature please do not hesitate to contact us.

And please remember, with great power comes great responsibility.



Introducing Code Labs


In the interest of helping users get up to speed with the more advanced capabilities of the LimaCharlie infrastructure, along with our online course, we are now producing code labs.

Code labs are guided exercises that walk the user through the process of implementing a solution using components of LimaCharlie. During the process each step is explained in detail which should leave the user with a "hands-on" understanding of the underlying technology.

For our first code lab we have chosen to explore the implementation of a Detection & Response (DR) rule to detect the MITRE ATT&CK framework Control Panel Items execution. DR rules are similar to Google Cloud Functions or AWS Lambda. They enable you to push DR logic to the LimaCharlie cloud where it will be applied in real-time to the data produced by the sensors (or agents). DR rules can also be applied to historical telemetry and external logs. For this lab we focus on the simple case where rules are applied to sensor events in real-time.

We believe this new format will go a long way in helping LimaCharlie users get the most out of our Security Infrastructure as a Service.

The code lab can be viewed here.


If you have an idea for our next topic please let us know. Happy hunting!


Fail Forward Fast


About five months ago the team at LimaCharlie launched a framework for automation that was built around the idea of Replicants. A Replicant was to be a digital automaton: a platform for building algorithms that could be configured by the user to automate away some of the drudgery.

The platform worked exceedingly well in that it allowed us to build out a wide variety of capabilities quickly. The Replicants were able to perform complex tasks on-demand for a single endpoint or continuously across the entire fleet.

The problem with the Replicants, as we came to understand it, was with the mental model. The concept worked great for us as developers building out the capabilities but it did not fit when thinking about it from the perspective of a user. The interface was awkward and having the Replicants grouped together did not make a lot of sense.

After spending some time thinking about it we came to the conclusion that users did not care about the Replicants but rather what they could do for them. Replicants use their individual abilities to do jobs and provide said abilities as a service. And so we refactored the technology to provide users with a set of services that can perform jobs at the user’s request.

We still use the Replicant platform on the backend to build out our services but now deliver the services that they offer using a familiar pattern.

Services are provided through the main navigation menu and with them you can automate YARA scanning, run detection and response rules against historical data, perform file integrity monitoring, automate incident response tasks and adjust your telemetry verbosity with more to come.

The process of arriving at this new delivery model has been an interesting one and exemplifies the benefits of being an early stage company adhering to an agile development philosophy.  Instinct often drives us towards the core of a problem and through an iterative process the solution can be honed.



Detection & Response Across Log Files


LimaCharlie’s Detection & Response (D&R) rules provide unmatched capabilities to customize specific behaviors and automate the response when detected. Up until now this feature was limited to data coming from endpoints. We recently introduced the ability to automatically fetch and ingest external logs onto LimaCharlie and knew right away we had to extend the D&R rules to those logs.

LimaCharlie has introduced the concept of D&R targets and you can now create D&R rules that specifically target different log types ingested. This means that, for example, you can create your own regular expressions that if matching a log line from your web proxy logs, generates a Detection. The possibilities are limitless.

The rules apply to any logs ingested, from the unstructured text logs to the raw Windows Event Logs and PCAP.

Information on log ingestion can be found in the documentation here, and information on log specific DR rules can be found here.

This concept of D&R targets opens up a whole new realm of possibilities and we are excited to explore new ways in which it can be applied. If you have any questions or would like a demo of our Security Infrastructure as a Service please do not hesitate to contact us.

D&R Targets

What is in a namespace?


LimaCharlie has introduced the concept of namespaces to our Detection and Response (DR) rules. What this means is that MSSPs can create proprietary rules which can be applied to customer organizations without letting those customers see the source for the given DR rules. This allows managed security providers to protect their intellectual property and leverage their expertise while taking advantage of the web application’s advanced role-based access control.

By default all DR rules are created in the general namespace which means you don’t have to worry about namespace related unless you want to make use of the feature. However, if you plan on having multiple groups of people accessing DR rules and want to maintain some segmentation, then namespaces are for you. 

To learn more about how to implement D&R rules inside of a managed namespace you can read the documentation.

The introduction of namespaces is another step towards creating the best Security Infrastructure as a Service in existence. You can get started using the LimaCharlie free tier - no credit card required - by signing up on the website:


Growing With LimaCharlie


As our customers grow with us we have continued to listen to them and have added a new feature to help manage multiple analysts across multiple organizations. Today we are introducing a top-level user management scheme that allows for the creation of user groups with defined permissions across organizations.

You heard that right, now you can create groups of analysts with permissions that span multiple organizations which should drastically reduce the administration required and allow for fine grained access control.

Organization Groups

The new feature can be found at the top of the root dashboard. In the upper right corner you will see a new ‘Create Group’ button. Clicking on this will prompt you to name the new group.

Once you name the group you will see it show up in the list of groups. From here you can click on it, select the organizations, set permissions and add users. Users can be a mix of owners and members of various groups that have access to a variety of organizations with different permission levels - the possibilities are endless.


The team at is committed to making the best tools out there for MSSPs and other security providers to run their operations. If you have an idea for a feature or would like a demonstration of how our Security Infrastructure as a Service can be used to enhance your pipeline please don’t hesitate to contact us.


Software Infrastructure as a Service


One of the advantages that a start-up company has when entering the market is the ability to adapt quickly to perceived market gaps. LimaCharlie’s original hypothesis saw our business built around offering the best endpoint detection and response solution in existence. We envisioned making it available as middleware with a no-strings-attached pricing model that would set it apart from other offerings.

As we started to roll things out - and in the process having a lot of conversations with our customers - we realized that some of the pain people were experiencing was in putting together a complete information security stack, and then keeping it functioning at scale. Managed security providers we spoke with were frustrated with all the busy work involved in keeping the wheels on a series of open source and proprietary products strung together with the digital equivalent of duct tape. It is not that the need for a strong drop-in endpoint detection and response capability does not exist - it most certainly does - but there are many industry-specific problems managing the infrastructure required for a good security posture. As of yet, nobody has tried to address these problems as a whole using a contemporary delivery model.

It was hearing the same problems being described by our customers repeatedly that got us thinking: we have always admired the way Amazon developed their web services. Companies went from racking servers and running cables to spinning up complex cloud-based infrastructure with just a few clicks as a result of their innovation. This transformation of the way computing resources are delivered touches almost every area of the digital economy with their approach being emulated by Google, Microsoft and many others. LimaCharlie is pushing to be at the edge of this type of transformation in information security. Starting with our strong endpoint detection and response offering, we have built out a series of technologies that can be strung together adhoc - at the click of a few buttons - to provide a completely integrated information security stack. LimaCharlie is calling our approach to providing a solution Security Infrastructure as a Service (SIaaS).

Global Coverage

The LimaCharlie global infrastructure is built on the Google Cloud Platform (GCP) and currently has computing resources available in the USA, Canada, Europe, India and the United Kingdom. Choosing a geographical location ensures data will always be processed in this location and never moved outside. New data centres can be spun up anywhere GCP is available upon customer request.

What this means is that you can spin up infrastructure to support security operations anywhere in the world as needed. Paradigms, such as infrastructure-as-code, used by LimaCharlie’s SIaaS allow you to roll out well articulated configurations in minutes and the best part is that everything just works.

Software Infrastructure asa\ a Service

To learn more and read about all the different components of LimaCharlie’s Software Infrastructure as a Service you can visit


External Log Ingestion

Log Listing

Logs are critical in information security but the amount of data they generate is huge and existing solutions for managing them are expensive. LimaCharlie can now automatically collect and store logs with no configuration, without installing another agent, for a full year. And yes, you can even send logs to LimaCharlie manually.

LimaCharlie can consume logs from any OS. Logs can be unstructured (no parsers necessary) and we even support pcap and Windows logs.

With this new capability you can search, visualize and correlate over a full year of log and endpoint data.

Detailed documentation on this new capability can be found here.

Coming soon is the extension of LimaCharlie’s powerful detection and response rules to include logs on top of the EDR data, which will allow you to build detections and automations based on logs.


With the addition of log ingestion and correlation LimaCharlie makes the promise of Security Infrastructure as a Service a reality.