Stop Building Plumbing.
Start Building Detection.

Drop a production-ready Windows kernel telemetry layer into your security product and start receiving real-time endpoint events today — without building drivers, debugging pool leaks, or losing engineers to kernel plumbing.

Get the Dev Kit →

x64 + ARM64 14 event families Kernel-to-userspace in microseconds Ships with a working reference agent 15+ years Windows kernel experience

Built on proven experience

Developed by a principal engineer with 15+ years of hands-on Windows kernel development. Not a research project — production driver work, shipped in commercial security products.

Production quality, verifiably

Built to pass Driver Verifier. No pool leaks, no IRQL violations, no race conditions under load. Tested against Patch Tuesday regressions, not just a lab VM.

No hidden behavior

No outbound connections. No telemetry phoning home. No kill switches in kernel code. The SDK does exactly what the documentation says — nothing else.

The Problem

Kernel Telemetry Is Brutally Hard

Before you can write your first detection rule, train your first model, or ship your first demo, someone has to solve Windows kernel telemetry. That means:

A minifilter driver for file system events — creates, writes, renames, deletes
A WFP callout driver for network flows, DNS, and TLS metadata
Kernel notification callbacks for process start/exit, image load, thread creation, and registry writes
Handle acquisition monitoring via ObRegisterCallbacks — the only way to see OpenProcess calls
A high-throughput, crash-safe channel from kernel space to your user-mode agent
ETW consumer integration for authentication, WMI, AMSI, and scheduled task events
An IRQL-aware, pool-leak-free implementation that survives Patch Tuesday

This is specialized work. It takes a team of senior kernel engineers three to five years to do it correctly. Most security startups spend their entire seed round here — and by the time the plumbing works, the market has moved on.

The most dangerous assumption in security product development is that kernel telemetry is a six-month project.

The Solution

What Heathen Gives You

Heathen replaces 3–5 years of kernel engineering with a single integration.

Link against the SDK, implement a single C++ interface, and your agent starts receiving normalized, structured security events from the Windows kernel — in real time, on both x64 and ARM64.

You Handle

Detection logic and threat intelligence
Your customer experience and dashboards
Your response capabilities and integrations
The market differentiation that earns the deal

We Handle

Every line of kernel code
Driver signing and compatibility across Windows 10 1903 through Windows 11
The ring buffer, rollup, and deduplication layer
ETW consumer integration across five Microsoft providers
MITRE-mapped starter detection rules as a baseline

Your engineers work on the problems that grow your business. We work on the problems that would have stopped you before you started.

How It Works

Three Steps to Your First Event

Integration takes under a day for a working prototype. Most of that time is driver installation, not code.

Step 01

Load the drivers.

A single DriverOrchestrator call starts HeathenCNC (ring buffer broker), HeathenEDR (filesystem), and HeathenNetEDR (network). Load order, timing, and lifecycle are managed for you.

Step 02

Register your callbacks.

Fill in a HeathenEventCallbacks struct with the handlers your product needs. Every callback receives a typed C++ struct — no parsing, no offsets, no raw buffers. Unused families cost nothing.

Step 03

Receive events.

HeathenCNC shares a lock-free, memory-mapped ring buffer between kernel and your user-mode agent. Latency from kernel event to callback: microseconds. A slow consumer doesn’t drop the kernel.

// Full integration example — this is not pseudocode.
HeathenEventCallbacks cbs{};

cbs.onProcess = [](const EventHeader* hdr, void* ctx) {
    if (hdr->EventType == EVENT_PROCESS_START) {
        auto* e = static_cast<const ProcessStartEvent*>(hdr);
        // image path, command line, parent PID, user SID — all here
    }
};
cbs.onFile    = [](const EventHeader* hdr, void* ctx) { /* ... */ };
cbs.onHandle  = [](const EventHeader* hdr, void* ctx) { /* ... */ };
cbs.onNetwork = [](const EventHeader* hdr, void* ctx) { /* ... */ };

HEATHEN_RING* ring = HeathenRingCreate(16 << 20);
HeathenRingConsumeAndDispatch(ring, cbs);  // blocks; returns on each kernel signal

Coverage

Everything That Matters on a Windows Endpoint

Event Family	What You See
File System	Create (new vs. existing), write+close with last-writer PID, rename with old/new path, delete, attribute changes
Process	Start (image path, command line, user SID, PPID), exit, real-time allow/deny decisions before the process runs
Network	TCP/UDP flow create/close, DNS queries with response IPs, TLS SNI, inbound and outbound with port and protocol
Registry	Key/value create, open, set, delete — including writes into service key paths
Image Loads	Every DLL and driver mapped into any process — path, base address, size, kernel vs. user-mode flag; real-time allow/deny before the image maps
Thread Creation	Source and target PID — cross-process threads (remote thread injection) flagged automatically
Handle Acquisition	Every OpenProcess / OpenThread / DuplicateHandle — original requested access, actually granted access, NTSTATUS
Named Pipes	Server create and client connect, pipe name, role, async flag — C2 pipe name patterns detected out of the box
Authentication	Logon/logoff (success, failure, type), special logon, network vs. interactive vs. service
WMI Activity	Queries, filter/consumer/binding create — WMI persistence mechanism coverage
AMSI / Scripts	Every script block evaluation, scan result, interpreter identification
Scheduled Tasks	Create, delete, enable, disable — task name, path, and action
Token Privileges	Privilege enable/disable events — SeDebugPrivilege, SeImpersonatePrivilege, and others
DNS	Per-query, per-process — FQDN, record type, response addresses, error codes

Built-in Detection

Seven MITRE ATT&CK Rules, Ready to Use

Heathen ships an optional static detection library with seven baseline rules. Pure library — no threads, no I/O, no global state — callable directly from any event callback.

Rule	Technique	Severity
VSS / shadow copy deletion	T1490	Critical
Cross-process memory access	T1055	Suspicious
Remote thread injection	T1055.003	Suspicious
Process suspension	T1055	Suspicious
C2 named pipe patterns	T1570	Suspicious
Service key modification	T1543.003	Notable
Cross-process termination	T1562	Notable

These are starting points, not a finished product. Your detection capability is your moat — Heathen gives you the foundation, not the ceiling.

Build vs. Buy

The Cost of Building It Yourself

We understand the instinct. Kernel code that ships in your product feels better when your team wrote it. Here is what that actually costs:

	Build It Yourself	Heathen SDK
Time to first reliable file event	12–18 months	Same day
Time to full telemetry coverage	3–5 years	Included
Engineers required	3–5 senior kernel developers	0
Estimated total cost	$3M–$8M in engineering alone	Licensing fee
Kernel verifier / pool leak debugging	Hundreds of hours	Done
Windows version compatibility	Your problem on every Patch Tuesday	Our problem
Driver signing	EV certificate + WHQL process	Included in SDK
ARM64 support	Separate project	Included

The engineering talent that can build a correct, verifier-clean, production-grade minifilter stack is genuinely rare and expensive. The same talent can build detection logic, response orchestration, and customer-facing capabilities that are visible, valuable, and differentiated.

Heathen exists because the kernel work is hard, slow, thankless — and identical for every company that has to do it.

Licensing

How This Works

Dev Kit License

Evaluate the full SDK in your own environment. No time limit. The only restriction: no redistribution of SDK components or driver binaries outside your organization.

Pre-built driver packages (x64 + ARM64), production-signed
Static libraries: HeathenLib, HeathenStore, HeathenDetection
SDK headers — complete public API surface
Three reference implementations with full source
Full API documentation

Commercial License

Ready to ship to customers? Commercial licenses cover redistribution rights, priced by endpoint count at deployment.

Distribution rights — ship the drivers in your product
Startup: up to 1,000 endpoints — $1,800 / year
Growth: up to 10,000 endpoints — $9,600 / year
Scale / Enterprise — see full pricing
Priority support and compatibility guarantees

Endpoints are counted per device running your product. A 5,000-endpoint deployment requires the 10,000-endpoint tier — you are never billed retroactively for growth within a tier.

No retroactive licensing. No audits. Units deployed during an active subscription term are licensed in perpetuity for that version. Non-renewal stops new deployments and updates — existing installs keep running. No kill switches.

Get Started

Get the Dev Kit

Fill out the form below. You’ll get the dev kit download and a no-distribution license within one business day — reviewed personally, not by a bot. Prefer to ask questions first? Email the developer directly →

Request received.

We’ll review your submission and send you the dev kit link within one business day.

First Name

Last Name

Company

Your Role

Work Email

What are you building?

How did you hear about Heathen? (optional)

I have read and agree to the Dev Kit License Agreement

Please open the agreement above before accepting.

We don’t spam. We don’t share your information. We respond to every submission personally. See our privacy policy.