FREE LINUX CLI AVAILABLE NOW!

Your System. Last Trusted State.

AuditWalk monitors your filesystem against a trusted baseline, detects system drift, and produces safe repair actions through a clear workflow. Built for environments where automated activity makes system integrity harder to take for granted.

Linux CLI is available now, with support for additional platforms planned next. Get $9 off the full license today — including early access to the full platform, upcoming GUI, and automation features when they ship.

Linux CLI MacOS CLI Windows CLI
Linux CLI CLI Guide
WATCHING — 0 DRIFT DETECTED

Where AuditWalk Fits

Situations where trust cannot be assumed.

AuditWalk can serve different kinds of users who all share one common need: they want a clearer way to establish a trusted reference, detect change, and review drift before taking action. The profiles below show several examples you may identify with.

Explore Example Scenarios

If one or more of these profiles feels relevant, the next step is to explore the use cases page. It walks through hypothetical situations and shows how Baseline Scan creation, PreFlight checks, Compare runs, and Repair planning can help address specific problems.

Crypto & Blockchain

Baseline before trust-bound moves.

Before moving funds or running high-value wallet workflows, capture a verified system reference so you can compare afterward and confirm nothing unrelated changed.

  • Run a full scan and establish baseline before high-value transfers
  • Compare immediately afterward to detect unexpected drift
  • Preserve pre- and post-state for review or audit trails

Autonomous Agents

Agents act on your behalf. Verify what they actually did.

When automation operates on your system, establish a reference before the run and compare afterward so changes are visible, reviewable, and attributable.

  • Capture system state before an agent cycle begins
  • Compare after execution to identify added, removed, or modified files
  • Review unexpected startup entries, executables, or config drift

IT Service Providers

Baseline at intake. Compare on every callback.

Establish a reference when a machine is received, serviced, or returned. Later compares create a clear record of what changed between visits.

  • Create a baseline at intake or after completed repair
  • Compare on return visits to detect regressions or unintended changes
  • Export findings to improve transparency with customers

Developers & SRE

Configuration drift happens. Catch it before it matters.

In technical environments, compare current state against an accepted reference across deployments and maintenance windows to surface meaningful drift.

  • Baseline before rollout and compare after deployment activity
  • Monitor long-running nodes for unexpected divergence
  • Feed structured findings into operational review workflows

After Remote Access

Someone had access. Find out what changed.

When a contractor, technician, or support session touches a machine, compare post-session state against a prior reference to identify what changed in that window.

  • Capture a baseline before remote sessions when possible
  • Compare immediately afterward to review modifications
  • Tie findings to specific paths for stronger accountability

Suspicious Activity

You clicked something. Determine whether it changed the system.

After suspicious downloads or unexpected prompts, use PreFlight or Compare to inspect what changed before deciding whether deeper action is warranted.

  • Run PreFlight or Compare after suspicious activity
  • Focus on impacted paths, binaries, or recent changes
  • Document findings before deciding on repair or escalation

Core Workflow

How AuditWalk Works

AuditWalk separates observation from trust. A scan captures the system as it exists at a given moment, but it does not automatically declare that state safe, approved, or trustworthy. That distinction matters. Observation is technical; trust is deliberate.

When you confirm a baseline, you are establishing a known reference point — a state you have reviewed and accepted as the standard for future comparison. From there, AuditWalk compares new observations against that trusted baseline so changes can be identified, reviewed, and judged with context.

01

Scan

Captures the current filesystem state. Pure observation — no claim about whether the system is good or trusted.

02

Baseline

Your deliberate sign-off: "I've reviewed this scan and vouch for it as the trusted state." Unlocks all downstream commands.

03

PreFlight

Fast, targeted verification of specific areas against the baseline. Faster than a full compare.

04

Compare

Full drift detection across the entire scope. Produces structured findings against the confirmed baseline.

05

Doctor

Interprets drift evidence and recommends safe next actions.

Paid · v0.2
06

Repair

Generates a reviewable repair plan. Nothing executes without explicit approval.

Paid · v0.2

auditwalk scan run --profile full

Runs a read-only scan of the current filesystem and saves the result as a versioned artifact. This command records what exists on the system at that moment, giving AuditWalk a concrete observation to review and preserve. A scan does not declare the system trusted; it creates the evidence from which trust can later be established.

  • Produces a unique scan_id for traceability
  • Never changes files or system state
  • Supports quick, full, and paranoid profiles
  • Serves as the starting point for baseline and compare workflows

auditwalk baseline set --scan-id <scan_id>

Marks a reviewed scan as trusted baseline state. This is an explicit operator action: AuditWalk does not auto-confirm trust. Once baseline exists, later observations gain context.

  • Requires an existing scan_id
  • Creates trusted reference for all comparisons
  • Can be listed/reviewed via baseline commands
  • Enables PreFlight and Compare outputs

auditwalk preflight run --path /etc

Runs a scoped verification pass against the active baseline. Use when you need fast confidence in targeted directories without running full-system compare.

  • Path-targeted and quick to run
  • Uses trusted baseline as reference
  • Ideal for post-change spot checks
  • Optional step before full compare

auditwalk compare run

Performs full drift detection between current state and confirmed baseline. Produces structured findings that can be exported, reviewed, or escalated into Doctor and Repair workflows.

  • Full-scope baseline-relative change output
  • Supports severity grouping and export formats
  • Feeds interpretation and repair planning
  • Primary source for audited change history

auditwalk doctor run --compare-id <compare_id>

Interprets findings and helps prioritize what likely matters. Reserved for paid v0.2 workflow layer.

  • Advisory interpretation over compare output
  • Highlights likely high-impact findings
  • Suggests practical next steps
  • Available in paid roadmap tier

auditwalk repair plan --doctor-id <doctor_id>

Builds a deliberate, reviewable repair plan from confirmed findings and recommendations. Execution remains explicit and operator-approved.

  • Plan-first model with no silent mutation
  • Scoped actions and rationale per change
  • Supports dry-run and selective apply paths
  • Operator must confirm before any changes are applied

Resources

Documentation and Project Files

Reference material, engineering notes, and support paths for operators using AuditWalk in the field.

Getting Started

Engineering

Support and Legal