FREE LINUX CLI AVAILABLE NOW!

Your System. Last Trusted State.

AuditWalk helps you compare filesystem state against a trusted baseline, detect system drift, and build reviewable repair plans through a clear workflow. Built for environments where automated activity makes system integrity harder to take for granted.

Getting Started

Install the Linux CLI.
Scan your system and set a trusted baseline.
Run compare to review what changed.

Linux CLI is available now. Additional platforms are in development. Get $9 off the full license today, including priority release notifications, upcoming GUI access during your license term when shipped, and automation features as they ship.

Linux CLI macOS CLI Coming soon — notify me Windows CLI Coming soon — notify me

Start Free CLI CLI Guide

WATCHING — 0 DRIFT DETECTED

Where AuditWalk Fits

Situations where trust cannot be assumed

AuditWalk can serve different kinds of users who all share one common need: they want a clearer way to establish a trusted reference, detect change, and review drift before taking action. The profiles below show several examples you may identify with.

Explore Example Scenarios

If one or more of these profiles feels relevant, explore the use cases page. It walks through realistic scenarios and shows how baseline establishment, preflight checks, compare runs, and repair planning apply in practice.

Crypto & Blockchain

Baseline before trust-bound moves.

Before moving funds or running high-value wallet workflows, capture a verified system reference so you can compare afterward and confirm nothing unrelated changed.

Run a full scan and establish baseline before high-value transfers
Compare immediately afterward to detect unexpected drift
Preserve pre- and post-state for review or audit trails

Autonomous Agents

Agents act on your behalf. Verify what they actually did.

When automation operates on your system, establish a reference before the run and compare afterward so changes are visible, reviewable, and attributable.

Capture system state before an agent cycle begins
Compare after execution to identify added, removed, or modified files
Review unexpected startup entries, executables, or config drift

IT Service Providers

Baseline at intake. Compare on every callback.

Establish a reference when a machine is received, serviced, or returned. Later compares create a clear record of what changed between visits.

Create a baseline at intake or after completed repair
Compare on return visits to detect regressions or unintended changes
Export findings to improve transparency with customers

Developers & SRE

Configuration drift happens. Catch it before it matters.

In technical environments, compare current state against an accepted reference across deployments and maintenance windows to surface meaningful drift.

Baseline before rollout and compare after deployment activity
Monitor long-running nodes for unexpected divergence
Feed structured findings into operational review workflows

After Remote Access

Someone had access. Find out what changed.

When a contractor, technician, or support session touches a machine, compare post-session state against a prior reference to identify what changed in that window.

Capture a baseline before remote sessions when possible
Compare immediately afterward to review modifications
Tie findings to specific paths for stronger accountability

Suspicious Activity

You clicked something. Determine whether it changed the system.

After suspicious downloads or unexpected prompts, use Preflight or Compare to inspect what changed before deciding whether deeper action is warranted.

Run Preflight or Compare after suspicious activity
Focus on impacted paths, binaries, or recent changes
Document findings before deciding on repair or escalation

Core Workflow

How AuditWalk Works

AuditWalk separates observation from trust. A scan captures the system as it exists at a given moment, but it does not automatically declare that state safe, approved, or trustworthy. That distinction matters. Observation is technical; trust is deliberate.

When you confirm a baseline, you are establishing a known reference point — a state you have reviewed and accepted as the standard for future comparison. From there, AuditWalk compares new observations against that trusted baseline so changes can be identified, reviewed, and judged with context.

Scan

Captures the current filesystem state. Pure observation — no claim about whether the system is good or trusted.

Baseline Set

Your deliberate sign-off: "I've reviewed this scan and vouch for it as the trusted state." Enables downstream workflows that rely on a confirmed baseline.

Preflight

Fast, targeted verification of specific areas against the baseline. Faster than a full compare.

Compare

Full drift detection across the entire scope. Produces structured findings against the confirmed baseline.

Doctor Run

Interprets drift evidence and recommends safe next actions.

Repair Plan

Generates a reviewable repair plan. Nothing executes without explicit approval.

Example command: auditwalk scan run --profile full

Runs a read-only scan of the current filesystem and saves the result as a versioned artifact. This command records what exists on the system at that moment, giving AuditWalk a concrete observation to review and preserve. A scan does not declare the system trusted; it creates the evidence from which trust can later be established.

Produces a unique scan_id for traceability
Never changes files or system state
Supports quick, full, and paranoid profiles
Serves as the starting point for baseline and compare workflows

auditwalk baseline confirm <scan_id>

Marks a reviewed scan as trusted baseline state. This is an explicit operator action: AuditWalk does not auto-confirm trust. Once baseline exists, later observations gain context.

Requires an existing scan_id
Creates trusted reference for all comparisons
Can be listed/reviewed via baseline commands
Enables Preflight and Compare outputs

auditwalk preflight run --path /etc

Runs a scoped verification pass against the active baseline. Use when you need fast confidence in targeted directories without running full-system compare.

Path-targeted and quick to run
Uses trusted baseline as reference
Ideal for post-change spot checks
Optional step before full compare

auditwalk compare run

Performs full drift detection between current state and confirmed baseline. Produces structured findings that can be exported, reviewed, or escalated into Doctor and Repair workflows.

Full-scope baseline-relative change output
Supports severity grouping and export formats
Feeds interpretation and repair planning
Primary source for audited change history

auditwalk doctor run --compare-id <compare_id>

Interprets findings and helps prioritize what likely matters in the workflow.

Advisory interpretation over compare output
Highlights likely high-impact findings
Suggests practical next steps
Designed for guided follow-up after compare

auditwalk repair plan --doctor-id <doctor_id>

Builds a deliberate, reviewable repair plan from confirmed findings and recommendations. Execution remains explicit and operator-approved.

Plan-first model with no silent mutation
Scoped actions and rationale per change
Supports dry-run and selective apply paths
Operator must confirm before any changes are applied

Signal

News Reports

News & Reports

Guide

System Integrity Monitoring for Individuals and Small Teams

The operating model anchor for lightweight baseline-first integrity practice.

Guide

What to Do After Suspected System Drift

An evidence-first response checklist for high-stress moments when trust state is unclear.

Guide

How to Know What Changed on Your Linux System

A baseline-first workflow to move from uncertainty to evidence-backed change visibility.

Guide

Preflight vs Compare: When to Use Each on Linux

A practical decision guide for fast readiness checks versus full baseline drift analysis.

Guide

Trusted Baseline vs Snapshot vs Backup

Three related controls with different jobs: trust reference, point-in-time image, and recovery copy.

Update

Observer Doctrine Refinement

Phone and tablet witness model finalized for high-trust operator workflows.

Engineering

Last Trusted State vs Signature Detection

Signature detections identify known artifacts. State models identify unexpected drift before action.

Engineering

Preflight Result v1 Contract

Contract-focused reference for preflight output semantics, structure, and operator interpretation.

Pattern

Interval-Regular Authentication Attempts

Pattern analysis of interval-regular auth attempts and how to triage persistence-related risk in context.