Check a domain for phishing

When a destination is not present in our blocklists, BastionGuard applies heuristic page analysis to detect phishing patterns.

Real-time Scanning

On-access scanning integrated with the filesystem, fully configurable and auditable. Includes inotify support and monitors each directory.

Anti-Ransomware

Detects ransomware behavior using YARA rules and controlled scanning, with user-visible rules and allowlists.

Anti-Phishing

Blocks malicious domains and redirects using deterministic lists, DNS control, and firewall enforcement, with no silent cloud decisions.

USB Scanning

Removable devices are scanned on insertion, with explicit user feedback and no automatic execution.

Secure Payments

Enforces a sandboxed browser for payment and checkout domains, based on a user-managed allowlist.

Webcam & Microphone Privacy

Controls access to camera and microphone resources, preventing silent or unexpected usage.

Identity Leak Monitoring

Monitors exposed credentials using public breach intelligence, with clear severity and source attribution.

Samba / Network Share Scanning

Scans files accessed through Samba and network shares, enforcing the same security policies applied to local files.

Security Updates

Keeps all security engines and threat intelligence up to date with verified signature, rule, and database updates.

Why BastionGuard

Security you can see, control, and reason about.
BastionGuard is not a “trust us” security product.
It is a security control plane built for Linux desktops, where every protection mechanism is explicit, deterministic, and observable.
Most desktop security tools hide decisions behind opaque engines, cloud scoring, or silent automation. BastionGuard does the opposite.

Security as a control plane, not a black box

Security you can see, control, and reason about.

BastionGuard is not a “trust us” security product.
It is a security control plane for Linux desktops, where protection is explicit, deterministic, and observable.
No opaque engines. No silent automation. No hidden cloud decisions.

Deterministic by design

Every action in BastionGuard follows explicit rules and policies:
No silent blocking
No hidden heuristics
No undisclosed cloud decisions
If something is blocked, scanned, redirected, or sandboxed, you know why — and you can inspect, change, or disable that behavior.
Designed around Linux primitives: systemd, filesystem policies, local services, and explicit privilege boundaries.

Local-first, not cloud-dependent

BastionGuard operates primarily on the local system:
Local signature databases
Local YARA rules
Local DNS control
Local policy enforcement
Cloud services are optional and clearly scoped (for example, identity breach monitoring or optional Safe Browsing checks). Core protections remain functional even offline.

Explicit policy boundaries

BastionGuard enforces clear security boundaries, instead of blending everything into a single opaque engine:
Filesystem access is scanned explicitly
USB devices are scanned on insertion
Network shares (Samba) are treated as untrusted sources
Payment domains are allowed only through an explicit allowlist
Secure browsing runs in a sandboxed environment
Webcam and microphone access are controlled, not assumed safe
There are no implicit trust zones.

Privilege separation and transparency

BastionGuard respects Linux security principles:
User-level services use systemd --user
System-level changes require explicit privilege escalation
Configuration files are readable, inspectable, and versionable
Updates are visible and auditable
Nothing happens “behind your back”.

Built for Linux users, not adapted from elsewhere

BastionGuard is designed for Linux, not ported from another ecosystem:
GTK-based native UI
systemd-native service management
Filesystem-aware scanning
Network and DNS control aligned with Linux workflows
It integrates with the system instead of fighting it.

If you want security you can understand — not just install —
BastionGuard is built for you.

Explore the source code, documentation, and architecture.
Security should be something you can reason about.

BastionGuard is fully open source.

Every component — from real-time scanning to ransomware detection, phishing enforcement, sandboxed browsing, and system services — is implemented as auditable code, not opaque binaries.
There are no hidden cloud decisions, no silent automation, and no proprietary black boxes.
What BastionGuard does is visible, traceable, and verifiable.