Cyber Resilience in 2025: Practical Security for Small and Mid Firms


In 2025, cyber security is no longer a “nice-to-have” but a business survival issue. Threat actors are more advanced, insider threats are on the rise, and small-to-medium firms are increasingly targeted because attackers know they often lack the budgets for enterprise-grade security platforms.

From our work with clients, we noticed a consistent challenge: how can organizations gain security visibility into their systems without investing in expensive enterprise tools? On the advice of a subject matter expert in the field, we explored Velociraptor, an open-source digital forensics and incident response (DFIR) platform that is free to use, customizable, and designed for real-time endpoint visibility.

Affordable open-source cyber security for your business

A Crash Course in Velociraptor

Velociraptor, a free, open-source platform originally developed by Google, is an endpoint visibility and response platform. It enables security teams to query, collect, and analyze forensic data from endpoints across the network. Unlike many commercial EDR platforms, Velociraptor focuses on transparency, flexibility, and forensic depth.

Here’s how it works:

Image source: https://docs.velociraptor.app/

  • Server: Coordinates tasks and stores collected data.
  • Assets: Endpoint devices (PCs, laptops, servers) with lightweight Velociraptor clients installed.
  • Web Admin UI: Where analysts run "Hunts" (explained later) and VQL queries, and receive alerts.

Velociraptor consists of a central server that coordinates endpoints and stores data, lightweight agents on each device that collect information and run VQL queries, and a web-based console where analysts can monitor events and investigate alerts in real time.

Insider Threat Scenario

Consider a case where the company wants to monitor employee logins outside office hours, since logins at those times may indicate compromised accounts. A system admin can set up and run a VQL query like the one below via the Web Admin UI to search the events logged by Velociraptor agents.


SELECT Username, LogonTime
FROM Windows.EventLogs.Security
WHERE LogonType = "Interactive"
AND hour(LogonTime) NOT BETWEEN 8 AND 20

VQL queries are then wrapped in "Hunts", which run the query across all agents and return the results to the server.

Example results

Admins can then schedule these "Hunts" to query such data at any interval, e.g. daily or weekly. Alerts can also be configured and sent to users to report a suspected breach.
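To show how the after-hours rule from the query above behaves on real hunt output, here is an added Python example (not Velociraptor's code or the article's own) that applies the same 8-to-20 office-hours filter to constructed hunt results exported as JSON lines. It assumes Velociraptor reports logon times in UTC and that the firm's local time zone is given as a UTC offset; the row field names are assumptions for this example, not the artifact's real schema.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of hunt results exported as JSON lines (not real data).
# Field names are assumed for this example.
SAMPLE_ROWS = """\
{"Username": "alice", "LogonType": 2, "LogonTime": "2025-03-10T21:30:00Z"}
{"Username": "bob",   "LogonType": 2, "LogonTime": "2025-03-10T09:15:00Z"}
{"Username": "carol", "LogonType": 3, "LogonTime": "2025-03-11T02:00:00Z"}
{"Username": "dave",  "LogonType": 2, "LogonTime": "2025-03-11T02:00:00Z"}
{"Username": "erin",  "LogonType": 2, "LogonTime": "2025-03-11T20:00:00Z"}
"""

OFFICE_START, OFFICE_END = 8, 20  # inclusive local hours, as in "BETWEEN 8 AND 20"
INTERACTIVE = 2  # Windows logon type 2 = interactive (console) logon


def is_after_hours(ts_utc: datetime, utc_offset_hours: int) -> bool:
    """True when the logon falls outside office hours in the firm's local time."""
    local = ts_utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return not (OFFICE_START <= local.hour <= OFFICE_END)


def flag_after_hours_logons(jsonl: str, utc_offset_hours: int = 0) -> list:
    """Return the interactive logons that happened outside office hours."""
    flagged = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        row = json.loads(line)
        if row.get("LogonType") != INTERACTIVE:
            continue  # skip network/service logons, as the VQL query does
        ts = datetime.fromisoformat(row["LogonTime"].replace("Z", "+00:00"))
        if ts.tzinfo is None:
            ts = ts.replace(tzinfo=timezone.utc)  # exported timestamps are UTC
        if is_after_hours(ts, utc_offset_hours):
            local = ts.astimezone(timezone(timedelta(hours=utc_offset_hours)))
            flagged.append({"Username": row["Username"], "LocalTime": local.isoformat()})
    return flagged


if __name__ == "__main__":
    # Assumed local zone of UTC+8; change to the firm's own offset.
    for hit in flag_after_hours_logons(SAMPLE_ROWS, utc_offset_hours=8):
        print(hit)
```

Note that the same UTC timestamps produce a different set of hits once the local offset is applied, which is why the office-hours window must be evaluated in the firm's time zone rather than on the raw UTC hour.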

Checking USB Device Usage

Velociraptor can monitor USB device activity to detect potential data exfiltration. It tracks device names, serial numbers, and connection times, allowing analysts to flag unauthorized usage and quickly investigate suspicious activity. NOTE: If USB ports are disabled, no connection events will appear; an admin can still use Velociraptor to verify that no USB connections show up in the query results.


SELECT DeviceName, SerialNumber, LastConnected
FROM Windows.USBDevices()
WHERE LastConnected > now() - 1d

Example Results (Non JSON format)


Conclusion

There are many cyber security tools on the market, such as Wazuh, another free, open-source application that functions as a more complete SIEM (Security Information and Event Management) platform, storing logs and providing continuous monitoring. In today's world of increasing AI adoption and technology dependencies, firms should consider deploying at least one, if not several, such tools to detect, monitor and prevent cyber security threats.

