OSSEC Development Timeline

Tracing OSSEC’s Evolution From HIDS Framework to Commercial Atomic OSSEC EDR

Created in 2004 by Daniel B. Cid, OSSEC is an open-source host-based intrusion detection system (HIDS) that continues to provide a foundation for cybersecurity and compliance more than two decades later. The following OSSEC timeline traces OSSEC from creation through its development and enhancement, to the expansion of OSSEC’s core features into commercial EDR solutions such as Atomicorp’s Atomic OSSEC.

OSSEC Development Timeline
| Date | Milestone |
| --- | --- |
| January 2025 | OSSEC 3.8.0 is released, strengthening ossec-authd (chroot + privilege separation by default), running under the “ossec” user, and adding official support for AIX 7.x on Power8/9/10.¹ |
| April 2024 | Changelog updates include better handling of logs lacking the event_source field (e.g., in ossec-testrule and ossec-analysisd), improving integration flexibility. |
| January 2024 | OSSEC 3.7.0 adds systemd journald support for seamless integration with modern Linux ecosystems. |
| April 2023 | OSSEC Foundation (via Atomicorp) hosts OSSECCON 2023, featuring talks on PCRE2 rule modernization and community-driven decoder expansions. |
| March 2023 | OSSEC+ is launched as a free “plus” offering: expanded rule sets, threat intelligence integration, and a read-only UI that augments (but does not replace) the open core.² |
| February 2020 | OSSEC 3.6.0 debuts, with ongoing rule tuning, platform updates, continued regex modernization (PCRE2), and an independent security audit by Daniel McCarney. |
| October–Nov. 2019 | OSSEC 3.4.0 and 3.5.0 are released back-to-back, emphasizing rapid iteration, enhanced decoders, multi-line parsing, and improved cross-platform support—including Snap packaging for universal Linux distros. |
| April 2019 | OSSEC 3.3.0 is published, continuing improvements in packaging, decoders, and platform compatibility—including PCRE2 for advanced pattern matching. |
| February 2019 | OSSEC 3.2.0 (“the great JSON-in-ing”) expands JSON output support across control commands and alerting workflows. |
| October 2018 | OSSEC 3.1.0 launches with upgrades to auditing, networking, and internal scalability. |
| July 2018 | OSSEC 3.0.0 introduces major new features: SQLite-based syscheck whitelisting, PagerDuty integration, SELinux module for agents, and library upgrades. |
| 2018 | Control of OSSEC transitions away from Trend Micro / Third Brigade to being actively maintained by the OSSEC Foundation and Atomicorp / Scott Shinn. (Trend Micro releases the domain and source code.) |
| December 2017 | OSSEC 2.9.3 is released, delivering one of the largest rule/decoder updates to date, plus improved GeoIP support. |
| February–Aug. 2017 | OSSEC 2.9.0 – 2.9.2 roll out: JSON alert output, ZeroMQ-based routing, enhanced syscheck directory tracking, and expanded rules. |
| 2016 | Multiple betas and release candidates are circulated ahead of the OSSEC 2.9.0 launch, involving community testing and feedback. |
| June–Nov. 2015 | OSSEC 2.8.2 and 2.8.3 provide timely CVE fixes (e.g., CVE-2015-3222) and stability improvements. |
| October 2014 | OSSEC 2.8.1 fixes CVE-2014-5284 and includes other vulnerability patches. |
| June 2014 | OSSEC 2.8 is released with enhanced detection, performance tuning, and community-vetted improvements; OSSEC issues guidance during the Heartbleed period. |
| January 2014 | OSSEC migrates its source and issue infrastructure to GitHub, boosting transparency and community contributions. |
| April 2009 | Trend Micro acquires Third Brigade (and with it, OSSEC) and pledges to keep the project open source. Separately, by this time, use of the original OSSEC “backronym,” “Open Source HIDS SECurity,” has largely disappeared. |
| June 2008 | Third Brigade acquires OSSEC from Daniel B. Cid, formalizing investment in its open-source roadmap. |
| 2004–2006 | OSSEC is created by Daniel B. Cid with real-time log analysis, FIM, registry monitoring, rootkit detection, and active response features. The OSSEC name originally stands for “Open Source HIDS SECurity.” |

Built on OSSEC, Atomic OSSEC combines the platform-agnostic versatility and modularity of open source technology in an advanced commercial endpoint detection and response (EDR) and cloud workload protection solution. The following Atomic OSSEC timeline traces the foundation of the Atomicorp company, the evolution of the Atomic OSSEC commercial product, the development of Atomic ModSecurity Rules and Atomic WAF solutions, new security and compliance features and feature enhancements, and more.

Atomic OSSEC Development Timeline
| Date | Milestone |
| --- | --- |
| October 2025 | Atomicorp adds real-time file integrity monitoring (FIM) support for Solaris OS environments. |
| October 2024 | Atomicorp provisions its Atomic OSSEC agents with endpoint firewall protection, also referred to as on-device firewall protection. |
| August 2024 | Atomicorp adds malware memory analysis to Atomic OSSEC v.6.0.61+, a capability that enables customers to detect fileless malware hiding in memory. |
| July 2024 | Atomicorp and Varnish Software, a leader in content delivery software solutions, announce they will partner to provide Atomic ModSecurity Rules web application firewall (WAF) capabilities in Varnish Enterprise software. |
| June 2024 | Atomicorp releases Atomic OSSEC 6.0.61+, a commercial endpoint detection and response (EDR) solution based on the latest OSSEC, including proprietary features like machine learning, compliance auditing, and commercial support. |
| February 2023 | Atomicorp hosts OSSEC Conference 2023, a three-day virtual event during the COVID-19 pandemic. The conference highlights getting the most out of detection and response, along with virtual training, OSSEC certification, and tutorials. |
| November 2021 | Atomicorp announces continued support and development of commercial ModSecurity WAF Rules after Trustwave’s announcement to end support led to false assumptions that ModSecurity had died, become obsolete, or was no longer available. |
| October 2021 | Atomicorp hosts OSSEC Conference 2021, which highlights NIST 800-171 compliance controls, OSSEC false positive and false negative reduction, cloud API protection, and enhanced security features for legacy OS environments such as Solaris, HP-UX, AIX, and end-of-life (EOL) Linux and Windows versions. |
| February 2021 | Atomicorp launches Atomic OSSEC as a SaaS-delivered commercial product, simplifying deployment and adding expert configuration, advanced policing, cloud workload protection, and compliance capabilities. |
| September 2020 | Atomicorp diversifies and rebrands its product family: Atomic Secured Linux becomes Atomic Protector; the Atomicorp OSSEC solution is named Atomic Enterprise OSSEC, which will eventually be shortened to Atomic OSSEC. The company also introduces a commercial WAF product called Atomic WAF. |
| November 2017 | Atomicorp adds ModSecurity-based web application firewall (WAF) functionality to its Atomic OSSEC product. |
| April 2017 | Atomicorp hosts OSSEC Conference 2018 in Washington, D.C. Topics such as file integrity monitoring (FIM), PCI DSS compliance, and OSSEC GUI support are discussed. |
| January 2017 | Atomicorp announces release of Atomic Secured Linux 5.0.2, an Atomic OSSEC and Atomic Protector predecessor still supported in some customer environments. |
| March 2015 | Michael Shinn and Scott Shinn found Atomicorp to commercialize and extend OSSEC into a lightweight, DevOps-friendly security platform. |