Skip to main content


This notebook showcases the key use cases of VAST in an interactive manner.

Work in Progress

This page is work in progress. It is the first example of a notebook-based approach of writing user guides, but the content and CI-workflow is not fully fleshed out. Stay tuned.

Install VAST

First, let's get a VAST binary to play with. The easiest way to setup VAST is downloading a static binary on Linux.

Coming soon: the VAST installer

The easiest way to obain VAST is through our installer script:

/bin/bash -c "$(curl -fsSL"

On Linux, the script downloads a static build. On macOS, the script clones the repo and creates a release build.

Following the instructions to add /opt/vast/bin to your PATH, test whether you are ready to use VAST:

vast version

Start a VAST node

Begin with starting a VAST node:

vast start
[14:12:09.207] VAST v2.1.0 is listening on localhost:42000

This command creates a listening socket at localhost:42000 that you can now interact with client commands from other terminals.

Test the connection with a new command:

vast status | jq .system
"current-memory-usage": 10322685460480,
"database-path": "/tmp/vast",
"in-memory-table-slices": 0,
"peak-memory-usage": 645167841280

Ingest data

After we have a VAST node to interact with, let's ingest some data.

We prepared a dataset derived from one day of the M57 recording and injected with malicious traffic from, adjusting timestamps such that the malware activity occurs in the same day as the background noise.

cd /tmp
curl -OL TODO
vast import pcap < dataset/PCAP/*.pcap
vast import zeek < dataset/Zeek/*.log
vast import suricata < dataset/Suricata/eve.json

Run queries

With a loaded VAST node, we can now answer some questions.