Getting Started

Quick guide to install and start using HeartSuite Core Secure.

HeartSuite Core Secure uses a 7-phase guided model to take your system from initial observation to full enforcement. The Dashboard tracks your progress and suggests each next step.

Overview: This guide covers both the Cloud Path and the Local Path for getting HeartSuite Core Secure running, verified, and ready for allowlisting.

The 7-Phase Model

HeartSuite Core Secure guides you through seven phases:

System Verification — confirm HeartSuite Core Secure is active and in Setup Mode
Program Allowlisting — approve the programs your system needs
Script Launchers (if applicable) — configure Secure Script Launchers for interpreted scripts
File Access Allowlisting — approve file read and write access
Internet Access Allowlisting — approve internet destinations
Alert Configuration — set up at least one notification channel
Secure Mode — locked until phases 2-6 are complete

The Dashboard displays your current phase, pending event counts, and a Suggested Next Step at all times.

Cloud Path Quick Start

Users launching a pre-installed HeartSuite Core Secure cloud instance (AWS AMI, GCP image) boot directly into Setup Mode.

Launch your cloud instance and log in.

The Dashboard appears automatically on first login with a welcome message:

HeartSuite Core Secure is active.
Current mode: Setup Mode — events are logged, nothing is blocked.
Suggested: Review 1 pending program event → [p] Programs

Phase 1 (System Verification) completes automatically — no manual steps required.
Follow the Suggested Next Step on the Dashboard to begin Phase 2: Program Allowlisting.

Local Path Quick Start

Users installing HeartSuite Core Secure on bare-metal or custom VMs follow a longer installation sequence before reaching the Dashboard.

Download and Install

Download the tar file from heartsecsuite.com.

Extract and run the installer (as root):

tar xvf 6.18-HeartSuite-1.6.4.tar -m
sudo bash heartsuite-install-bundle.sh

Reboot, then select the HeartSuite Core Secure kernel from the GRUB menu:
```
reboot
```
At GRUB: Advanced options for Debian GNU/Linux → Linux 5.19.6-HeartSuite-1.0
If the GRUB menu does not show the HeartSuite Core Secure kernel, run update-grub and reboot again. See Installation for details.

OS Boot Setup

After booting into the HeartSuite Core Secure kernel, the management UI appears on the console automatically. The System Setup screen opens.
Press [a] to run the setup step. The UI reboots the system when the step completes — select the HeartSuite Core Secure kernel from GRUB each time and repeat until the setup screen shows Setup Complete (usually 3–5 cycles). This builds the initial allowlist for startup programs, preventing boot issues when Secure Mode is activated later.

Verify and Proceed

Once the Installation screen confirms completion, the Dashboard shows your current phase. From here, the Cloud Path and Local Path merge — follow the Suggested Next Step to begin allowlisting.

The Dashboard

The Dashboard is your orientation point throughout the entire HeartSuite Core Secure journey. It displays:

Safety Banner — current protection state (Setup Mode, Secure Mode, or Non-HS kernel)
Phase Progress — which of the 7 phases are complete, in progress, or not started
Pending/Denied counts — events grouped by category (Programs, File reads, File writes, Network)
Suggested Next Step — one clear, actionable recommendation
System Info Strip — kernel type, current mode, time in mode, lockdown status

The Suggested Next Step is always the recommended action. Follow it to proceed through each phase.

The Review Queues

The Dashboard organizes allowlisting into three review queues, each presented as a screen within the Dashboard:

Programs queue ([p]) — review pending program execution events (Phase 2)
File Access queue ([f]) — review pending file read and write events (Phase 4)
Internet Access queue ([i]) — review pending network connection events (Phase 5)

The Suggested Next Step directs you to the queue that needs attention. Select it to navigate directly to the review screen. For browsing or editing existing allowlist entries, use the Allowlist screen ([a]).

Switching to Secure Mode

When phases 2-6 are complete, the Dashboard unlocks Phase 7 and shows Secure Mode activation as the Suggested Next Step. Activation requires typing YES (case-sensitive) to confirm. After confirmation, the Dashboard offers two reboot options:

[r] Reboot — enforcement active, configuration remains editable
[l] Reboot + Lockdown — enforcement active, configuration sealed with filesystem immutability

Both are valid configurations depending on your threat model. If the system does not boot correctly, reboot into the Non-HS kernel — the Dashboard resumes there and guides you through recovery.

Next Steps

For full allowlisting guidance: Allowlisting
For alert configuration (Phase 6): Alert Configuration
For Lockdown after Secure Mode: Mode Switching
For troubleshooting: Troubleshooting

Before You Begin

System requirements and prerequisites for installing HeartSuite Core Secure.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

Last modified April 14, 2026: Update installation docs for heartsuite-install-bundle.sh and TUI flow (6174c69)