Get Shield running in a few minutes.
Shield self-hosts via Docker. One command stands up the backend; the Shield Chrome extension reports to it. Here is the whole thing, start to finish — including Docker setup per OS, automatic HTTPS, and troubleshooting.
The whole install is one command.
Run this on your server (a Linux box, a Mac, or Windows via WSL — see Docker setup below). Use the license key from your trial page in place of the placeholder.
curl -fsSL https://install.cinderlabs.ai/shield/install.sh | bash -s -- SHIELD-YOUR-LICENSE-KEY-HERE
That pulls the installer, fetches your image-registry credentials from the license server using your key, writes the Docker Compose stack, and brings it up. In ~2 minutes Shield is reachable at http://<your-server-ip>/.
Want HTTPS? Add a domain that already points at the box as a second argument and TLS is automatic (see HTTPS):
bash install-shield.sh SHIELD-YOUR-LICENSE-KEY-HERE shield.yourcompany.com
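The one-liner above executes whatever the download returns, including a truncated file or an HTML error page. The script below is an added example, not Cinder Labs code: it stages the installer in a private temp file, sanity-checks it, shows it for review, and only then runs it with the same arguments. It assumes bash, curl and sha256sum are present (Linux or WSL); the page publishes no checksum, so the printed hash is only for your own change record.

```shell
#!/usr/bin/env bash
# Added example: stage, check and review the installer before running it.
INSTALLER_URL="https://install.cinderlabs.ai/shield/install.sh"  # URL from the page

# Return 0 only for a non-empty shell script that parses cleanly.
# Rejects empty downloads, HTML error pages and truncated scripts.
installer_is_sane() {
    [ -s "$1" ] || return 1
    head -n 1 "$1" | grep -Eq '^#!.*[/ ](ba)?sh( |$)' || return 1
    bash -n "$1" 2>/dev/null
}

# Download over HTTPS only into a mode-600 temp file; print "<sha256>  <path>".
stage_installer() {
    staged=$(mktemp) || return 1
    curl -fsSL --proto '=https' --tlsv1.2 -o "$staged" "$INSTALLER_URL" || return 1
    installer_is_sane "$staged" || {
        echo "refusing to run: download is not a valid shell script" >&2
        return 1
    }
    sha256sum "$staged"
}

# Usage: bash stage-shield.sh SHIELD-YOUR-LICENSE-KEY-HERE [domain]
# (stage-shield.sh is a hypothetical file name for this example)
if [ "$#" -ge 1 ]; then
    line=$(stage_installer) || exit 1
    staged=${line##* }              # path is the last field of sha256sum output
    echo "staged installer: $line"
    ${PAGER:-less} "$staged"        # read it before it runs with your license key
    printf 'Run it now? [y/N] '
    read -r answer
    if [ "$answer" = "y" ]; then
        bash "$staged" "$@"
    fi
fi
```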
Shield's Visibility (log-only) vs Defend (visibility + blocking) tier is set by your license — same install either way; the backend self-configures. Free trials run Defend with blocking on.
Prerequisites
What you need.
- A host with Docker + the docker compose plugin. Minimum 2 vCPU, 4 GB RAM, 20 GB disk. Linux, Mac (Docker Desktop), or Windows (Docker Desktop + WSL2).
- Outbound HTTPS to ghcr.io (image pulls) and license.cinderlabs.ai (license validation, every few hours).
- Your Shield license key — from your free-trial page or your rep.
Install Docker.
Ubuntu 22+ / Debian 12+
curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker $USER
# Log out and back in so the docker group takes effect
Amazon Linux 2023 / RHEL / Rocky / AlmaLinux
sudo dnf install -y docker
sudo systemctl enable --now docker
sudo usermod -aG docker $USER
# compose plugin isn't bundled with the dnf package:
sudo mkdir -p /usr/libexec/docker/cli-plugins
sudo curl -SL https://github.com/docker/compose/releases/download/v2.29.7/docker-compose-linux-x86_64 \
  -o /usr/libexec/docker/cli-plugins/docker-compose
sudo chmod +x /usr/libexec/docker/cli-plugins/docker-compose
# Log out and back in
Mac
Install Docker Desktop, then run the install command in Terminal. The compose plugin ships with Docker Desktop.
Windows
The installer is a bash script — it does not run in PowerShell or CMD. You need WSL2 + Ubuntu + Docker Desktop:
- In PowerShell as Administrator: wsl --install -d Ubuntu, then reboot and set a Linux username/password.
- Install Docker Desktop with the default WSL2 backend.
- Docker Desktop → Settings → Resources → WSL integration → enable your Ubuntu distro → Apply & restart.
- Open the Ubuntu app and run the install command there. Verify with docker version first.
Install the Shield browser extension.
Shield captures activity through the Shield by Cinder Labs Chrome extension on each user's browser, reporting to the backend you just stood up. It auto-updates from the Web Store.
- Single user / pilot: add it from the Chrome Web Store, then open it and point it at your server URL.
- Org-wide (recommended): force-install via Chrome enterprise policy (GPO, Intune, Jamf, Workspace ONE). Add extension ID bcflmbmmfjddkkepanocompdapokcgdl to ExtensionInstallForcelist, and push the server URL + API key through managed storage so users can't disconnect it.
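For the org-wide option, the function below renders a Chrome managed-policy JSON that combines the force-install entry with managed-storage values. It is an added example, not Cinder Labs code: the two managed-storage key names are placeholders (the page does not give them), and requiring an https:// server URL is this example's choice so the API key is not sent in clear text.

```shell
#!/bin/sh
# Added example: render a Chrome managed-policy JSON for the Shield extension.
# Chrome on Linux reads such files from /etc/opt/chrome/policies/managed/;
# GPO, Intune and Jamf carry the same two settings in their own formats.
WEBSTORE_UPDATE_URL="https://clients2.google.com/service/update2/crx"

# ASSUMPTION: placeholder key names. Take the real managed-storage keys from
# the extension's managed schema or from your Cinder Labs rep.
URL_KEY="serverUrl"
API_KEY_KEY="apiKey"

# render_shield_policy EXT_ID SERVER_URL API_KEY  ->  JSON on stdout
render_shield_policy() {
    # Chrome extension IDs are exactly 32 characters in the range a-p.
    printf '%s' "$1" | grep -Eq '^[a-p]{32}$' || {
        echo "invalid extension ID: $1" >&2
        return 1
    }
    # Example's choice: accept only https server URLs.
    case "$2" in
        https://*) ;;
        *) echo "server URL must start with https://" >&2; return 1 ;;
    esac
    # Refuse characters that would break out of a JSON string.
    case "$2$3" in
        *\"*|*\\*) echo "quote or backslash in value" >&2; return 1 ;;
    esac
    cat <<EOF
{
  "ExtensionInstallForcelist": ["$1;$WEBSTORE_UPDATE_URL"],
  "3rdparty": {
    "extensions": {
      "$1": { "$URL_KEY": "$2", "$API_KEY_KEY": "$3" }
    }
  }
}
EOF
}

# Constructed sample values; redirect the output to a .json file in the
# managed-policy directory and confirm it under chrome://policy.
render_shield_policy bcflmbmmfjddkkepanocompdapokcgdl \
    https://shield.yourcompany.com CONSTRUCTED-API-KEY
```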
Optional: the shield-id-helper companion lets SOC analysts attribute events to a specific machine name / LAN IP / OS user. Install it only if you need that level of attribution.
Step 3 · First login
Create your admin account.
Open Shield in your browser (http://<your-server-ip>/ or your HTTPS domain) and Register the first user — that account becomes the org owner. Blocking is on from first boot on Defend.
Add a domain for automatic TLS.
The stack ships a built-in Caddy reverse proxy. Pass a domain as the second argument and Caddy fetches and auto-renews a free Let's Encrypt certificate — no cert files, no renewal cron.
bash install-shield.sh SHIELD-YOUR-LICENSE-KEY-HERE shield.yourcompany.com
Two prerequisites for the cert to issue:
- The domain's DNS A record already points at this server.
- Inbound ports 80 and 443 are open (Let's Encrypt validates over port 80).
Behind Cloudflare? Set that DNS record to DNS-only (grey cloud) so Let's Encrypt can validate the origin. Already on HTTP and want HTTPS later? Re-run the installer with the domain argument — it flips to HTTPS without touching your data.
Day-2 operations
Run, update, and back out.
docker compose ps            # stack status
docker compose logs -f api   # tail API logs
docker compose down          # stop (data persists)
bash update-shield.sh        # update to the latest version
docker compose down -v       # stop + WIPE all data (destructive)
Email (recommended): password resets and invites need SMTP. Add these to .env, then run docker compose up -d:
SMTP_HOST=smtp.yourprovider.com
SMTP_PORT=587
SMTP_USER=your-smtp-user
SMTP_PASS=your-smtp-password
SMTP_FROM=noreply@yourcompany.com
Without SMTP, a forgotten admin password can't be self-recovered — keep it safe.
Troubleshooting
Common snags.
- docker: command not found — Docker isn't installed or isn't on PATH. On Windows, use a WSL terminal, not PowerShell.
- permission denied on docker — run sudo usermod -aG docker $USER, then log out and back in.
- 'compose' is not a docker command — the compose plugin isn't installed (see the AL2023 steps above).
- Pull fails with 401/403 — the registry token expired; email your rep for a refreshed install script.
- API never healthy — license rejected; run docker compose logs api and check the key isn't expired/revoked.
- License server unreachable — allowlist license.cinderlabs.ai on egress.
- Port 80/443 in use — set HTTP_PORT=8080 (and HTTPS_PORT=8443) in .env, then docker compose up -d.
Each install runs entirely on your infrastructure — Cinder Labs has no remote access. Stuck? Email support@cinderlabs.ai with your docker compose logs api output.