Safeguard.sh Documentation Center

Endpoint Security (EDR/EPP)

Roadmap — a lightweight cross-OS endpoint agent for EDR telemetry, behavioral detection, gated response, and (later) NGAV prevention, feeding the SecOps SIEM/XDR.

Endpoint Security (EDR/EPP)

Roadmap — not yet available. Endpoint Security is a planned capability. This page documents the intended design so you can evaluate direction; it is not a shipping feature and should not be planned against as one. It sequences after the SecOps event store, which is its telemetry sink.

Endpoint Security is planned as a single lightweight, cross-OS agent (EDR, EPP/NGAV, and device control in one) that feeds the SecOps SIEM and XDR. The guiding constraint is safety: the agent must never take down the host, so the design builds the lowest-risk pieces first and gates kernel-level components behind proven safety guarantees.

Planned capabilities

AreaWhat it will do
Telemetry (EDR)Stream process, file, network, module, and auth events with full process-tree context; Linux eBPF and user-mode collectors first
Behavioral detectionRun the existing detection-rule engine plus Sigma endpoint packs (reverse shell, LOLBin, credential dumping, persistence) with ATT&CK tagging
IOC sweep + huntingSweep endpoints for known-bad hashes/paths/registry/network indicators, live and retrospective
Response (gated)Isolate, kill, quarantine, block-hash, and rollback — policy-gated, with high-impact actions requiring human approval
Device controlUSB, host-firewall, application allow/block, and disk-encryption posture
InventoryEndpoint and installed-software inventory (feeding vuln management) plus unmanaged-device discovery
Prevention (NGAV/EPP)Later phase — pre-execution ML classification, exploit mitigation, and ransomware protection with a strict false-positive guard

Safety model (planned)

Because an endpoint agent runs everywhere, six guarantees are designed in as non-negotiable before any telemetry ships on a real OS:

  • Safe-fail — a failed collector, enforcement, or response never crashes the host.
  • Resource governor — hard CPU and memory caps; shed telemetry before the hard cap.
  • Watchdog — a supervisor that restarts the agent on crash and disarms (telemetry-only) after repeated crashes, so it never becomes a boot loop.
  • Global kill-switch — a server-pushed control that halts all enforcement and response fleet-wide instantly.
  • Tamper protection — self-protection for the agent process and config.
  • Signed / notarized binaries — Authenticode, macOS notarization, and Linux package signing, enforced in the build pipeline.

Kernel components (Windows minifilter, macOS EndpointSecurity, Linux eBPF/LSM enforcement) are the highest-risk items and land last, only after these guarantees are proven in staged rollout. The endpoint agent is deliberately distinct from the Runtime Protection workload agent — shared detection concepts, different form factor.

Response actions (planned, gated)

Response will be delivered through the SecOps SOAR connector registry as well as directly:

  • Isolate / release — host network isolation, allowing only the agent-to-server channel.
  • Kill — terminate an offending process (approval-gated unless a specific high-confidence rule is tenant-opted into auto).
  • Quarantine / block-hash / rollback — contain files and restore journaled changes, approval-gated.

Every action is tenant-scoped, audit-logged, and safe-fail; the kill-switch overrides all policy.

When it ships

Endpoint findings and detections will flow into the unified findings model, and each endpoint event will also land in the SecOps event store as a SecEvent (source edr), making it SIEM-queryable and XDR-correlatable. The engine will be gated by the ff.endpoint feature flag.

On this page