Endpoint Security (EDR/EPP)
Roadmap — a lightweight cross-OS endpoint agent for EDR telemetry, behavioral detection, gated response, and (later) NGAV prevention, feeding the SecOps SIEM/XDR.
Endpoint Security (EDR/EPP)
Roadmap — not yet available. Endpoint Security is a planned capability. This page documents the intended design so you can evaluate direction; it is not a shipping feature and should not be planned against as one. It sequences after the SecOps event store, which is its telemetry sink.
Endpoint Security is planned as a single lightweight, cross-OS agent (EDR, EPP/NGAV, and device control in one) that feeds the SecOps SIEM and XDR. The guiding constraint is safety: the agent must never take down the host, so the design builds the lowest-risk pieces first and gates kernel-level components behind proven safety guarantees.
Planned capabilities
| Area | What it will do |
|---|---|
| Telemetry (EDR) | Stream process, file, network, module, and auth events with full process-tree context; Linux eBPF and user-mode collectors first |
| Behavioral detection | Run the existing detection-rule engine plus Sigma endpoint packs (reverse shell, LOLBin, credential dumping, persistence) with ATT&CK tagging |
| IOC sweep + hunting | Sweep endpoints for known-bad hashes/paths/registry/network indicators, live and retrospective |
| Response (gated) | Isolate, kill, quarantine, block-hash, and rollback — policy-gated, with high-impact actions requiring human approval |
| Device control | USB, host-firewall, application allow/block, and disk-encryption posture |
| Inventory | Endpoint and installed-software inventory (feeding vuln management) plus unmanaged-device discovery |
| Prevention (NGAV/EPP) | Later phase — pre-execution ML classification, exploit mitigation, and ransomware protection with a strict false-positive guard |
Safety model (planned)
Because an endpoint agent runs everywhere, six guarantees are designed in as non-negotiable before any telemetry ships on a real OS:
- Safe-fail — a failed collector, enforcement, or response never crashes the host.
- Resource governor — hard CPU and memory caps; shed telemetry before the hard cap.
- Watchdog — a supervisor that restarts the agent on crash and disarms (telemetry-only) after repeated crashes, so it never becomes a boot loop.
- Global kill-switch — a server-pushed control that halts all enforcement and response fleet-wide instantly.
- Tamper protection — self-protection for the agent process and config.
- Signed / notarized binaries — Authenticode, macOS notarization, and Linux package signing, enforced in the build pipeline.
Kernel components (Windows minifilter, macOS EndpointSecurity, Linux eBPF/LSM enforcement) are the highest-risk items and land last, only after these guarantees are proven in staged rollout. The endpoint agent is deliberately distinct from the Runtime Protection workload agent — shared detection concepts, different form factor.
Response actions (planned, gated)
Response will be delivered through the SecOps SOAR connector registry as well as directly:
- Isolate / release — host network isolation, allowing only the agent-to-server channel.
- Kill — terminate an offending process (approval-gated unless a specific high-confidence rule is tenant-opted into auto).
- Quarantine / block-hash / rollback — contain files and restore journaled changes, approval-gated.
Every action is tenant-scoped, audit-logged, and safe-fail; the kill-switch overrides all policy.
When it ships
Endpoint findings and detections will flow into the unified findings model, and each endpoint event will also land in the SecOps event store as a SecEvent (source edr), making it SIEM-queryable and XDR-correlatable. The engine will be gated by the ff.endpoint feature flag.
Related
- SecOps (SIEM) — the event store and detection the endpoint agent feeds.
- Runtime Protection (CWPP & CNAPP) — the distinct workload-protection agent, available today.
- Vulnerability & Exposure Management — consumes endpoint software inventory (roadmap).
- Unified Findings & Feature Flags — where findings land and how engines are toggled.
Unified Findings & Feature Flags
Every security engine reports into one unified findings model, discriminated by type, with each engine independently admin-toggleable via server-enforced feature flags.
CTEM & EASM
Roadmap — external attack-surface management plus a Gartner-style continuous threat exposure management program that unifies every engine's findings into one prioritized, exploitability-validated exposure list.