Protect servers, workstations, and deployed machines.
Endpoint Agents monitor processes, files, system behavior, and execution patterns on servers and workstations. They detect malware activity, lateral movement, persistence attempts, privilege abuse, and suspicious command execution.
The Ollandi defense loop
Every agent follows the same cycle, producing an auditable, coordinated response.
Observe
Ingest domain-specific signals in real time with full telemetry fidelity.
Reason
Correlate local evidence with the shared threat model and adjacent agents.
Validate
Check policy boundaries, blast radius, and consensus before acting.
Act
Execute bounded, reversible actions through approved control interfaces.
Evidence
Record every observation, decision, and action in an auditable bundle.
What it protects
- Servers and virtual machines
- Developer workstations
- Containers and micro-VMs
- Sensitive production hosts
- Remote access endpoints
What it monitors
- Process creation and command-line arguments
- File system and registry activity
- Network connections from endpoints
- User and privilege context
- Behavioral baselines and anomalies
What it detects
- Malware execution and script abuse
- Persistence mechanisms and scheduled tasks
- Privilege escalation and token manipulation
- Lateral movement from compromised hosts
- Data staging and exfiltration attempts
What it can do
- Isolate host from network while preserving access logs
- Terminate malicious processes and remove persistence
- Capture memory and disk artifacts for forensics
- Correlate with Identity and Network agents
- Generate incident evidence bundle
What evidence it generates
- Process tree and command-line history
- File and registry modification timeline
- Memory and disk artifact references
- Network connections from host
- Agent reasoning and action audit trail
One working agent experience
See how an endpoint agent moves through the defense loop on a real incident.
Observe
Host prod-web-03 spawned a reverse shell from a temporary directory.
Reason
Behavior deviates from baseline; command pattern matches post-exploitation activity.
Validate
Network Agent confirms C2 beaconing; Identity Agent shows privileged service account usage.
Act
Isolate host, terminate shell, preserve forensic snapshot.
Evidence
Process tree, network connections, and cross-agent consensus captured.
Part of a coordinated defense
Endpoint Agents contribute host-level behavior to the shared model, enabling Identity and Network agents to confirm or refute cross-domain hypotheses.