
What is Agent-based security?

Agent-based security is a protection model in which a lightweight software application, known as an agent, is installed locally on an endpoint to help monitor, manage, and protect the device from security threats.

Understanding Agent-based security

In this architecture, the security agent resides directly within the host operating system. This proximity allows the software to monitor local system activity, such as file changes, process behavior, configuration status, and other endpoint events, depending on the agent’s capabilities.

Unlike network-level security tools, an endpoint agent can continue collecting local telemetry when the device is outside the corporate network or behind a firewall, then report findings once connectivity is restored.

Core mechanisms

Continuous Monitoring

The agent tracks local endpoint activity such as configuration changes, application execution, system events, and network activity, depending on the platform and security solution.

Autonomous Response

Some endpoint protection or EDR agents can perform predefined response actions, such as isolating a host or terminating a malicious process, depending on product capabilities and configuration.

Resource Consumption

Because the agent runs locally, it uses host system resources such as CPU, memory, and storage to perform security-related functions.
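The three mechanisms above, plus the offline behaviour described earlier (collect locally, report when connectivity returns), fit together as a store-and-forward loop. The following Python program is an added illustration written for this page; it is not Hexnode's agent or any vendor's code. It assumes a watched directory, a local spool file kept outside that directory, and a `send` callback standing in for the management server; the sample files, the `FakeCollector` class and the function names are all constructed for the example.

```python
# Illustrative store-and-forward endpoint agent (added example, not vendor code).
# Snapshot a directory by hashing, diff against the last snapshot, spool events
# locally, and deliver them only when the (simulated) collector is reachable.
import hashlib
import json
import tempfile
import time
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(old, new):
    """Turn two snapshots into created/deleted/modified events, ordered by path."""
    events = []
    for path in new.keys() - old.keys():
        events.append({"type": "file_created", "path": path, "sha256": new[path]})
    for path in old.keys() - new.keys():
        events.append({"type": "file_deleted", "path": path, "sha256": old[path]})
    for path in old.keys() & new.keys():
        if old[path] != new[path]:
            events.append({"type": "file_modified", "path": path,
                           "old_sha256": old[path], "sha256": new[path]})
    return sorted(events, key=lambda e: e["path"])


class Agent:
    """Monitoring cycle: snapshot -> diff -> spool to disk -> flush when online."""

    def __init__(self, watch_dir, spool_path, send):
        self.watch_dir = Path(watch_dir)
        self.spool_path = Path(spool_path)   # must live outside watch_dir
        self.send = send                     # callable(events) -> True if delivered
        self.baseline = snapshot(self.watch_dir)

    def poll(self):
        """Detect changes since the last poll and append them to the local spool."""
        current = snapshot(self.watch_dir)
        events = diff_snapshots(self.baseline, current)
        self.baseline = current
        if events:
            with self.spool_path.open("a") as f:
                for e in events:
                    e["ts"] = time.time()
                    f.write(json.dumps(e) + "\n")
        return events

    def spooled(self):
        """Events still waiting on disk (empty list if nothing is pending)."""
        if not self.spool_path.exists():
            return []
        return [json.loads(line) for line in self.spool_path.read_text().splitlines() if line]

    def flush(self):
        """Deliver pending events; keep them on disk if the collector is unreachable."""
        pending = self.spooled()
        if pending and self.send(pending):
            self.spool_path.unlink()
            return len(pending)
        return 0


class FakeCollector:
    """Stands in for the management server; `online` toggles reachability."""

    def __init__(self, online=False):
        self.online = online
        self.received = []

    def send(self, events):
        if not self.online:
            return False
        self.received.extend(events)
        return True


def run_demo():
    """Offline change -> spooled; connectivity restored -> delivered. Returns a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        watched = Path(tmp) / "etc"
        watched.mkdir()
        (watched / "app.conf").write_text("debug=0\n")    # constructed sample file
        collector = FakeCollector(online=False)
        agent = Agent(watched, Path(tmp) / "spool.jsonl", collector.send)

        (watched / "app.conf").write_text("debug=1\n")    # configuration drift
        (watched / "extra.conf").write_text("x\n")        # unexpected new file
        events = agent.poll()
        delivered_offline = agent.flush()
        pending_offline = len(agent.spooled())

        collector.online = True                           # connectivity restored
        delivered_online = agent.flush()
        return {
            "event_types": [e["type"] for e in events],
            "delivered_offline": delivered_offline,
            "pending_offline": pending_offline,
            "delivered_online": delivered_online,
            "pending_after": len(agent.spooled()),
            "received": len(collector.received),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The resource-consumption point shows up in the design: hashing every file on each poll is the cost the host pays for local visibility, which is why real agents throttle scans, hash incrementally, or hook the filesystem instead of rescanning. The spool is what lets a laptop off the corporate network keep a record that is delivered intact later.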

Agent-based vs. Agentless Security

| Feature | Agent-based | Agentless |
| --- | --- | --- |
| Visibility | Deep endpoint telemetry and local system insight | Primarily network-visible or API-based visibility |
| Connectivity | Can continue some local monitoring while offline | Typically requires active network or API connectivity |
| Deployment | Requires installation on managed devices | Managed through APIs, remote queries, or network scans |
| Resource Impact | Uses endpoint system resources | Generally lower direct resource usage on endpoints |

Why does Agent-based security matter?

Modern workforces are increasingly decentralized, making traditional perimeter-based defenses less effective for remote endpoints. Agent-based security can provide granular endpoint telemetry that helps organizations detect suspicious activity and monitor device behavior beyond what network-only visibility can provide.

This approach is especially useful for identifying sophisticated “living-off-the-land” techniques, where attackers misuse legitimate system tools to evade detection. Endpoint agents can help security teams observe abnormal process behavior, configuration changes, or unauthorized activity occurring directly on the device.

Additionally, agent-based security can support compliance initiatives by helping organizations enforce security policies at the operating system or endpoint-management level. This consistency is important for organizations handling sensitive data under regulatory or internal security requirements.

How Hexnode supports Agent-based security

Hexnode helps administrators manage enrolled endpoints through centralized policies, compliance checks, app management, and device management controls.

Posture and Compliance

Hexnode compliance policies help administrators evaluate enrolled devices against defined compliance criteria, including device encryption, password compliance, application compliance, OS attributes, and agent version where supported.

Policy-based Access Support

By integrating Hexnode with Microsoft Entra Conditional Access, Hexnode can share device compliance status with Microsoft Entra ID, enabling Conditional Access policies to enforce access decisions based on compliant devices.

Visibility and Compliance

Hexnode provides device information and compliance status, helping administrators identify devices that do not meet defined compliance criteria and take appropriate management actions.

Identity Integration

With Microsoft Entra Conditional Access, Hexnode can provide device compliance status so access policies can be enforced based on compliant devices.
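The compliance criteria listed under "Posture and Compliance" (encryption, password, application and OS attributes, agent version) and the Conditional Access flow described here can be shown end to end as a small evaluator. The Python below is an added illustration for this page, not Hexnode's or Microsoft's code: the `DevicePosture` and `CompliancePolicy` fields, the failure labels and the `access_decision` rule are all constructed names, not product settings. It goes one step beyond the listed criteria by also treating a device that has not checked in recently as non-compliant, since a stale report is not evidence of a healthy device.

```python
# Illustrative compliance evaluation and access decision (added example; the
# field names and rule names are constructed, not Hexnode or Entra settings).
from dataclasses import dataclass, field


@dataclass
class DevicePosture:
    """What an endpoint agent reports about its host (constructed fields)."""
    device_id: str
    os_name: str
    os_version: tuple          # e.g. (14, 2); tuples compare component-wise
    disk_encrypted: bool
    passcode_set: bool
    passcode_length: int
    installed_apps: frozenset
    agent_version: tuple
    hours_since_checkin: float


@dataclass
class CompliancePolicy:
    """Criteria a device must meet; mirrors the categories listed above."""
    require_encryption: bool = True
    passcode_min_length: int = 8
    min_os_version: dict = field(default_factory=dict)   # os_name -> version tuple
    blocked_apps: frozenset = frozenset()
    required_apps: frozenset = frozenset()
    min_agent_version: tuple = (1, 0, 0)
    max_hours_since_checkin: float = 24.0


def evaluate(device, policy):
    """Return every failed criterion, so admins see all gaps, not just the first."""
    failures = []
    if policy.require_encryption and not device.disk_encrypted:
        failures.append("disk_not_encrypted")
    if not device.passcode_set:
        failures.append("no_passcode")
    elif device.passcode_length < policy.passcode_min_length:
        failures.append("passcode_too_short")
    floor = policy.min_os_version.get(device.os_name)
    if floor is not None and device.os_version < floor:
        failures.append("os_below_minimum")
    for app in sorted(device.installed_apps & policy.blocked_apps):
        failures.append(f"blocked_app:{app}")
    for app in sorted(policy.required_apps - device.installed_apps):
        failures.append(f"missing_app:{app}")
    if device.agent_version < policy.min_agent_version:
        failures.append("agent_outdated")
    # A device that stopped reporting cannot be assumed compliant.
    if device.hours_since_checkin > policy.max_hours_since_checkin:
        failures.append("stale_checkin")
    return {"device_id": device.device_id, "compliant": not failures, "failures": failures}


def access_decision(report, require_compliant_device=True):
    """Conditional-access style rule: allow only when the device is reported compliant."""
    if not require_compliant_device:
        return "allow"
    return "allow" if report["compliant"] else "block"


# Constructed sample policy and postures.
POLICY = CompliancePolicy(
    min_os_version={"macos": (14, 0), "windows": (10, 0, 19045)},
    blocked_apps=frozenset({"torrent-client"}),
    required_apps=frozenset({"edr-agent"}),
    min_agent_version=(2, 3, 0),
)
LAPTOP_OK = DevicePosture("lt-001", "macos", (14, 2), True, True, 10,
                          frozenset({"edr-agent", "browser"}), (2, 4, 1), 2.0)
LAPTOP_BAD = DevicePosture("lt-002", "windows", (10, 0, 19044), False, True, 6,
                           frozenset({"torrent-client"}), (2, 1, 0), 72.0)


def run_demo():
    """Evaluate both sample devices and derive an access decision for each."""
    out = {}
    for device in (LAPTOP_OK, LAPTOP_BAD):
        report = evaluate(device, POLICY)
        out[device.device_id] = {"report": report, "access": access_decision(report)}
    return out


if __name__ == "__main__":
    for device_id, result in run_demo().items():
        print(device_id, result["access"], result["report"]["failures"])
```

Reporting the full failure list rather than a single boolean is what makes the "identify devices that do not meet criteria and take action" step practical: the administrator can see whether a block is caused by a missing update, a missing agent, or a device that simply went quiet.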

FAQs

Do endpoint agents slow down the device?

Modern endpoint agents are generally designed to minimize performance impact through optimized scheduling and resource management. However, the impact may vary depending on device hardware, workload, scan intensity, and software compatibility.

Is agent-based security better than agentless security?

Neither approach is universally better. Organizations often prefer agent-based security for managed laptops and servers that require continuous endpoint telemetry. Conversely, they choose agentless approaches for devices or environments where installing an agent is impractical, such as IoT devices, printers, or cloud resources.

Do agents still work when the device is offline?

Some endpoint agents can continue enforcing cached policies or local protection rules while offline. However, reporting, cloud-based lookups, updates, and certain response actions typically require internet connectivity.