Features

Comprehensive Windows monitoring, diagnostics, and fleet management

Core Platform

Cloud Dashboard

A single-page web application providing centralized visibility into your entire Windows and Linux infrastructure. Sign in with email + password, social providers (Google, Microsoft), or your organization's enterprise IdP, and access everything from any browser.

  • Real-Time Agent Fleet View — Monitor all deployed agents with online/offline status, CPU/memory usage, and color-coded health indicators refreshing every 60 seconds
  • Workspace & Organization Switcher — Each customer team gets a workspace at its own subdomain (e.g. acme.etducky.com) with one or more Clerk organizations inside it. The org picker lists only organizations from the current workspace; workspace-level invites cascade automatically into every org so adding a teammate is one step instead of one-per-org
  • Dashboard Summary Cards — At-a-glance subscription status, query usage with progress bars, agent seat utilization with contributor breakdown, and quick action buttons
  • Verified Domains & Single Sign-On — Workspace admins can verify control of a custom domain via a DNS TXT record, then enable one-click Microsoft 365 / Entra ID single sign-on for that domain. Subsequent sign-ins from @yourdomain.com route through your IdP automatically. Each customer's users authenticate against their own Microsoft tenant; identity is never shared between customers. Custom SAML for Okta, OneLogin, JumpCloud, and other IdPs is on the roadmap.
  • Domain-Aware Signup — When a new user signs up from a business email at a domain that's already on ET Ducky, they're shown a pending join-request banner pointing at the existing workspace rather than landing on a parallel one. SSO-enabled domains skip the manual approval step entirely — Clerk's just-in-time provisioning adds them as a member automatically.
  • Reserved Slug Protection — Workspace slugs (the acme in acme.etducky.com) are gated against a denylist that covers ET Ducky platform infrastructure, security primitives, big-tech trademarks, and IT-vendor brand names. Trademark holders can claim their matching slug after verifying the corresponding domain.
  • Client-Side Routing — SPA with browser history integration for fast navigation between Dashboard, Agents, Alerts, Team, and Settings pages

AI-Powered Diagnostics

Every diagnostic workflow is powered by Claude AI from Anthropic. Ask questions in plain English and receive expert-level root cause analysis.

  • Natural Language Queries — No query syntax to learn; ask questions like “Why is SQL Server failing to start?” or “What’s causing high CPU right now?”
  • Local Correlation Engine — Agents process raw ETW events locally, filtering out PII and proprietary data before building a structured query—only sanitized diagnostic findings are sent to AI
  • Context-Aware Responses — AI understands the full system context including running processes, services, network state, and recent changes
  • Actionable Recommendations — Every response includes specific remediation steps, not just diagnosis
  • Conversation History — Up to 10 turns of context for follow-up questions within a session

Dynamic Diagnostics Engine

Before answering a guided troubleshooting question, ET Ducky runs an AI-driven multi-round ETW investigation against the target host. The AI picks which providers to enable per round, the engine enforces hard safety caps the AI can't bypass, and raw events never leave the host. The architecture is the substantive product differentiator — nobody else (that we're aware of) is orchestrating the ETW session layer with an AI in the loop.

  • Per-Agent Provider Catalog — Each agent reports its full ETW provider inventory (~1,500–2,500 providers) on startup. The AI plans against the actual catalog of the target host, not against a hardcoded short list.
  • Round-Based Hypothesis Loop — The AI enables a handful of providers, captures briefly, reads the counts-only snapshot, decides which providers to add or drop next, and re-plans. Investigations run five rounds by default with a hard ceiling of ten, each with a 10–120 second capture window.
  • Engine-Enforced Budget Caps — Hard limits on concurrent providers (16), events/sec per session (25,000), events/sec across all diagnostic sessions on the host (50,000), buffer memory (64 MiB), and concurrent investigations per host (4). Observed-rate excursions trigger automatic emergency scale-back.
  • Data Stays on the Host — Raw events from diagnostic sessions never travel to the cloud. The engine counts events into a per-(provider, event id, task, opcode) tally on the agent; only the counts-only summary is uploaded. Tear-down purges all buffers.
  • Two-Session Isolation — The diagnostic session uses a separate TraceEventSession pair with a unique per-investigation name — never the always-on baseline. The two share no state.
  • Remediation Handoff — When an investigation concludes with a known fix, the AI generates a PowerShell or Bash remediation script and submits it to your org's Process Automations approval flow. Org-admin approval gates execution; no AI-proposed action runs autonomously.
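The privacy and budget properties described above (a per-(provider, event id, task, opcode) tally, an events/sec cap, emergency scale-back) are easy to state and worth seeing in code. The following is an added example written for this page, not code from the ET Ducky agent: it reduces a constructed event list to a counts-only summary and scales back when the observed rate exceeds a cap. The event field names, the Payload field standing in for raw event data, and the sample itself are assumptions of the example; the cap defaults are the figures quoted on this page.

```powershell
function Get-CountsOnlySummary {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MaxProviders    = 16,      # page figure: concurrent providers per session
        [int] $MaxEventsPerSec = 25000    # page figure: events/sec per session
    )

    $providers = @($Events | Select-Object -ExpandProperty Provider -Unique)
    if ($providers.Count -gt $MaxProviders) {
        throw "Plan enables $($providers.Count) providers; the engine cap is $MaxProviders"
    }

    $tally       = @{}   # 'provider|id|task|opcode' -> count (the only thing that leaves the host)
    $perSecond   = @{}   # second -> events observed, for the rate check
    $perProvider = @{}   # provider -> events observed, to choose what to drop on scale-back

    foreach ($e in $Events) {
        # Note what is NOT read here: $e.Payload never reaches the summary.
        $key = '{0}|{1}|{2}|{3}' -f $e.Provider, $e.Id, $e.Task, $e.Opcode
        $tally[$key]              = 1 + [int]$tally[$key]
        $perProvider[$e.Provider] = 1 + [int]$perProvider[$e.Provider]
        $sec = [int][math]::Floor($e.Timestamp)
        $perSecond[$sec]          = 1 + [int]$perSecond[$sec]
    }

    $peak    = ($perSecond.Values | Measure-Object -Maximum).Maximum
    $dropped = @()
    if ($peak -gt $MaxEventsPerSec) {
        # Observed-rate excursion: emergency scale-back drops the noisiest provider from the next round.
        $noisiest = $perProvider.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 1
        $dropped  = @($noisiest.Key)
    }

    $rows = foreach ($entry in $tally.GetEnumerator()) {
        $p = $entry.Key -split '\|'
        [pscustomobject]@{ Provider = $p[0]; Id = [int]$p[1]; Task = $p[2]; Opcode = $p[3]; Count = $entry.Value }
    }

    [pscustomobject]@{
        Rows             = @($rows | Sort-Object Count -Descending)
        PeakEventsPerSec = $peak
        DroppedProviders = $dropped
    }
}

# Constructed capture (not real ETW output): a burst of file-I/O events inside one second,
# plus a trickle of process-start events. Payload stands in for the raw event data.
$sample = foreach ($i in 1..300) {
    [pscustomobject]@{ Provider = 'Microsoft-Windows-Kernel-File'; Id = 12; Task = 'Create'; Opcode = 'Info'
                       Timestamp = $i / 1000; Payload = "C:\Users\alice\Documents\contract$i.docx" }
}
$sample += foreach ($i in 1..5) {
    [pscustomobject]@{ Provider = 'Microsoft-Windows-Kernel-Process'; Id = 1; Task = 'ProcessStart'; Opcode = 'Start'
                       Timestamp = 1 + $i; Payload = 'cmd.exe /c whoami' }
}

# A 200 events/sec cap makes the excursion visible on this small sample; the agent's real cap is 25,000.
$summary = Get-CountsOnlySummary -Events $sample -MaxEventsPerSec 200
$summary.Rows | Format-Table -AutoSize
'Peak {0} events/s; scaled back: {1}' -f $summary.PeakEventsPerSec, ($summary.DroppedProviders -join ', ')
```

The point to check in your own implementation is the loop body: nothing but the four tally keys and a timestamp is read from each event, so a bug elsewhere cannot leak a path, command line or registry value into the upload.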

Two Agent Types

Managed Agents — Full Power

  • Windows Service running as Local System with auto-start
  • Full ETW event collection with 30+ configurable providers
  • Live Sessions with AI queries, approved script execution, and file transfers
  • Browser-based Remote Desktop with screen capture, input injection, and clipboard sync
  • Remote configuration push, alert evaluation, multi-agent correlation
  • Security posture monitoring — AV status & definition age, firewall, BitLocker, UAC, and Secure Boot reported in every heartbeat
  • Anomaly-triggered diagnostics — metric inflection detection immediately flushes the ETW buffer when a spike occurs so the cause is captured alongside the alert
  • Behavioral ransomware detection & auto-isolation — Always-on ETW monitor detects encryption sweeps, shadow copy deletion, backup sabotage, and suspicious process ancestry; automatically applies firewall isolation on high-confidence detection
  • Starting at $5/agent/month with volume discounts down to $2/agent

Desktop Agents — Free & Lightweight

  • User-mode application starting with login session
  • ~30–50 MB RAM, <1% CPU — zero cost, unlimited deployment
  • Includes the ET Ducky Documentation recorder shortcut for auto-generating KB articles from ETW recordings

KB Documentation

A built-in knowledge base scoped to your organization. Articles can be auto-generated from ETW recordings of procedures, imported from Markdown files, or written manually. Each article supports per-member read/edit permissions, inline screenshots captured during the procedure recording, and an Assign Update action that creates a ticket in any team member's queue to request a review.

  • Documentation Recorder — Desktop shortcut that captures ETW events while you perform a procedure. Uses foreground window tracking to filter out background app noise. Hotkey screenshot capture (Ctrl+Shift+S by default, user-configurable) embeds images inline at the correct procedure step.
  • AI Generation — The event timeline and your description are sent to Claude, which produces a structured article (Overview, Prerequisites, Procedure, Expected Results) with screenshots placed at the steps they document.
  • Organization Template — Admins can upload a formatting template; all auto-generated articles mirror its structure and style.
  • Ticket-Based Update Workflow — The Assign Update action creates a native ticket assigned to a team member with a request to review, update, or replace the article.

Flexible Pricing

  • BYOK (Free) — Bring your own Anthropic API key for unlimited AI queries at zero subscription cost
  • Professional ($39/mo) — 1,000 queries/month with 20 free agent seats per subscribed user
  • Business ($99/mo) — 5,000 queries/month for growing teams
  • Enterprise ($249/mo) — 50,000 queries/month with premium support
  • Volume Discounts — Agent seat pricing drops from $5 to $2/seat as you scale
  • Annual Billing — Save 15% on subscriptions and agent seats
  • Organization Quota Pooling — All team members share the same query pool and agent seats

Demo Videos

Watch ET Ducky in action — from platform enrollment and agent deployment to live troubleshooting and root-cause analysis.

More videos

Feature walkthroughs and deep dives from the ET Ducky channel.

How to Configure & Connect to a Distribution Hub
Agent Health Metric Inflection Root-Cause Analysis
Health Inflection Root-Cause Analysis
Device Isolation & Isolation Lift
Desktop: How to Generate Documentation
GitHub Repo Script Import
Automated Documentation

Monitoring & Health

Real-Time Health Metrics

Every agent reports health metrics every 30 seconds, displayed in the Agents table and agent Properties modal with automatic color-coded thresholds.

  • CPU Usage — System-wide utilization with green/yellow/red indicators (<60% / 60–85% / >85%)
  • Memory Usage — Physical memory utilization with same color thresholds
  • Disk Space — All mounted volumes with usage percentages and free space remaining
  • Network — Bytes sent/received and active connection counts
  • Process List & Service Status — Running processes and Windows service states (toggleable via Remote Configuration)

ETW Event Collection

30+ configurable Event Tracing for Windows providers across kernel, user-mode, and performance categories.

Kernel Providers

  • File System I/O, File System Initialization, Process & Thread, Image Load, Registry, Network TCP/IP, Network UDP, Memory Management, Driver Operations, Object Handles, Process Counters

User-Mode Providers

  • .NET Runtime, .NET Exceptions, DNS Client, WinHTTP, TCP/IP, Windows Error Reporting, Shell Core, LDAP Client, Group Policy, Windows Firewall, SQL Server, PowerShell, Task Scheduler, Certificate Services, Print Service

Performance & Diagnostics

  • Performance Counters, Diagnostic Policy Service, Timer Events, Wait Analysis

Three Collection Modes

Mode            | ETW Events                    | CPU Impact | RAM        | Use Case
Health Only     | None                          | <1%        | ~50 MB     | Always-on production monitoring
On-Demand       | Configured providers (timed)  | 5–10%      | 50–150 MB  | Targeted troubleshooting
Full Monitoring | All enabled (continuous)      | 8–15%      | 100–200 MB | Critical incident investigation

Live Sessions automatically start and stop collection. On-Demand mode auto-returns to Health Only when the timer expires.

Data Retention

  • Raw Metrics: 30 days of detailed data points
  • Aggregated Data: 90 days of hourly averages
  • Long-Term Trends: 1 year of daily summaries
  • Interactive time-series charts with zoom, multi-agent comparison, and CSV export

Live Sessions

Three-Tab Diagnostic Modal

Start a live session with any online agent to open a real-time diagnostic modal connected via Server-Sent Events (SSE). The three tabs below cover interactive use; a fourth, Guided Troubleshooting, is described under Run Troubleshooting.

Query Tab — AI-Powered Diagnostics

  • Chat-style interface for natural language questions about the agent’s state
  • Agent collects ETW events, correlates locally (filtering PII and proprietary data), and sends structured findings to Claude AI
  • Responses include diagnostic findings, root cause analysis, and actionable recommendations
  • Up to 10 turns of conversation context for follow-up questions
  • Press Enter to send, Shift+Enter for new line

Shell Tab — Approved Script Execution

  • Script-Only Execution — ad-hoc commands are disabled; all commands must reference an administrator-approved script from the organization’s script repository
  • Script Approval Workflow — when a script is created or edited, a review ticket is automatically generated for ET Ducky administrators. Scripts remain in “pending review” status until approved. Rejected scripts display the rejection reason.
  • Tamper Detection — approved scripts are SHA-256 hashed at approval time; any modification resets the script to pending review and requires re-approval
  • Script Dropdown — browse approved scripts by category with one-click execution; unapproved scripts are visible but disabled
  • Script Manager — create, edit, and organize scripts with categories and descriptions; system/global scripts are pre-approved
  • PowerShell / CMD support — scripts can target either execution engine
  • Terminal-style output with exit codes, stdout, and stderr
  • Rate limited to 30 commands per user per organization per hour
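The tamper-detection rule above (hash at approval, demote on any change) has one subtlety a practitioner should get right: the bytes you hash must be the bytes you execute, or a file swap between the check and the run defeats the check. The following is an added example for this page, not the ET Ducky script manager; the in-memory $Registry store and the script written under $env:TEMP are constructed for the demonstration.

```powershell
$Registry = @{}   # script path -> @{ Sha256 = ...; Status = 'approved' | 'pending' }  (constructed store)

function Get-Sha256Hex([byte[]]$Bytes) {
    $sha = [Security.Cryptography.SHA256]::Create()
    try { ([BitConverter]::ToString($sha.ComputeHash($Bytes))) -replace '-', '' } finally { $sha.Dispose() }
}

function Approve-Script {
    param([Parameter(Mandatory)][string]$Path)
    $hash = Get-Sha256Hex ([IO.File]::ReadAllBytes($Path))
    $Registry[$Path] = @{ Sha256 = $hash; Status = 'approved' }
}

function Invoke-ApprovedScript {
    param([Parameter(Mandatory)][string]$Path)
    $record = $Registry[$Path]
    if (-not $record -or $record.Status -ne 'approved') { throw "Refused: '$Path' is not an approved script" }
    # Read once, hash those bytes, execute those same bytes. Hashing the file and then
    # re-reading it to run would leave a window in which the file could be replaced.
    $bytes = [IO.File]::ReadAllBytes($Path)
    if ((Get-Sha256Hex $bytes) -ne $record.Sha256) {
        $record.Status = 'pending'   # modified after approval: demote and refuse
        throw "Refused: '$Path' changed since approval (SHA-256 mismatch); re-approval required"
    }
    & ([scriptblock]::Create([Text.Encoding]::UTF8.GetString($bytes)))
}

$script = Join-Path $env:TEMP 'disk-report.ps1'
Set-Content -Path $script -Value 'Get-PSDrive -PSProvider FileSystem | Select-Object Name, Used, Free'
Approve-Script -Path $script
Invoke-ApprovedScript -Path $script                                           # runs the approved content

Add-Content -Path $script -Value 'Remove-Item C:\Backups -Recurse -Force'    # an edit after approval
try { Invoke-ApprovedScript -Path $script } catch { Write-Warning $_ }         # refused, record demoted
$Registry[$script].Status
```

The second invocation is refused and the registry entry reads pending, which is the behaviour the Script Approval Workflow describes; the script never runs in its edited form.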

Files Tab — Bidirectional Transfers

  • Push File: Pick a file from your computer and the agent receives it. The agent always writes pushed files to C:\ProgramData\ETDucky\Agent\Downloads\<filename> — no destination prompt, no way to override the location. This is enforced by the agent for security.
  • Pull File: Request a file from the agent by source path. The agent will only return files under C:\ProgramData\ETDucky\Agent\; any other path is rejected with "Source path not allowed by agent policy." A Download button appears on completion to save the result locally.
  • 1 MB chunk transfers with integrity verification (FileReader-based encoding handles arbitrarily large files without browser stack limits)
  • Real-time progress bars; max 2 concurrent transfers
  • Broadcast Push: The Files tab defaults to All Selected — one push uploads to every agent in your selection; each agent receives its own transfer record. Pull is single-agent only.
  • Transfer history is automatically cleared when the session modal is closed
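The Pull File policy above is only as strong as the path comparison behind it. The following is an added example, not the agent's own code, showing the check a practitioner would expect: the source path is normalised (so `..` segments and forward slashes cannot escape the root) before the prefix test, the prefix keeps its trailing separator so a sibling directory such as Agent-backup does not pass, and Push File discards any directory part the client supplies. The allowed root and the rejection message are the ones quoted on this page; the function names and test cases are constructed. Path semantics are Windows-specific.

```powershell
$AllowedRoot = 'C:\ProgramData\ETDucky\Agent\'             # page policy; trailing separator matters
$PushDir     = 'C:\ProgramData\ETDucky\Agent\Downloads\'   # page policy: fixed destination

function Test-PullPathAllowed {
    param([Parameter(Mandatory)][string]$SourcePath)
    # GetFullPath resolves '..', '.' and '/' lexically, without touching the filesystem.
    $full = [IO.Path]::GetFullPath($SourcePath)
    $full.StartsWith($AllowedRoot, [StringComparison]::OrdinalIgnoreCase)
}

function Resolve-PushDestination {
    param([Parameter(Mandatory)][string]$ClientFileName)
    # Only the leaf name is honoured; any directory part the client supplies is discarded.
    $leaf = [IO.Path]::GetFileName($ClientFileName)
    if ([string]::IsNullOrWhiteSpace($leaf)) { throw 'Invalid file name' }
    Join-Path $PushDir $leaf
}

# Constructed test cases.
$cases = @(
    'C:\ProgramData\ETDucky\Agent\logs\agent.log',             # inside the root
    'C:\ProgramData\ETDucky\Agent\..\..\..\Windows\win.ini',   # traversal out of the root
    'C:/ProgramData/ETDucky/Agent/Downloads/report.csv',       # forward slashes, still inside
    'C:\ProgramData\ETDucky\Agent-backup\secrets.txt'          # sibling that shares the prefix
)
foreach ($p in $cases) {
    if (Test-PullPathAllowed $p) { "ALLOW  $p" } else { "REJECT $p  (Source path not allowed by agent policy)" }
}
Resolve-PushDestination '..\..\Windows\System32\evil.dll'   # lands in the Downloads folder
```

Two caveats remain even with this check: a junction or symbolic link created inside the allowed root still resolves to wherever it points at open time, so the agent should also refuse reparse points, and NTFS alternate data streams (file.txt:stream) pass the prefix test unless they are rejected separately.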

Session Lifecycle

  • Start: Click Live Session → ETW collection starts automatically → SSE stream connects → the tabbed modal opens
  • During: Query AI, execute commands, transfer files — all in parallel
  • End: Click End Session → ETW stops → agent returns to previous mode
  • One active session per agent at a time

Remote Desktop

Browser-Based Remote Control

Take full remote control of any online agent directly from the ET Ducky dashboard — no VNC, no RDP client, no firewall rules. Connect with one click and interact with the agent’s desktop as if you were sitting in front of it.

  • One-Click Connect — Click “Remote” on any online agent row to launch a fullscreen remote desktop session
  • GPU-Accelerated Capture — DXGI Desktop Duplication API for high-performance screen capture with dirty-region tracking; automatic GDI+ fallback for RDP sessions or older GPUs
  • WebP & JPEG Encoding — Adaptive encoding via SkiaSharp with configurable quality (Low / Medium / High / Ultra); dirty regions sent individually to minimize bandwidth
  • Full Input Control — Mouse movement, clicks, scroll, and full keyboard injection via Win32 SendInput API with proper modifier key tracking
  • Bidirectional Clipboard Sync — Copy text on either end and paste on the other; uses Windows AddClipboardFormatListener for instant change detection
  • Smart Cursor Rendering — Agent detects cursor shape changes (pointer, text, resize, wait, etc.) and sends CSS cursor names; custom application cursors sent as PNG images
  • Multi-Monitor Support — Display selector in the toolbar when the agent has multiple monitors; switch between displays mid-session

Viewer Interface

The remote desktop viewer is a fullscreen modal with a collapsible toolbar providing real-time session controls and performance readouts.

  • Canvas Renderer — Hardware-accelerated HTML5 Canvas with offscreen compositing for dirty-region rendering at native resolution
  • Scale Modes — Fit (maintain aspect ratio), Stretch (fill viewport), or Native (1:1 pixel mapping with scrolling)
  • Quality Slider — Adjust encoding quality on the fly; changes take effect immediately
  • Keyboard Grab — Toggle to capture all keyboard shortcuts (Ctrl+Tab, Alt+F4, etc.) and forward them to the remote system instead of the local browser
  • Fullscreen Mode — True browser fullscreen for an immersive remote experience
  • Live Stats — Real-time FPS counter and bandwidth readout (KB/s or MB/s) in the toolbar
  • Connection Status — Color-coded indicator: amber (connecting), green (connected), red (disconnected)

Architecture & Performance

Remote desktop uses a WebSocket relay through the ET Ducky server. The server never decodes frame data — it forwards binary frames from agent to browser with zero processing overhead.

  • Data Flow: Agent captures screen → encodes to WebP/JPEG → sends binary frames over WebSocket → server relays unchanged → browser decodes on Canvas
  • Input Flow: Browser captures mouse/keyboard → sends JSON input messages → server relays → agent injects via SendInput
  • Latency: <50 ms on LAN, <150 ms on WAN
  • Frame Rate: 1–5 FPS idle, 15–30 FPS during active interaction, adaptive to bandwidth
  • Bandwidth: 0.5–2 Mbps (low quality) to 2–5 Mbps (high quality at 1080p)
  • Security: WSS (TLS-encrypted WebSocket), Clerk JWT authentication for browser, Agent ID + Org Key for agents, 15-minute idle timeout
  • Limits: 2 concurrent remote desktop sessions per organization

Multi-Agent Analysis

Fleet-Wide Diagnostics

Query multiple agents simultaneously to diagnose distributed issues, compare fleet health, and identify outliers.

  • Agent Selection Grid — Visual grid showing all org agents; online agents have checkboxes, offline agents are grayed out
  • Select All / Deselect All buttons for quick selection
  • Environment Filter — Show only Production, Staging, or Development agents
  • Parallel Query Distribution — Questions sent to all selected agents simultaneously
  • Agent Status Sidebar — Real-time status per agent: green (responding), yellow (waiting), red (failed)
  • Agent View Selector — Filter chat by specific agent or view all responses together
  • Skip Waiting Agents — Proceed without slow or unresponsive agents

Cross-Correlation Engine

After agents respond, trigger cloud-side analysis that compares findings across your fleet:

  • Common Patterns — Issues appearing across multiple systems
  • Outlier Behavior — Agents behaving differently from the rest
  • Shared Root Causes — Underlying issues affecting multiple systems simultaneously
  • Environmental Correlations — Patterns tied to specific environments or configurations
  • Auto-Correlate Toggle — Automatically run correlation after each query round
  • Export Results — Download the full transcript with all queries, responses, and analyses

Query Cost: 1 query per agent per question + 1 per device for correlation. Example: querying 5 agents with correlation = 10 queries.

Fleet Tools

Fleet Tools is a unified multi-agent operations modal for executing approved scripts and transferring files across many agents at once, without opening individual sessions.

Agent Selection & Filtering

  • Visual agent grid with online/offline status indicators and tag display
  • Select individual agents or use Select All / Deselect All for quick bulk selection
  • Filter builder with AND/OR logic across Agent Name, Environment, Tags, Agent Type, and Status fields

Shell Tab

  • Broadcast approved PowerShell or CMD scripts to all selected agents simultaneously, or target a single agent
  • Run As SYSTEM toggle for elevated execution
  • Live output console with color-coded stdout, stderr, and system messages per agent

Files Tab

  • Pull: Request a file from a specific agent by path; Download button appears on completion
  • Push: Upload a file to a specific agent, or select Push to All Selected to broadcast to all agents simultaneously — the file is read once and distributed in parallel
  • Transfer history is automatically cleared when Fleet Tools is closed

Common Scenarios

  • Distributed App Failures: Select web, app, and database tier agents to trace requests across tiers
  • Load Balancer Issues: Compare identical servers in a pool to find the problematic one
  • Active Directory: Correlate authentication events across domain controllers
  • Security Incidents: Track lateral movement and coordinated attack patterns
  • Performance Comparison: Identify outlier servers with degraded metrics

Alert System

Intelligent Monitoring

Automated alert system with AI-powered analysis monitors your infrastructure 24/7. The Alerts page provides a three-tab interface with auto-refresh every 30 seconds.

Alert History

  • Stat cards for Critical, Warning, Info, Active Total, and Resolved Today counts
  • Filter by status (Active/Acknowledged/Resolved) and severity (Critical/Warning/Info)
  • Alert cards with severity badge, time since triggered, rule name, agent name, and AI Analysis badge
  • Actions: Acknowledge, Resolve, View Details (with AI root cause analysis)

Alert Rule Builder

  • 11 Available Metrics: CPU %, Memory %, Disk %, Network Bytes Sent/Received, Active Connections, Agent Name/ID/Type/Tags/OS
  • 10 Operators: > ≥ < ≤ = != contains not_contains starts_with ends_with
  • AND/OR Condition Logic — Combine multiple conditions in a single rule
  • Duration Requirements — e.g., “CPU > 90% for 300 seconds” to avoid alerting on brief spikes
  • Severity Levels: Critical, Warning, Info
  • Enable/Disable Toggle without deleting rules
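The duration requirement is the part of a rule that is most often implemented wrongly (firing on the first sample over the threshold, or re-firing on every sample after that). The following is an added example, not the ET Ducky alert engine: it evaluates a rule of the shape the builder produces (AND/OR conditions using the operators listed above plus a duration) against a constructed series of 30-second health samples, fires once per episode only after the condition has held continuously for the full duration, and resolves on the first clean sample. The rule structure and sample field names are assumptions of the example.

```powershell
$Operators = @{
    '>'  = { param($a, $b) $a -gt $b };   '>=' = { param($a, $b) $a -ge $b }
    '<'  = { param($a, $b) $a -lt $b };   '<=' = { param($a, $b) $a -le $b }
    '='  = { param($a, $b) $a -eq $b };   '!=' = { param($a, $b) $a -ne $b }
    'contains'     = { param($a, $b) "$a".IndexOf([string]$b, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
    'not_contains' = { param($a, $b) "$a".IndexOf([string]$b, [StringComparison]::OrdinalIgnoreCase) -lt 0 }
    'starts_with'  = { param($a, $b) "$a".StartsWith([string]$b, [StringComparison]::OrdinalIgnoreCase) }
    'ends_with'    = { param($a, $b) "$a".EndsWith([string]$b, [StringComparison]::OrdinalIgnoreCase) }
}

function Test-RuleConditions {
    param([hashtable]$Rule, [object]$Sample)
    $results = foreach ($c in $Rule.Conditions) { & $Operators[$c.Operator] $Sample.($c.Metric) $c.Value }
    if ($Rule.Logic -eq 'AND') { $results -notcontains $false } else { $results -contains $true }
}

function Invoke-AlertRule {
    param([hashtable]$Rule, [object[]]$Samples)
    $since  = @{}   # agent -> time the conditions became continuously true
    $active = @{}   # agent -> $true while the alert is open (fire once per episode)
    foreach ($s in ($Samples | Sort-Object Time)) {
        if (-not (Test-RuleConditions -Rule $Rule -Sample $s)) {
            $since.Remove($s.Agent)                      # one clean sample resets the duration timer
            if ($active[$s.Agent]) {
                $active.Remove($s.Agent)
                [pscustomobject]@{ Agent = $s.Agent; Event = 'Resolved'; Time = $s.Time; Severity = $Rule.Severity }
            }
            continue
        }
        if (-not $since.ContainsKey($s.Agent)) { $since[$s.Agent] = $s.Time }
        $held = ($s.Time - $since[$s.Agent]).TotalSeconds
        if ($held -ge $Rule.DurationSeconds -and -not $active[$s.Agent]) {
            $active[$s.Agent] = $true
            [pscustomobject]@{ Agent = $s.Agent; Event = 'Fired'; Time = $s.Time; Severity = $Rule.Severity }
        }
    }
}

# "CPU > 90% for 300 seconds" on production agents, as the builder would express it (assumed shape).
$rule = @{
    Name = 'Sustained CPU on production'; Severity = 'Critical'; Logic = 'AND'; DurationSeconds = 300
    Conditions = @(
        @{ Metric = 'CpuPercent'; Operator = '>';        Value = 90 },
        @{ Metric = 'Tags';       Operator = 'contains'; Value = 'production' }
    )
}

# Constructed 30-second samples for three agents.
$t0 = [datetime]'2024-01-01T09:00:00'
$samples = @()
$samples += foreach ($i in 0..12) {   # web-01: pegged for six minutes, then recovers
    [pscustomobject]@{ Agent = 'web-01'; Tags = 'production,web'; Time = $t0.AddSeconds(30 * $i); CpuPercent = 95 }
}
$samples += [pscustomobject]@{ Agent = 'web-01'; Tags = 'production,web'; Time = $t0.AddSeconds(390); CpuPercent = 40 }
$samples += foreach ($i in 0..12) {   # web-02: a one-minute spike only; must not alert
    [pscustomobject]@{ Agent = 'web-02'; Tags = 'production,web'; Time = $t0.AddSeconds(30 * $i)
                       CpuPercent = $(if ($i -le 1) { 97 } else { 20 }) }
}
$samples += foreach ($i in 0..12) {   # db-01: pegged, but staging, so the tag condition excludes it
    [pscustomobject]@{ Agent = 'db-01'; Tags = 'staging,db'; Time = $t0.AddSeconds(30 * $i); CpuPercent = 99 }
}

Invoke-AlertRule -Rule $rule -Samples $samples | Format-Table -AutoSize
```

On this series only web-01 produces events: a Critical Fired at five minutes in, once the 300-second hold is satisfied, and a Resolved when the 40% sample arrives. web-02's spike and db-01's staging tag produce nothing.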

Notification Channels

  • Email, Slack, Microsoft Teams, Custom Webhooks
  • Test notifications to verify channel configuration
  • Enable/disable toggle, reusable across multiple rules

AI-Powered Alert Analysis

Every triggered alert receives automatic Claude AI analysis including:

  • Root cause identification and impact assessment
  • Immediate mitigation steps and long-term prevention recommendations
  • Confidence level for the analysis
  • Results cached 24 hours — similar alerts get instant insights

Automations

Event-Driven Automation Engine

Define rules that fire automatically when events happen across your fleet. Combine triggers, actions, and target scopes to build workflows that respond to infrastructure changes without manual intervention.

Trigger Types

  • Alert Fired — Runs when an alert rule triggers, with optional severity filter (Critical, Warning, Info)
  • New Agent Enrolled — Runs when a new agent registers with the organization
  • Agent Went Offline / Came Online — Runs on connectivity state changes
  • Scheduled (Cron) — Runs on a recurring UTC schedule using standard 5-field cron expressions
  • Manual — Triggered on demand from the Automations page via the Run Now button

Action Types

  • Run Org Script — Execute a script from the shared org script repository on target agents via the same SSE command channel used by Fleet Shell
  • Fire Webhook — Send HTTP requests (POST/PUT/GET) with custom headers and a JSON body template supporting variables like {{agentName}}, {{ruleName}}, {{triggerType}}
  • Send Notification — Notify org admins via email or fan out through configured alert webhook channels
  • Create Ticket — Automatically create an ET Ducky native ticket with a customizable summary template

Target Scopes

  • Triggering Agent — The specific agent that caused the event
  • All Agents — Every active agent in the organization
  • Tagged — Only agents matching a specific tag (integrates with the Agent Tags system)

Org Script Repository

The Automations page shares the same script library used by Live Sessions and Fleet Tools. Scripts are stored at the organization level with categories (Diagnostics, Maintenance, Security, Inventory, Compliance, Imported, Custom), and support PowerShell and CMD. System scripts are read-only; custom scripts can be created, edited, and deleted from any entry point.

Run Troubleshooting

Ticket-Driven Automated Diagnostics

Run automated troubleshooting for an agent using a linked ticket (ET Ducky, Jira, or ServiceNow) or a free-text description of the issue. The system starts a short live session, generates targeted ETW queries from the ticket or description, collects agent responses, and produces a consolidated report with optional push-back to the ticket.

  • From the Agents page — Open an agent’s details and click Run Troubleshooting next to Begin Query Session
  • From the Tickets page — Click Start live session next to any ticket; the live session opens directly to the Guided Troubleshooting tab with that ticket pre-selected
  • Ticket preview — When you select a ticket from the dropdown, a preview panel shows the ticket title, status, assignee, and full description so you have context before running
  • Describe issue — No ticket? Type or paste the issue (e.g. “High CPU,” “Login failures,” “Disk full”)
  • Run — AI proposes diagnostic actions one at a time; approve, edit, or skip each before it runs on the agent
  • Apply to ticket — When the job completes, select a ticket (pre-set if one was linked), optionally change its status (In Progress, Resolved, Closed), and click Apply to ticket to push the summary and update the status in one action

Manual vs. Run Troubleshooting

Manual troubleshooting uses the existing Live Session: you open the four-tab modal (Query, Shell, Files, Guided Troubleshooting) and ask questions yourself. The Shell tab executes administrator-approved scripts from your organization’s script repository. Guided Troubleshooting (the fourth tab) is ticket-driven: you provide context and the system proposes and runs diagnostics with your approval at each step. Both use the same agent session and AI pipeline; choose manual for interactive exploration or Guided Troubleshooting for ticket-driven audits.

Smart Reports

Natural Language Query Interface

Ask questions about your fleet in plain English and get instant visualizations. Smart Reports translates natural language into database queries, generates interactive Chart.js visualizations, and provides contextual follow-up suggestions.

  • Ask Anything — Type questions like “Show CPU usage over the past 24 hours” or “Which server has the highest memory usage?” and receive instant chart visualizations with data tables
  • AI-Powered Query Planning — Claude translates your question into optimized database queries across health metrics, events, agents, and sessions
  • Automatic Visualization — Results are rendered as line charts, bar charts, doughnut charts, stat cards, or tables based on the data shape. Switch between chart types with one click
  • Contextual Follow-Ups — After each query, the system suggests relevant follow-up questions based on the data pattern (e.g., identifying the server with the highest spike, comparing across the fleet)

Follow-Up Analysis with Cross-Source Correlation

Ask deeper follow-up questions about any chart and receive a detailed AI-powered narrative analysis. The system automatically runs 2–5 correlation queries across multiple data sources before streaming a professional technical analysis.

  • Multi-Source Correlation — When you ask “What was happening on that server when CPU spiked?”, the engine queries health metrics, event activity, top event providers, and fleet-wide comparisons
  • Streaming Analysis — Claude’s narrative streams token-by-token via SSE with live markdown rendering, so you see results as they are generated
  • Professional Reports — Analysis follows a structured format: Summary, Detailed Analysis, Root Cause, and Recommendations with specific timestamps and server names
  • Export to PDF — Export charts, data tables, and analysis narratives together as a print-ready PDF report

Data Sources & Exports

  • Health Metrics — CPU, memory, disk queue length, network throughput, and disk usage across all agents
  • Events — ETW events by provider, severity level, event ID, and keyword with time-series bucketing
  • Agents — Agent status, version, OS info, uptime, and registration details
  • Export Options — PNG chart images, CSV data downloads, and PDF reports with charts + analysis

Security

Behavioral Ransomware Detection

Every managed agent runs an always-on behavioral security monitor in a dedicated ETW kernel session (ETDucky_Security), completely separate from diagnostic sessions. It processes kernel events entirely in memory — no events are stored or transmitted — and only acts when behavioral patterns cross a detection threshold.

  • File Encryption Tracker — Watches FileIORename kernel events in real time. A single process renaming files to known ransomware extensions (.locked, .enc, .crypto, etc.) triggers detection at Medium confidence (10+ renames) escalating to Critical (50+)
  • Shadow Copy Deletion Detector — Any command matching vssadmin delete shadows, wmic shadowcopy delete, or PowerShell equivalents fires immediately at Critical confidence; silently deleting every shadow copy is a standard anti-recovery step and is almost never legitimate outside planned maintenance
  • Backup Sabotage Detector — Monitors sc.exe, net stop, and PowerShell commands targeting backup services (VSS, WBEngine, Veeam, Acronis), and registry writes that disable those services. Fires at Critical
  • Process Ancestry Detector — Maintains a live parent-child process map via the Process ETW provider. Detects suspicious spawn chains like winword.exe → cmd.exe or excel.exe → powershell.exe — signatures of macro-delivered loaders and living-off-the-land attacks
  • Per-Type Cooldown — Each detector has an independent cooldown (default: 5 minutes) to suppress alert storms while an incident is active
  • Kill Switch — Set SecurityMonitoring.Enabled = false in AgentConfig.json to disable the monitor without restarting the agent. Takes effect within 30 seconds
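The detectors above are threshold counters with a cooldown, and the interaction between the two is where implementations tend to go wrong: a naive cooldown would swallow the Critical escalation that arrives a few seconds after the Medium alert. The following is an added example, not the ET Ducky security monitor, running the rename tracker and the shadow-copy detector with a per-type cooldown over a constructed event stream. Thresholds (10 and 50 renames), the extension examples and the five-minute cooldown are the page's defaults; the event record shape, the regexes for the command lines, and the choice to let a higher-confidence escalation through the cooldown are assumptions of the example.

```powershell
$RansomExt  = @('.locked', '.enc', '.crypto')   # page examples; a real list is longer
$ShadowCmds = @(                                 # assumed regexes for the commands the page names
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'Win32_ShadowCopy.*(Delete|Remove-(Cim|Wmi)Instance)'
)
$Cooldown = [timespan]::FromMinutes(5)
$Level    = @{ Low = 0; Medium = 1; High = 2; Critical = 3 }

$renamesByProc = @{}   # process id -> renames to a ransomware extension
$lastAlert     = @{}   # detector type -> most recent alert (drives the cooldown)

function New-Alert {
    param([string]$Type, [string]$Confidence, [int]$ProcId, [string]$Image, [datetime]$At)
    $last = $lastAlert[$Type]
    # Per-type cooldown. Design choice here: an escalation to a higher confidence
    # (Medium -> Critical) is let through even inside the cooldown window.
    if ($last -and ($At - $last.Time) -lt $Cooldown -and $Level[$Confidence] -le $Level[$last.Confidence]) {
        return
    }
    $alert = [pscustomobject]@{ Time = $At; Type = $Type; Confidence = $Confidence; ProcId = $ProcId; Image = $Image }
    $lastAlert[$Type] = $alert
    $alert
}

function Invoke-BehaviorMonitor {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        switch ($e.Kind) {
            'FileIORename' {
                $ext = [IO.Path]::GetExtension($e.NewName).ToLowerInvariant()
                if ($RansomExt -contains $ext) {
                    $n = 1 + [int]$renamesByProc[$e.ProcId]
                    $renamesByProc[$e.ProcId] = $n
                    if     ($n -ge 50) { New-Alert 'FileEncryption' 'Critical' $e.ProcId $e.Image $e.Time }
                    elseif ($n -ge 10) { New-Alert 'FileEncryption' 'Medium'   $e.ProcId $e.Image $e.Time }
                }
            }
            'ProcessStart' {
                if ($ShadowCmds | Where-Object { $e.CommandLine -match $_ }) {
                    New-Alert 'ShadowCopyDeletion' 'Critical' $e.ProcId $e.Image $e.Time
                }
            }
        }
    }
}

# Constructed event stream (not a real ETW capture).
$t0 = [datetime]'2024-01-01T10:00:00'
$events = @([pscustomobject]@{ Kind = 'FileIORename'; Time = $t0; ProcId = 5000; Image = 'explorer.exe'
                               NewName = 'C:\Users\bob\Q1 report.docx' })                  # benign rename
$events += foreach ($i in 1..12) {
    [pscustomobject]@{ Kind = 'FileIORename'; Time = $t0.AddSeconds($i); ProcId = 4120; Image = 'updater.exe'
                       NewName = "C:\Users\bob\Documents\file$i.docx.locked" }
}
$events += [pscustomobject]@{ Kind = 'ProcessStart'; Time = $t0.AddSeconds(13); ProcId = 4130; Image = 'vssadmin.exe'
                              CommandLine = 'vssadmin.exe delete shadows /all /quiet' }
$events += foreach ($i in 13..52) {
    [pscustomobject]@{ Kind = 'FileIORename'; Time = $t0.AddSeconds($i); ProcId = 4120; Image = 'updater.exe'
                       NewName = "C:\Users\bob\Documents\file$i.docx.locked" }
}
$events += [pscustomobject]@{ Kind = 'ProcessStart'; Time = $t0.AddSeconds(60); ProcId = 4140; Image = 'cmd.exe'
                              CommandLine = 'cmd /c vssadmin delete shadows /all' }        # inside the cooldown

Invoke-BehaviorMonitor -Events $events | Format-Table -AutoSize
```

Run on this stream the monitor reports three alerts: FileEncryption at Medium on the tenth rename, ShadowCopyDeletion at Critical on the first vssadmin launch, and FileEncryption at Critical on the fiftieth rename. Renames eleven through forty-nine and the second vssadmin launch are absorbed by the cooldown; the explorer.exe rename to .docx never counts.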

Automatic Network Isolation

When a behavioral detection reaches or exceeds the configured minimum confidence (default: High), the agent immediately sets the Windows Firewall default outbound action to Block across every profile (Domain, Private, Public) and adds Allow rules for the agent process, etducky.com, DNS, loopback, and any operator-configured EDR vendors. The combined effect is that everything outbound is denied except those explicit exceptions, so the dashboard keeps reaching the agent while everything else loses connectivity. Isolation happens before the security ticket is submitted so the ticket records the isolation state as part of the evidence.

What triggers auto-isolation. Five behavioral detectors (the four above plus mass file deletion) continuously analyze kernel ETW events; any of them raising an alert at High or above trips isolation:

  • File encryption sweeps — Mass extension-change renames in a short window (configurable threshold, ~20 in 30 s by default). Classic crypto-locker pattern.
  • Shadow copy deletion — vssadmin delete shadows, wmic shadowcopy delete. Anti-recovery moves.
  • Backup service sabotage — Registry writes setting Start=4 on backup-service keys (disabling Veeam, Acronis, Windows Server Backup, etc.).
  • Suspicious process ancestry — Office-macro-style execution chains like winword.exe → cmd.exe → powershell.exe.
  • Mass file deletion — Bulk delete activity at scale.
  • Instant response — Profile default flip and allow rules applied within milliseconds of detection, before an encryption sweep can complete or lateral movement can begin
  • Dashboard-visible — The SSE channel to the agent remains active through the etducky.com firewall exception, so the agent stays reachable from the dashboard even while fully isolated
  • Automatic security ticket — A ticket is submitted to your organization with the alert type, triggering process, PID, confidence level, and event timeline
  • Manual isolation — Proactively isolate any agent from the Agent Details modal (“Isolate” button) without waiting for automatic detection — useful during incident response or investigation
  • Stale rule recovery — On startup, the agent reconciles against a persisted isolation state file: legitimate isolation survives reboot, accidental leftover rules from a crash are cleaned up, and a stuck Block default with no rules is recovered to the original outbound policy automatically
  • Configurable — Set SecurityMonitoring.AutoIsolateOnHighConfidence = false to disable auto-isolation entirely (alerts still fire, an operator must isolate manually). Set SecurityMonitoring.AutoIsolateMinConfidence = Critical to raise the bar without disabling.
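The isolation policy above maps directly onto Windows Firewall's per-profile default outbound action plus a small group of Allow rules, and the stale-rule recovery depends on persisting the pre-isolation policy before anything is changed. The following is an added example for this page, not the agent's NetworkIsolationService: it uses the built-in NetSecurity cmdlets to save the current policy to a state file, add the Allow rules, flip every profile to Block, restore on lift, and reconcile on startup. The agent path, the state-file location and the function names are assumptions. One practical detail the page's wording glosses over: firewall rules are matched on addresses, not host names, so etducky.com has to be resolved to IP addresses when the cloud rule is written (and re-resolved if the endpoint moves). Requires an elevated prompt, and it changes live firewall state when the functions are called.

```powershell
#Requires -RunAsAdministrator
$StateFile = 'C:\ProgramData\ETDucky\Agent\isolation-state.json'   # assumed location
$AgentExe  = 'C:\Program Files\ETDucky\Agent\ETDucky.Agent.exe'     # assumed path
$RuleGroup = 'ETDucky Isolation'
$Profiles  = 'Domain', 'Private', 'Public'

function Set-IsolationRules {
    param([string[]]$CloudAddresses, [string[]]$ExtraPrograms)
    Remove-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue   # makes re-apply idempotent
    $common = @{ Group = $RuleGroup; Direction = 'Outbound'; Action = 'Allow'; Profile = 'Any' }
    New-NetFirewallRule @common -DisplayName 'ETDucky agent'    -Program $AgentExe | Out-Null
    New-NetFirewallRule @common -DisplayName 'ETDucky cloud'    -RemoteAddress $CloudAddresses -Protocol TCP -RemotePort 443 | Out-Null
    New-NetFirewallRule @common -DisplayName 'ETDucky DNS'      -Protocol UDP -RemotePort 53 | Out-Null
    New-NetFirewallRule @common -DisplayName 'ETDucky loopback' -RemoteAddress '127.0.0.1', '::1' | Out-Null
    foreach ($p in ($ExtraPrograms | Where-Object { $_ })) {    # operator-configured EDR binaries
        New-NetFirewallRule @common -DisplayName "ETDucky EDR $(Split-Path $p -Leaf)" -Program $p | Out-Null
    }
}

function Enter-Isolation {
    param([Parameter(Mandatory)][string[]]$CloudAddresses,   # resolved addresses of etducky.com
          [string[]]$ExtraPrograms = @())
    if (Test-Path $StateFile) { return }   # already isolated; never overwrite the saved policy
    # 1. Persist the pre-isolation policy before changing anything, so a crash is recoverable.
    $saved = Get-NetFirewallProfile -Name $Profiles | ForEach-Object {
        @{ Name = $_.Name; DefaultOutboundAction = [string]$_.DefaultOutboundAction }
    }
    @{ IsolatedAt = (Get-Date).ToString('o'); CloudAddresses = $CloudAddresses
       ExtraPrograms = $ExtraPrograms; Profiles = $saved } | ConvertTo-Json -Depth 3 | Set-Content -Path $StateFile
    # 2. Allow rules first, 3. then the Block default: the agent's own channel never drops.
    Set-IsolationRules -CloudAddresses $CloudAddresses -ExtraPrograms $ExtraPrograms
    Set-NetFirewallProfile -Name $Profiles -DefaultOutboundAction Block
}

function Exit-Isolation {
    # Call only after the on-device approval the page describes has been granted.
    if (Test-Path $StateFile) {
        $state = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
        foreach ($p in $state.Profiles) {
            Set-NetFirewallProfile -Name $p.Name -DefaultOutboundAction $p.DefaultOutboundAction
        }
        Remove-Item -Path $StateFile
    }
    Remove-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue
}

function Repair-IsolationState {
    # Startup reconciliation. State file present: isolation is legitimate, re-apply it after a reboot.
    # No state file but leftover rules or a Block default: a crash mid-change, clean it up.
    if (Test-Path $StateFile) {
        $state = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
        Set-IsolationRules -CloudAddresses @($state.CloudAddresses) -ExtraPrograms @($state.ExtraPrograms)
        Set-NetFirewallProfile -Name $Profiles -DefaultOutboundAction Block
        return
    }
    $leftover = Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue
    $stuck    = Get-NetFirewallProfile -Name $Profiles | Where-Object { "$($_.DefaultOutboundAction)" -eq 'Block' }
    if ($leftover -or $stuck) {
        Remove-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue
        # Without a state file the original policy is unknown; NotConfigured defers to Group Policy
        # or the platform default (Allow). This fallback is an assumption of the example.
        Set-NetFirewallProfile -Name $Profiles -DefaultOutboundAction NotConfigured
    }
}

# Usage (not executed here): resolve the cloud endpoint, then isolate.
# Enter-Isolation -CloudAddresses ([Net.Dns]::GetHostAddresses('etducky.com') | ForEach-Object IPAddressToString)
```

Two caveats for anyone adapting this. The "stuck Block default" heuristic in Repair-IsolationState cannot distinguish a crashed isolation from an organisation that deliberately runs an outbound-deny firewall, so on such hosts the reconciliation must key off the rule group or the state file alone. And because only the agent binary is allowed out, a ransomware process that injects into the agent, or that is launched by the agent's script runner, inherits the exception; that is one reason the page's restricted-operations list blocks script execution while isolated.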

Isolation Lifecycle & Dashboard State

The dashboard tracks each agent's isolation as a small state machine so operators see what's actually happening, not just what was clicked:

  • Normal — No badge. Outbound traffic flows under your firewall's pre-isolation policy.
  • Isolating (pulsing amber) — Cloud has pushed the isolate command; awaiting the agent's acknowledgement that rules are applied. Typically resolves in 1–2 seconds.
  • Isolated (solid red) — Agent has confirmed isolation. Network is locked down; only the explicit allow list reaches the outside.
  • Unisolating (pulsing amber) — Lift command sent; the agent is showing the on-device approval prompt to the logged-in user. Up to 5 minutes for the user to decide.
  • Command timeout toast — If an isolating or unisolating state hasn't resolved within 5 minutes the cloud-side reaper reverts it (back to normal if the isolate never landed, back to isolated if the unisolate approval was never returned) and surfaces a notification to the dashboard. Operator can retry the command.

Hardening: Restricted Operations While Isolated

When an agent is in any non-normal isolation state, the cloud refuses admin-initiated commands that could be used to bypass the dual-party lift flow. This is the primary defense against a compromised dashboard admin account routing around isolation by simply telling the agent to undo it.

The following actions are blocked on an isolated agent (the dashboard returns a 409 Conflict with a clear “agent is currently isolated” message):

  • Shell commands (ad-hoc and through an interactive shell session)
  • Script execution (single-agent and multi-agent — isolated targets skipped from a fleet run)
  • Live troubleshooting sessions (single and multi-agent)
  • Remote desktop sessions
  • File push to agent / file pull from agent
  • ETW collection start (collection stop remains allowed for cleanup)
  • Configuration push, agent restart, configuration reset
  • Agent uninstall

The agent itself also refuses the same SSE events (defense-in-depth) — even if a command reached the agent through a future bug or message-bus race, NetworkIsolationService.IsIsolated == true would cause the dispatcher to drop it. Heartbeats, isolation lift commands, and operational telemetry continue to flow normally.

What this protects against. A compromised dashboard admin (phishing, session theft) wanting to lift isolation without the on-device user's knowledge has no path to do so — every system-level action they could have used to bypass the agent's local firewall enforcement is blocked at the cloud edge.
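The isolation state machine and the command gate described in the two sections above fit together in a few dozen lines. The model below is an added example for this page, not the ET Ducky cloud code: the four states, the 5-minute reaper, the 409 Conflict response and the blocked-command list follow the page; the short command names, the injected clock values and the `CommandRejected` exception are assumptions made so the example runs stand-alone.

```python
"""Isolation lifecycle plus the gate on admin-initiated commands, as a model.

Added illustration, not ET Ducky's cloud code. State names, the 5-minute
timeout and the blocked command list follow the page; the command names,
the explicit 'now' arguments and CommandRejected are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

COMMAND_TIMEOUT_S = 5 * 60   # page: reaper reverts unresolved transitions after 5 minutes

# Refused by the cloud while the agent is in any non-normal state (page list).
BLOCKED_WHILE_ISOLATED = {
    "shell", "script", "troubleshoot", "remote_desktop", "file_push", "file_pull",
    "etw_start", "config_push", "agent_restart", "config_reset", "uninstall",
}
# Still allowed: the lift flow, heartbeats/telemetry, and ETW stop for cleanup.
ALWAYS_ALLOWED = {"unisolate", "heartbeat", "telemetry", "etw_stop"}


class CommandRejected(Exception):
    """Stands in for the dashboard's 409 Conflict response."""
    status = 409


@dataclass
class AgentIsolation:
    state: str = "normal"                 # normal | isolating | isolated | unisolating
    pending_since: Optional[float] = None  # when the current transition was requested
    log: list = field(default_factory=list)

    # Operator or detector actions -------------------------------------------
    def isolate(self, now: float):
        if self.state != "normal":
            raise CommandRejected("agent is currently isolated")
        self.state, self.pending_since = "isolating", now

    def lift(self, now: float):
        if self.state != "isolated":
            raise CommandRejected("no confirmed isolation to lift")
        self.state, self.pending_since = "unisolating", now

    # Agent acknowledgements ----------------------------------------------------
    def ack_isolated(self):
        if self.state == "isolating":
            self.state, self.pending_since = "isolated", None

    def ack_lift(self, approved: bool):
        if self.state == "unisolating":
            self.state = "normal" if approved else "isolated"
            self.pending_since = None

    # Cloud-side reaper -----------------------------------------------------------
    def reap(self, now: float) -> Optional[str]:
        """Revert a transition stuck for 5 minutes; return the toast text or None."""
        if self.pending_since is None or now - self.pending_since < COMMAND_TIMEOUT_S:
            return None
        if self.state == "isolating":
            self.state = "normal"       # the isolate command never landed
        elif self.state == "unisolating":
            self.state = "isolated"     # the on-device approval never came back
        self.pending_since = None
        return f"command timed out; agent reverted to {self.state}"

    # Gate for admin-initiated commands ------------------------------------------
    def authorize(self, command: str) -> bool:
        if command in ALWAYS_ALLOWED:
            return True
        if self.state != "normal" and command in BLOCKED_WHILE_ISOLATED:
            raise CommandRejected("agent is currently isolated")
        return True


def scenario():
    """Constructed walk-through: detection, a blocked shell, an unanswered lift prompt."""
    a = AgentIsolation()
    a.isolate(now=0.0)                 # detector fires, cloud pushes isolate
    a.ack_isolated()                   # agent confirms rules applied
    a.authorize("heartbeat")           # telemetry keeps flowing
    try:
        a.authorize("shell")           # compromised admin tries to undo the firewall rules
        blocked = False
    except CommandRejected as e:
        blocked = e.status == 409
    a.lift(now=10.0)                   # operator clicks Lift Isolation
    toast = a.reap(now=10.0 + COMMAND_TIMEOUT_S)   # user never answered the prompt
    return blocked, a.state, toast
```

`scenario()` returns `(True, "isolated", "command timed out; agent reverted to isolated")`: the shell command is refused with a 409 while the agent is isolated, and an unanswered approval prompt falls back to the isolated state rather than silently lifting. Note that `authorize` treats every non-normal state as isolated, which is what closes the race where an admin fires a command during the pulsing-amber transition.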

EDR & Vendor Allowlist During Isolation

By default, isolation blocks all outbound traffic except connections to etducky.com and loopback. If you run a third-party EDR — CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Sophos, Carbon Black, Cortex XDR, etc. — its agent will lose contact with its cloud the moment isolation engages, so your SOC loses visibility on the very device that just tripped a ransomware detection. To keep those tools connected, configure SecurityMonitoring.IsolationAllowedHosts in AgentConfig.json.

Each entry generates a paired inbound and outbound firewall rule named ETDucky-Isolation-Allow-Vendor-{label}-In/Out, applied at the moment isolation activates and removed automatically when isolation lifts.

Accepted formats: IPv4 address, IPv4 CIDR range (e.g. 10.0.0.0/24), IPv4 start-end range, or IPv6 address. Hostnames are not resolved — the value is passed straight to the Windows Firewall remoteip parameter, which only accepts IP literals. Look up your EDR's current cloud IP ranges in its admin console (CrowdStrike publishes them through the Falcon support portal under Documentation → Network Communication; Microsoft Defender for Endpoint ranges are listed in the Microsoft 365 service URL/IP documentation).

Example:

"SecurityMonitoring": {
  "IsolationAllowedHosts": [
    "203.0.113.50",
    "203.0.113.51",
    "198.51.100.0/24",
    "192.168.10.5"
  ]
}

The allowlist is empty by default — this is an opt-in safeguard. You can configure it per-agent locally or push the same list fleet-wide via remote configuration. Changes take effect on the next isolation event; entries are not retroactively applied to an already-isolated host. Review and refresh the IP list periodically: vendor cloud ranges drift, and a stale entry will silently leave your EDR offline during the next incident.
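Because hostnames are not resolved and bad entries fail silently in the middle of an incident, it is worth validating the allowlist before pushing it to the fleet. The block below is an added example for this page, not the agent's code: the accepted value formats, the rule-name pattern and the remoteip restriction come from the page, while the derivation of `{label}` (here the entry's 1-based index) and the exact netsh invocation are assumptions.

```python
"""Validate SecurityMonitoring.IsolationAllowedHosts entries and render the
paired firewall rules described on the page.

Added example, not the ET Ducky agent. Accepted formats, the rule-name
pattern and the remoteip restriction come from the page; using the entry's
1-based index as {label} and the exact netsh command line are assumptions.
"""
import ipaddress
import re

RULE_NAME = "ETDucky-Isolation-Allow-Vendor-{label}-{dir}"
_RANGE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")


def normalize_entry(value: str) -> str:
    """Return the entry as the firewall's remoteip accepts it, or raise ValueError.

    Hostnames are rejected outright: the value is handed to Windows Firewall,
    which only understands IP literals, so a DNS name would never match traffic.
    """
    v = value.strip()
    m = _RANGE.match(v)
    if m:                                   # IPv4 start-end range
        lo, hi = ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))
        if lo > hi:
            raise ValueError(f"range start after end: {value!r}")
        return f"{lo}-{hi}"
    if "/" in v:                            # CIDR: IPv4 per the page; strict rejects host bits
        net = ipaddress.ip_network(v, strict=True)
        if net.version != 4:
            raise ValueError(f"only IPv4 CIDR ranges are listed as accepted: {value!r}")
        return str(net)
    try:
        return str(ipaddress.ip_address(v))  # IPv4 or IPv6 literal
    except ValueError:
        raise ValueError(f"not an IP literal (hostnames are not resolved): {value!r}") from None


def rejects(value: str) -> bool:
    """Helper for checks: True when normalize_entry refuses the value."""
    try:
        normalize_entry(value)
        return False
    except ValueError:
        return True


def render_rules(allowed_hosts):
    """netsh commands applied when isolation engages. Lifting isolation deletes
    the same rules by name (netsh advfirewall firewall delete rule name=...)."""
    cmds = []
    for i, entry in enumerate(allowed_hosts, start=1):
        remoteip = normalize_entry(entry)
        for direction, flag in (("In", "in"), ("Out", "out")):
            name = RULE_NAME.format(label=i, dir=direction)
            cmds.append(f'netsh advfirewall firewall add rule name="{name}" '
                        f'dir={flag} action=allow remoteip={remoteip} enable=yes')
    return cmds


SAMPLE_CONFIG = {   # constructed: the page's shape, plus a range and an IPv6 literal
    "SecurityMonitoring": {
        "IsolationAllowedHosts": [
            "203.0.113.50", "198.51.100.0/24", "192.168.10.5-192.168.10.9", "2001:db8::10",
        ]
    }
}
```

`render_rules` on the sample list produces eight commands (an In and an Out rule per entry). The strict CIDR parse is deliberate: an entry like 10.0.0.5/24 is almost always a typo for 10.0.0.0/24, and surfacing it at configuration time beats discovering during the next isolation that the EDR never reconnected.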

Lifting Isolation

Isolation removal requires approval from both the dashboard operator and the logged-in user on the device. This dual-approval model ensures that even a compromised ET Ducky org account cannot silently de-isolate a device without the knowledge of the person sitting at it.

  • Remote lift (dashboard + device approval) — Click Lift Isolation in the Agent Details modal. An agent.unisolate SSE command is sent to the agent, which immediately spawns a popup on the active user’s desktop asking them to approve or deny. The user has 5 minutes to respond; closing the window or letting the timer expire automatically denies the request. Only an explicit Approve click lifts isolation
  • No logged-in user — If no interactive user session exists when the command arrives, the unisolate request is permanently rejected. The agent reports back to the dashboard and the org is notified that the agent must be deleted from the org and re-installed after physical access to the device is restored. There is no remote fallback path
  • Local lift code (offline endpoints) — If the endpoint cannot reach etducky.com, generate a one-time Lift Code from the Agent Details modal. The 8-character Crockford Base32 code is valid for ±10 minutes, single-use, and derived from HMAC-SHA256 keyed with SHA256(bearer_token). Because the cloud stores only that hash, it can mint the code without the raw token, and because the agent holds the token it can verify the code without contacting the cloud. This path requires a technician to be physically present at the machine
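The offline Lift Code scheme above is a time-bucketed HMAC. The block below is an added worked example, not ET Ducky's implementation: the 8-character Crockford Base32 alphabet, the SHA256(bearer_token) key, the ±10-minute validity and single use come from the page; the HMAC message (agent id plus a 10-minute bucket), the truncation to the first 40 bits of the tag and the in-memory replay set are assumptions made for the example.

```python
"""One-time offline Lift Code, modelled on the scheme described on the page.

Added example, not ET Ducky's code. From the page: 8 Crockford Base32 chars,
HMAC-SHA256 keyed with SHA256(bearer_token), ±10-minute validity, single use.
Assumed: message = agent_id + 10-minute bucket, code = first 40 bits of the
tag, replay protection = in-memory set of consumed (bucket, code) pairs.
"""
import hashlib
import hmac

CROCKFORD = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"   # 32 symbols; no I, L, O, U
BUCKET_S = 10 * 60
CODE_LEN = 8                                      # 8 chars * 5 bits = 40 bits


def derive_key(bearer_token: str) -> bytes:
    # The cloud stores only SHA-256(token), so it can issue codes from what it has;
    # the agent holds the token and hashes it itself, so it verifies offline.
    return hashlib.sha256(bearer_token.encode()).digest()


def _encode40(data: bytes) -> str:
    n = int.from_bytes(data[:5], "big")
    out = []
    for _ in range(CODE_LEN):
        out.append(CROCKFORD[n & 31])
        n >>= 5
    return "".join(reversed(out))


def lift_code(key: bytes, agent_id: str, unix_time: float) -> str:
    """Cloud side: code for the 10-minute bucket containing unix_time."""
    bucket = int(unix_time // BUCKET_S)
    tag = hmac.new(key, f"{agent_id}:{bucket}".encode(), hashlib.sha256).digest()
    return _encode40(tag)


class LiftCodeVerifier:
    """Agent side: accepts any bucket overlapping [now - 10 min, now + 10 min]
    and refuses a code it has already consumed."""

    def __init__(self, key: bytes, agent_id: str):
        self.key, self.agent_id = key, agent_id
        self.consumed = set()

    @staticmethod
    def _normalize(code: str) -> str:
        # Crockford decoding maps O to 0 and I/L to 1, which absorbs common typos.
        code = code.strip().upper().replace("-", "")
        return code.translate(str.maketrans("OIL", "011"))

    def verify(self, code: str, unix_time: float) -> bool:
        code = self._normalize(code)
        if len(code) != CODE_LEN or any(c not in CROCKFORD for c in code):
            return False
        bucket = int(unix_time // BUCKET_S)
        for b in (bucket - 1, bucket, bucket + 1):
            expected = lift_code(self.key, self.agent_id, b * BUCKET_S)
            if hmac.compare_digest(expected, code):
                if (b, code) in self.consumed:
                    return False              # replay of a spent code
                self.consumed.add((b, code))
                return True
        return False
```

The verifier compares with `hmac.compare_digest` and records the consumed (bucket, code) pair so a code read over the phone cannot be replayed later in the same window; a code minted with a different agent's key, or more than one bucket away, is rejected.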

Approval popup: The on-device popup displays a security alert with the ET Ducky branding, a clear description of what is being requested, and support contact information (682-464-3186 and the support email address) so the device owner can verify the request is legitimate before approving.

Threat-model note. The dual-party approval model defends against a compromised dashboard admin account — that admin cannot lift isolation without the on-device user's explicit consent. A separate threat — a local Windows attacker who has already escalated to SYSTEM privileges on the device — can disable local enforcement by deleting the firewall rules and resetting the profile default. ET Ducky's cloud state will continue to show the agent as isolated until a legitimate lift POST arrives, so an operator reviewing the dashboard sees the discrepancy. The cloud's view of isolation cannot be modified without on-device user consent or a valid lift code; the local Windows firewall enforcement is best-effort against an already-SYSTEM-privileged attacker. This is consistent with how every endpoint security product handles the “SYSTEM is already pwned” scenario — the design goal is to make the cloud-side state authoritative even when local enforcement is bypassed.

Security Posture Monitoring

Every agent heartbeat includes a real-time security posture snapshot of the host, surfaced in the dashboard without requiring a separate scan or agent action.

  • Windows Defender — Real-time protection status and definition age
  • Windows Firewall — Enabled/disabled state across all profiles (Domain, Private, Public)
  • BitLocker — Encryption status for all fixed drives
  • UAC — Current User Account Control configuration level
  • Secure Boot — Firmware-level Secure Boot enabled/disabled state

Platform-Level Security

  • Per-Agent Bearer Tokens — Each agent authenticates with a unique token issued at registration. Tokens are stored DPAPI-encrypted on disk and only decrypted in memory; the server stores only the SHA-256 hash
  • TLS Certificate Pinning — Agent validates the cloud API's TLS certificate against baked-in SPKI pins. A compromised CA cannot be used to intercept agent traffic
  • Shell Allowlist — Optionally restrict remote shell execution to a configurable set of regex patterns. Commands not matching the allowlist are rejected before execution
  • PII Filtering — ETW events are sanitized locally before transmission. Email addresses, UPNs, IP addresses, and file paths are scrubbed or redacted before any data leaves the agent
  • Workspace + Organization Isolation — Two-level tenancy enforced by PostgreSQL Row-Level Security in the database (rejects any query without an explicit tenant context) plus EF Core query filters at the application layer. Org enumeration in the dashboard is sourced from a workspace-scoped server endpoint so cross-workspace org names never reach the browser. Cross-tenant data access is architecturally prevented, not just policy-controlled
  • Clerk Authentication — OAuth, SAML 2.0 SSO, SCIM directory sync, and MFA for all dashboard users

Distribution Servers

LAN-Local File Hub

Nominate one agent at a site as a Distribution Server and it becomes a LAN-local file hub: installers, packages, scripts, and shared files are served to its neighbors over HTTPS on the local network instead of every machine pulling them down from the cloud over the WAN. Large transfers stay on the LAN, where they are fast and don’t consume internet bandwidth.

  • Cloud is the control plane — the cloud stores the file catalog and access rules and issues short-lived signed tokens; the file bytes move directly between the requesting machine and the hub agent on your LAN, never through the ET Ducky cloud on the normal path.
  • Content-addressable cache — blobs are deduplicated by SHA-256 with a per-hub quota (scale with free disk, or a fixed size) and least-recently-used eviction that re-populates on demand.
  • Mount as a network drive — map the hub over WebDAV on Windows, macOS, and Linux using revocable, per-path mount keys; the mapped drive reports accurate free/used space.
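The content-addressable cache above is the piece that makes a hub both a bandwidth saver and an integrity check: a blob is only ever stored under its own SHA-256, so a hub can refuse origin bytes that do not hash to the requested key. The block below is an added example for this page, not the hub's code: the SHA-256 keying, the per-hub quota, least-recently-used eviction and on-demand re-population follow the page; the in-memory store, the `fetch_from_origin` callback standing in for the cloud or peer download, and the fixed byte quota are assumptions.

```python
"""Content-addressable hub cache with a byte quota and LRU eviction.

Added example of the mechanism described on the page, not the hub's code.
From the page: SHA-256 keys, per-hub quota, LRU eviction, re-populate on
demand. Assumed: in-memory storage, a fetch_from_origin(key) callback for
the WAN path, and a fixed quota in bytes.
"""
import hashlib
from collections import OrderedDict


class HubCache:
    def __init__(self, quota_bytes: int, fetch_from_origin):
        self.quota = quota_bytes
        self.fetch = fetch_from_origin                # digest_hex -> bytes (WAN path)
        self.blobs = OrderedDict()                    # LRU order: least recent first
        self.used = 0
        self.hits = self.misses = self.evictions = 0

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def put(self, data: bytes) -> str:
        """Store a blob; identical content dedupes to a single copy."""
        if len(data) > self.quota:
            raise ValueError("blob larger than the hub quota")
        key = self.digest(data)
        if key in self.blobs:
            self.blobs.move_to_end(key)              # refresh recency, no new bytes
            return key
        self._make_room(len(data))
        self.blobs[key] = data
        self.used += len(data)
        return key

    def get(self, key: str) -> bytes:
        """Serve from the LAN cache; on a miss re-populate from origin, but only
        after checking the bytes really hash to the key that was asked for."""
        if key in self.blobs:
            self.hits += 1
            self.blobs.move_to_end(key)
            return self.blobs[key]
        self.misses += 1
        data = self.fetch(key)
        if self.digest(data) != key:
            raise ValueError("origin returned content that does not match its digest")
        self.put(data)
        return data

    def _make_room(self, needed: int):
        while self.blobs and self.used + needed > self.quota:
            _, victim = self.blobs.popitem(last=False)   # evict least recently used
            self.used -= len(victim)
            self.evictions += 1


def demo():
    """Constructed walk-through: 3000-byte quota, dedup, eviction, re-population,
    and an integrity failure when origin hands back the wrong bytes."""
    origin = {}
    cache = HubCache(quota_bytes=3000, fetch_from_origin=lambda k: origin[k])
    a, b, c = b"A" * 1000, b"B" * 1000, b"C" * 1500
    for blob in (a, b, c):
        origin[HubCache.digest(blob)] = blob
    ka = cache.put(a)
    cache.put(a)                           # duplicate content: used stays at 1000
    kb = cache.put(b)                      # used 2000
    cache.get(ka)                          # touch a, so b becomes the LRU victim
    kc = cache.put(c)                      # 2000 + 1500 > 3000: evicts b, used 2500
    evicted_b = kb not in cache.blobs
    cache.get(kb)                          # miss: refetch b from origin, evicts a
    origin[kc] = b"tampered"               # simulate a bad or poisoned origin response
    del cache.blobs[kc]
    cache.used -= len(c)
    try:
        cache.get(kc)
        integrity_check = False
    except ValueError:
        integrity_check = True
    return {"used": cache.used, "evicted_b": evicted_b, "a_present": ka in cache.blobs,
            "hits": cache.hits, "misses": cache.misses, "evictions": cache.evictions,
            "integrity_check": integrity_check}
```

`demo()` ends with 1000 bytes in use, two evictions, one hit, two misses, and the integrity check having refused the tampered origin response. The same digest check is what lets a requesting machine trust bytes served by a neighbour rather than by the cloud: the key it asked for is the proof the content must satisfy.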

Scripts, Transfers & Data Residency

  • Hub-backed script repository — publish scripts to a hub and run them fleet-wide; agents pull the script body straight from the hub at run time.
  • Hub-routed file transfers — push a file to an agent, or copy agent-to-agent, with the bytes moving agent → hub → agent and never touching the cloud.
  • Strict mode — an org-level toggle (Configuration → Workspace) that requires a reachable hub for transfers and hub-backed scripts and fails rather than falling back to the cloud — for data-residency-sensitive sites.

Reach & Security

  • Off-LAN access — optional WAN reach (STUN, UPnP, or a manual endpoint, over IPv4 and IPv6) with cert-pinned connections, plus a peer-hub relay for sites behind CGNAT.
  • Self-signed, pinned TLS — each hub serves a self-signed certificate that clients trust once; agent-managed machines trust it automatically.
  • Connection guard — a WAN source allowlist (CIDRs), connection-rate limiting, and temporary IP bans drop scanner and brute-force traffic before the TLS handshake; the Reach state panel shows a running count of blocked attempts.

Out-of-Band Management

Manage Machines That Are Off or Unresponsive

Out-of-band (OOB) management reaches a device’s hardware management controller — below the operating system — so you can power it on, off, or cycle it even when it is powered down, hung, or has no working OS. A small LAN gateway bridges the cloud to the management controllers on your network.

  • Vendor protocols — speaks Intel AMT / vPro, DASH, and IPMI, covering business desktops, workstations, and servers across the major vendors.
  • Power control — remote power on / off / reset for machines that are off the network or won’t boot, with nobody physically at the device.
  • LAN gateway — runs on inexpensive hardware (a Raspberry Pi 4 or newer) on the same network as the managed devices, provisioned with a one-time gateway token from the dashboard.
  • Discovery — the gateway discovers OOB-capable devices on the LAN and surfaces them in the dashboard alongside your agents.

Fleet Management

Remote Configuration

Push configuration changes to agents without local access. Changes apply within 30 seconds via server-side polling.

  • ETW Providers Tab: Level filter, 30+ kernel provider checkboxes, excluded paths
  • Metrics Tab: Toggle CPU, memory, disk, process list, service status, event logs
  • Performance Tab: Batch size and timeout tuning
  • Server-side config overrides local AgentConfig.json automatically

Agent Tags

Organization-scoped, color-coded labels for categorizing agents by function, location, team, or any custom grouping.

  • Create tags with name, description, and color at the organization level
  • Assign/remove via Tag Modal with current and available tag sections
  • Up to 3 tags shown inline on agent rows with “+N” overflow count
  • Use tags in alert rule conditions (e.g., “agent_tags contains production”)

Team Management

Role-based access control with Clerk-powered organization membership.

Capability                                   Administrator    Member
View agents, health, sessions, alerts
Start live sessions, configure agents
Remote desktop sessions
Invite/remove members
Manage billing & org settings
  • Invite members by email with role selection
  • Pending invitations table with Revoke option
  • All org members share query pool, agents, alerts, and seats

Subscription & Billing

  • Stripe Integration — Secure checkout for subscriptions and agent seats
  • Billing Portal — Self-service plan changes, invoice history, payment methods
  • Agent Seat Purchase Modal — Interactive calculator with volume pricing breakdown and savings display
  • Instant Upgrades with prorated billing; downgrades at next cycle
  • Usage Monitoring — Real-time query and seat usage on Dashboard

Deployment Options

Agent Setup Wizard

Guided 3-step installation flow built into the dashboard:

  1. Create & Download — Create a registration token, then click Download to get a single-file installer with the token embedded. Optionally enable Public Download Link for a shareable URL, or check Sign for Production Use to EV code-sign the installer (up to 4 per organization)
  2. Run — Double-click the downloaded EXE on the target machine. No manual token entry or command-line arguments needed
  3. Verify — sc query ETDuckyAgent confirms the service is running

Bulk Deployment

For scripted or mass deployment, use the standalone installer with command-line flags:

  • Public Download Link — Enable on any token to get a shareable URL. Deploy with a single CMD line: curl.exe -L "https://etducky.com/api/agent-tokens/{id}/installer/public" -o installer.exe
  • PowerShell Remoting — Built-in template using Get-ADComputer and Invoke-Command for AD-based mass deployment
  • SCCM/MECM — Silent install flag works with Configuration Manager task sequences
  • Intune — Deploy as a Win32 app with the /SILENT /REG_TOKEN parameters
  • GPO — Startup script deployment using the silent install command

Cloud Hosting Tiers

Tier           Agents     Per Agent   Infra Fee   Highlights
Shared         0–99       $5/mo       $0          Multi-tenant, instant setup
Dedicated T1   100–999    $4/mo       $87/mo      Own subdomain, data isolation, SOC2/HIPAA
Dedicated T2   1K–9,999   $3/mo       $194/mo     Load balanced, Redis cache, 90-day retention
Dedicated T3   10K+       $2/mo       $666/mo     HA 99.9% SLA, auto-failover, 24/7 support

Self-Hosted Option

  • Custom Docker image and pre-configured agent installer for your infrastructure
  • Annual licensing from $10K/year or perpetual from $35K one-time
  • Full data sovereignty, air-gap support, and 80% cost savings at 5,000+ agents
  • PostgreSQL + TimescaleDB with your own Anthropic API keys

Enterprise & Scale

Scale

  • Architecture designed for 100,000+ agents
  • Volume pricing dropping to $2/agent/month at 10K+ agents
  • Automated tier migrations with zero downtime and no agent reconfiguration
  • Dedicated infrastructure with load balancing, Redis caching, and HA database clusters
  • Local correlation with PII filtering — minimal sensitive data exposure and low network overhead even at scale

Security

  • Clerk Authentication — OAuth, SSO (SAML 2.0), SCIM provisioning, and MFA support for all user accounts
  • Workspace + Organization Isolation — Two-level tenancy: a workspace owns the URL and seat pool; organizations inside the workspace own agents, alerts, scripts, tickets, and integrations. PostgreSQL Row-Level Security policies enforce per-org isolation in the database itself, with EF Core query filters as a second line of defense. Org dropdowns are filtered to the current workspace from a server-side endpoint, so cross-workspace org names never reach the browser
  • TLS 1.3 Encryption — All agent-to-cloud and browser-to-cloud communication encrypted, including WSS for remote desktop sessions
  • Certificate Pinning — Agent validates the cloud API's TLS certificate against baked-in SPKI pins; MITM attacks are blocked even with a trusted CA compromise
  • Local Event Processing — ETW events correlated on-agent before transmission; minimal data leaves the system
  • Behavioral Threat Detection — Always-on ETW monitor detects ransomware patterns and auto-isolates compromised hosts via Windows Firewall before damage spreads
  • Compliance Ready — SOC2 and HIPAA compliance on Dedicated Tier 1 and above
  • Self-Hosted Option — Complete data sovereignty for air-gapped and regulated environments

Support

Tier                     Response Time   Channels
Professional             24 hours        Email
Business                 8 hours         Priority email
Enterprise               2 hours         Dedicated contact, phone
Self-Hosted Premium      4 hours         24/7, dedicated Slack
Self-Hosted Enterprise   1 hour          Dedicated CSM, on-site visits

Integration Ready

  • Notification Webhooks — Connect alerts to any ITSM, automation, or monitoring tool via custom HTTP webhooks
  • Slack & Microsoft Teams — Native webhook integration for team chat notifications
  • Email Notifications — Direct delivery to individuals or distribution lists
  • Stripe Billing — Self-service subscription management with billing portal
  • Active Directory — Bulk deployment via AD-based PowerShell remoting
  • SCCM/MECM, Intune, GPO — Compatible with all major enterprise deployment tools