ET Ducky is a cross-platform diagnostics and behavioral-security platform with first-class agents for Windows and Linux. The Windows agent uses Event Tracing for Windows (ETW); the Linux agent uses eBPF programs attached to scheduler and syscall tracepoints. Both correlate kernel events directly on the endpoint, filter out PII before data leaves the machine, and determine the root cause in simple terms so your team can act on it.

Remote desktop, alerting, scripts, automations, and fleet management are included so your team can act on the diagnosis without leaving the dashboard.

ET Ducky offers a Free tier (bring your own API key for unlimited queries), Professional at $39/month (1,000 AI queries), Business at $99/month (5,000 queries), and Enterprise at $249/month (50,000 queries). All paid plans include 20 free managed agent seats per user. Additional agent seats cost $5/month each with volume discounts down to $2/agent at scale. No credit card is required for the free tier.

Unlike general observability platforms that focus on APM, metrics, and log aggregation, ET Ducky works at the kernel boundary on every endpoint it runs on: ETW on Windows (the same telemetry source Microsoft engineers use internally) and eBPF on Linux. It provides deeper root cause analysis than RMM tools by correlating low-level kernel events and using AI to explain exactly what happened and why, with specific remediation steps. Behavioral-security rules run on the same event stream, so detection of suspicious activity does not require a separate XDR product.

Raw ETW events never leave the machine. The on-agent correlation engine filters out PII and proprietary information, then produces a structured diagnostic summary. Only this sanitized, reduced summary is sent to AI for analysis — achieving 99.6% bandwidth reduction while keeping sensitive data local. Self-hosted deployment options are also available for organizations that need full on-premises control.

The Windows agent supports Windows 10, Windows 11, and Windows Server 2016 and later, running as a Windows Service under the Local System account (required for ETW kernel access). The Linux agent supports modern distributions on the .deb (Debian, Ubuntu) and .rpm (RHEL, CentOS, Fedora) families, and ships a universal .run installer for everything else. Linux agents run as the unprivileged etducky user under a hardened systemd unit; eBPF capture is supported on kernel 5.4 and later, with a graceful no-op fallback when kernel BTF is missing. The desktop app runs in user mode and is currently Windows-only.

Yes. The free tier includes the full desktop app with unlimited local ETW monitoring and interactive troubleshooting. Bring your own API key from Anthropic, OpenAI, or Microsoft Copilot for unlimited AI queries at zero subscription cost. No credit card required.

ET Ducky offers three deployment models: Cloud Hosted (shared multi-tenant, included with all subscriptions), Cloud Hosted Dedicated (single-tenant infrastructure with tiered pricing for 100–9,999 agents), and Self-Hosted (on-premises deployment with perpetual or annual licensing). All options include the full feature set including live sessions, remote desktop, multi-agent analysis, and alerting.