Agent Types

Managed Agents (Starting at $5/month each)

Managed agents run as a Windows Service under the Local System account, starting automatically with Windows. They are the full-featured agent type designed for servers, production systems, and critical workstations.

• Deployment: Windows Service (runs as SYSTEM), auto-start with Windows
• Full ETW Event Collection with 30+ configurable kernel and user-mode providers
• Real-Time Health Metrics — CPU, memory, disk, network reported every 30 seconds
• Live Query Sessions with AI-powered diagnostics, approved script execution, and file transfers
• Browser-Based Remote Desktop — DXGI screen capture with WebSocket relay for one-click remote control from the dashboard
• Remote Configuration Management — push provider, metrics, and performance settings from the dashboard
• Alert Evaluation — health metrics evaluated against your alert rules on every heartbeat
• Multi-Agent Correlation — participate in cross-fleet diagnostic sessions
• Billing: $5/month per agent on shared infrastructure, with volume discounts at scale. 20 free per subscribed user on paid plans.
• Resource Usage: ~50 MB RAM in Health Only mode; 50–200 MB during active collection; 1–15% CPU depending on providers

Desktop Agents (Free, Unlimited)

Desktop agents run as a user-mode application that starts with the user session. They provide a lightweight footprint for on-demand diagnostic sessions.

• Deployment: User-mode application, starts with user login session
• Basic Status and Uptime Tracking with online/offline indicators
• On-Demand Diagnostics when you need deeper troubleshooting
• Billing: Free and unlimited on all tiers
• Resource Usage: ~30–50 MB RAM, <1% CPU

Collection Modes

Managed agents operate in one of three collection modes, controlled from the agent Properties modal or automatically via live sessions.

Health Only (Default)

• Data: CPU, memory, disk space, network statistics every 30 seconds
• ETW Events: None collected
• Resource Impact: <1% CPU, ~50 MB RAM, <100 MB total footprint

On-Demand Collection

• Data: Health metrics plus configured ETW providers for a time-limited window (5–60 minutes)
• Auto-Stop: Returns to Health Only when timer expires
• Resource Impact: 5–10% CPU, 50–150 MB RAM

Full Monitoring

• Data: Health metrics plus all enabled ETW providers running continuously until manually stopped
• Resource Impact: 8–15% CPU, 100–200 MB RAM

Tip: Live Sessions automatically start ETW collection when opened and stop it when ended.

ETW Event Providers

ET Ducky supports 30+ ETW providers organized into three categories. Enable them individually through Remote Configuration or via presets.

Kernel Providers

• File System I/O: File creation, deletion, read, write, rename
• File System Initialization: Volume mount, file system load
• Process & Thread: Process creation, termination, thread lifecycle
• Image Load: DLL and executable loading
• Registry: Key and value operations
• Network TCP/IP: TCP connection, send, receive
• Network UDP: UDP datagram events
• Memory Management: Page faults, memory allocation
• Driver Operations: Driver load and unload
• Object Handles: Handle creation and destruction
• Process Counters: Performance counter snapshots

User-Mode Providers

• .NET Runtime / .NET Exceptions: CLR events, JIT, GC, managed exception tracking
• DNS Client: DNS queries and responses
• WinHTTP: HTTP request and response events
• TCP/IP (User): User-mode network stack events
• Windows Error Reporting: Application crashes and hangs
• Shell Core: Windows Explorer and shell events
• LDAP Client: Active Directory queries
• Group Policy: Policy processing events
• Windows Firewall: Firewall rule evaluations
• SQL Server / PowerShell / Task Scheduler / Certificate Services / Print Service

Performance & Diagnostics

• Performance Counters: System-wide performance metrics
• Diagnostic Policy Service: Windows troubleshooting events
• Timer Events: High-precision timing
• Wait Analysis: Thread wait and contention tracking

Dashboard Overview

The ET Ducky dashboard is a single-page application (SPA) at etducky.com with client-side routing and browser history integration. Authentication is handled by Clerk, and the interface adapts based on your sign-in state.

Navigation Bar

The top navigation bar shows different items depending on whether you are signed in:

On mobile devices, the navigation collapses into a hamburger menu. Your user avatar appears on the right with a dropdown for Dashboard, Agents, Alerts, Reports, Team, Settings, Integrations, Tickets, and Sign Out.

Dashboard Home Page

After signing in, the Dashboard displays an organization selector and four summary cards:

Organization Selector

• If you belong to multiple organizations, a dropdown appears at the top of the Dashboard
• Switching organizations reloads all dashboard metrics for the selected org (subscription status, usage, agent seats)
• The + New Organization button lets you create additional organizations for different clients or environments
• Organizations scope all resources: agents, registration tokens, alerts, queries, tags, and team members

Subscription Status Card

• Shows your current tier name (Professional, Business, Enterprise, or Free Tier)
• Displays queries per month allocation and renewal date
• If no active subscription, shows an Upgrade Now button linking to Pricing

Usage Statistics Card

• Queries used vs. total allocation with visual progress bar
• Color-coded: green under 75%, yellow at 75–90%, red above 90%

Agent Seats Card

• Three-column grid: Total seats, Used seats, Available seats
• Progress bar with utilization percentage
• Breakdown of included (free) vs. purchased seats with per-seat rate
• Seat Contributors section showing per-member breakdown for multi-member orgs
• Warning banners when seats are nearly full or completely used

Quick Actions

• Manage Query Subscription — Opens Stripe billing portal for your query plan
• Manage Agent Subscription — Opens seat purchase modal or billing portal
• Manage Team Subscriptions — Opens a modal showing all organization members with their subscription status. Admins can purchase plans for unsubscribed members or cancel admin-purchased subscriptions. (Admin only; visible when you belong to an organization.)
• Download App — Downloads the agent installer
• View Documentation — Navigates here

Agents Page

The central hub for monitoring and managing your agent fleet.

Organization Switcher

If you belong to multiple organizations, a dropdown selector appears at the top. Switching organizations reloads all agent data for the selected org.

Statistics Bar

Four summary metrics above the agent table:

• Managed Agents: Count with per-agent cost ($5/mo on shared)
• Desktop Agents: Count (always free)
• Active Now: Agents with heartbeat within last 10 minutes
• Monthly Fees: Estimated total monthly cost for managed seats

Agent Table

The table auto-refreshes every 30 seconds. The Multi-Agent Session button above the table opens multi-agent sessions.

Agent Properties Modal

Click an agent name or Properties button to open the details modal with four sections:

1. Information Grid

• Server Name, Agent ID, Type, Status (with colored indicator), Last Heartbeat, Version, Environment, Mode, Tags

2. Health Metrics

• CPU and Memory usage cards with color-coded thresholds (green/yellow/red)
• Values from the latest health report (updated every 30 seconds)

3. Collection Control

• Start Full — begins continuous ETW collection
• On-Demand — starts time-limited collection
• Stop — ends all ETW collection, returns to Health Only

A status bar shows the current collection state and active provider count.

4. Interactive Query Session

• Current session ID and event count (if active)
• Begin Session / End Session buttons to control live sessions from properties

5. Delete Agent

• Requires two confirmations before proceeding
• Sends a silent uninstall command to the agent ("C:\Program Files\ETDucky\Agent\uninstall\unins000.exe" /VERYSILENT) via the existing SSE shell channel
• Modal closes immediately; a countdown toast shows the remaining time before database removal
• After 15 seconds, the agent record and all associated data are permanently deleted from the database
• The agent process self-terminates via the uninstaller; the subsequent heartbeat 401 is expected and benign

Remote Management

Collection Control

• Start Full/On-Demand/Stop buttons in Properties modal
• Agent picks up commands on next heartbeat (within 30 seconds)
• Live Sessions automatically start and stop collection

Configuration Push

• Changes in the Configure modal are saved server-side
• Agents poll for updates every 30 seconds
• Server-side config overrides local AgentConfig.json
• No agent restart required for most settings

Organization-Scoped Labels

Agent tags are color-coded labels scoped to your organization. Use them to categorize agents by function, location, team, or any custom grouping.

Creating Tags

1. Click the tag area on any agent row in the Agents page
2. In the Tag Modal, click Create New Tag
3. Enter a Name, optional Description, and pick a Color
4. The tag is created at the organization level and available for all agents

Assigning & Removing Tags

• The Tag Modal shows Current Tags and Available Tags sections
• Click a tag in Available to assign it; click × on a Current tag to remove it
• Each tag shows its usage count across all agents
• Up to 3 tags shown inline on agent rows with “+N” overflow

Using Tags in Alert Rules

Use the agent_tags metric in alert rule conditions to target specific agent groups (e.g., “agent_tags contains production”).

3-Step Installation Flow

The Agent Setup page provides a guided installation wizard. You must be signed in and belong to at least one organization.

Step 1: Create a Registration Token & Download Installer

• Organization admins can create scoped, revocable registration tokens
• Click + New Token, give it a name, optional max-agent limit, and expiry
• Click Download next to the token to get a pre-configured installer — a single .exe with your token embedded
• Optionally check Allow Public Download Link during creation to generate a shareable URL that anyone can use to download the installer without signing in — ideal for sending to end users or embedding in deployment scripts
• Check Sign for Production Use to EV code-sign the installer with the ET Ducky certificate. Signed installers show the verified publisher name (“ET Ducky LLC”) in the Windows UAC prompt and are trusted by SmartScreen. Each organization can have up to 4 signed production tokens at a time.
• You can re-download at any time for any active token. The token itself is shown once at creation for manual/scripted use
• If you belong to multiple organizations, a dropdown lets you select which org to deploy into

Security: Tokens are scoped to a single organization and can be revoked at any time. Use separate tokens for different environments.

Step 2: Run the Installer

Double-click the downloaded .exe on the target Windows machine. The installer runs silently — it will install the .NET 9.0 runtime if needed, register the agent with your organization using the embedded token, and start the ET Ducky Agent service. No command-line arguments or manual token entry required.

Step 3: Verify

The agent should appear on your Agents page within seconds.

Manual Install (Advanced)

For scripted or bulk deployments, download the standalone installer from the Agent Setup page and provide the token on the command line:

This approach is recommended for MECM/SCCM, Intune, GPO, or PowerShell remoting deployments.

Bulk Deployment

For deploying to multiple machines, use the standalone installer with the /SILENT /REG_TOKEN flags. Download ETDuckyAgentSetup.exe from the Advanced section of the Agent Setup page, or directly from etducky.com/downloads.

Public Download Link (Simplest)

Enable Allow Public Download Link when creating a token to get a shareable URL. No sign-in required — send the link to end users or use it in scripts. The dashboard generates a ready-to-go CMD one-liner:

The public link respects all token controls: it stops working if the token is revoked, expired, or has reached its agent limit.

PowerShell Remoting with Active Directory

Enterprise Deployment Tools

The silent installer works with any deployment tool that supports command-line execution:

• MECM / SCCM: Create an Application or Package with the silent install command. Use a Device Collection to target machines. The /SILENT flag ensures no user interaction is required.
• Intune: Upload the installer as a Win32 app (.intunewin). Use the silent install command as the install command string. Set detection rules based on the ETDuckyAgent service or install directory.
• Group Policy (GPO): Deploy via a Startup Script targeting computer accounts. Place the installer on a network share accessible by machine accounts.

Tip: Create a dedicated registration token with a high max-agent limit for bulk deployments. Use separate tokens per deployment wave for tracking and revocation control.

Three-Tab Diagnostic Modal

Live Sessions provide real-time, interactive diagnostics with a single agent. Click Live Session on any online agent to open the modal, which automatically starts ETW collection and establishes an SSE (Server-Sent Events) connection.

Query Tab

Natural language chat interface for AI-powered diagnostics:

• Type questions in the input box and press Enter to send (Shift+Enter for new line)
• The agent collects ETW events, runs local correlation (filtering out PII and proprietary data), builds a structured prompt, and sends it to Cloud AI
• Responses include diagnostic findings, root cause analysis, and actionable recommendations
• Conversation history supports up to 10 turns of context
• Each question consumes 1 query from your organization pool

Shell Tab

Remote command-line interface for direct execution on the agent:

• Shell Type Toggle: Switch between PowerShell and CMD via dropdown
• Press Enter to execute; ↑/↓ arrow keys for command history
• Saved Scripts: Dropdown of pre-saved scripts with one-click execution. Script Manager to create, edit, delete.
• Terminal-style output with exit codes, stdout, and stderr
• Limits: 5-minute timeout per command, max 3 concurrent commands
• Runs under: Agent service account (Local System for managed agents)

Files Tab

Bidirectional file transfers between your browser and the agent:

• Push File: Upload from browser with a destination path on the agent
• Pull File: Download from agent by specifying a source path
• Transferred in 1 MB chunks with MD5 verification
• Real-time progress bars with percentage and byte count
• Completed pulls show a Download button
• Limits: Max 2 concurrent transfers; status refreshes every 5 seconds

Session Lifecycle

Starting

1. Click Live Session on an online agent
2. ETW collection initiates on the agent
3. SSE connection establishes with QueryResponse, QueryFailed, and SessionEnded event handlers
4. Three-tab modal opens — ready for queries

Ending

1. Click End Session
2. ETW collection stops on the agent
3. SSE stream closes; agent returns to previous mode

Only one live session per agent at a time. Session history is not retained after closing.

Effective Query Tips

• Be Specific: “Why can't user John access \\server\share?” beats “Why doesn't this work?”
• Include Context: Mention app names, file paths, service names, user accounts
• Start Broad, Then Narrow: Overview first, then drill down
• One Issue at a Time: Focus on a single problem for best correlation
• Processing Time: Most queries return in 3–10 seconds

Overview

ET Ducky’s browser-based remote desktop lets you view and control any online agent’s screen directly from the dashboard. No VPN, no VNC client, no RDP configuration, no firewall rules — just click “Remote” on any online agent and start working.

Remote desktop sessions run alongside existing features. You can have a live query session and a remote desktop session with the same agent simultaneously.

Starting a Session

1. Navigate to the Agents page
2. Click the Remote button on any online agent row (the button is disabled for offline agents)
3. A fullscreen modal opens with a connecting overlay
4. The server creates a session record and signals the agent via SSE
5. The agent initializes screen capture and connects its WebSocket
6. Once both sides are connected, frames begin streaming and the overlay disappears

Typical connect time: 1–3 seconds on LAN, 2–5 seconds on WAN.

Toolbar Controls

Input & Clipboard

Mouse

• Mouse movement, left/middle/right click, and scroll wheel are all forwarded to the remote agent
• Coordinates are normalized (0.0–1.0) and translated to absolute screen coordinates on the agent via SendInput
• Mouse move events are throttled to 60/second to prevent overwhelming the connection

Keyboard

• All key presses are captured using browser KeyboardEvent.code values and mapped to Windows virtual key codes
• Modifier keys (Ctrl, Alt, Shift, Win) are tracked independently to prevent stuck-key issues
• Enable Keyboard Grab in the toolbar to intercept browser shortcuts and forward them to the remote system
• All held modifier keys are automatically released when a session ends

Clipboard

• Text clipboard syncs bidirectionally between browser and agent
• Agent monitors clipboard changes via AddClipboardFormatListener and pushes updates instantly
• Browser clipboard access requires page focus (Clipboard API security requirement)

Performance & Limits

Adaptive quality: The encoder automatically reduces quality when bandwidth is constrained and increases it when headroom is available.

Troubleshooting

• Black screen after connecting: The agent may be in an RDP session where DXGI is unavailable. The agent automatically falls back to GDI+ capture, which may take an extra second.
• High latency or stuttering: Reduce quality to Low or Medium in the toolbar. Check network connectivity between the agent and the ET Ducky server.
• Keyboard shortcuts not working remotely: Enable Keyboard Grab in the toolbar to intercept browser shortcuts.
• Clipboard not syncing: Ensure the browser tab is focused. The Clipboard API requires page focus for security reasons.
• “Agent is not online” error: The agent must be online (green status) to start a remote desktop session. Check agent connectivity.
• “Maximum sessions” error: Your organization has 2 concurrent remote desktop sessions active. End one before starting another.

Cross-System Diagnostics

Query multiple agents simultaneously and correlate findings across your fleet for distributed application failures, load balancing issues, and fleet-wide problems.

Starting a Multi-Agent Session

1. Click Multi-Agent Session on the Agents page
2. Agent selection grid appears: online agents have checkboxes, offline agents are grayed out
3. Select All / Deselect All buttons for quick selection
4. Environment Filter dropdown: show only Production, Staging, or Development agents
5. Click Start Session — ETW collection begins on all selected agents

Query Distribution & Responses

Queries distribute to all selected agents in parallel (1 query per agent per question).

Agent Status Sidebar

• Green — Responding / completed
• Yellow — Waiting for response
• Red — Failed or timed out

Use the Agent View Selector to filter chat by specific agent or view all. Skip Waiting Agents to proceed without slow responders.

Cross-Correlation Analysis

After agents respond, click Run Correlation for cloud-side analysis that compares findings across agents:

• Common Patterns: Issues appearing across multiple systems
• Outlier Behavior: Agents behaving differently from the fleet
• Shared Root Causes: Underlying issues affecting multiple systems
• Environmental Correlations: Patterns tied to specific environments

Auto-Correlate: Toggle to automatically run correlation after each query round.

Export Results: Download the full session transcript with all queries, responses, and correlations.

Query Cost

1 query per agent per question + 1 per device for correlation. Example: querying 5 agents with correlation = 10 queries.

Fleet Tools

Fleet Tools is a unified multi-agent operations modal for executing approved scripts and transferring files across many agents at once, without opening individual sessions.

Agent Selection & Filtering

• Visual agent grid with online/offline status indicators and tag display
• Select individual agents or use Select All / Deselect All for quick bulk selection
• Filter builder with AND/OR logic across Agent Name, Environment, Tags, Agent Type, and Status fields

Shell Tab

• Broadcast PowerShell or CMD commands to all selected agents simultaneously, or target a single agent
• Run As SYSTEM toggle for elevated execution
• Live output console with color-coded stdout, stderr, and system messages per agent

Files Tab

• Pull: Request a file from a specific agent by path; Download button appears on completion
• Push: Upload a file to a specific agent, or select Push to All Selected to broadcast to all agents simultaneously — the file is read once and distributed in parallel
• Transfer history is automatically cleared when Fleet Tools is closed

Common Scenarios

• Distributed App Failures: Select web, app, and database tier agents to trace requests and find the failing tier
• Load Balanced Services: Select all pool members to identify the problematic server and detect configuration drift
• Active Directory Issues: Correlate authentication events across domain controllers
• Security Incidents: Track lateral movement and coordinated attacks across systems
• Performance Comparison: Compare metrics across identical servers to find outliers

Alerts Dashboard

The Alerts page has three tabs for managing monitoring rules, notifications, and alert history. Auto-refreshes every 30 seconds.

Tab 1: Alert History

• Stat Cards: Counts for Critical, Warning, Info, Active Total, and Resolved Today
• Filters: By status (All/Active/Acknowledged/Resolved) and severity (All/Critical/Warning/Info)
• Alert Cards: Severity badge, status badge, time since triggered, rule name, agent name, description, AI Analysis badge

View Details opens a modal with full alert info, triggering metrics, and AI root cause analysis with recommendations.

Tab 2: Alert Rules

Define conditions that trigger alerts. Click Create Rule to open the Rule Builder.

Rule Builder Fields

• Rule Name & Description
• Severity: Critical, Warning, or Info (radio buttons)
• Conditions: One or more conditions with AND/OR logic
• Notification Channels: Select channels to notify
• Enabled Toggle: On/off without deleting

Available Metrics (11 Total)

Condition Operators

Each condition supports an optional Duration requirement (e.g., “CPU > 90% for 300 seconds”) to avoid alerting on brief spikes.

Saved rules display as cards with name, severity, evaluation interval, channel count, and edit/delete/toggle controls.

Tab 3: Notification Channels

Configure where alerts are delivered. Channels are reusable across multiple rules.

• Test: Send a test notification to verify configuration
• Enable/Disable: Toggle without deleting
• Each channel card shows type icon, name, type label, and toggle switch

AI-Powered Alert Analysis

Every alert receives automatic Claude AI analysis including root cause, impact assessment, immediate actions, long-term recommendations, and confidence level. Analysis is cached for 24 hours — similar alerts reuse cached results.

Configuration Modal

Click Configure on any agent to open the Remote Configuration modal. Changes are stored server-side and delivered within 30 seconds. Server-side config always overrides the local AgentConfig.json.

ETW Providers Tab

• Level Filter: Minimum ETW level (Verbose, Informational, Warning, Error, Critical)
• Kernel Provider Checkboxes: 30+ individual providers to toggle
• Excluded Paths: File paths to exclude (one per line, supports wildcards)

Metrics Tab

Toggle which health metrics the agent collects: CPU Usage, Memory Usage, Disk Space, Process List, Service Status, Event Logs.

Performance Tab

• Batch Size: Events to batch before processing/sending
• Timeout: Max wait before sending a partial batch

Tip: Increase batch size for high-volume environments; decrease for time-sensitive diagnostics.

Configuration Presets

Standard (Baseline)

• File I/O, Process/Thread, Registry, Network, .NET Runtime, DNS
• 100–500 events/sec; 2–5% CPU, 50–100 MB RAM

Comprehensive

• All Standard plus Memory, Handles, Drivers, WER, Shell
• 500–2,000 events/sec; 5–10% CPU, 100–150 MB RAM

Maximum

• All providers; 5,000–10,000+ events/sec; 10–15% CPU, 150–200 MB RAM
• Short-term diagnostic sessions only

Organization Overview

The Team page manages membership and access control. Info cards show Total Members, Administrators, and Pending Invites. Multi-org users see an Organization Switcher dropdown.

Members Table

Email, Role (Administrator/Member), Join Date, and Remove button (admin only).

Roles & Permissions

* Only the user who originally created the organization can delete it, even if other users have the Administrator role.

Inviting Members

1. Click Invite Member (admin only)
2. Enter email and select role (Administrator or Member)
3. Click Send Invite
4. Invitation appears in Pending Invitations table with Revoke option

Shared Resources: All org members share the same query pool, agents, alert rules, notification channels, and agent seats.

Team Subscriptions

Organization admins can purchase query subscriptions on behalf of team members. This ensures every member has access to AI diagnostics without requiring each person to manage their own billing.

How It Works

1. From the Dashboard, click Manage Team Subscriptions in Quick Actions
2. A modal displays all organization members with their current subscription status
3. For any unsubscribed member, click Buy Plan
4. Select a tier (Professional, Business, or Enterprise) and click Proceed to Checkout
5. Complete payment in Stripe — the subscription is created immediately for the target member

Subscription Ownership

• Admin-purchased: The admin who bought the subscription can cancel it. The subscription's billing is tied to the organization's Stripe customer. Shown with an “Admin-purchased” badge.
• Self-purchased: Members who buy their own subscription manage it through their personal Stripe billing portal. Shown with a “Self” badge. Admins cannot cancel self-purchased subscriptions.

Cancelling Admin-Purchased Subscriptions

Click the Cancel button next to any admin-purchased subscription. Cancellation takes effect immediately with prorated billing.

How Subscriptions Pool

Each subscribed member contributes their tier's query quota and 20 free agent seats to the organization pool. For example, if an admin purchases Professional for 3 members, the org gets 3,000 queries/month and 60 free agent seats.

Creating Organizations

Organizations are the fundamental scoping boundary in ET Ducky. Every resource — agents, registration tokens, alert rules, notification channels, queries, tags, and team members — belongs to exactly one organization.

When to Create Separate Organizations

• MSP / Multi-Client: Create one organization per client to keep agents, billing, and data fully isolated
• Environment Separation: Separate Production, Staging, and Development environments into distinct orgs for access control
• Business Units: Large enterprises can use orgs to give each team independent query pools and agent budgets

How to Create

1. Click + New Organization on the Dashboard, Team page, or Agent Setup page
2. Enter an organization name
3. Click Create Organization — the new org is created via Clerk and set as your active org immediately
4. Invite team members and set up subscriptions as needed

Multi-Org Users: Use the organization dropdown on the Dashboard, Agents, and Team pages to switch between organizations. All metrics, agents, and settings update to reflect the selected org.

Deleting Organizations

Only the original creator of an organization can delete it. Organization deletion is permanent and irreversible.

What Gets Deleted

• All agents registered to the organization
• All registration tokens
• All alert rules and notification channels
• All query history and usage data
• All team memberships and pending invitations
• All associated billing subscriptions

How to Delete

1. Navigate to the Team page
2. Select the organization you want to delete from the dropdown (if you have multiple)
3. Click the red Delete Organization button in the Organization info card (visible to admins only)
4. Type the organization name exactly as shown to confirm
5. Click Delete Organization to proceed

Creator-Only: If you are an admin but not the creator of the organization, the deletion will be rejected by the server. Only the user who originally created the organization can delete it.

Registration Tokens

Registration tokens are the secure method for authenticating agent installations. Only organization admins can create and manage tokens.

Creating Tokens

1. Navigate to the Agent Setup page
2. Click + New Token
3. Give it a descriptive name (e.g., “Production Servers”, “IT Team Deploy”)
4. Optionally set a max agent limit and expiry date
5. Check Allow Public Download Link to generate a shareable URL for the installer — no sign-in required for end users
6. Check Sign for Production Use to EV code-sign the installer with the ET Ducky LLC certificate. Signed installers display the verified publisher in the Windows UAC prompt and avoid SmartScreen warnings. Each organization is limited to 4 signed production tokens at a time — revoke an existing production token to create a new one.
7. Click Download to get a ready-to-run installer with the token embedded

One-click deployment: The Download button generates a self-contained installer pre-configured with your token. Run it on any Windows machine — no manual token entry or command-line arguments needed. You can re-download at any time for any active token.

Token Security

• Tokens are stored as SHA-256 hashes — the plaintext is never persisted
• An encrypted copy of the token is stored server-side to enable on-demand installer downloads
• Each token is scoped to a single organization
• Tokens can be revoked at any time to prevent further registrations and disable installer downloads
• Public download links return 404 for revoked, expired, or limit-reached tokens — no information is leaked about token existence
• Production (signed) installers are built and signed once at token creation, then cached on the server for instant downloads
• Use separate tokens per environment (production, staging, dev) for audit control
• Usage counters track how many agents each token has registered

Managing Tokens

The Agent Setup page lists all tokens for your organization with their prefix, name, usage count, status, and expiry. Use the Download button to get a pre-configured installer, Copy Link to copy the public download URL (if enabled), Revoke to disable a token, or Delete to remove it permanently.

Real-Time Metrics

Agents report health every 30 seconds. Metrics display in the agent table, properties modal, and feed alert rule evaluation.

• CPU: System-wide utilization %; color-coded green/yellow/red
• Memory: Physical memory %; same color coding
• Disk: All volumes with usage percentages and free space
• Network: Bytes sent/received, active connections

Data Retention

• Raw Metrics: 30 days of detailed data points
• Aggregated: 90 days of hourly averages
• Long-Term: 1 year of daily summaries

Interactive time-series charts with zoom, multi-agent comparison, and CSV export.

How AI Analysis Works

1. Your natural language query is sent to the agent
2. Agent collects relevant ETW events based on query context
3. Local correlation engine processes events, filtering out PII and proprietary information
4. Correlated findings are packaged into a structured prompt with system context
5. Prompt sent to Claude AI via CloudAPI
6. AI responds with diagnostics, root cause, and recommendations

Example Queries

• “Why is the SQL Server service failing to start?”
• “What processes are accessing C:\ProgramData?”
• “Show me all failed authentication attempts in the last hour”
• “Why is the system slow right now?”
• “What changed before the application started crashing?”

Query Pool System

What Consumes Queries

• Live Session Question: 1 query
• Multi-Agent Question: 1 per agent per question
• Cross-Correlation: 1 additional per device
• Alert AI Analysis: 1 per alert (cached 24 hours)

Shared across all org members. Unused queries do not roll over.

Overview

Fully-managed monitoring infrastructure with zero ops. Choose shared for small deployments or dedicated for enterprise needs.

• Zero infrastructure management
• Automatic updates and scaling
• 20 free agents per subscribed user on paid plans
• <1 hour to first agents online

Deployment Tiers

Infrastructure fees become negligible at scale. Tier migrations are automated with zero downtime.

Overview

For organizations with compliance, air-gap, or data sovereignty requirements. Run ET Ducky on your own infrastructure.

What You Get

• Custom Docker Image with embedded license
• Custom Agent Installer pre-configured for your server
• Docker Compose templates, PostgreSQL scripts, deployment guide

Requirements

• Linux Docker host (4+ vCPU, 8+ GB RAM, 100+ GB disk)
• PostgreSQL 13+ with TimescaleDB
• Anthropic Claude API key (required)

Licensing

Annual Subscription

Perpetual License

10-Year Comparison (5K agents): Cloud $3.02M | Annual $252K | Perpetual $170K

Overview

ET Ducky's Out-of-Band (OOB) management feature lets you monitor, power-cycle, and inventory hardware endpoints at the firmware level — independently of the Windows OS and the standard ET Ducky agent. OOB access works even when the machine is powered off, unresponsive, or has a crashed operating system.

OOB management is delivered through a Gateway — a lightweight Linux service (designed for Raspberry Pi) that sits on the same LAN as your managed hardware. The gateway scans the network for OOB-capable devices, maintains a cloud connection, and relays commands from the ET Ducky dashboard to the target hardware.

Supported Protocols

Note: Consumer hardware (gaming PCs, home desktops, consumer laptops) does not support AMT or DASH regardless of Intel/AMD CPU brand. OOB management requires business-class vPro or AMD PRO processors paired with enterprise-grade NICs.

Gateway Hardware Requirements

• Raspberry Pi 4 or newer (64-bit OS required)
• Wired Ethernet connection to the target LAN (recommended over Wi-Fi)
• Network access from the Pi to etducky.com on TCP 443
• Same subnet as the OOB-capable devices you want to discover

Recommended OS: Raspberry Pi OS Lite 64-bit. The gateway service runs as a systemd unit under a dedicated etducky service account.

Provisioning a Gateway Token

Gateway tokens are separate from Windows agent registration tokens. They use the etd_gateway_ prefix and are tied to a dedicated Agent record with AgentType = gateway.

1. Navigate to Agents → Install New Agent and select your organization.
2. Click Create Token.
3. Select Gateway as the token type (defaults to Windows Agent).
4. Enter a name for the gateway (e.g. Site A – Pi Gateway).
5. Click Create Token — the etd_gateway_ token is shown once only. Copy it immediately.

Gateway tokens do not have max-agent limits, expiry dates, or installer downloads. Each token provisions exactly one Pi gateway.

Deploying the Gateway

1. Build and package

From the repo root on a Windows build machine (requires .NET SDK):

.\ETDucky.Gateway\packaging\publish-gateway.ps1 `
  -Runtime linux-arm64 -Configuration Release `
  -Output .\ETDucky.Gateway\artifacts\gateway-linux-arm64

tar -czf .\ETDucky.Gateway\artifacts\ETDucky.Gateway.tar.gz `
  -C .\ETDucky.Gateway\artifacts\gateway-linux-arm64 .

2. Copy files to the Pi

scp .\ETDucky.Gateway\artifacts\ETDucky.Gateway.tar.gz [email protected]:/home/pi/
scp .\ETDucky.Gateway\install\setup.sh [email protected]:/home/pi/
scp .\ETDucky.Gateway\install\update.sh [email protected]:/home/pi/
scp .\ETDucky.Gateway\install\etducky-gateway.service [email protected]:/home/pi/

3. Install on the Pi

sed -i 's/\r//' setup.sh update.sh
chmod +x setup.sh update.sh
./setup.sh
./update.sh /home/pi/ETDucky.Gateway.tar.gz

4. Configure

sudo nano /opt/etducky-gateway/appsettings.json

Set Gateway:AgentToken to the etd_gateway_ token you provisioned from the dashboard.

5. Start

sudo systemctl start etducky-gateway.service
journalctl -u etducky-gateway.service -f

A healthy startup shows: config validation passing, WebSocket connected, heartbeat active, and a discovery scan starting.

Discovery

On startup the gateway immediately runs a discovery scan of the local network. By default it auto-detects the Pi's subnet and pings all host addresses. Live hosts are probed for AMT (ports 16992/16993) and DASH (port 623). Discovered devices appear in the Discovered / OOB tab on the Agents page.

Updating the Gateway

After building and packaging a new version, copy the tarball to the Pi and run:

./update.sh /path/to/ETDucky.Gateway.tar.gz

The update script stops the service, extracts the package, sets the executable bit, fixes ownership, and restarts the service automatically.

Troubleshooting

Query Subscription Tiers

Agent Seat Pricing

Annual billing: Save 15% on both query subscriptions and agent seats.

Subscription Management

Personal Subscriptions

• Upgrade: Immediate with prorated billing
• Downgrade: Takes effect at next billing cycle
• Cancel: Full access until period end; data retained 30 days

All billing via Stripe. Access your personal billing portal from Dashboard → Manage Query Subscription.

Team Subscriptions (Admin-Purchased)

Organization admins can purchase subscriptions for team members who don't have their own. This is useful for onboarding new staff or ensuring every team member has access to AI diagnostics.

• Purchase: Dashboard → Manage Team Subscriptions → click Buy Plan next to an unsubscribed member → choose tier → complete Stripe checkout
• Billing: Charged to the organization's Stripe customer account, managed by the admin who purchased it
• Cancel: Admins can cancel any admin-purchased subscription immediately with prorated billing. Self-purchased subscriptions can only be managed by the subscriber.
• Pooling: Each admin-purchased subscription contributes its tier's query quota and 20 free agent seats to the organization pool, just like self-purchased subscriptions

Overview

ET Ducky supports both native ticketing (ET Ducky tickets stored in your organization) and third-party integrations (Jira, ServiceNow). You can use one or both: create and view native tickets from the dashboard and Run Troubleshooting, and optionally connect Jira or ServiceNow so automated troubleshooting can link to and update external tickets. End users on any agent-installed machine can submit a support ticket without opening the full desktop app via the ET Ducky Support shortcut.

Integrations Page

Available from the user menu (avatar dropdown): Integrations. Only organization admins can add or edit integrations.

Ticketing (Jira, ServiceNow)

• Add integration — Choose provider (Jira or ServiceNow), enter base URL, credentials (API token or Basic), and optional project/table, host field, and query template.
• One active integration per organization — When you run troubleshooting or view tickets by agent, the active integration is used to list and update tickets.
• Credentials are stored securely; only metadata (URL, project) is shown in the UI.
• Use Edit to change settings; leave password/token blank to keep the existing credential.

Once configured, you can select tickets from the integration when using Run Troubleshooting and push the resulting report back to the ticket.

Tickets Page

Available from the top nav or user menu: Tickets. Shows two views:

All tickets (ET Ducky)

Lists all native ET Ducky tickets for the current organization: title, device (agent), status, assigned to, submitted by, and created date. Tickets appear here when created from the dashboard or when end users submit via the ET Ducky Support shortcut on an agent.

• Filter bar — Search by title or device name, filter by status (Open, In Progress, Resolved, Closed), or filter by assignee. Filters apply instantly without a network request.
• Inline status — Change a ticket’s status directly from the Status dropdown in the row; the change is saved immediately.
• Inline assignment — Assign a ticket to any org member from the Assigned to dropdown in the row.
• View notes — Click any ticket title to open the ticket detail modal, where you can read all notes and add new ones. Notes are appended in chronological order.
• Start live session — Click Start live session next to a ticket to open a live agent session. The session modal opens directly to the Guided Troubleshooting tab with that ticket pre-selected, ready to run diagnostics.

By agent (includes Jira / ServiceNow)

Select an agent from the dropdown to load tickets for that device. The list includes native ET Ducky tickets for that agent and, if an integration is configured, tickets from Jira or ServiceNow that match the agent (e.g. by host name). Columns: title, source (ETDucky/Jira/ServiceNow), status, updated, link (for integration tickets), and a Start live session button.

Native ET Ducky Tickets

• Create from dashboard — When running Guided Troubleshooting, you can create a new ET Ducky ticket (title, optional description) instead of linking to a Jira/ServiceNow ticket. The ticket is associated with the agent and appears on the Tickets page.
• Ticket notes — Click any ticket title on the Tickets page to open the detail modal. Add notes (e.g. steps taken, findings, follow-up actions) and view the full note history in chronological order. Notes also get added automatically when you push a troubleshooting summary to a native ticket.
• Status lifecycle — Update status directly from the Tickets page table (inline dropdown) or from the Guided Troubleshooting result step (select ticket and new status, then click Apply to ticket). Statuses: Open, In Progress, Resolved, Closed.
• Native tickets are permanent — Unlike ETW event data, native tickets are stored indefinitely with no automatic retention policy. They accumulate until you close or manually delete them.
• Reportable — Tickets and ticket notes are available as data sources in the Data Explorer and Smart Reports. Filter by status, group by device, or chart ticket volume over time. Built-in templates: “Ticket Status Breakdown” and “Tickets by Device.”

End-User Support Shortcut

Users on a machine where the ET Ducky agent is installed can submit a support ticket without opening the full desktop app or having dashboard access.

How it works

• The installer creates an ET Ducky Support shortcut on the Desktop and in the Start Menu (under the ET Ducky Agent folder).
• Launching the shortcut runs the agent with --support: a small form opens (subject, description, optional name). Submitting the form sends the ticket to your organization via a local listener on the agent; the agent then forwards it to the cloud API using its own credentials.
• No full desktop app UI and no technician login required. Tickets appear in the dashboard under Tickets (All tickets) and under the corresponding agent in By agent.

Security

The support listener runs only on 127.0.0.1; the agent bearer token is not exposed to the form. Only the organization that owns the agent receives the ticket.

Overview

The Automations page lets you define rules that fire when events happen across your fleet. Each rule combines a trigger (what starts it), an action (what it does), and a target scope (which agents it affects). Rules are scoped to the current organization and require an org admin role to create or edit.

Navigate to Automations in the top nav bar (visible when signed in). The page has three tabs: Rules, Org Scripts, and Run History.

Stats Overview

Four stat cards at the top of the page provide a real-time summary:

Tab 1: Rules

Lists all automation rules for the organization. Each rule card shows the rule name, enabled/disabled status, trigger → action summary, and last run time. Actions: Edit, Delete, and Run Now (for manual trigger rules).

Creating a Rule

Click + New Rule to open the rule editor modal.

Triggers

Actions

Template Variables

Webhook body templates, notification messages, and ticket summaries support these placeholders:

• {{ruleName}} — The automation rule name
• {{triggerType}} — The trigger that fired (e.g. alert_fired, agent_enrolled)
• {{agentName}} / {{agentId}} — The triggering agent's name or ID
• {{alertName}} — The alert rule name (when trigger is alert_fired)

Tab 2: Org Scripts

View and manage the organization's shared script repository. This is the same script library used by Live Session's Shell tab (the "Select Script" dropdown) and Fleet Tools. Scripts created here appear everywhere, and vice versa.

Script Properties

System scripts are read-only and shared across all organizations. They provide common diagnostics (Get CPU and Memory Usage, Get Disk Space, Get Event Log Errors, etc.), inventory (Get Installed Software, Get Hardware Info), and maintenance tasks (Clear DNS Cache, Flush Print Queue). Custom scripts can be created, edited, and deleted by org admins.

Tab 3: Run History

A chronological log of all automation executions across all rules. Each entry shows:

Failed runs include error messages to help diagnose issues (e.g. "Script not found", "Webhook returned 403", "No valid agents found").

Automation Scheduler

Cron-based rules are evaluated by a background service that runs every 60 seconds. When a scheduled rule's next run time has passed, the rule is executed and the next run time is recalculated from the cron expression. Common patterns:

All times are evaluated in UTC. If a scheduled run fails, the next run time still advances so the scheduler doesn't retry the same failed execution repeatedly.

Example Workflows

Auto-remediate high CPU

Create an alert rule for CPU > 95% for 300 seconds. Create an automation rule with trigger "Alert Fired" (min severity: Critical), action "Run Org Script" (select a script that restarts the offending service), target "Triggering Agent".

Onboarding script for new agents

Create a script that configures Windows Update settings, installs monitoring prerequisites, or sets local policy. Create an automation rule with trigger "New Agent Enrolled", action "Run Org Script", target "Triggering Agent".

Slack notification on agent offline

Create an automation rule with trigger "Agent Went Offline", action "Fire Webhook" pointed at your Slack incoming webhook URL, with a body template like {"text": "Agent {{agentName}} went offline"}.

Daily fleet health report ticket

Create an automation rule with trigger "Scheduled" (0 8 * * 1-5), action "Create Ticket" with summary "[Auto] Daily fleet health check - {{triggerType}}", target "All Agents". Review the ticket each morning for overnight issues.

The ET Ducky Diagnostic Method

1. Identify: What system? What problem? When?
2. Prepare: Enable relevant ETW providers via Remote Configuration
3. Capture: Start a Live Session (ETW starts automatically)
4. Reproduce: Trigger the issue while ETW is collecting
5. Query: Ask AI specific, targeted questions
6. Analyze: Review root cause and recommendations
7. Remediate: Apply fixes via Shell tab or manually
8. Verify: Confirm resolution
9. Monitor: Set up alert rules to detect recurrence

Common Scenarios

Application Not Starting

Live Session → Attempt to start app → Ask “Why did [app] fail to start?” → AI analyzes Process, File I/O, Registry events.

Performance Degradation

Check health metrics → Live Session → “What is causing high CPU?” → Use Shell tab to terminate problematic processes.

Service Start Failures

Live Session → Start service → “Why did [service] fail to start?” → AI analyzes dependencies and errors.

Multi-System Issues

Multi-Agent Session → Select all affected agents → “Trace this request through all tiers” → Run Correlation.

Guided Troubleshooting (Automated)

For ticket-driven or described-issue workflows, use the Guided Troubleshooting tab instead of opening a live session manually. ETW collection starts and stops automatically with the session.

1. Start from the Agents page — Click an agent to open its details modal, then click Run Troubleshooting. The live session opens to the Guided Troubleshooting tab.
   Or start from the Tickets page — Click Start live session next to any ticket. The session opens directly to Guided Troubleshooting with that ticket already selected.
2. Optionally select a ticket from the dropdown. When a ticket is selected, a preview panel shows the title, status, assignee, and full description. You can also create a new native ET Ducky ticket using Open support ticket, or leave “No ticket” and describe the issue in the text area.
3. Click Analyze & Suggest Actions. The AI proposes one diagnostic action at a time; approve (optionally editing the command), skip, or stop at each step. Nothing runs on the agent until you approve it.
4. When the job completes, review the summary. If the run was linked to a ticket (integration or native ET Ducky), the result panel shows a ticket selector (pre-set to the linked ticket) and a status dropdown. Select a new status if appropriate, then click Apply to ticket to push the summary as a note and update the status in one action.

A configured Jira or ServiceNow integration is required only for selecting and pushing to integration tickets. Native ET Ducky tickets and “Describe issue” work without any ticketing integration.

Agent Deployment Strategy

Production Servers

• Managed agents in Health Only mode by default (<1% CPU, ~50 MB RAM)
• On-Demand for maintenance windows; Full Monitoring only during active incidents
• Standard (Baseline) provider configuration; alert rules for CPU, memory, disk

Dev/Test Systems

• Managed for AI diagnostics, desktop for basic visibility
• Comprehensive config for debugging sessions

User Workstations

• Desktop agents (free) fleet-wide; managed only for VIP/critical workstations
• On-Demand collection only when troubleshooting

Cost Optimization

• Desktop agents for non-critical systems (free, unlimited)
• Health Only mode when not troubleshooting
• Right-size subscription tier to actual query usage
• Consolidate agents in single org for volume discounts
• 15% savings with annual billing
• BYOK tier for heavy AI users
• Delete inactive agents promptly

Security

• Use registration tokens for all agent installations; never share tokens in plaintext outside secure channels
• Create separate tokens per environment (production, staging, dev) and per deployment wave
• Revoke tokens immediately when a deployment is complete or a token is compromised
• Set max-agent limits and expiry dates on tokens to limit blast radius
• Separate orgs for production vs. non-production
• Review team access regularly; remove departed employees and cancel their admin-purchased subscriptions
• Exclude sensitive paths from ETW collection
• Route critical alerts to security team channels

Alert Tips

• Use duration requirements to avoid false positives on brief spikes
• Test notification channels immediately after creation
• Multiple channels for critical alerts (email + Slack + webhook)
• Tag agents to target rules at specific groups
• Review rules monthly based on alert frequency

Getting Help

• Email: [email protected]
• Phone: 817-880-1336
• Status: status.etducky.com

Response Times: Professional 24hr | Business 8hr | Enterprise 2hr

Roadmap

Near-Term (3 months)

• Enhanced alert templates, alert analytics, agent group management, multi-agent timeline UI

Mid-Term (3–6 months)

• Mobile app with push notifications, extended retention, custom dashboards, AD auto-discovery, integration marketplace

Long-Term (6–12 months)

• ML anomaly detection, predictive alerting, automated remediation, Linux/macOS agents, Kubernetes monitoring, public API

Timelines subject to change based on customer feedback.

Quick Reference

Overview

Data retention controls how long ET Ducky keeps your cloud-stored data — ETW events, event batches, health metrics, health records, correlation analyses, detected patterns, and live session data. All organizations start with 14-day retention at no cost. You can extend retention with the per-agent add-on.

Retention Tiers

Annual billing: Save 15% on retention costs, same as all other subscriptions.

How Billing Works

Per-Agent Pricing

Retention is billed per registered managed agent in your organization. Desktop agents that sync to the cloud are included. The quantity on your Stripe subscription updates automatically when agents are added or removed — no manual adjustments needed.

Example Costs

What Gets Retained

All data types share the same retention window set by your tier:

• ETW Events & Event Batches — Raw diagnostic events from agents
• Agent Health Metrics & Records — CPU, memory, disk, and performance data
• Correlation Analyses & Detected Patterns — Multi-agent analysis results
• Live Sessions & Session Events — Interactive diagnostic session data

Data older than your retention window is permanently purged during the daily maintenance window (3:00 AM UTC).

Managing Retention

Purchase or Upgrade

From the Dashboard, use the Data Retention card or the Manage Data Retention button in Quick Actions. Select your desired tier and complete checkout via Stripe. Upgrades take effect immediately.

Downgrade or Cancel

Use Manage Billing / Cancel in the retention modal to open your Stripe billing portal. Downgrades and cancellations take effect at the end of the current billing period. After cancellation, retention reverts to the free 14-day default.

Custom Overrides

Enterprise customers can request per-data-type retention overrides (e.g., 365 days for events but 90 days for session data). Contact support to configure custom retention policies.

Self-Hosted Deployments

Data retention add-ons apply only to cloud-hosted (etducky.com) deployments. Self-hosted instances manage their own database storage and retention policies — there is no automatic purge service or per-agent billing for self-hosted data.

Overview

Data Explorer gives you direct, flexible access to your organization's collected telemetry data. Build custom queries against health metrics, events, event batches, correlations, patterns, and live sessions without writing SQL. Results are displayed as interactive charts and sortable data tables.

Access Data Explorer from the Reports page by clicking the Data Explorer tab in the sub-navigation bar. Requires a paid subscription (Professional tier or higher).

Query Builder

The query builder has three tabs:

Templates

Pre-built queries for common scenarios. Click any template to populate the query builder with a ready-to-run configuration. Templates are organized by data source (health metrics, events, correlations, etc.) and cover use cases like CPU trends over time, top error providers, event volume by agent, and fleet health comparisons.

Custom Query

Build queries from scratch using the visual query builder:

• Data Source — Select which table to query: Agent Health Metrics, Events, Event Batches, Correlation Analyses, Detected Patterns, ETW Event Correlations, or Live Sessions
• Time Range — Choose preset ranges (1 hour to 30 days) or specify custom start/end dates
• Interval — Bucket results by time period (1 minute, 5 minutes, 1 hour, 1 day, 1 week) for trend visualization
• Group By — Aggregate results by a dimension. Available fields vary by data source and include: Agent ID, Server Name, Agent Type, Environment, OS Version, Agent Version, Provider Name, Event ID, Level, Status, Session Type, and more
• Metrics — Choose which numeric columns to aggregate. Supported aggregations: AVG, MIN, MAX, SUM, COUNT
• Filters — Narrow results with conditions. Operators include: equals, not equals, greater than, less than, LIKE (pattern matching), IN, and NOT IN

My Views

Save query configurations for quick re-use. Saved views store the full query definition (data source, time range, metrics, filters, group by) along with the preferred chart type. Shared views are visible to all members of your organization.

Chart Types

Results can be visualized as:

• Line Chart — Best for time-series trends (CPU over time, event counts by hour)
• Bar Chart — Best for comparisons (top agents by CPU, events by provider)
• Area Chart — Stacked area for cumulative trends
• Table — Raw data with sortable columns

Charts are rendered using Chart.js and support hover tooltips showing exact values. Switch between chart types at any time without re-running the query.

Virtual Columns via JOIN

Some data sources like Agent Health Metrics store only the Agent ID. The Data Explorer automatically joins to the Agents table to provide additional grouping and filtering options:

These fields are available for both grouping and filtering, enabling queries like "average CPU by Environment" or "event count grouped by Server Name."

Security

All queries are executed through a hardcoded allowlist in the QueryEngine. No arbitrary SQL is accepted. Organization scoping is injected server-side from the authenticated JWT — the client cannot override or access data from other organizations. All filter values use parameterized queries to prevent SQL injection.

Overview

Historical AI Analysis is a conversational interface that lets you ask natural language questions about your fleet's historical data. Powered by Claude, it translates your questions into database queries, analyzes the results, and provides narrative insights with optional inline charts.

Access it from the Reports page by clicking the AI Analysis tab. Requires a paid subscription (Professional tier or higher). Each analysis uses 1 AI query from your subscription pool.

How It Works

1. Ask a question — Type a natural language question like "Which agents had the highest CPU usage last week?" or "What are the most common error events in the past 24 hours?"
2. Query planning — Claude examines your question and your organization's data schema to determine which database queries are needed. It may run multiple queries to gather the information required for a complete answer.
3. Streaming response — Results stream back in real-time via Server-Sent Events (SSE). You'll see the narrative text appear progressively as it's generated.
4. Charts and follow-ups — If the data warrants visualization, an inline chart is automatically generated. Follow-up question suggestions appear at the bottom of each analysis to help you explore further.

Example Questions

• "Which agents had the highest CPU usage last week?"
• "What are the most common error events in the past 24 hours?"
• "How does this week's fleet health compare to last week?"
• "Show memory usage trends across all agents for the past month"
• "Are there agents that consistently have both high memory and high disk I/O?"
• "Which ETW providers generate the most events?"
• "How many diagnostic sessions were run last month?"
• "Which agents are most likely to need hardware upgrades based on current trends?"

The system has access to the same data sources as the Data Explorer: health metrics, events, event batches, correlation analyses, detected patterns, and live sessions.

Follow-Up Chains

Each analysis can lead to follow-up questions. When you ask a follow-up, the previous analysis context (your original question and a summary of the findings) is sent along with the new question. This enables deeper, multi-step exploration like:

1. "Show me CPU trends for the past week" →
2. "Which specific agents are driving the spikes?" →
3. "What events were happening on AGENT-05 during the spike at 2 PM Tuesday?"

Analysis History

Switch to the History tab to view past analyses. Each entry shows the question asked, a summary of the findings, when it was run, and key metrics (data points analyzed, execution time). Click any history entry to reload the full analysis with its chart and follow-up suggestions. History is paginated with 10 entries per page.

Suggested Questions

When you first open AI Analysis, the system generates contextual question suggestions based on your organization's actual data. If you have active agents, it may suggest agent-specific questions. These suggestions update to reflect your fleet's current state.

Overview

ET Ducky is built with security as a core design principle. Every layer of the platform — from agent authentication to data storage to AI processing — is engineered to protect your organization's data and minimize your attack surface. This page covers the security controls most relevant to IT administrators and security reviewers. For a comprehensive technical deep-dive, see the Security & Compliance Whitepaper.

Agent Authentication

Every agent is issued a unique, cryptographic bearer token during registration. This token is the agent's sole credential for all API communication.

New agents are onboarded using registration tokens created by organization administrators. These are short-lived, usage-limited tokens used only during initial registration. Upon successful registration, the server issues a permanent bearer token to the agent and the registration token is consumed. Registration tokens can be revoked at any time from the dashboard. Agents use their bearer token for all subsequent API communication — no shared secrets or organization-wide credentials.

User Authentication

Dashboard authentication is handled entirely by Clerk, a dedicated identity provider. ET Ducky does not store passwords, manage sessions, or handle MFA directly.

• Multi-Factor Authentication (MFA) — Configurable via your organization's Clerk settings (TOTP, SMS, passkeys)
• Single Sign-On (SSO) — SAML and OIDC enterprise SSO supported through Clerk
• Session Management — Configurable session lifetime and idle timeout
• Role-Based Access — Admin and Member roles managed through Clerk Organizations

Encryption

Multi-Tenant Isolation

ET Ducky enforces strict organization isolation at every level:

• Database-Level — Every query includes organization ID filtering. No API endpoint can return data from another organization.
• Agent-Level — Bearer tokens are scoped to a single agent within a single organization. A compromised token cannot access other agents or organizations.
• Billing-Level — Subscription quotas, agent seats, and data retention are pooled and enforced per organization.
• No Cross-Tenant Admin Access — There is no global admin view that spans organizations.

Data Collection & Privacy

ET Ducky collects system telemetry only. The platform does not collect personal user data, browsing history, keystrokes, file contents, or employee activity.

What Is Collected

• Health Metrics — CPU, memory, disk, and network utilization
• ETW Events — Windows kernel and user-mode trace events (process, file I/O, registry, network, services) — configurable per-agent, disabled by default
• System Identity — Hostname, OS version, agent version

What Is NOT Collected

• User credentials or passwords
• File contents or document data
• Browser history or keystrokes
• Email, chat, or personal communications
• Screenshots (remote desktop frames are relayed in real time and never stored server-side)

AI Data Handling

AI-powered features (root cause analysis, Smart Reports, alert enrichment) use Anthropic's Claude API. Key safeguards:

• User-Initiated Only — No telemetry is sent to AI providers automatically. Analysis is always triggered by a user action.
• Aggregated Data Only — Only summarized telemetry (CPU trends, event patterns, error summaries) is sent. No PII, credentials, or raw file data.
• No AI Training — Anthropic does not train on API data per their commercial terms of service.
• Server-Side Only — AI requests originate from the cloud API, never from the agent or browser.

Network Requirements

The ET Ducky agent requires only outbound HTTPS (TCP 443) to etducky.com. No inbound ports need to be opened on the endpoint.

• Works behind NAT, proxies, and standard corporate firewalls
• Agent never opens inbound listeners or accepts incoming connections
• All communication is agent-initiated over HTTPS
• If your firewall requires explicit allowlisting, allow outbound TCP 443 to etducky.com

Incident Response

Compromised Agent Token

If an agent or its bearer token is suspected to be compromised:

1. Deactivate the agent from the dashboard — immediately revokes all API access
2. Investigate using the agent's historical telemetry for anomalous behavior
3. Reinstall the agent with a fresh registration token to issue a new bearer token

Credential Rotation

All platform credentials are rotatable via their respective provider dashboards without application downtime.

Compliance

ET Ducky's security controls map to common compliance framework requirements:

For the full compliance matrix including vulnerability management, incident response, and third-party risk controls, see the Security & Compliance Whitepaper.

Key Terms

Scope of License

Subject to your compliance with this EULA, we grant you a:

• Limited - Specific uses only as described
• Non-exclusive - We may license to others
• Non-transferable - Cannot be transferred without consent
• Revocable - May be terminated if you breach terms

Permitted Uses

You may:

• Install the Software on systems you own or control
• Use the Software for monitoring and diagnostics
• Deploy agents up to your licensed limit
• Make backup copies for archival purposes
• Use the Software in accordance with documentation

License Models

Depending on your deployment type, different license terms apply. See the following sections for details:

• Cloud Deployments - Subscription-based licensing
• Self-Hosted Annual - Annual renewable license
• Self-Hosted Perpetual - One-time purchase, own forever

Subscription-Based License

For cloud-hosted agents, your license is tied to an active paid subscription.

What You Can Do

• Install agents on Windows systems you own or control
• Deploy up to the number of agents allowed by your subscription
• Access the cloud-hosted Service through the web dashboard
• Use multi-agent correlation features
• Receive automatic agent updates

Subscription Tiers

Billing Terms

• Billed monthly or annually (15% discount on annual)
• Charges based on highest agent count during billing period
• Automatic renewal unless cancelled
• Payment required in advance
• Failed payments may result in service suspension

Cancellation

• Cancel anytime through dashboard
• Access continues through end of billing period
• Agents stop reporting after subscription ends
• No refunds for partial months
• Data retained 30 days after cancellation

License Validation

Agents periodically validate subscription status with our servers. This requires internet connectivity. Invalid subscriptions result in agents stopping new data collection (health metrics continue).

License Types

Self-hosted deployments use one of two license models:

Annual License

• Term: One year from purchase
• Renewal: Required annually to continue use
• Best For: 1-3 year deployments, OpEx budgets

Perpetual License

• Term: Indefinite - you own the software forever
• Maintenance: Optional (10% annually) for updates and support
• Best For: 5+ year deployments, CapEx budgets

Annual License Details

Pricing

What's Included

• Custom Docker image with embedded license
• Custom agent installer pre-configured for your infrastructure
• Digitally signed license key
• Docker Compose templates and deployment scripts
• Quarterly software updates
• Security patches and bug fixes
• Business hours email support (24-hour response)
• Deployment assistance

Renewal

• License expires one year after purchase date
• Automatic renewal via Stripe subscription
• 30-day expiry warnings via email and in CloudAPI logs
• After expiry: CloudAPI stops accepting new agent connections
• Existing agents continue health metrics only

Perpetual License Details

Pricing

What's Included

• Everything in Annual License
• Perpetual right to use the software
• No expiration date
• Software continues working even if maintenance lapses
• Setup fee included in purchase price

Maintenance (Optional)

With Active Maintenance:

• Quarterly software updates
• Security patches and bug fixes
• Business hours email support
• License key rotation if needed

Without Maintenance:

• Software continues to function (you own it)
• No updates or security patches
• No support access
• Can resume maintenance anytime

Agent Limits

• License enforces maximum concurrent agent connections
• CloudAPI validates agent count at startup and continuously
• When limit reached: CloudAPI rejects new connections
• Existing agents continue functioning normally
• Contact [email protected] to upgrade agent tier

License Validation

Self-hosted CloudAPI validates license key:

• At startup (required)
• Periodically during operation
• Requires internet connectivity to licensing server
• License file digitally signed with RSA-2048
• Tampering with license file voids license

Your Responsibilities

For self-hosted deployments, you must provide and maintain:

Infrastructure

• Docker host (Linux server with Docker 20.10+)
• PostgreSQL 13+ database with TimescaleDB extension
• Minimum: 4 vCPU, 8 GB RAM, 100 GB storage
• Network connectivity for agents and AI APIs

Services

• Anthropic Claude API key (required)
• OpenAI API key (optional)
• Backups and disaster recovery
• Security and access controls

Operations

• Installing software updates (provided quarterly)
• Database maintenance and optimization
• Monitoring and troubleshooting
• Scaling infrastructure as needed

Deployment Package

Upon purchase, you receive:

• Custom Docker image (tarball or registry access)
• Custom Windows agent installer (.exe)
• License key file (digitally signed)
• Docker Compose configuration files
• PostgreSQL schema and setup scripts
• Environment variable templates
• Deployment documentation
• Troubleshooting guide

No Refunds

Self-hosted licenses are non-refundable after delivery of software package and license key. We offer 30-day trial licenses for evaluation upon request.

Prohibited Actions

You agree NOT to:

Technical Restrictions

• Reverse Engineer: Decompile, disassemble, or reverse engineer the Software
• Modify: Modify, adapt, translate, or create derivative works
• Copy: Copy the Software except as necessary for authorized use and backups
• Remove Notices: Remove, alter, or obscure any proprietary notices, labels, or marks
• Circumvent Protection: Bypass license validation, usage limits, or security measures
• Extract Components: Separate components for use in other applications

Distribution Restrictions

• Distribute: Distribute, sell, rent, lease, or sublicense the Software
• Share Credentials: Share account credentials, API keys, or license keys with unauthorized parties
• Transfer: Transfer license to another entity without written consent
• Service Bureau: Use the Software to provide services to third parties (unless authorized)

Usage Restrictions

• Exceed Limits: Deploy more agents than your license allows
• Unauthorized Monitoring: Monitor systems without proper authorization
• Competitive Use: Use the Software to develop, test, or support competing products
• Benchmarking: Publish benchmark results without written permission

Installation Restrictions

Authorized Systems Only

You may only install agents on:

• Systems you own or have legal control over
• Systems where you have explicit authorization to monitor
• Systems within your organization's infrastructure
• Systems where you have obtained necessary user consents

Prohibited Installations

• Personal devices without explicit owner consent
• Systems you don't have authorization to monitor
• Third-party or customer systems (without written agreements)
• Systems in violation of applicable laws or regulations

Compliance Requirements

You agree to:

• Comply with all applicable laws and regulations
• Obtain necessary permissions for monitoring
• Provide required privacy notices to monitored users
• Respect intellectual property rights
• Follow export control regulations
• Maintain security and confidentiality

Consequences of Violations

Violations of these restrictions may result in:

• Immediate termination of license
• Requirement to uninstall all Software
• Legal action for damages
• Injunctive relief
• No refund of fees paid

Data Collected by Agents

Agents collect and transmit the following data:

Always Collected (Health Metrics)

• CPU usage percentage
• Memory usage (total, available, used)
• Disk usage (total, free, used per volume)
• Network bandwidth (sent/received bytes)
• System uptime
• Agent version and configuration
• Windows version and build number
• Hostname and IP addresses

Collected During Live Sessions

• Event Tracing for Windows (ETW) events
• Process information (name, PID, path, command line)
• File system operations
• Network connections and traffic
• Registry operations
• User authentication events
• Application errors and crashes
• Performance counters

Cloud-Hosted Data Handling

Transmission

• All data encrypted in transit using TLS 1.3
• Sent to ET Ducky cloud infrastructure (DigitalOcean)
• Compressed to minimize bandwidth
• Intelligent local correlation filters PII and proprietary data before transmission

Storage

• Data stored in PostgreSQL with TimescaleDB
• Encrypted at rest
• Retention: 30-180 days based on tier
• Automatic deletion after retention period
• Backups encrypted and retained 30 days

Processing

• AI analysis using Anthropic Claude API
• Optional OpenAI API integration
• Queries sent to AI providers on-demand only
• AI providers do not use your data for model training
• Correlation and analysis performed server-side

Your Data Rights

• You retain all ownership rights to your data
• We claim no ownership over collected data
• We do not sell or share your data with third parties
• You can export data anytime through dashboard
• You can delete your account and data anytime

Self-Hosted Data Handling

• Your Infrastructure: All monitoring data stays on your infrastructure
• No Access: We do not have access to your collected data
• Your AI Keys: You provide your own AI API keys
• Your Responsibility: You accept AI provider terms directly
• License Validation Only: Only license validation data sent to our servers
• Data Sovereignty: Complete control over data location and retention

Privacy Compliance

You are responsible for:

• Complying with applicable privacy laws (GDPR, CCPA, HIPAA, etc.)
• Obtaining necessary consents for monitoring
• Providing privacy notices to monitored users
• Implementing appropriate security measures
• Handling data subject rights requests
• Maintaining records of processing activities

Sensitive Data

Warning: The Software may collect sensitive information depending on ETW providers configured. You are responsible for:

• Configuring appropriate filters to prevent collection of sensitive data
• Ensuring compliance with data protection regulations
• Not collecting passwords, credit card numbers, or PII without proper safeguards
• Implementing encryption for sensitive data

Telemetry and Analytics

The Software may collect anonymous usage statistics to improve the product:

• Feature usage (which features are used most)
• Performance metrics (query response times)
• Error reports (crashes, exceptions)
• Agent version distribution

This data is anonymized and does not include your monitoring data.

Cloud Service Updates

CloudAPI Platform

• Updates applied automatically to cloud infrastructure
• Zero downtime during most updates
• Major updates announced 48 hours in advance
• Scheduled maintenance windows (if needed)

Agent Updates

• New agent versions released quarterly
• Download from dashboard
• Deploy via SCCM, Intune, GPO, or manual installation
• Agents typically backward compatible with older CloudAPI versions
• Critical security updates released as needed

Self-Hosted Updates

With Active License/Maintenance

• Quarterly software releases
• Security patches between releases
• Bug fixes
• New features and improvements
• Agent installer updates

Update Process

1. Receive email notification of new version
2. Download new Docker image and agent installer
3. Review release notes for breaking changes
4. Backup database before upgrade
5. Deploy new Docker image: docker-compose down && docker-compose up -d
6. Run database migrations if required
7. Update agents as needed

Without Maintenance (Perpetual Only)

• Software continues to function
• No updates provided
• No security patches
• No bug fixes
• No support access

Support

Cloud Service

Self-Hosted Standard

• Business hours (9am-5pm ET, Mon-Fri)
• Email/ticket support
• 24-hour response time
• Deployment assistance during initial setup
• Bug reports and troubleshooting

Self-Hosted Premium (+$15,000/year)

• 24/7 email and phone support
• 4-hour response time for critical issues
• Dedicated Slack channel
• Monthly check-in calls
• Priority bug fixes

Self-Hosted Enterprise (+$25,000/year)

• Everything in Premium plus:
• 1-hour response time for critical issues
• Dedicated Customer Success Manager
• Quarterly business reviews
• On-site visits (1-2 per year)
• Custom SLAs

Support Scope

Covered

• Software installation and configuration
• Bug reports and troubleshooting
• Feature questions and guidance
• Best practices and recommendations
• Deployment assistance

Not Covered

• Infrastructure management (self-hosted)
• Custom development or integrations
• Training beyond documentation
• Issues caused by modifications to Software
• Third-party software or services

Documentation

All license types include access to:

• Online documentation at etducky.com/docs
• Deployment guides
• API reference
• Troubleshooting guides
• Best practices
• Video tutorials (coming soon)

Intellectual Property

The Software and all intellectual property rights are owned by ET Ducky and protected by:

• Copyright laws
• Trademark laws
• Patent laws (pending)
• Trade secret laws

This EULA grants you a license to use the Software, not ownership.

Trademarks

"ET Ducky" and associated logos are trademarks of ET Ducky. You may not:

• Use our trademarks without written permission
• Register confusingly similar trademarks
• Register domain names containing our marks
• Suggest affiliation or endorsement without authorization

Warranties and Disclaimers

THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND.

We Disclaim All Warranties Including:

• MERCHANTABILITY
• FITNESS FOR A PARTICULAR PURPOSE
• NON-INFRINGEMENT
• ACCURACY OR RELIABILITY
• UNINTERRUPTED OR ERROR-FREE OPERATION
• SECURITY OR FREEDOM FROM VIRUSES

We Do Not Warrant That:

• The Software will meet your requirements
• Results will be accurate or reliable
• AI analysis will detect all issues
• AI recommendations will be correct or safe
• Errors or bugs will be corrected
• The Software is suitable for critical applications

CRITICAL: You are solely responsible for validating all AI-generated recommendations before implementing them on production systems. Always test in non-production environments first.

Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW:

We Are Not Liable For:

• INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES
• LOSS OF PROFITS, REVENUE, DATA, OR USE
• LOSS OF GOODWILL OR REPUTATION
• BUSINESS INTERRUPTION
• SYSTEM FAILURES OR DOWNTIME
• DATA LOSS OR CORRUPTION
• SECURITY BREACHES
• ERRORS IN AI ANALYSIS
• DAMAGES FROM FOLLOWING AI RECOMMENDATIONS
• THIRD-PARTY CLAIMS

Maximum Liability

Our total liability shall not exceed the greater of:

• Amounts paid by you in the 12 months prior to the claim, OR
• $100

This limitation applies even if we have been advised of the possibility of such damages.

Indemnification

You agree to indemnify, defend, and hold harmless ET Ducky from any claims, damages, losses, liabilities, and expenses (including legal fees) arising from:

• Your use or misuse of the Software
• Your violation of this EULA
• Your violation of applicable laws
• Unauthorized monitoring or data collection
• Infringement of third-party rights
• Data you collect or process

Termination

By You

You may terminate by:

• Ceasing all use of the Software
• Uninstalling all agents and applications
• Cancelling your subscription or license
• Deleting all copies of the Software

By Us

We may terminate immediately if:

• You breach any term of this EULA
• You exceed licensed agent limits
• Your payment fails
• We detect fraudulent or abusive use
• Required by law

Effect of Termination

• All licenses immediately terminate
• You must cease all use of the Software
• You must uninstall all agents
• You must delete all copies
• Exception: Perpetual licenses continue to function (you own the software)

Export Compliance

The Software is subject to U.S. export control laws. You agree to:

• Comply with all applicable export and import laws
• Not export or re-export to prohibited countries
• Not provide to prohibited entities or persons
• Not use for prohibited purposes (e.g., weapons development)
• Comply with sanctions and embargoes

Prohibited Destinations: Cuba, Iran, North Korea, Syria, Russia (partially), and other sanctioned countries or entities.

Governing Law

This EULA is governed by the laws of the State of Washington, United States, without regard to conflict of law principles.

Dispute Resolution

Informal Resolution

Before filing a claim, contact [email protected] to attempt informal resolution.

Binding Arbitration

Disputes shall be resolved through binding arbitration administered by the American Arbitration Association in Washington State.

Class Action Waiver

You agree to resolve disputes individually and waive any right to participate in class actions.

Entire Agreement

This EULA, together with the Terms of Service and Privacy Policy, constitutes the entire agreement regarding the Software and supersedes all prior agreements.

Modifications

We may modify this EULA with 30 days' notice. Continued use after changes constitutes acceptance.

Severability

If any provision is found invalid, the remaining provisions remain in effect.

No Waiver

Failure to enforce any provision does not waive our right to enforce it later.

Assignment

You may not assign this EULA without our written consent. We may assign without restriction.

Contact Information

For questions about this EULA:

Legal: [email protected]
Support: [email protected]
Sales: [email protected]

Acknowledgment

BY INSTALLING OR USING THE SOFTWARE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THIS EULA.

If you do not agree, do not install or use the Software.