Agent Overview

The Infracast Agent is a lightweight, cross-platform binary that provides deep host-level visibility for security monitoring, compliance, and vulnerability detection. Where agentless discovery sees what's visible from the network, agents see what's actually running on the host.

What Agents Do

Agents run continuously on target hosts and report:

Discovery Area | What's Collected
Software packages | Installed packages from all major package managers + versions
Running processes | PIDs, names, users, command lines, resource usage
Network ports | Listening ports, bound addresses, associated processes
Network connections | Active TCP/UDP connections, remote endpoints, states
Firewall rules | iptables / Windows Firewall rules and chains
User accounts | Local users, sudo/administrator access
CVE exposure | Packages correlated with NVD CVE database

Architecture

┌─────────────────┐         HTTPS (443, outbound)         ┌─────────────────┐
│   Infracast     │ ◄───────────────────────────────────► │   Infracast     │
│   Agent         │    Register / Heartbeat / Reports     │   Server        │
│   (on host)     │        Commands (scan, revoke)        │   (SaaS or ECS) │
└─────────────────┘                                       └─────────────────┘
         │                                                         │
         ▼                                                         ▼
  Host Discovery                                            Asset Graph
  - Process list                                            - Node enrichment
  - Listening ports                                         - CVE findings
  - Installed software                                      - Compliance rules
  - Firewall rules                                          - SBOM artifacts
  - Active connections                                      - Reports

Key characteristics:

  • ~5 MB compiled binary — minimal footprint
  • Outbound HTTPS only (port 443) — no inbound firewall rules needed
  • Non-root preferred — some collectors require elevated access for full visibility
  • Heartbeat every 30 seconds — real-time online/offline status
  • Full scan every 5 minutes (configurable) — fresh data without manual triggering

Agent vs. Agentless Discovery

Infracast supports both modes. They are complementary, not mutually exclusive.

Capability | Agentless | Agent-based
Cloud infrastructure (EC2, VPC, S3, IAM)
Network topology (Cisco, Palo Alto, Juniper)
VMware / hypervisor inventory
Running processes and open ports
Installed software packages
CVE / vulnerability detection | Partial | ✅ Full
SBOM generation
Firewall rule audit
Config drift detection | Limited
STIG compliance checks | Limited
Works without network access to target | N/A
Works in air-gapped environments | No | Yes
Requires software on host | No | Yes

When to Use Agents

Deploy agents when you need:

Software Vulnerability Detection (CVE / SBOM)

Agents enumerate all installed packages and correlate them against the NVD CVE database. This catches vulnerabilities in software that cloud APIs don't expose (custom apps, language packages, libraries).

apt package: openssl 3.0.2 → CVE-2023-0286 (HIGH, CVSS 7.4)
pip package: requests 2.28.0 → CVE-2023-32681 (MEDIUM, CVSS 6.1)

STIG Compliance

Defense Information Systems Agency (DISA) STIG checks require host-level access to audit:

  • Filesystem permissions
  • Service configuration
  • User account settings
  • Audit policy
  • Password complexity

Configuration Drift Detection

Detect when host configuration deviates from baseline:

  • New listening ports opened
  • New services started
  • Package versions changed without change control
  • New user accounts created
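
The baseline comparison behind these four drift signals, as an added example (not Infracast's code or report format). The snapshot schema, the `detect_drift` function and the `approved_changes` set are assumptions for illustration, and the sample snapshots are constructed.

```python
# Added example: baseline-vs-current drift check. The snapshot schema is an
# assumption for illustration, not Infracast's report format.

def detect_drift(baseline, current, approved_changes=frozenset()):
    """Return (category, detail) findings, grouped by drift category."""
    findings = []
    # Key ports by (proto, bind address, port): a service that moves from
    # 127.0.0.1 to 0.0.0.0 is a new exposure even though the port is unchanged.
    for key in sorted(set(current["ports"]) - set(baseline["ports"])):
        proto, addr, port = key
        proc = current["ports"][key]
        findings.append(("new_port", f"{proto} {addr}:{port} ({proc})"))
    for svc in sorted(set(current["services"]) - set(baseline["services"])):
        findings.append(("new_service", svc))
    # A new or changed package version is drift only when no approved
    # change record (name, version) covers it.
    for name, version in sorted(current["packages"].items()):
        old = baseline["packages"].get(name)
        if old != version and (name, version) not in approved_changes:
            findings.append(("package_changed", f"{name} {old or 'absent'} -> {version}"))
    for user in sorted(set(current["users"]) - set(baseline["users"])):
        findings.append(("new_user", user))
    return findings

# Constructed sample snapshots (not real agent output).
BASELINE = {
    "ports": {("tcp", "0.0.0.0", 22): "sshd", ("tcp", "127.0.0.1", 5432): "postgres"},
    "services": {"sshd", "postgresql"},
    "packages": {"openssl": "3.0.2", "requests": "2.28.0"},
    "users": {"root", "deploy"},
}
CURRENT = {
    "ports": {("tcp", "0.0.0.0", 22): "sshd", ("tcp", "0.0.0.0", 5432): "postgres",
              ("tcp", "0.0.0.0", 8080): "nginx"},
    "services": {"sshd", "postgresql", "nginx"},
    "packages": {"openssl": "3.0.8", "requests": "2.31.0", "tcpdump": "4.99.1"},
    "users": {"root", "deploy", "svc-backup"},
}
APPROVED = {("openssl", "3.0.8")}  # constructed change-control record

if __name__ == "__main__":
    for category, detail in detect_drift(BASELINE, CURRENT, APPROVED):
        print(f"{category:16} {detail}")
```

In the sample, PostgreSQL rebinding from 127.0.0.1 to 0.0.0.0 is reported as a new port because the bind address is part of the key, while the approved openssl upgrade is suppressed.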

Deep Host Visibility for GRC

Auditors require evidence of actual system configuration, not just API assertions. Agents provide:

  • Point-in-time SBOM snapshots (signed for integrity)
  • Real running process inventory
  • Confirmed firewall posture

Supported Platforms

Platform | Architecture | Notes
Linux (Ubuntu, Debian, RHEL, CentOS, Amazon Linux) | x64, arm64 | Full package manager support
Windows Server 2016/2019/2022 | x64 | WMI-based collection
Windows 10/11 | x64 | Supported but server-focused
macOS 12+ | x64, arm64 | Community supported
Kubernetes (DaemonSet) | x64, arm64 | Sidecar or privileged DaemonSet

Quick Start

  1. Go to Settings → Agents → Generate Token
  2. Copy the enrollment token (shown once)
  3. On the target host:
    curl -fsSL https://get.infracast.io/agent | sudo bash -s -- \
    --server https://api.infracast.io \
    --token YOUR_TOKEN
  4. The agent appears in the Agents page within 60 seconds

See Agent Installation for platform-specific instructions, mass deployment options, and air-gapped installs.