The Threat Stack AgentFull stack security observability starts by aggregating low-level security signals from your operating system — whether that’s Linux or Windows Server — and then, seeing into everything else above it.
The Threat Stack Difference
Built for Cloud-Native Environments
Threat Stack is purpose-built for security in the cloud — where there is no network perimeter — requiring deep visibility into host operating systems and operator behaviors.
Security Observability for Diverse Infrastructure Stacks
The Threat Stack Agent instruments the range of infrastructure in the modern cloud, including Linux, Windows, Docker, and Kubernetes.
Host Context Matters
Many modern security threats are visible only by establishing a presence on the host operating system and observing the behavior of the people and processes using it.
At a high level, the agent collects security audit data from the operating system, handles file integrity monitoring (FIM), and captures user-space events. Threat Stack currently supports various versions of the following operating systems:
- Amazon Linux
- Red Hat Enterprise Linux
- Windows Server
See the documentation for specific versions and minimum kernel requirements.
The Building Block for a Strong Cloud Security Posture
Rapid Agent Deployment to Hosts or as Containers
The Threat Stack Agent offers multiple deployment options, so you can add security without slowing DevOps velocity. Install the agent in minutes, with no additional infrastructure, via the following methods:
Deep Telemetry Across Workloads
The agent captures all security audit signals by default from native OS subsystems like Linux Audit or the Windows Event Log. Agent data is enriched in the Threat Stack Cloud Security Platform®, where it's combined with metadata from EC2 instances, AWS management console activity, and more. This approach provides context-rich data that informs proactive security measures like threat-hunting and predictive analytics, as well as the precision needed when reacting to an active cyber attack.
Streamlined Data Processing
Most of the time, the agent is simply gathering data and securely sending it to the Threat Stack platform. More processing happens platform-side, where events are parsed and alerts are fired. In the platform, all of the alerting is based on rules. Several hundred rules come out-of-the-box, and they are all directly customizable so you can ensure that security monitoring is fully tuned and optimized for specific workloads and compliance requirements. On the back end, raw event data is exportable off of the platform and into your own S3 bucket.
Why Host Context Matters
Host context gives you the data needed to eliminate false negatives and drive security alerting that's data-rich and actionable. Here are some common examples that the Threat Stack Agent is well positioned to capture:
- User privilege escalations
- Modification of the kernel at run time
- Processes running from /tmp or other special system directories
- Audit trails of critical filesystem changes
- Monitoring of host system network services