The Threat Stack Agent

Full stack security observability starts by aggregating low-level security signals from your operating system — whether that’s Linux or Windows Server — and then, seeing into everything else above it.



Supported Systems

At a high level, the agent collects security audit data from the operating system, handles file integrity monitoring (FIM), and captures user-space events. Threat Stack currently supports various versions of the following operating systems:


  • Amazon Linux
  • CentOS
  • CoreOS
  • Debian
  • RedHat Enterprise Linux
  • Ubuntu
  • Windows Server

See the documentation for specific versions and minimum kernel requirements.

The Building Block for a Strong Cloud Security Posture

Rapid Agent Deployment to Hosts or as Containers

The Threat Stack Agent offers multiple deployment options, so you can add security without slowing DevOps velocity. Install the agent in minutes, with no additional infrastructure, via the following methods:

Deep Telemetry Across Workloads

The agent captures all security audit signals by default from native OS subsystems like Linux Audit or the Windows Event Log. Agent data is enriched in the Threat Stack Cloud Security Platform®, where it's combined with metadata from EC2 instances, AWS management console activity, and more. This approach provides context-rich data that informs proactive security measures like threat-hunting and predictive analytics, as well as the precision needed when reacting to an active cyber attack.

Streamlined Data Processing

Most of the time, the agent is simply gathering data and securely sending it to the Threat Stack platform. More processing happens platform-side, where events are parsed and alerts are fired. In the platform, all of the alerting is based on rules. Several hundred rules come out-of-the-box, and they are all directly customizable so you can ensure that security monitoring is fully tuned and optimized for specific workloads and compliance requirements. On the back end, raw event data is exportable off of the platform and into your own S3 bucket.

Why Host Context Matters

Host context gives you the data needed to eliminate false negatives and drive security alerting that's data-rich and actionable. Here are some common examples that the Threat Stack Agent is well positioned to capture:

  • User privilege escalations
  • Modification of the kernel at run time
  • Processes running from /tmp or other special system directories
  • Audit trails of critical filesystem changes
  • Monitoring of host system network services
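As an added illustration, not Threat Stack's agent or rule code, the following evaluates two simple rules over constructed Linux Audit SYSCALL records: execution from /tmp (or similar scratch directories) and a non-root user ending up with an effective uid of 0. The field names follow auditd's record format; the rule names, the directory list and the allowlist of expected setuid programs are assumptions standing in for the kind of tuning the text describes.

```python
import re

# Constructed sample records in Linux Audit (auditd) SYSCALL format, not real captures.
# syscall=59 is execve on x86_64 (arch=c000003e); the number differs on other architectures.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 '
    'pid=1201 auid=1000 uid=1000 gid=1000 euid=1000 comm="ls" exe="/usr/bin/ls" key="exec"',
    'type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=59 success=yes exit=0 '
    'pid=1202 auid=1000 uid=1000 gid=1000 euid=1000 comm="payload" exe="/tmp/payload" key="exec"',
    'type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=59 success=yes exit=0 '
    'pid=1203 auid=1000 uid=1000 gid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo" key="exec"',
    'type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=59 success=yes exit=0 '
    'pid=1204 auid=1000 uid=1000 gid=1000 euid=0 comm="helper" exe="/usr/local/bin/helper" key="exec"',
    'type=PROCTITLE msg=audit(1700000000.104:204): proctitle="helper"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')
SPECIAL_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Assumed tuning: setuid programs that legitimately raise euid to 0 for ordinary users.
EXPECTED_SETUID = {"/usr/bin/sudo", "/usr/bin/passwd"}

def parse_audit_line(line):
    """Split one auditd record into a dict of field -> value (quotes stripped)."""
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    match = EVENT_RE.search(line)
    fields["event_id"] = match.group(1) if match else None
    return fields

def evaluate_rules(record):
    """Return the names of the (assumed) rules that fire on one parsed record."""
    hits = []
    if record.get("type") != "SYSCALL" or record.get("syscall") != "59":
        return hits  # only execve records are examined here
    exe = record.get("exe", "")
    if exe.startswith(SPECIAL_DIRS):
        hits.append("exec_from_special_dir")
    if record.get("euid") == "0" and record.get("uid") != "0" and exe not in EXPECTED_SETUID:
        hits.append("privilege_escalation")
    return hits

def alerts_for(lines):
    """Run every rule over every record; return (event id, exe, rule name) tuples."""
    alerts = []
    for line in lines:
        record = parse_audit_line(line)
        for rule in evaluate_rules(record):
            alerts.append((record["event_id"], record.get("exe"), rule))
    return alerts
```

The sudo record is deliberately silent because it is on the allowlist; removing it from EXPECTED_SETUID shows why untuned rules produce noise on ordinary setuid use.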