Software Agents: A Partial Solution to Cybersecurity Threats | Blog | ThreatWarrior

Software Agents: A Partial Solution to Cybersecurity Threats


When we entered the world of cybersecurity a couple of years ago, we considered software agents as a method of delivery for our solution. However, we quickly rejected this approach for a number of reasons and we believe it’s an unsuitable technique for effective cyber defense. But while we see it as flawed, other companies continue to offer these solutions.

What are agent-based solutions?

Basically, a software solution that must be installed on every device that needs protecting. A cybersecurity company creates this type of solution with the intent that their customers will install it on all the devices they care about. These software agents then detect “bad things” happening on that device and notify users of threat events.

It’s not that they are bad solutions, it’s that they are partial solutions. These solutions can only protect machines on which they’ve been installed. But marketing speak makes unaware customers assume they have better protection than they’re really getting. While this approach works for software like antivirus programs and therefore may feel familiar to the buyer, it’s an inadequate approach to protecting a company from cybersecurity threats.

Why did you go with a different approach?

There are a number of serious flaws to this approach. The vendor assumes that all the machines you care about are the ones that they’ve made software agents available for. Of course, these agents exist for devices like desktops and servers. But there are many more devices that can exist with or without your knowledge on your network.

So where are the software agents for these devices? The answer is there aren’t any, and there isn’t a way to install the agents (how would you install on a vending machine? A thermostat?) even if they existed. These devices were never designed to accommodate third-party software being installed on them. Many were never designed with adequate security in mind.

Therefore, they are vulnerabilities – opportunities for exploitation. And if they are compromised, the software agents running on other devices would be oblivious.

Cybersecurity Using the Honor System

Even with the desktop and server software agents, is it reasonable to assume that every device connected to your wifi or plugged into the network outlet has elected to install the software agent? And do you want to take that risk?

How do you know every device that could run the software is running it? How can you enforce that? A bad actor already inside your environment is not going to install an agent on their devices to be compliant with your company policy. Even with automatic policy enforcement using systems like Active Directories’ Group Policy, a bad actor would have to elect to join the domain to have the policy enforced.

Software Agents Use Device Resources (CPU & Memory)

Any installed software agent will consume resources on the device in the form of memory and CPUs. Vendors work hard to explain that their software agents take up little memory and processing power, but of course, that also limits the capabilities of the software to arrive at a perceived acceptable balance. Many also, like every piece of software now, claim machine learning, which is a reach at best. (More on the overuse of terms like machine learning and AI in cybersecurity here.)

Agents Need To Be Trusted

The vendor assumes that its software is bug-free and perfectly secure. But what if it isn’t? This software has privileges to watch everything that happens on a computer. It talks to the internet. Agents get VIP access to the systems they monitor, and that makes them tempting hacking targets all on their own. All it takes is one coding error and the watchdog becomes the inside man.


It’s flawed (and frankly a bit naïve) thinking to assume the IT department in every organization has root/administrator access to every device on the network in a way that would allow them to install a software agent… if one was even available.

Unfortunately, that’s the foundation of this approach to cybersecurity. If a threat occurs via a machine with a software agent installed on it, there’s a chance the agent would detect it. However, there are so many ways to circumvent detection that qualified CISOs would only consider this approach as a complement to other cybersecurity solutions.

This is type of solution can be considered first-generation and has been superseded by next-generation solutions like ThreatWarrior.

You need to be monitoring all traffic flowing over the network to offer real security, and we do this without installing software on any of the network-connected devices. We allow you to observe any device on your network, how they communicate and use data. We enable a pervasive view of your network and deliver the whole picture, and we do it all passively without any impact on your business.

If our advanced cybersecurity seems to fit the bill for your organization, contact us today to see just how powerful ThreatWarrior truly is.

Related Insights