All features The agent

Zero-touch internal monitoring at fleet scale

Deploy once and the SBCMSP Agent reports continuously — per-host scoring, public-IP exposure scanning and identity fingerprints for auto-enrollment.

Get started Run a free scan
324checks / host
Zerotouch enroll
24/7reporting
sbcmsp-agent 324
PER-Per-host scoringPASS
PUBLPublic-IP exposureCHECK
IDENIdentity fingerprintsFAIL
TOKEToken rotationPASS
What it does

Inside the coverage

Per-host scoring

Every endpoint gets its own internal score and trend.

Public-IP exposure

25 port checks on the public IP each agent reports from.

Identity fingerprints

Zero-touch auto-enrollment for new devices.

Token rotation

Force-rotate, move or revoke any agent.

Deploy once, everywhere

One agent, one enrollment flow, every host

The SBCMSP Agent is the product and deployment layer for internal monitoring — you ship one installer, fingerprint-driven auto-enrollment brings the host online, and every agent rolls up to the same per-host scoring, token rotation, and fleet view.

Windows (primary)

The deepest coverage — 324 internal checks across 18 core + 16 advanced modules on Windows endpoints and servers. See the Windows Internal Agent for the full module list.

Also available for Linux & macOS

The same agent ships for Linux and macOS, running cross-platform internal scanning — per-host scoring and public-IP exposure — so mixed fleets report through one console.

Fingerprint auto-enrollment

Identity fingerprints match new hosts to the right client automatically — no per-machine codes to distribute or manage.

Every OS, one console

The same agent runs everywhere your fleet does

Windows, Linux and macOS all run internal compliance checks — not just a per-host score — share one report shape, and every platform supports zero-touch fingerprint auto-enrollment.

Windows

324internal checks · 18 modules

The deepest coverage — workstation and server hardening, Active Directory, patch/CVE, encryption, backup, services and registry. See the Windows Internal Agent for the full module list.

Linux

140internal checks · LNX-001–140

SSH and access control, firewall state, sudo and SUID exposure, disk encryption, brute-force detection and patch posture — the same finding stream as every other host.

macOS

110internal checks · MAC-001–110

Disk encryption, firewall, software-update posture and access controls — cross-platform internal scanning so a Mac in the fleet reports through the same console as everything else.

  • All three run internal compliance checks mapped to your frameworks — not just a per-host score
  • One shared report shape across every OS, so a mixed fleet rolls up to a single fleet view
  • Zero-touch fingerprint auto-enrollment on all three platforms — no per-machine codes
What an external scan can't see

Active Directory & identity attack paths

Run the agent on a domain controller and it walks the same routes an attacker would after a single foothold — the internal identity weaknesses no outside-in scan can ever reach.

AD Certificate Services (ADCS)

Detects enrollee-supplied-subject and permissive-EKU certificate templates — the ESC1, ESC2/ESC3 and ESC6 escalations where any authenticated user can mint a certificate for a Domain Admin and take the whole domain.

Kerberoasting & AS-REP roasting

Flags service accounts carrying SPNs with non-expiring passwords, plus accounts with Kerberos pre-authentication disabled — both crackable offline into valid domain credentials.

KRBTGT / golden-ticket exposure

Surfaces a stale KRBTGT password that leaves golden-ticket forgery possible even after incident response — the persistence backdoor most audits miss entirely.

Known-vulnerable software, per host

Software inventory meets CVE intelligence

The agent inventories the third-party software on every host. The platform matches each product and version against the National Vulnerability Database and raises a finding for what is actually exploitable — not a raw patch list.

Per-host inventory

Every endpoint reports the third-party software and versions it actually has installed — not just the OS build number.

Matched against NVD

Each product and version is looked up against the National Vulnerability Database, then aggregated per host — total CVEs, highest CVSS and a breakdown by severity.

Ranked by real-world risk

Results land as SOFT-* findings in the same Findings and Assignments workflow, ordered by KEV / EPSS so you fix the software attackers are exploiting first.

Beyond the public IP

Network discovery for the whole LAN

Point one agent at a site and it maps the internal network — every live device on the LAN, not just the single public IP the site reports from.

ARP sweep + port fingerprint

Discovers live hosts across every local subnet using an ARP sweep and a targeted port probe — one agent per site, multiple internal ranges supported.

Classifies what it finds

Each device is classified by its open ports and hardware vendor — servers, printers, cameras, VoIP handsets and network gear — into a Discovered Devices table.

Shadow devices surfaced

Unmanaged and unexpected hosts on the LAN show up alongside the endpoints you already monitor — the inventory gap that lets attackers hide in plain sight.

Deploy once, trust it

One signed connector, no per-machine codes

The agent ships as a Universal Connector — one signed binary per tenant, identical on every host. Fingerprint auto-enrollment brings each machine online and the whole token lifecycle is managed from the console.

Signed Universal Connector

A single signed installer per tenant — the same identical binary on every machine, so there are no per-host builds to track or verify.

Fingerprint auto-enrollment

Identity fingerprints match each new host to the right client automatically. Nothing to type on the machine, and no per-machine enrollment codes to distribute or manage.

Managed token lifecycle

Tokens carry a default TTL and rotate themselves before expiry with a grace window — watch the EXPIRES pill turn amber and it is already rotating. Force-rotate, move or revoke any agent from the console at any time.

Self-updating agent

The underlying agent keeps itself current — no manual redeploys, no version drift across the fleet. New checks reach every host on the next run with no operator action required.

Part of one platform

One finding, one fix, one report

SBCMSP Agent is one piece of SBCMSP’s unified loop — every finding is prioritized by real-world risk, paired with AI remediation guidance, mapped to your frameworks and re-verified on the next scan.

  • KEV / EPSS-ranked severity
  • AI remediation guidance
  • Mapped to 10 frameworks
  • White-label client reporting
See the full platform
82
+27 pts
projected after top fixes

Run your first scan free

See a client’s real posture in minutes — then unlock all 1,658 checks.