# Endpoint Agent

The **Lattice Agent** is the foundation of endpoint and cloud security within Secure Lattice. It operates as a **background service**, constantly observing processes, network behavior, and system calls in real time.

#### **Design Philosophy**

Modern organizations operate in heterogeneous environments: Windows servers, Linux containers, developer laptops, cloud workloads, and IoT endpoints. Traditional endpoint detection tools often fail to scale across these environments because of heavy footprints and intrusive scanning methods.

The Lattice Agent solves this by adhering to four core design principles:

* **Lightweight Execution** — Built in Rust for security and low memory overhead (<50 MB typical).
* **Deterministic Performance** — Event processing is handled asynchronously via non-blocking queues.
* **Privacy by Default** — No payload data leaves the device unless specifically permitted.
* **Resilience and Self-Healing** — Each agent maintains cryptographically signed update snapshots to guarantee tamper-resistance.

#### **Functionality and Telemetry**

The Lattice Agent collects *behavioral telemetry*, not content. Key data points include:

* Process lineage (parent/child graphs, execution frequency, privilege use).
* File system mutation rates (especially entropy spikes that suggest encryption or tampering).
* Network egress patterns (burst volume, DNS frequency, and unusual domain entropy).
* Identity telemetry (MFA prompts, privilege escalation events).
* Kernel-level hooks for detecting driver injection or unauthorized system calls.
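Two of the data points above, file-content entropy spikes and unusual domain entropy, rest on the same measurement. The block below is an added illustration, not Secure Lattice's own agent code: it computes Shannon entropy once and applies it to constructed sample file writes and domain names. The thresholds, minimum label length, and sample data are assumptions chosen for the example, not the product's tuning.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data) -> float:
    """Bits of entropy per symbol over a bytes object or a string."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


# Thresholds are assumptions for this example, not Secure Lattice's tuning.
ENCRYPTED_WRITE_BITS = 7.0    # random bytes approach 8.0; text sits near 4-5
GENERATED_LABEL_BITS = 3.4    # dictionary-word labels sit well below this
GENERATED_LABEL_MIN_LEN = 10  # short labels have too few symbols to judge


def flag_encrypted_writes(writes, threshold=ENCRYPTED_WRITE_BITS):
    """Return the names of file writes whose content entropy suggests ciphertext."""
    return [name for name, data in writes if shannon_entropy(data) >= threshold]


def flag_generated_labels(domains, min_len=GENERATED_LABEL_MIN_LEN,
                          threshold=GENERATED_LABEL_BITS):
    """Return domains whose leftmost label looks machine-generated."""
    flagged = []
    for domain in domains:
        label = domain.split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= threshold:
            flagged.append(domain)
    return flagged


def constructed_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy bytes that stand in for an encrypted file (constructed)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha3_512(b"constructed-seed" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample inputs: a plaintext document and its "encrypted" replacement,
# plus three domain names, one with a random-looking leftmost label.
CONSTRUCTED_WRITES = [
    ("report.docx", b"Quarterly report: revenue rose 4% on stable costs.\n" * 80),
    ("report.docx.locked", constructed_ciphertext(4096)),
]
CONSTRUCTED_DOMAINS = [
    "mail.example.com",
    "accounting.example.com",
    "xk3f9qz2wv8lp0.example.net",
]

if __name__ == "__main__":
    print(flag_encrypted_writes(CONSTRUCTED_WRITES))    # ['report.docx.locked']
    print(flag_generated_labels(CONSTRUCTED_DOMAINS))   # ['xk3f9qz2wv8lp0.example.net']
```

Entropy alone is a signal, not a verdict: compressed archives and media files also sit near 8 bits per byte, which is why the page frames the file-system point as a *rate* of mutation, a spike across many writes rather than one high-entropy file.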

All telemetry is hashed locally with SHA3-512, signed with the device keypair, and forwarded through a secure, ephemeral tunnel to the Lattice Core.
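The hash-then-sign step described above is what lets the receiving side reject a record that was altered after it left the device. The block below is an added example, not Secure Lattice's agent or Core code: it canonicalizes a constructed telemetry record, hashes it with SHA3-512, signs the digest, and verifies it on receipt. Because the Python standard library has no public-key signing, an HMAC keyed with a constructed per-device secret stands in for the device keypair signature; the record contents and the key are assumptions.

```python
import hashlib
import hmac
import json

# Constructed per-device secret standing in for the device keypair
# (hypothetical value; a real agent would hold an asymmetric private key).
DEVICE_KEY = b"constructed-device-key-0001"

# Constructed telemetry record in the shape of the behavioral data points
# listed above; not real agent output.
SAMPLE_EVENT = {
    "device_id": "constructed-device-0001",
    "event_type": "process_start",
    "parent": "explorer.exe",
    "child": "powershell.exe",
    "privileged": False,
    "ts": 1700000000,
}


def canonicalize(event: dict) -> bytes:
    """Serialize with sorted keys and no whitespace so the same record always hashes identically."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


def hash_event(event: dict) -> str:
    """SHA3-512 digest of the canonical record, hex encoded (128 characters)."""
    return hashlib.sha3_512(canonicalize(event)).hexdigest()


def sign_digest(digest_hex: str, key: bytes) -> str:
    """Sign the digest. HMAC-SHA3-512 stands in here for the asymmetric device signature."""
    return hmac.new(key, digest_hex.encode("ascii"), hashlib.sha3_512).hexdigest()


def build_envelope(event: dict, key: bytes) -> dict:
    """Agent side: attach digest and signature to the record before forwarding."""
    digest = hash_event(event)
    return {"event": event, "digest": digest, "signature": sign_digest(digest, key)}


def verify_envelope(envelope: dict, key: bytes) -> bool:
    """Receiver side: the digest must match the record and the signature must match the digest."""
    expected_digest = hash_event(envelope["event"])
    if not hmac.compare_digest(expected_digest, envelope["digest"]):
        return False
    expected_sig = sign_digest(envelope["digest"], key)
    return hmac.compare_digest(expected_sig, envelope["signature"])


def tampered_copy(envelope: dict) -> dict:
    """Simulate a log edit in transit: flip the privilege flag without re-signing."""
    copy = json.loads(json.dumps(envelope))
    copy["event"]["privileged"] = not copy["event"]["privileged"]
    return copy


if __name__ == "__main__":
    env = build_envelope(SAMPLE_EVENT, DEVICE_KEY)
    print(verify_envelope(env, DEVICE_KEY))                 # True
    print(verify_envelope(tampered_copy(env), DEVICE_KEY))  # False
```

Canonical serialization matters as much as the hash: if the agent and the Core serialize the same record with different key order or whitespace, every record fails verification even though nothing was tampered with.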

#### **Real-World Example**

A remote worker’s device begins uploading encrypted files to an unknown domain. The Lattice Agent detects a burst of non-standard TLS handshakes and isolates the connection automatically. Within 2 seconds, the AI Engine cross-references the pattern and confirms a potential ransomware exfiltration. The process is terminated locally, while the event hash is anchored on-chain for compliance.

This makes post-incident verification immediate and indisputable, a stark contrast to legacy EDR tools that depend on centralized logs prone to alteration or delay.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://doc.securelattice.net/product-modules/endpoint-agent.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
