Posts on cross-platform kernel-level diagnostics, behavioral security monitoring, AI-powered analysis, and operator-driven privilege elevation
NinjaOne is quote-only. Most MSPs report $2.50 to $4.50 per endpoint per month for core RMM, near $5 to $6 under 50 endpoints and below $2 at 1,000+. Full breakdown and RMM comparison.
Atera publishes per-technician pricing with unlimited endpoints. IT department plans run $149 to $219 per tech per month billed annually, MSP plans about $129 to $209. What is included, what costs extra, and how it compares.
Syncro publishes per-user pricing with unlimited endpoints. Core is $129 per user per month ($107.50 billed annually) and Team is $179 ($149.17 annually), RMM and PSA included. Full breakdown and RMM comparison.
RMMs reach a machine's hardware controller in one of two ways. They integrate a separate Intel management console such as Intel EMA, or they drive Intel AMT from the RMM's own agent and gateway. A factual comparison of what each requires, where provisioning happens, and the control-mode tradeoff.
How ET Ducky reaches business-class hardware below the operating system using the RMM agent already on the host. Covers the proxy-gateway relay model and a native host-based Intel AMT activation stack over the Management Engine Interface (HECI transport, AMTHI, the LME port-forwarding tunnel, and the WS-Man setup call) that configures dormant vPro without an external tool.
ET Ducky manages business-class hardware below the operating system, over Intel AMT, DASH, and IPMI, through a gateway on the local network. Covers the WS-Man discovery probe and what makes a device eligible, firmware-level power and console relayed over a cloud WebSocket, just-in-time credentials, and the dual-role model in which a regular agent serves as the gateway.
The gateway that manages out-of-band hardware also inventories the operating-system hosts on the local network and identifies which are not running the ET Ducky agent. Covers the opt-in, admin-triggered sweep of ping, ARP, and a short TCP port probe, correlation against enrolled agents by MAC and hostname, and the current discovery-only scope.
How ET Ducky finds any third-party application by name. winget and Linux fleet search come first, AI web search finds the official vendor download as a fallback, and fail-closed verification runs before anything deploys.
How the agent hashes each approved application's primary binary on Windows and Linux, how the cloud elects a per-organization trusted reference by agent prevalence rather than arrival order, and how a divergent hash produces exactly one detection. Covers shadow mode, failure semantics, and the limitations of trust on first use.
Two ways to catch malicious behavior from kernel telemetry. Signature and threshold rules match known-bad shapes, and behavioral baselines learn what is normal and flag deviation. How each works, why a per-app fleet baseline complements rules, and the tenant-isolation constraint that shapes the design.
When an application works on one Windows machine and fails on another, the difference is usually environmental. Record what the app touches on a working machine with ETW, diff it against the broken machine, and read the short list of differences. Covers the method and ProcDelta, a free open-source tool that implements it.
The same question, which process owns this connection, is answered very differently on Windows and Linux. A comparison of eBPF syscall tracepoints on Linux and ETW providers on Windows, why process attribution is direct on one and a correlation problem on the other, and what each approach misses.
A reference for the ETW providers that see network activity on Windows. Covers what Microsoft-Windows-Kernel-Network, Microsoft-Windows-TCPIP, and NDIS-PacketCapture each emit, how to attribute an event to a process, and how to correlate a packet back to a connection.
A maintained reference of RMM pricing across eight platforms (NinjaOne, ConnectWise, Datto, Kaseya, Atera, Syncro, Barracuda, and ET Ducky) in one table, with per-device and per-technician rates, pricing transparency, sources, and methodology. Updated quarterly.
Kaseya VSA does not publish pricing. Community-reported rates run $3 to $6 per device per month plus $1,000 to $10,000+ implementation, with the Kaseya 365 bundle around $299 to $399 per technician. Full breakdown and RMM comparison.
Datto RMM is one of the few RMMs with a published base rate, around $2.99 per endpoint per month and billed all-inclusive. Here is what that covers, the mid-2026 move off high-watermark billing, how it relates to Kaseya, and how it compares to six other platforms.
ConnectWise RMM is quote-only across three tiers, community-estimated at $1.50 to $3.50 per agent per month. Here is what each tier includes, what ScreenConnect now bundles, where the add-on costs hide, and how it compares to six other platforms.
A walkthrough of an ET Ducky multi-agent session that diagnosed a host-to-VM ping failure across four machines. It lists the commands it ran, the host and VM configuration it changed, and the verification that confirmed the result.
ET Ducky's diagnostic engine now lets an AI pick ETW providers per round of a live troubleshooting session, captures evidence in a separate session with engine-enforced safety caps, and never ships raw events to the cloud. A walkthrough of the architecture, the two-session isolation model, and why nobody else (that we're aware of) is orchestrating the ETW session layer with an AI in the loop.
ET Ducky's signed remote-desktop helper now crosses the Windows secure-desktop boundary, so technicians can see and click UAC prompts from the browser viewer without anyone at the target machine. A walkthrough of the Windows uiAccess chain and the dual-engine capture path that makes it work.
Four cross-platform behavioral rules cover shadow copy deletion, mass file rename to ransomware extensions, ransom note creation, and cryptominer execution, plus a meta-rule that fires when two or more kill-chain stages occur on the same process within five minutes.
The agent maintains an inventory channel covering installed software, running services, scheduled tasks, kernel modules, listening sockets, and persistence artifacts. It collects a snapshot at boot and every 24 hours on both Linux and Windows, with on-demand refresh from the dashboard.
What ETW is to Windows, eBPF is to Linux. The Linux agent compiles a small set of eBPF programs that attach to scheduler and syscall tracepoints, normalises events into the same shape the Windows agent uses, and feeds the rest of the pipeline unchanged. Same dashboard, same AI live sessions, same behavioral rules.
A walkthrough of the ten cross-platform detection rules that ship with the agent, from suspicious exec chains and mass file access to ransom-note patterns, shadow-copy deletion, and a ransomware kill-chain meta-rule. Same rule definition fires on Windows and Linux.
RDP relay on Windows, Wayland portal or x11vnc on Linux, with H.264 over WebCodecs when the host has hardware encoding available. Bounded resource use on the host, no VPN required, no firewall rules.
The Linux agent installs as an unprivileged user. Privileged actions require an operator password at the moment of the action, captured in an immutable audit row with the operator's identity, source IP, command summary, and exit code.
A side-by-side pricing and feature comparison of ET Ducky, NinjaOne, ConnectWise RMM, Datto RMM, Atera, and Kaseya VSA, with an interactive cost calculator to estimate your monthly spend.
Threat actors signed up for our platform, deployed agents to victim machines, and used our remote shell as a C2 channel to install ScreenConnect RATs across 120+ endpoints. Here's how we caught them, what we built to prevent it, and what every RMM vendor should learn from this.
A practical guide to using Event Tracing for Windows (ETW) to diagnose performance problems, identify root causes, and resolve issues faster than traditional tools allow.
Traditional RMM tools rely on WMI polling and event logs. ETW provides real-time kernel-level telemetry that reveals root causes these tools can't detect.
How AI-powered analysis of ETW telemetry can turn thousands of kernel events into plain-language root cause explanations, replacing hours of manual investigation.