Agentless vs agent-based
What "agent-based" means and why we don't do it
Older cloud security platforms required you to install an agent on every workload. The agent ran inside the VM or as a sidecar in the pod, watched syscalls or files, and shipped findings to the vendor.
Reasons agent-based breaks down at scale:
- Compatibility. Agents have to support every kernel, every OS version, every container runtime. The matrix never converges.
- Stability. Agents crash, agents leak memory, agents fight other security software. Production teams have stories.
- Performance overhead. Even "lightweight" agents consume CPU, memory, and disk on busy nodes. On dense Kubernetes nodes, the cost is non-trivial.
- Maintenance. Agents themselves have CVEs to patch. Rolling out an agent update across a fleet is its own incident-class operation.
- Trust surface. A compromised host can tamper with the agent and silence detections.
How agentless works in Ctadel
| Telemetry source | How we read it |
|---|---|
| Cloud configuration | Read-only API calls (CSPM, KSPM, CIEM) |
| Workload contents | Read-only disk snapshot mounted offline in our scanner |
| Container images | Pulled and analysed in our scanner, never touched on your host |
| Audit logs | Streamed from the cloud's audit-log service |
| Kubernetes state | Read-only API queries against your cluster |
The snapshot is the key part. Every cloud provider exposes an API to take a point-in-time snapshot of a block volume; it is the same mechanism cloud-native backup relies on. Ctadel calls that API, mounts the snapshot read-only in our scanning environment, walks the filesystem, and discards the snapshot when done. Your workload never knows.
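The lifecycle described above (snapshot, mount read-only, walk, discard), as an added example that is not Ctadel's code. The cloud provider's snapshot API is replaced by a local stand-in so the script runs offline: a directory plays the volume and a point-in-time copy plays the snapshot. What the walk collects (per-file digests, world-writable files, a dpkg package list) and the inventory diff that surfaces file changes on the next scheduled scan are assumptions about what a contents scan looks for; the page only says the scanner walks the filesystem.

```python
"""Added example (not Ctadel's code): agentless snapshot-scan lifecycle.
The cloud snapshot API is a local stand-in so this runs offline."""
import hashlib
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path


class LocalSnapshotBackend:
    """Stand-in for a cloud block-volume snapshot API (assumption: a real
    backend wraps the provider's create/attach/delete snapshot calls)."""

    def __init__(self):
        self.live = set()  # snapshot ids not yet discarded

    def create_snapshot(self, volume: Path) -> str:
        snap = tempfile.mkdtemp(prefix="snap-")
        # Point-in-time copy: later writes to the live volume do not reach it.
        shutil.copytree(volume, Path(snap) / "fs", symlinks=True)
        self.live.add(snap)
        return snap

    def mount(self, snapshot_id: str) -> Path:
        # A real backend attaches the snapshot and mounts it with the read-only
        # flag; here the scanner simply never opens anything for writing.
        return Path(snapshot_id) / "fs"

    def delete_snapshot(self, snapshot_id: str) -> None:
        shutil.rmtree(snapshot_id)
        self.live.discard(snapshot_id)


def inventory(root: Path) -> dict:
    """Read-only walk of a mounted snapshot: file digests, world-writable
    regular files and the installed dpkg packages (if the status file exists)."""
    digests, world_writable = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            rel = str(p.relative_to(root))
            digests[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
            if st.st_mode & stat.S_IWOTH:
                world_writable.append(rel)
    packages = {}
    status = root / "var/lib/dpkg/status"
    if status.is_file():
        for stanza in status.read_text().split("\n\n"):
            pkg = re.search(r"^Package: (\S+)", stanza, re.M)
            ver = re.search(r"^Version: (\S+)", stanza, re.M)
            if pkg and ver:
                packages[pkg.group(1)] = ver.group(1)
    return {"digests": digests, "world_writable": sorted(world_writable),
            "packages": packages}


def scan_volume(backend: LocalSnapshotBackend, volume: Path) -> dict:
    """Snapshot -> mount -> walk -> discard. The discard sits in `finally`
    so a crashing scan never leaves a snapshot (and its storage) behind."""
    snap = backend.create_snapshot(volume)
    try:
        return inventory(backend.mount(snap))
    finally:
        backend.delete_snapshot(snap)


def changed_files(previous: dict, current: dict) -> dict:
    """Diff two inventories: file changes show up on the next scan, not live."""
    a, b = previous["digests"], current["digests"]
    return {"added": sorted(set(b) - set(a)),
            "removed": sorted(set(a) - set(b)),
            "modified": sorted(p for p in a.keys() & b.keys() if a[p] != b[p])}


def build_sample_volume() -> Path:
    """Constructed sample workload filesystem (not real data)."""
    vol = Path(tempfile.mkdtemp(prefix="vol-"))
    (vol / "var/lib/dpkg").mkdir(parents=True)
    (vol / "var/lib/dpkg/status").write_text(
        "Package: openssl\nVersion: 3.0.2-0ubuntu1\n\n"
        "Package: curl\nVersion: 7.81.0-1\n")
    (vol / "etc").mkdir()
    (vol / "etc/app.conf").write_text("debug=false\n")
    (vol / "tmp").mkdir()
    (vol / "tmp/drop.sh").write_text("#!/bin/sh\n")
    (vol / "tmp/drop.sh").chmod(0o777)  # world-writable: a finding
    return vol


if __name__ == "__main__":
    backend = LocalSnapshotBackend()
    vol = build_sample_volume()
    day1 = scan_volume(backend, vol)
    (vol / "etc/app.conf").write_text("debug=true\n")  # workload keeps running
    day2 = scan_volume(backend, vol)
    print(day1["packages"], day1["world_writable"])
    print(changed_files(day1, day2), "live snapshots:", backend.live)
```

The `finally` block is the part worth copying: a scanner that fails halfway must still release the snapshot, or orphaned snapshots accumulate in the customer's account. The diff between two daily inventories is also why the trade-off table below lists file-change detection as "on the daily scan" rather than real-time.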
Trade-offs
| | Agentless (Ctadel) | Agent-based |
|---|---|---|
| Coverage | 100% from day one | Partial, depends on team adoption |
| Performance impact on workload | Zero | Non-zero |
| Detect file changes | On the daily scan | Real-time |
| Tamper resistance | Snapshot is independent of host | Host can tamper with agent |
| Tracking agent CVEs | None | Yes |
The single thing agentless cannot do is real-time process-level detection inside the workload. For most cloud-native threats, the cloud audit log, which CDR consumes, provides enough runtime visibility without an agent in the workload.
What's next
- How Ctadel scans, the operational view
- HCR, the most agent-flavoured detector, done agentless
- CDR, runtime detection without a workload agent