The sensor (also called the agent) is the lightweight software component installed on the endpoint that collects telemetry and monitors behaviour in real time, feeding everything the EDR later detects on.
Hooks API calls and system functions, typically by patching the prologues of exported functions in user-mode DLLs such as ntdll.dll with a jump into the sensor's own code, and by registering kernel callbacks (process, thread, image-load, registry and object notifications).
Captures process creation, file access, registry changes, memory injection (cross-process writes, remote thread creation, suspicious allocations), network activity, etc.
Collects events locally and forwards them to the backend/cloud, where correlation and detection logic run.
May run in both user mode (a DLL loaded into every process) and kernel mode (a driver that owns the callbacks and file-system minifilter).
Often built for stealth and resilience: protected service processes, anti-tamper checks and a watchdog that restarts or re-registers the sensor if it is stopped.
Typically the first point of contact for attackers on a compromised host, and therefore the first component they try to blind or disable.
Target of DLL unhooking (restoring the in-memory .text section of a hooked DLL, usually ntdll.dll, from a clean copy read from disk) and API redirection (resolving or re-implementing the needed functions so the hooked export is never called).
Syscall-level evasion (direct or indirect syscalls) executes the syscall instruction with the right service number without ever passing through the patched function prologue, so the sensor's user-mode hook logic is bypassed entirely; only kernel-side telemetry remains.