What we collect.

For every network connection a process on your endpoint opens to the outside world, the agent records the connection metadata — not the connection contents. We never see the bytes you exchanged with the destination.

• Destination IP address and port
• Protocol (tcp / udp)
• Process name and full executable path
• SHA-256 hash of the process binary
• Code-signing publisher (if signed)
• Bytes transmitted / received per session
• Session duration
• TCP retransmission and round-trip-time stats

The mirror of outbound: when something connects TO your machine, the agent records the same five-tuple metadata, plus a flag for whether the local process was a listener (a server waiting for connections) versus an ephemeral socket. Powers the exposure-policy feature.

• Source IP address and port
• Local listener IP, port, and process
• Protocol
• Bytes / duration
• Listener flag

For UDP traffic on port 443 (QUIC), the Windows agent extracts the SNI hostname and ALPN protocol identifier from the unencrypted ClientHello packet. We do not decrypt the session; we read fields the protocol places in the clear by design.

• Server Name Indication (e.g., "google.com")
• ALPN identifier (e.g., "h3", "h2")

When the agent fires low-TTL probes to characterize the network path to a destination (used by Hop Starvation diagnostics and the Sources page), routers along the path return ICMP TTL-exceeded replies. We record the responding-router IPs.

• Router IP address
• Inner destination IP (the target the probe was aimed at)
• Inner TTL value
• Receive timestamp

OS-level network-stack counters polled at heartbeat cadence — totals across the host, not per-connection. Used to detect path-loss versus host-internal problems versus encapsulation overhead.

• TCP segments out, in, retransmitted, with errors
• TCP fast-retransmits, slow-start retransmits, spurious RTOs (Linux)
• UDP packet errors, no-port-listening events
• IP fragmentation / reassembly failures
• Boot-time epoch (for counter-wrap detection)

A daily snapshot of the machine's hardware: what CPU, how much memory, which disks, which network interfaces, which USB devices. Re-collected only when something changes (mtime-gated).

• CPU model name and core counts
• Total RAM
• Disk mount points, sizes, and free space
• Network interface names, MAC addresses, IPv4 / IPv6 addresses
• Default gateway
• USB device vendor / product / serial

The OS family, version, build, and hostname. Identifies the device, locates it in the patch-currency view, and is required for any platform-specific telemetry collector to know which collector to run.

• OS name (Windows / Linux / macOS) and distribution
• OS version, build, kernel
• Machine hostname
• Last boot time
• Locale and timezone

List of installed applications on the machine, from each platform's native source (Windows Registry uninstall keys, macOS .app bundles, Linux package manager).

• Application name
• Version
• Publisher (if available)
• Install date

Pending operating-system updates and reboot-required state. Lets the patch-lag scoreboard show how far behind a fleet is.

• Pending update titles and KB / advisory IDs
• Severity classifications
• Reboot-pending flag

Whether the machine's built-in security features are turned on. Posture only — we don't read AV scan logs or read any keys / passphrases.

• Firewall enabled and provider
• Disk encryption enabled and provider
• Antivirus product names and enabled state
• TPM and Secure Boot status (Windows)
• Local administrator account list

Lightweight performance counters sampled at heartbeat cadence (~once per minute). Costs single-digit milliseconds per sample.

• CPU utilization average since last sample
• RAM and swap usage
• Disk usage per mount point
• Logged-in user count (count only — never names)
• Unix load average (Linux / macOS)

When a binary opens a network connection for the first time, the agent computes its SHA-256 fingerprint. This is identity, not contents — a hash uniquely names a binary if you have the original to compare to, but cannot be reversed back to the binary itself.

• SHA-256 hash of executable file
• File name (basename) and full path
• File size

For each hashed binary, the agent reads the embedded code signature on disk: Authenticode on Windows, codesign on macOS, package signatures on Linux. We extract the publisher name and certificate thumbprint, not the certificate's private key (we couldn't even if we wanted to — only the public chain is on the binary).

• Signer publisher name (Common Name on the certificate)
• Certificate SHA-1 thumbprint
• Signer kind (Authenticode / codesign / dpkg / rpm)
• Repository / package source (Linux)

The DNS servers the host is currently configured to use, plus diagnostic events when the agent's built-in DNS-fallback path activates (if your ISP's DNS resolver fails, the agent falls back to Cloudflare 1.1.1.1 / 1.0.0.1 to keep itself reachable).

• Configured DNS server IP addresses
• DNS fallback events (hostname, error reason, fallback resolver, success/failure, latency)

The agent fetches a global blocklist (D / F-graded IPs from rep + curated public threat-intel feeds + tenant overrides) and pushes those into the host firewall as block rules. We record what the agent applied and any reconciliation results.

• Blocklist version applied
• Number of entries applied / added / removed
• Apply duration
• Per-CIDR attribution (source feed, reason, dispute URL — fetched on demand)

Per-tenant exceptions to the global blocklist — admin-defined "always allow" or "always block" rules, with audit trail.

• CIDR or hostname
• Action (allow / block)
• Note from the admin
• Added-by user
• Added-at timestamp

The agent reports its own errors, warnings, and lifecycle events back to ten over an outbound HTTP backchannel — installs, restarts, self-update outcomes, blocklist refresh problems, anything the agent itself thinks an operator should know.

• Event category (install / lifecycle / runtime)
• Severity (info / warn / error / critical)
• Event source (which subsystem)
• Stable error signature (for de-duplication)
• Throttled message text (≤ 4000 chars, structured)
• Structured details payload
• Agent version at time of event

Tenant admins can issue specific diagnostic commands to a specific agent (e.g., "run a network burst test against this responder," "dump current blocklist state"). Commands are pulled by the agent on its next heartbeat and the result is returned the same way. The set of allowed verbs is hard-coded into the agent — operators cannot run arbitrary code.

• Command verb (from a fixed allowlist: power_diagnostics, wt_burst, etc.)
• Verb-specific arguments
• Result payload
• Status (succeeded / failed)
• Failure reason (if any)
• Issued-by user, issued-at, deadline

The canonical record of every agent in the system: a stable identifier, a hardware-fingerprint-based machine ID for re-enrollment detection, the tenant it belongs to, and lifecycle state.

• Agent ID (server-generated UUID)
• Tenant ID
• Machine ID (stable hardware fingerprint, used to detect re-enrollment of the same physical machine)
• Hostname
• OS / architecture
• Agent software version
• IP address at enrollment time (debugging only)
• Enrolled / first-seen / last-seen timestamps
• Status (active / disabled / retired)
• Per-agent dashboard token (a single-use opaque token that lets a user open /my-device for that specific agent without a login)

Each heartbeat from each agent carries a timestamp, the public IP we observed it from (server-side, not agent-asserted), the agent version, and a status field. The metrics blob inside the heartbeat is everything cataloged in the agent-layer entries above.

• Public IP at heartbeat time (server-observed)
• Agent version (server-confirmed)
• Heartbeat status (healthy / degraded / error)
• Server-side observed-at timestamp

Periodic outbound probes from each agent to a small set of well-known anchor destinations (ten itself, Cloudflare, Google, the configured DNS resolver). Records geolocation and reachability of each anchor over time.

• Reachability flags per anchor (gateway, Cloudflare, Google, DNS)
• Geolocated country / region / city / lat-lon (from public IP at probe time)
• ISP name
• Probed-at timestamp

A daily aggregation of file-hash observations across the customer's fleet. For each unique hash: how many machines run it, what fraction of the fleet, when it was first / last seen, total sessions and bytes, what destinations it talked to, etc.

• Hash + name + signer (mirrors flow data)
• Agent count and active-agent count for the day
• First-seen / last-seen day
• Sessions per 24h, bytes out / in per 24h
• Per-destination cohort (where this binary sent traffic)
• Time-of-day histogram

The customer's organization, its users, their roles, and the permissions matrix. Required to gate access to all the other data in the system.

• Tenant slug, name, lifecycle status, tier
• User email (one per user)
• Per-user role within each tenant (owner / admin / member / staff)
• OAuth identity (provider name + provider-side user ID, when SSO is used)
• Session metadata (login times, IP, browser fingerprint hash)

How we verify users and agents. For password-based logins, we store an Argon2id hash — never the plaintext password. For OAuth-based logins, we store only the provider's opaque user ID, never the user's OAuth access or refresh tokens long-term. For agent / API access, we store hashed bearer keys.

• Password hash (Argon2id, salted, never the plaintext)
• API keys (hashed; the plaintext is shown to the user once at creation and is never persisted)
• Enrollment tokens (single-use, expiring; hashed at rest)
• Per-agent dashboard tokens (UUID; bound to that agent only)

The tier and plan a tenant is on, simulated billing events (today; real billing integration is future), referrals, and the audit trail of any tier changes.

• Subscription tier and plan
• Billing events (tier changes, agent counts, prorated charges — simulated until real PSP integration ships)
• Referral relationships (who referred whom)
• Earnings ledger (referral payouts, in DT-internal accounting)

Conversations a user opens about an agent or a tenant — subject, message bodies, AI-triage output, status. Every inbound message is run through a multi-pattern scrubber before storage that strips PEM key blocks, vendor-specific tokens (GitHub, Slack, AWS, Stripe, Anthropic, etc.), key-value secret fields, database connection strings, HTTP authorization headers, credit cards (Luhn-validated), social-security numbers, email addresses, and high-entropy unstructured strings. The pre-scrub text is never written to disk.

• Ticket subject (≤ 200 chars)
• Message body (post-scrub)
• List of redacted secret kinds (so the UI can show "we stripped 1 credit-card pattern")
• AI triage output (suggested category, priority, action)
• Author kind (user / staff / agent)
• Created-at timestamps and lifecycle state

When an agent is installed (or attempts to install), it phones home with a snapshot of the install outcome — installer version, OS, architecture, success or failure, and any error text from the installer log.

• Installer version
• OS, architecture
• Success or failure flag
• Error text from the installer log (if any)

Rules a tenant defines for their own environment — what destinations to allow / block, what flow patterns to alert on, what processes to flag.

• Rule name, scope, criteria, action
• Alert configuration (notification destinations, severity thresholds)
• Created-by, created-at, last-modified

The authoritative reputation record for every IP rep has investigated. Keyed solely by IP. There is no tenant identifier on this record. One verdict serves every customer who asks about that IP.

• IP address (primary key)
• Letter grade (A+/A/A-/B+/B/B-/C+/C/C-/D/F) and numeric score
• Findings array (blocklist hits, category hits, AI assessment, certificate observations)
• Service identity (name, category — e.g. "Slack", "Cloudflare CDN")
• Reverse DNS, ASN, ISP, organization, hosting-provider flag
• Geolocation (country, region, city, lat / lon)
• TLS certificate details (CN, SAN, issuer, expiry, self-signed flag)
• Domain category tags (e.g. "advertising", "malware-c2", "social-media")
• First-seen, last-analyzed, cached-at, expires-at timestamps

The authoritative reputation record for every file hash rep has investigated. Same anonymity property as the IP cache: keyed solely by hash, no tenant identifier.

• SHA-256 hash (primary key)
• Verdict (signed_trusted / A / B / C / D / F / unknown)
• Numeric score
• Findings array (CVEs, trusted-publisher matches, VirusTotal detections, MalwareBazaar hits)
• Signer metadata (publisher, certificate thumbprint — observed from the first-reporting agent)
• External-DB raw responses (VT and MBZ, cached)
• Sample-name array (e.g., "this hash is normally named chrome.exe; on one machine it appeared as svchost.exe")
• Cached-at, expires-at

When a customer first asks about an IP or hash that rep has not yet investigated, the lookup is queued. The queue records the *first asker* for accountability — but this trail is intentionally not used in the verdict and does not appear on the cached result that other tenants see.

• Lookup target (IP or hash)
• first_requested_by_tenant + first_requested_by_agent (audit trail only)
• Priority, status, attempt count, last error
• Queued-at timestamp

rep mirrors several public threat-intelligence sources locally so it can serve verdicts without per-lookup external API calls. These are bulk imports from upstream sources, not data collected from customers.

• Spamhaus DROP list
• IPsum aggregated feed
• UT1 / Hagezi domain category lists
• MalwareBazaar daily malware-sample mirror
• NSRL local SQLite (NIST known-good corpus, ~12 GB of hashes)

For files not in the local mirrors, rep queries VirusTotal and MalwareBazaar by SHA-256 hash. We never upload binaries. The hash is a 32-byte fingerprint — sufficient to identify the file if you already have the original, but cannot be reversed back to the binary itself.

• SHA-256 hash sent in the lookup query
• Response from the external service, cached locally