User guide Packetman saysThis is the DataStun user guide — your reference for everything from installing your first agent to reading the dashboard and acting on what you find. Start with section one, Getting Started: sign up, verify your email, and install an agent on one device. Data starts appearing in seconds. The guide covers fourteen topics: installing agents on Windows, Linux, macOS, and UniFi gateways; reading the dashboard's seven tabs; understanding security grades from A-plus to F; diving into destination details; identifying exposed infrastructure services; verifying executable reputation; setting alert rules and SIEM export; using the in-app support system; Hop Starvation for distance-based blocking; Advanced Packet Diagnostics for session-level forensics; SIEM integration; host diagnostics including live CPU, RAM, disk gauges and full security posture; and account management. If you have questions while reading, click any Packetman head throughout the guide — or use the in-app help from your dashboard.

1. Getting started

1. Sign up at tenant.datastun.com/signup
2. Check your email for a verification link and click it
3. Log in to see your dashboard
4. Open Agents → Install to mint your first enrollment token
5. Install an agent on at least one device to start collecting data

The Individual tier includes 10 agents and 30 days of history. Data starts appearing on the dashboard within seconds of agent install.

2. Installing agents

Inside the dashboard, head to Agents → Install and choose your platform. Install packages are pre-baked with your enrollment token — no manual API-key copying.

Windows

Download the signed installer from the dashboard and run it with administrator privileges. It installs a background service and a system-tray icon that gives every user on the machine a read-only view of their own device.

Linux

Copy the one-line curl | bash installer from the dashboard. The agent runs as a systemd service, collecting outbound connections via the kernel’s ss interface.

macOS

Download the .pkg installer. The agent runs as a LaunchDaemon with a matching menu-bar status indicator.

UniFi Cloud Gateway

Install directly on a Ubiquiti UCG to attribute traffic for every device on the network — including devices that can’t run their own agent.

All agents auto-update. New security features reach your fleet within hours of release.

3. The dashboard

Seven tabs, each answering a different question.

Overview

Your security posture at a glance: overall grade, grade distribution, top countries your data is travelling to, and online-agent count.

Map

Interactive world map with grade-coloured markers. Filter by grade, country, agent, or time window. Click any marker for full destination analysis.

Agents

Device list with per-device grade, last-seen time, software version, and online/offline status. Click any agent for its individual dashboard.

Addresses

Every destination and every source, sortable by grade, first seen, last seen, or traffic volume.

Alerts

Alert history plus the rule editor. New alerts highlight in the header pill.

Rules

Blocklist-driven blocks, Hop Starvation rules (if the add-on is enabled), flagged destinations, and packet captures.

Tests

Network test harness — latency, throughput, traceroute — between any pair of your agents. Available on Business tier and above.

4. Understanding security grades

Every destination gets a composite 100-point score, translated into a letter grade from A+ to F. The grade factors in:

• TLS — protocol version, cipher strength, forward-secrecy support
• Certificate — chain validity, expiry, self-signed detection, identity transparency
• Geographic risk — high-risk country penalties applied in consultation with regional threat intel
• Hop distance — measured network distance from the calling agent
• Blocklists — industry-leading threat-intel feeds plus curated content-category taxonomies, combined with our own active reputation scoring. Every listing carries source attribution and a dispute path, visible in your authenticated dashboard.

Grades below C− are candidates for Hop Starvation rules if you have the add-on enabled.

5. Destination details

Click any destination to see the full analysis: security grade with breakdown, TLS handshake details, certificate chain, AS owner, reverse DNS, country and city, inbound vs outbound traffic volume, first seen, last seen, and the full list of agents that have contacted it.

From the destination detail page you can flag for review, block at the agent kernel level, add a bounded Hop Starvation rule, or start an Advanced Packet Diagnostics session (if you have credits).

6. Exposed infrastructure services

Some services should stay on your private network or behind a VPN — databases, file shares, admin APIs, message queues, virtualization control planes. The agent carries a catalog of 169 such services across 8 categories (databases, file sharing & storage, directory & auth, remote management, message queues, internal web, virtualization, backup). On every outbound flow the agent checks the destination port/protocol against the catalog; if the destination is a public IP (not inside RFC1918 and not in your tenant’s configured private networks), the flow is tagged.

Critical vs warn

Unambiguous “never on the internet” services — MSSQL 1433, MongoDB 27017, Redis 6379, RDP 3389, SMB 445, and so on — are critical. A match fires an immediate alert to your tenant admins (email, webhook, dashboard badge) the moment the flow is ingested, no 5-minute sweep wait. Services with legitimate internet use — SSH, HTTPS-served admin panels like iLO / iDRAC / vCenter / Grafana — are warn: they show up on the Exposed tab of /my-device and /agents/<id> but don’t page you.

The Exposed tab

Every agent’s detail page has an Exposed tab that lists the last 24 hours of matches for that machine, with the matched service, destination, process executable, PID, flow count, and timing. Admins see a red Block button per row; clicking it adds a per-tenant blocklist override. Every agent on your tenant picks the override up on its next poll (within 60 seconds) and the OS firewall enforces it.

No agent change for older fleets

The catalog is distributed over HTTPS from the tenant platform; agents 0.4.7 and up automatically pick up new services as we add them, with no re-install. Per-tenant blocklist overrides are unioned into the agent’s regular blocklist feed — no separate enforcement primitive to manage.

This is on every tier, free included. It’s a safety feature, not a premium one.

7. Executable reputation & publisher verification

Every outbound session on your devices has a program behind it — the .exe / binary that opened the socket. DataStun has always shown you that program’s path; now it also tells you what that program actually is.

How a binary gets a verdict

When an agent observes a new process opening a network connection, it computes a SHA-256 hash of the executable on disk, extracts the local signing metadata (Authenticode on Windows, codesign on macOS, dpkg / rpm package ownership on Linux), and sends those observations up with the flow. Our reputation pipeline then runs a three-stage investigation:

1. Trusted-publisher shortcut. If the binary is signed by a publisher on our curated trust list — Microsoft, Google, Apple, Adobe, NVIDIA, Valve, Zoom, about 40 in all — and the signature verifies cryptographically, the verdict is signed_trusted. No external database call, zero cost, instant.
2. Curated malware-sample repository lookup. Decisive on known malware — if the hash is on the catalog, the binary is verdict F.
3. Aggregated multi-engine malware-database lookup. 70+ AV engines aggregated, the definitive hash-lookup tier. The verdict maps to letter grades: F when five or more engines flag as malicious, D for two to four, C for one malicious engine or several suspicious, B when the file has been widely scanned and nobody flagged it, unknown when the database has seen the hash but not enough engines agree.

Unknown binaries

About 1–2% of binaries on a typical corporate fleet are unknown — not in any external database, not signed by a trusted publisher. These might be perfectly legitimate internal tools (scripts your devops team built, custom CLIs compiled from source), or they might be novel malware nobody’s catalogued yet. We surface every unknown binary on your tenant’s Executables tab under the Account menu, with its name, short hash, signer info, and the agents that saw it. Tenant admins can review each one and either:

• Ignore it (it’s known-internal — we’ll remember the hash across your fleet).
• Block it — pushes a one-click tenant-scoped block to every agent, enforced at the OS firewall within 60 seconds.
• Upload it to a third-party analyzer of their choice themselves, from their own machine if they want a deep analysis.

Why we don’t upload your binaries

Hash-only, never the file. Our code has no upload path to any third-party analyzer. If we send the SHA-256 and an external service knows the file, we get the verdict; if it doesn’t, we mark the file unknown and move on. The alternative — auto-uploading unknown binaries to a third-party cloud — is a privacy boundary we don’t cross. Some vendors happily ship every unrecognized executable to their analysis cloud as part of the base product; we think that’s the wrong default for a tool that runs on every machine in your fleet. If an admin decides deep analysis is worth the privacy cost on a specific binary, they can drive that upload manually, on purpose, from their own desk, to a service of their choice. That’s a rule hard-coded into the product, not a setting.

Cross-tenant reputation catalog

The verdict for a given hash is the same across every DataStun tenant. Once any customer’s agent first reports chrome.exe and we verify it, every other customer’s chrome.exe is verified too — no redundant lookups, no per-tenant API cost. The reputation database stores only the hash, publisher, and verdict — nothing that identifies which tenant first reported it, and never the contents of the binary.

Rename detection

A hash is identity; a filename is metadata. If a hash has always been seen across the fleet as chrome.exe from Program FilesGoogleChrome and it suddenly shows up on one of your agents as svchost.exe from C:UsersobTemp, that’s a strong rename-attack signal — surfaced on the Executables tab as an also seen as annotation on the row. Same hash, but now DataStun is flagging the weird pattern on your specific machine.

Executable reputation — the per-binary verdict and the per-agent Executables view — is included on every tier; same reasoning as the exposed-services detector, it’s a safety feature, not a premium one. Enterprise tier adds an org-wide rollup on top: which executables appear on what fraction of your fleet, when they first showed up, where they’re drifting (a hash signed by Acme on 95% of your machines is suddenly running unsigned on five), and which devices are the outliers. The base reputation lookup is per-hash and the same for everyone; the analytics layer is what scales with fleet size.

8. Alerts and rules

Set email alerts when specific destinations are accessed, when a new country appears in your traffic profile, when an agent’s overall grade drops, or when an exposed-service match fires. Rules are evaluated every telemetry cycle — typically every 30 seconds. Critical exposed-service matches fire directly from ingest so the notification hits your inbox inside 60 seconds rather than waiting for the sweep.

Block rules run locally on the agent kernel. Alerts never depend on the dashboard being open.

9. Getting help & the support system

DataStun has an in-tenant support system so you never have to re-explain a problem across email chains. The flow has three tiers: end user → tenant admin → DataStun central. AI triage tries first at every level; humans step in when needed.

Opening a ticket (end user)

Click Help… in your DataStun tray icon (Windows today; macOS and Linux next). It opens /support in your browser, authenticated to your specific device. Type a short subject and describe what’s happening. Before your message leaves the machine, DataStun’s secret scrubber strips patterns that look like credit cards, API keys, private-key PEM blocks, password-field values, Basic/Bearer auth headers, and database connection-string passwords. Anything stripped is shown to you as a [REDACTED:<kind>] marker so you know what did and didn’t leave your device.

Every ticket has a globally-unique id

Tickets are numbered DT-XXXXXXXX (eight Crockford-base32 characters). Short enough to read over the phone, globally unique so you can reference one ticket across tenants if support needs to. Your open tickets are listed on your support surface and you can reopen any conversation from there.

AI triage, on by default

Your question goes to an AI assistant trained to emit concise answers with commands you can copy into your own elevated shell. The AI never runs anything on your machine — every command is text you review and execute yourself. If the AI can’t solve your problem, or you already know it won’t, click Skip AI, send to admin on any message to route straight to your tenant admin.

Escalation to tenant admin

Click Escalate in the ticket thread. The entire conversation — including everything the AI tried — becomes visible in your tenant admin’s support inbox. Admins get an email ping with the ticket ID, your agent name, and a link to the admin console. Replies from the admin appear back on your /support surface.

The admin inbox

For tenant owners and admins, the inbox lives at account menu → Support inbox. Every admin on your tenant sees every conversation — no per-admin claims, no assignment, last-write-wins on replies. Filter by status (open / escalated / resolved), click into a thread, reply in the same composer, or mark resolved when you’re done. An amber topbar pill appears across the dashboard whenever there’s an escalated conversation waiting on an admin reply, so you don’t miss one.

Identity & privacy

Support conversations are scoped to agents (at the endpoint) and tenants (at the admin level) — never to individual email addresses or person names. Messages carry agent names (e.g. PAPA-BEAR-LAPTOP) and tenant names (e.g. Acme Corp). The goal is to keep support scope focused on the machines and the tenants, not the humans.

DataStun central support

DataStun only corresponds with admins. Non-admin end users flow to their tenant admin; the tenant admin is the one who reaches us if central support is needed. This keeps the communications line simple and keeps your tenant’s escalation policy intact.

10. Hop Starvation

Hop Starvation is a per-agent add-on that enables TTL-based packet lifetime enforcement. Enable it per-agent from the fleet dashboard. Each protected agent then exposes three zones in Rules → Hop Starvation:

• Data Center — TTL 1–2, reaches local switches and nothing else
• Organisation — TTL 3–5, reaches campus-wide resources
• Bounded Internet — TTL 10–20, reaches specific external endpoints via bounded exceptions

See the Hop Starvation marketing page for more detail.

11. Advanced Packet Diagnostics (APD)

APD credits let you capture up to 10,000 packets on any destination IP from any agent — Windows, macOS, Linux, or gateway. Packet contents are captured headers-only by default; full-packet capture can be enabled per-session for your own infrastructure.

One credit = one diagnostic session. Credits don’t expire. Download .pcap files directly from the Rules & Actions dashboard for analysis in Wireshark.

12. SIEM integration

Available on Business tier and above. Export alerts, destination records, and agent events to:

• Syslog over TCP or UDP
• Webhook POSTed as JSON with HMAC signature
• Email digest with customisable frequency

Configure destinations in Settings → Integrations.

13. Host diagnostics

The Host tab on any agent's detail page gives you an endpoint inventory view — the same data enterprise tools like CrowdStrike, MDE, and Tanium collect, built into the agent you're already running. Requires agent 0.5.21 or later; agents update automatically.

Live gauges

Three stat cards at the top of the Host tab refresh on every heartbeat (about every 60 seconds): CPU utilization as a percentage of all cores, RAM in use (physical RAM in use as a fraction of installed — defined as total minus what the kernel says is available without swapping), and primary disk fill at / on Linux/macOS or C: on Windows. Colors follow a simple threshold: green below 75%, amber at 75–90%, red above 90%.

The Hardware card also shows load average (1m / 5m / 15m), swap total, and logged-in user count when available.

Identity and hardware

The Identity card shows hostname, OS name and version, kernel build string, architecture, last boot time, uptime, and both the running agent version (what the heartbeat reports — tracks the latest self-update) and the installed agent version (what the OS package manager recorded at install time). These two versions legitimately diverge after a self-update — the note "self-updated since install" is normal, not an error.

The Hardware card shows CPU model, logical and physical core count, and installed RAM.

Network interfaces

Every active NIC the OS exposes (loopback excluded) is listed with its IPv4 addresses, IPv6 addresses, MAC address, and link status. Default gateways for IPv4 and IPv6 are shown above the table.

Security posture

The Security posture card shows:

• Disk encryption — BitLocker (Windows), LUKS (Linux), FileVault (macOS)
• Host firewall — Windows Firewall, ufw/iptables (Linux), pf (macOS)
• TPM — presence and version (Windows; not exposed cheaply on Linux/macOS)
• Secure Boot — enabled or disabled (Windows)
• Antivirus — registered AV products with real-time protection state. Defender is detected via registry; third-party products via Windows Security Center. Not available on Linux/macOS.
• Local admins — members of the local Administrators group at snapshot time
• Pending updates — count of OS updates waiting to install
• Reboot pending — whether the OS is waiting for a restart to apply changes

Fields show "—" or "not reported" when the OS doesn't expose that signal cheaply — this is accurate, not an error. No field defaults an absence of data to a failed-check state.

Power plan (Windows)

The Power card appears on Windows agents only. It shows the active power scheme name and GUID, the sleep mode (Traditional S3 vs Modern Standby / S0ix), the sleep-after-AC timeout, and hibernate state. Modern Standby is the most important field for diagnosing heartbeat gaps: S0ix machines suspend the agent service when the lid closes or the idle timer fires, causing gaps in heartbeat history that look like crashes but are actually sleep cycles.

Installed software

A collapsible table of user-visible applications, filtered to exclude OS plumbing, libraries, and fonts. Collection method per platform:

• Windows — Uninstall registry keys in HKLMSoftwareMicrosoftWindowsCurrentVersionUninstall and the equivalent HKCU path. Never Win32_Product, which triggers an MSI self-heal scan and burns CPU for minutes.
• Linux — dpkg/apt package list with auto-installed dependencies excluded
• macOS — /Applications/*.app/Contents/Info.plist scan

USB devices

Every USB device the OS reports as attached at snapshot time, with VID:PID, vendor name, product name, and serial number where the OS provides them. The snapshot refreshes at most once per 24h — a device unplugged 6 hours ago may still appear.

Snapshot cadence and overhead

Live gauges (CPU, RAM, disk, load, logged-in users) arrive on every heartbeat. The full inventory snapshot (OS, hardware, NICs, USB, installed apps, security posture) is read at most once per 24h and only resent when its content hash changes. A steady machine with no software installs or network changes adds essentially zero overhead per heartbeat beyond the live gauges.

14. Account management

Change your password, enable two-factor authentication, manage API keys, and configure tenancy from Settings → Account. If you manage multiple tenants (MSSP), use the header dropdown to switch between them; the “+ New tenant” button creates a child tenant under your current parent.

To upgrade your tier or change billing details, use Billing → Upgrade. Downgrades take effect immediately; upgrades take effect after payment confirmation.