
Agentless First, Agents When Needed: A Hybrid Approach to Security Telemetry

Security data collection has become a first-class architectural concern for modern SOCs. Once collection is treated as a dedicated layer, separate from analytics and detection, the next question becomes practical: how should telemetry be collected in a way that aligns with this architecture? 

In the previous article, we examined why this shift occurred. Here, we focus on how different collection models (agent-based, agentless, and hybrid) fit into modern security data collection architectures. 

Agent-based collection: depth with operational cost 

Agent-based collection relies on software deployed directly on endpoints, servers, or workloads. Because agents operate locally, they can access detailed system context and capture telemetry that is difficult or impossible to obtain remotely. 

This makes agents well-suited for scenarios that require deep visibility, such as detailed process activity, behavioral telemetry, or environments with limited or unreliable network connectivity. Agents can also provide local buffering and processing, which is valuable in isolated or segmented networks. 

However, these advantages come with operational tradeoffs. At scale, agent-based collection introduces ongoing responsibilities: deployment coordination, version management, compatibility testing, credential handling, and lifecycle maintenance. In regulated or tightly controlled environments, installing and updating software across large fleets can require lengthy approval cycles. 

When agents are treated as the default collection mechanism everywhere, operational complexity often grows faster than the visibility benefits they provide. 

Agentless collection: operational efficiency with natural limits 

Agentless collection takes a different approach. Instead of deploying software on every system, telemetry is gathered using native protocols and remote access mechanisms already present in operating systems, platforms, and devices. 

This model significantly reduces operational overhead. There are fewer components to manage, onboarding is faster, and change management is simpler. Agentless collection is particularly effective in environments where installing third-party software is restricted or slow. 

However, agentless approaches are constrained by what remote interfaces expose. Certain low-level or behavioral signals are difficult to capture without local execution. As a result, agentless collection may not provide sufficient depth in every scenario. 

Agentless models excel at breadth and simplicity, but they are not universally sufficient. 

Why single-model collection strategies fall short 

Historically, many platforms and tools have favored one collection model over the other. Some architectures assume agents everywhere; others avoid agents entirely. In practice, both assumptions create friction. 

Agent-only strategies struggle to scale operationally and introduce unnecessary complexity where deep visibility is not required. Agentless-only strategies simplify operations but can leave gaps in scenarios that demand local context or resilience. 

The problem is not the models themselves, but the expectation that one model should be applied everywhere.

The hybrid collection model as an architectural pattern

As SOCs separate data collection from analytics, a different pattern emerges: hybrid collection, where agentless methods are used by default and agents are deployed selectively where they provide clear additional value. 

In this model, agentless collection handles the majority of telemetry acquisition, providing broad coverage with minimal operational overhead. Agents are reserved for specific use cases: systems that require deep behavioral insight, operate in isolated networks, or benefit from local processing and buffering. 

Hybrid collection is an architectural response to the reality that different systems, environments, and data types have different requirements.

By aligning collection methods with actual needs rather than enforcing a single approach everywhere, SOCs reduce operational friction without sacrificing visibility.

Hybrid collection in modern SOC architectures

Hybrid collection aligns naturally with the broader architectural shift described in this article. When collection is treated as its own layer, different acquisition methods can coexist behind a consistent processing and routing framework. 

From the perspective of downstream analytics platforms, data arrives in a consistent structure, regardless of how it was collected. This allows SOCs to optimize for coverage, cost, and governance without coupling detection logic to collection mechanics. 

Example: implementing hybrid data collection

One example of this hybrid approach in practice is VirtualMetric DataStream. Its architecture is designed to support agentless-first collection while allowing agents to be deployed selectively where deeper visibility or local processing is required. 

DataStream enables agentless collection from operating systems, network devices, cloud platforms, and security tools using native protocols and APIs. This allows SOCs to onboard large parts of their environment quickly, without installing software on every system. 

Where additional depth or resilience is needed, lightweight agents can be introduced to collect detailed telemetry, buffer data locally, or operate in isolated environments. Both agentless and agent-based inputs feed into the same processing layer, where data is normalized, enriched, filtered, and routed consistently. 

Because collection methods are decoupled from downstream destinations, the same telemetry can be prepared once and delivered to multiple platforms, such as SIEMs, data lakes, or long-term archives, without duplicating pipelines or changing collection logic. 
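To make the decoupling described above concrete, here is an added Python sketch of the pattern (illustrative code, not DataStream's own): an agentless syslog path and an agent JSON path are normalized into one schema, and the normalized events are then routed once to several destinations with per-destination filters. The sample log lines, field names, schema and destination names are constructed for this illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample inputs (not real captured data): two BSD-style syslog lines
# pulled remotely from a firewall, and one structured event from a host agent.
AGENTLESS_LINES = [
    "<134>Jan  5 10:15:02 fw01 sshd[1823]: Failed password for admin from 10.0.0.7 port 51122 ssh2",
    "<30>Jan  5 10:16:44 fw01 cron[1901]: (root) CMD (run-parts /etc/cron.hourly)",
]
AGENT_JSON = ('{"ts": "2025-01-05T10:15:09Z", "host": "srv-db-02", "process": "sshd", '
              '"pid": 2201, "event": "auth_failure", "user": "root", "src_ip": "10.0.0.7"}')
SYSLOG_RE = re.compile(r"^<\d+>(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^\[\s]+)\[(\d+)\]: (.*)$")
AUTH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

def normalize_syslog(line, year=2025):
    """Agentless path: parse a syslog line into the common schema (the year is not on the wire)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unrecognized syslog line")
    ts, host, proc, pid, msg = m.groups()
    when = datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")
    event = {"timestamp": when.replace(tzinfo=timezone.utc).isoformat(), "host": host,
             "process": proc, "pid": int(pid), "collection": "agentless",
             "event": "other", "user": None, "src_ip": None, "message": msg}
    auth = AUTH_FAIL_RE.search(msg)
    if auth:  # enrich: lift the security-relevant fields out of the free-text message
        event.update(event="auth_failure", user=auth.group(1), src_ip=auth.group(2))
    return event

def normalize_agent(raw):
    """Agent path: already structured; only field names need mapping onto the schema."""
    rec = json.loads(raw)
    return {"timestamp": rec["ts"].replace("Z", "+00:00"), "host": rec["host"],
            "process": rec["process"], "pid": rec["pid"], "collection": "agent",
            "event": rec["event"], "user": rec.get("user"), "src_ip": rec.get("src_ip"),
            "message": None}

# Destinations see only the normalized stream; how an event was collected is irrelevant here.
ROUTES = {
    "siem": lambda e: e["event"] == "auth_failure",  # detection-relevant events only
    "lake": lambda e: True,                           # everything, for hunting
    "archive": lambda e: True,                        # everything, for retention
}

def route(events):
    """Prepare once, deliver to every destination whose predicate accepts the event."""
    return {dest: [e for e in events if keep(e)] for dest, keep in ROUTES.items()}

def run_pipeline():
    events = [normalize_syslog(l) for l in AGENTLESS_LINES] + [normalize_agent(AGENT_JSON)]
    return route(events)
```

Adding a new destination or changing a filter touches only `ROUTES`; neither collector path changes, which is the decoupling the paragraph describes.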

This architecture illustrates how hybrid collection can be applied without forcing a single model everywhere, while preserving control over data quality, cost, and governance.

Applying hybrid collection at scale 

Hybrid collection defines how telemetry should be gathered. The remaining question is how this model is implemented in practice without reintroducing operational or governance tradeoffs. 

In the next article, we examine the VirtualMetric DataStream architecture in detail, focusing on how hybrid collection is realized through local processing, centralized control, and scalable routing across modern SOC environments.
