Every endpoint.
A moving target.
PacketViper’s AMTD Agent deploys rotating deceptive responders on every Windows and Linux host. The same doctrine that stops attacks at the network edge — now running inside the endpoint itself.
The attacker cannot map what keeps changing.
The attacker who gets past the edge still needs to map the inside.
Phishing, supply-chain compromise, stolen credentials — every one of them lands an attacker on an endpoint. From there, they map. They scan. They fingerprint what’s running on adjacent hosts before they move. That reconnaissance phase has always been invisible to defenders.
PacketViper appliances already make the network edge a moving target. The AMTD Agent makes the host itself one.
Three things. All of them happen in the background.
Surveys and rotates
Every minute, the agent discovers which ports are free on that specific host. It binds rotating decoys — high-fidelity protocol emulators and fast-accept sentries — drawn from a 250-port attacker-target library. The surface changes continuously. No two endpoints look the same. No endpoint looks the same minute to minute.
Captures with full attribution
When anything connects to a decoy port, the agent records the source IP, the process that opened the connection, the user who owned that process, the bytes exchanged, and the credentials offered. Every probe leaves a complete forensic record — including offered usernames and passwords captured in plaintext, because they are intelligence, not real credentials.
Coordinates as a hive
Every agent reports to the manager. The manager sees the whole fleet. When the same credential pair appears on five hosts in nine minutes, that is a credential spray campaign — and the hive surfaces it as one event, not five tickets. When one host is scanned, the hive reshapes the deception surface across every other host before the attacker finishes reading the first result.
AMTD Agent — live walkthrough
Endpoint Defense Demo
Hive Intelligence and Fleet Coordination
Detection looks backward. AMTD looks forward.
EDR is built on a sound idea: watch behavior on the host, recognize the shape of badness, alert. That model has one structural problem — it engages after the attacker has already landed. The AMTD Agent engages during reconnaissance, weeks earlier, before anything bad has happened.
| Capability | EDR (CrowdStrike / SentinelOne) | PacketViper AMTD Agent |
|---|---|---|
| When it engages | After compromise begins | During reconnaissance — before exploit |
| What it catches | Malicious behavior (recognizable) | Any probe — unauthorized by construction |
| False positive rate | Behavioral models create noise | Zero — decoy contact is unauthorized by definition |
| Attack surface | Static — same surface every day | Moving — reshapes every 30 to 90 seconds |
| Fleet coordination | Cloud-side correlation, after the fact | Hive — real-time, reshapes across all endpoints |
| Kernel driver required | Yes | No — single userland binary |
| OT safe | OT installs unsupported / risky | Windows and Linux IT hosts only — OT layer untouched |
| Data sovereignty | Cloud only | Customer choice — on-prem or hosted |
The two are complementary. EDR catches the attacker who gets past the moving target. AMTD ensures very few attackers get that far.
One binary. Two SKUs. Customer decides where the data lives.
The agent is bit-identical in both deployments. The only difference is where the manager runs.
Federation Agent
For organizations that already own a PacketViper Federation Manager — or are buying one. Endpoint telemetry stays on your appliance. Never leaves your network.
- On-premises manager — data sovereignty guaranteed
- Same console as your network AMTD deployment
- 5 seats included with every FM appliance
- DoD, HIPAA, GDPR, NERC CIP, CMMC ready
- mTLS enrollment — per-fleet client certificate
Best for: Federal agencies, critical infrastructure, healthcare, finance, any organization where the answer to “where does the telemetry live?” must be “on our appliance.”
AMTD Portal Agent
For organizations that want endpoint AMTD without an appliance. Public sign-up. Self-service. Defended in under five minutes.
- PacketViper-hosted SaaS at amtd.packetviper.com
- Same agent binary — full capability, no compromises
- Sign up, download, install — under 5 minutes
- MSP-friendly — multi-tenant, per-customer isolation
- Upgrade path to on-prem when ready
Best for: SMB, MSPs, remote-workforce organizations, cloud-native shops, and anyone who wants AMTD on the endpoint without buying hardware first.
What happens when one of your own endpoints is compromised?
A compromised workstation is still a trusted member of the hive. Its IP is known. It can reach its peers. If an attacker uses it to probe other endpoints, most platforms treat that probe the same as any external scan.
PacketViper doesn’t. When a hive member’s decoy receives a connection from another hive member’s IP, that is classified as a hive violation — a different event class entirely. A probe from the internet is a stranger trying the door. A probe from a hive member is a trusted occupant going room to room with a crowbar. The response is different.
The hive surfaces the violation immediately. Operators can pre-authorize automatic isolation — the compromised host gets cut off from every other protected endpoint in the fleet, while the rest of the environment keeps running.
Three-Tier Response
1. High-priority dashboard alert with full context. A human decides what to do. Default for all deployments.
2. Violator is flagged fleet-wide. Tray indicator turns red. All events from that host are elevated to high severity.
3. Every other protected endpoint refuses the violator. The compromised host cannot reach any peer. The rest of the fleet keeps running.
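Added example, not PacketViper code: a hive-side correlation pass of the kind described on this page, classifying each decoy contact as an external probe or a hive violation and collapsing one credential pair offered on five hosts within nine minutes into a single campaign record. The event fields, host names, IPs, thresholds and the authorized-scanner allowlist (the organization's own vulnerability and inventory scanners also touch decoy ports) are constructed assumptions, not the product's schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class DecoyEvent:
    ts: datetime        # when the decoy accepted the connection
    host: str           # protected endpoint whose decoy was contacted
    src_ip: str         # where the connection came from
    port: int           # decoy port that was hit
    username: str = ""  # credentials offered to the decoy, empty if none
    password: str = ""

def classify(event, hive_ips, authorized_scanners=frozenset()):
    """Event class for one decoy contact: stranger at the door, or a peer going room to room."""
    if event.src_ip in authorized_scanners:   # assumed allowlist: the org's own scanners hit decoys too
        return "authorized-scan"
    if event.src_ip in hive_ips:              # a fleet member probing another fleet member
        return "hive-violation"
    return "external-probe"

def find_credential_sprays(events, min_hosts=5, window=timedelta(minutes=9)):
    """One campaign record per credential pair seen on >= min_hosts hosts inside `window`."""
    by_pair = {}
    for e in events:
        if e.username:
            by_pair.setdefault((e.username, e.password), []).append(e)
    campaigns = []
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):           # sliding time window over time-ordered events
            while evs[end].ts - evs[start].ts > window:
                start += 1
            hit = evs[start:end + 1]
            hosts = sorted({e.host for e in hit})
            if len(hosts) >= min_hosts:
                campaigns.append({"credential": pair, "hosts": hosts, "sources": sorted({e.src_ip for e in hit}),
                                  "first_seen": hit[0].ts, "last_seen": hit[-1].ts})
                break                         # one event for the fleet, not one ticket per host
    return campaigns

# Constructed sample data: seven hive hosts, one authorized scanner, one pair sprayed at five SMB decoys in eight minutes, one peer probe.
HIVE_IPS = {f"ws-0{i}": f"10.10.1.{10 + i}" for i in range(1, 8)}
AUTHORIZED_SCANNERS = frozenset({"10.10.1.250"})
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_EVENTS = [DecoyEvent(T0 + timedelta(minutes=2 * i), f"ws-0{i + 1}", "203.0.113.7",
                            445, "svc_backup", "Winter2024!") for i in range(5)] + [
    DecoyEvent(T0 + timedelta(minutes=3), "ws-03", HIVE_IPS["ws-07"], 3389),
    DecoyEvent(T0 + timedelta(minutes=4), "ws-02", "10.10.1.250", 22)]
```

Running `find_credential_sprays(SAMPLE_EVENTS)` yields one campaign covering ws-01 through ws-05, while `classify` tags the ws-07 contact as a hive violation and the scanner as authorized.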
Common questions about the AMTD Agent
Does the AMTD Agent replace EDR?
No. The two work at different points in the attack sequence. EDR catches attacks after they land on the host. The AMTD Agent catches reconnaissance before any exploit runs — typically weeks earlier. Most organizations run both. The AMTD Agent reduces the volume of events EDR has to investigate because many attacks never get past the reconnaissance phase.
Does it require a kernel driver?
No. The agent runs entirely in userland — a single signed binary, approximately 30 MB, no kernel module, no signed driver requirement. This keeps the installation lightweight, reduces the blast radius of any software bug, and avoids the EDR-style “one bug bricks the host” risk.
Can it run in OT environments?
The agent runs on Windows and Linux IT hosts only. It does not run on PLCs, RTUs, HMIs, or any embedded OT device. For OT environments, the right deployment is the agent on the engineering workstations and Windows HMI boxes that talk to OT — the documented entry vector for almost every OT compromise — while PacketViper appliances handle the OT layer itself, agentless and non-intrusive.
Where does the telemetry go?
Customer’s choice. Federation Agent customers route telemetry to their on-premises Federation Manager — it never leaves the customer network. Portal Agent customers route to PacketViper’s hosted single-tenant cloud at amtd.packetviper.com. The agent binary is identical in both cases. This is the only endpoint deception product in the market that gives customers a real sovereignty choice.
What operating systems are supported?
Windows (7 and later, Server 2012 R2 and later) and Linux (major distributions with glibc 2.17+, including RHEL/CentOS/Rocky 7+, Ubuntu 18.04+, Debian 10+). The agent is a statically linked Go binary — no runtime dependencies, no library conflicts.
What is the AMTD Portal at amtd.packetviper.com?
amtd.packetviper.com is PacketViper’s public self-service portal for the Portal Agent SKU. Organizations sign up, create a tenant, download a per-tenant installer bundle, and have endpoint AMTD running in under five minutes. No appliance required, no sales call required. MSPs can manage multiple customer tenants from one login.
Two ways in. Same defense.
Start with the Portal — free, five minutes, no hardware. Or add the Federation Agent to your existing PacketViper deployment and get endpoint AMTD on the same console you already run.