Security

The most important things about Arqos are the things it can't do.

Every monitoring vendor says “we take security seriously.” We'd rather show you the architecture. Arqos was designed by starting from the worst day — the day the monitoring company itself gets breached — and removing everything that could hurt you on that day.

What Arqos can't do

01

It can't run commands on your machines.

Most monitoring tools include a remote-control feature — run a script, push an update, open a shell. Arqos has none. Not switched off, not admin-restricted: the agent contains no code that executes instructions from outside. If someone stole every password we have, there would still be no button that touches your servers, because the button doesn't exist.

02

It can't reach into your network.

The agent only ever makes outbound connections — your machines call us, the way your browser calls a website. Nothing in your building listens for Arqos, so there is no door for anyone to knock on. Installing Arqos changes your network's exposure to the outside world by exactly nothing.

03

It can't see your files, keystrokes, or screens.

The agent reads health gauges — processor load, memory and disk fullness, whether the machine is up — and sends those numbers. It has no code to open documents, record typing, or capture screens. Your data isn't protected by a promise in our privacy policy; it's protected by the agent having no way to collect it.

Read-only by architecture, not by policy.

The difference matters. A policy is a setting — and settings can be changed, by a mistake or by an attacker who gets in. An architecture is what the software is physically capable of. Arqos is read-only the second way: there is no privileged mode to unlock and no configuration that turns watching into controlling.

This is why we built Arqos in the first place. In 2021, attackers compromised a popular IT management platform and used its own trusted channel to push ransomware to roughly 1,500 businesses at once. Those businesses did nothing wrong — the tool they trusted to watch their machines was also capable of commanding them. We decided our worst day should be boring: if Arqos is ever breached, the attacker gets read-only health numbers. Not your network.

[Diagram. A typical management tool: metrics go from your machines to the vendor cloud; commands, scripts and updates come back. Breach the cloud → control of every machine. Arqos: health numbers go from your machines to the Arqos cloud; no channel exists in the other direction. Breach the cloud → read-only numbers.]

Verifiable builds

Every agent release ships with a published checksum — a fingerprint — for every file. Before anything runs on your machines, your team can confirm it is byte-for-byte what we built, and that nobody altered it along the way. Code-signed Windows builds are rolling out now.

Friendly with your defenses

Arqos works alongside your antivirus and EDR, not against them. The agent reads standard health counters and doesn't hook into other software, so there's nothing for your security stack to fight — just one small, signed program to allowlist once.

Encrypted in transit

Every report leaves your network the same way your online banking does: encrypted end to end, outbound only, over the standard secure web port. There are no special protocols and no exceptions to request from your firewall team.

None of this asks for your trust. Your IT team can verify every claim on this page — ask us for the technical dossier and we'll send the architecture details, the data schema, and the checksums to check our work against.

Monitoring your insurer will like and your engineers won't dread.

Early access is open to a small number of MSPs and IT teams.
