EDR - Endpoint Detection & Response is a foundational technology. It gives us great visibility as you know.
There are many components to it:
- Endpoint code
- Central management module
- Rule generation (there has to be a team of people generating rules)
- Storage of all the telemetry
- and so on…
It's a personal opinion, so in my view, having the agent code local (it has to be local anyway) but central management and storage in the cloud is the best way architecturally. Of course, respecting data residency issues while providing this cloud, as we do.
Cloud has a cost, especially the storage aspect. Of course it wouldn’t be fair to expect unlimited cloud storage on unlimited endpoints for free.
So the cloud platform Xcitium has provided for running OpenEDR does provide 3 days of FIFO storage for unlimited endpoints for free.
With all that, you get a cloud platform to manage all your devices, and the cloud platform has other bells and whistles as well, like Remote Desktop and so on, and you get 3 days of continuous (FIFO) storage of all your telemetry.
The alternative is: You can always spin up your own ELK for central management, but it is more cumbersome.
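To make the retention trade-off concrete, here is an added example (my own illustration, not OpenEDR or Xcitium code) that simulates a 3-day FIFO telemetry buffer and measures how much of a desired 4-day investigation window has already aged out; the hourly event stream and the `RETENTION` constant are constructed assumptions, not platform values.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=3)  # assumed: the 3-day FIFO window discussed above


class FifoTelemetryStore:
    """Rolling telemetry buffer: the oldest events are evicted as soon as
    they fall outside the retention window, which is what FIFO storage does."""

    def __init__(self, retention=RETENTION):
        self.retention = retention
        self.events = deque()  # (timestamp, event) in arrival order

    def ingest(self, ts, event):
        self.events.append((ts, event))
        self._evict(now=ts)

    def _evict(self, now):
        cutoff = now - self.retention
        while self.events and self.events[0][0] < cutoff:
            self.events.popleft()

    def oldest(self):
        return self.events[0][0] if self.events else None

    def lookback_gap(self, now, lookback):
        """How much of a wanted investigation window is already gone.
        Returns a zero timedelta when the buffer still covers all of it."""
        self._evict(now)
        oldest = self.oldest()
        if oldest is None:
            return lookback
        return max(oldest - (now - lookback), timedelta(0))


def simulate():
    """Constructed sample: one process-start event per hour for 5 days,
    then an investigation on day 5 that wants 4 days of history."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = FifoTelemetryStore()
    for h in range(5 * 24):
        ts = t0 + timedelta(hours=h)
        store.ingest(ts, {"host": "ws-01", "event": "process_start", "seq": h})
    now = t0 + timedelta(days=5)
    gap = store.lookback_gap(now, timedelta(days=4))
    return {
        "events_retained": len(store.events),          # 72 = exactly 3 days of hourly events
        "gap_hours": gap / timedelta(hours=1),         # 24.0 hours of the 4-day window are lost
    }
```

If your investigations routinely need more than 72 hours of history, forward the telemetry into longer-term storage, such as the self-hosted ELK mentioned above, before it ages out of the FIFO buffer.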
When it comes to helping the community
Cybercrime is a global issue; it takes a village to raise kids, as the saying goes. Fighting cybercrime and cyber warfare should be a community effort. We believe in win-win situations, like creating accessible foundational technology such as EDR so that people who are not in a position to pay those high license fees can have access to the technology, as well as providing an environment for the community and sponsors to benefit… a win-win for everyone!