Most enterprise access systems collect information about the device only at the moment of connection: IP, OS name, maybe a TLS fingerprint, maybe an MDM token. After that, the data is never touched. Across a session that lasts hours, it is assumed the device state has not changed — that no patches have been applied or skipped, that the EDR agent has not stopped, that no new software has been installed, that no USB drive has been plugged in.
That assumption does not match modern attack models. A device can be compromised after the session opens, EDR can be stopped, malicious software can be installed, configuration can be changed. The classic system does not see this — because it never looks again.
Continuous telemetry breaks that model. Telemetry from the device is collected on a schedule — seconds or minutes apart — state changes are recorded, and policy is triggered when thresholds are crossed.
The TR7 ETM agent measures the device's internal state continuously and shares it live with the rest of the TR7 stack.
The ETM agent is delivered at full capability for Windows, macOS, and Linux. Operations teams don't have to manage different toolchains for different operating systems; the entire device estate is observed from a single platform.
The agent collects telemetry on configured intervals — from seconds to minutes depending on sector and risk level. Data is correlated over time; a state change is interpreted as an event, not just a snapshot.
Software inventory, running processes, open ports, configuration files, certificate stores, local user accounts, hardware inventory, disk encryption, network interfaces, security agent state, registry/system keys, system event logs — dozens of data categories under one agent.
When defined thresholds are crossed, when a critical configuration changes, or when an unexpected process starts, ETM emits an event. AAM can bind that event to an access decision, send it to SIEM, or raise an operator alert.
Continuous telemetry is not just data collection; it is a live visibility layer that ties data to access and operational decisions.
Installed software, version, vendor, and install timestamp are tracked continuously. Unauthorized installs, outdated versions, and applications outside the approved inventory become visible through ETM. License compliance and security policy compliance feed from the same data.
Configuration settings that change after the device has been brought in line with security policy — local firewall rules, authorization files, audit policies, registry/plist edits — are tracked continuously. Drift from baseline can translate into an access decision or operator alert.
Disk SMART data, memory error counts, CPU temperature, and network interface errors are measured continuously. Hardware issues are signaled to operations before they degrade user experience; intervention happens before the failure surfaces.
The state of EDR, antivirus, host firewall, and DLP agents on the device is monitored continuously. Termination, disabling, or hanging of these agents reaches ETM as an instant event. AAM treats this as a first-class signal for access decisions.
The encryption state of the system disk and secondary drives is visible. Status from platform-native disk encryption (across Windows, macOS, Linux) is normalized by ETM into a single policy input. Disabling encryption is caught immediately.
Changes in device certificate stores — new trusted root certificate, tampering-related signing events — are recorded continuously. This telemetry is particularly valuable for detecting TLS interception and stealth proxy installations.
New local user creation, addition of an existing account to the admin group, and changes in password policy are part of the telemetry. Changes to the device's authorization surface don't slip past organizational control.
Active network interfaces, IP configurations, DNS server assignments, default route, and VPN tunnel state are measured continuously. An unexpected tunnel, an unusual DNS assignment, or simultaneous access from two networks becomes visible through ETM.
Process tree, start time, parent process relationships, and open network ports on the device are recorded. The start of an anomalous service or an unexpected port going into listen mode appears as an event.
Data from three different operating systems is normalized into a single data model. Operators don't have to write separate queries for Windows and Linux; the same policy applies across the device estate.
Continuous telemetry is not just a technical capability; it is a full operational model for data retention, consumption, and decision integration.
Each data category can have its own collection interval. Critical categories — security agent state, disk encryption — at seconds; low-intensity categories — software inventory — hourly or daily. Operations decides the balance based on device and network load.
Telemetry is not only stored; thresholds for state changes can be defined. When the EDR agent stops, when a new user is added to the admin group, or when disk encryption is disabled, ETM emits an event.
When telemetry is fed to AAM, a device's trust level is continuously updated. For a device whose state deteriorates after login, AAM can request additional MFA or terminate the session.
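The threshold events and trust update described above can be sketched as a diff over consecutive snapshots. This is an added example, not TR7 code: the snapshot fields, event names, policy mapping and the `max_gap` staleness check are assumptions made for illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Snapshot:                  # hypothetical normalized fields, not ETM's schema
    ts: int                      # collection time in seconds since session start
    edr_running: bool
    disk_encrypted: bool
    local_admins: frozenset
    trusted_roots: frozenset     # certificate fingerprints (constructed labels)

SEVERITY = ["allow", "step_up_mfa", "suspend_session", "block"]
POLICY = {                       # assumed policy: event name -> access action
    "telemetry_gap": "step_up_mfa", "admin_added": "step_up_mfa",
    "trusted_root_added": "step_up_mfa", "edr_stopped": "suspend_session",
    "disk_encryption_disabled": "block",
}

def diff_events(prev, cur, max_gap=60):
    """Interpret two consecutive snapshots as state-change events."""
    events = []
    if cur.ts - prev.ts > max_gap:           # silence is a signal, not "healthy"
        events.append(("telemetry_gap", cur.ts - prev.ts))
    if prev.edr_running and not cur.edr_running:
        events.append(("edr_stopped", None))
    if prev.disk_encrypted and not cur.disk_encrypted:
        events.append(("disk_encryption_disabled", None))
    events += [("admin_added", u) for u in sorted(cur.local_admins - prev.local_admins)]
    events += [("trusted_root_added", f) for f in sorted(cur.trusted_roots - prev.trusted_roots)]
    return events

def decide(events):
    """Return the most severe action that any event maps to."""
    actions = [POLICY.get(name, "allow") for name, _ in events]
    return max(actions, key=SEVERITY.index, default="allow")

def evaluate_session(snapshots, max_gap=60):
    # Replay a session and return (ts, events, action) for each change.
    out = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        events = diff_events(prev, cur, max_gap)
        if events:
            out.append((cur.ts, events, decide(events)))
    return out

A, B, R = frozenset({"itadmin"}), frozenset({"itadmin", "tmpuser"}), frozenset({"root-a"})
SESSION = [                      # constructed sample: device is clean at login
    Snapshot(0, True, True, A, R), Snapshot(30, True, True, A, R),
    Snapshot(60, True, True, B, R), Snapshot(210, False, True, B, R | {"root-b"}),
]
```

A connect-time check sees only the first snapshot and allows the session; replaying `SESSION` through `evaluate_session` surfaces the later admin addition and the stopped EDR agent.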
Telemetry can be streamed to SIEM in raw or event form. Streams are available to enterprise SIEM platforms for long-term retention. Event correlation can run alongside application access events.
Which data categories are collected and at what granularity is governed by policy. Avoidance of over-collection, masking of fields containing personal data, and capped retention are configurable. The configuration matches GDPR, sectoral regulators, and internal compliance frameworks.
The telemetry collection and evaluation layer scales to manage tens of thousands of endpoints from a single TR7 cluster. Storage, query, and retrospective inspection planning follow data volume.
A device that is secure at login becomes risky if an attacker stops the EDR agent. ETM catches this within seconds. AAM can trigger step-up MFA, suspend the session, or apply a full block.
When a user accessing finance or health data plugs in a new USB drive mid-session, ETM surfaces it as an event. Depending on policy, additional data-copy controls activate or an operator alert is raised.
Adding a new certificate to a device's trusted roots can indicate TLS interception. ETM records this change as a live event; the security team can investigate, or the device can be moved to an at-risk class.
Unapproved, unlicensed, or outdated applications outside the approved inventory are continuously reported. Operations plans patches against the real inventory; audit processes have a ready evidence chain.