Opservant is the lightweight on-premises agent for the S4E Continuous AI-Based Security Operations platform. It is deployed inside customer networks to perform internal asset discovery, vulnerability scanning of private infrastructure, and local action execution - all without requiring inbound firewall rules or VPN tunnels.

Purpose

Organizations often operate mixed environments where critical assets sit behind firewalls, in segmented VLANs, or inside air-gapped networks that cloud-based scanners cannot reach. Opservant bridges this gap by running directly within those environments and relaying results back to the S4E platform over a secure outbound connection.

Key goals of the agent:

  • Eliminate inbound exposure. The agent initiates all communication; no listening ports are opened on the customer network.
  • Extend platform visibility. Assets that are invisible to external scanners become first-class citizens in the S4E asset inventory.
  • Enable local remediation. The agent can execute approved actions - patch verification, configuration checks, service restarts - without human SSH access.

Architecture

Opservant follows an outbound-only communication model. On startup the agent establishes a persistent WebSocket channel to the S4E platform over TLS (WSS on port 443). All task assignments, heartbeat checks, and result uploads flow through this single channel.

+-----------------+              +-------------------+
|  Customer       |   WSS/443   |  S4E Platform     |
|  Network        | ----------> |  (Cloud / On-Prem)|
|                 |             |                   |
|  [Opservant]    | <---------- |  Task Scheduler   |
|    |            |  commands   |  Result Ingester  |
|    +-- Executors|             +-------------------+
+-----------------+

Note

The agent never accepts inbound connections. If the WebSocket channel drops, the agent reconnects with exponential backoff and resumes pending work automatically.
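The reconnect behaviour described in this note, shown as an added Go example that is not Opservant's own code. The policy values, the jitter fraction, and the simulated dial failures are constructed for the illustration; the page only states that reconnection uses exponential backoff.

```go
package main

import (
	"errors"
	"fmt"
	"math/rand"
	"time"
)

// BackoffPolicy is the reconnect schedule: the wait doubles after each failed
// dial and is capped at Max. Jitter is a fraction (0.2 means +/-20%) that
// spreads retries so a fleet of agents recovering from the same outage does
// not reconnect to the platform in lock-step.
type BackoffPolicy struct {
	Base   time.Duration
	Max    time.Duration
	Jitter float64
}

// Delay returns the wait before retry number attempt (0-based). unit must
// yield values in [0,1); it is injected so the schedule can be tested
// deterministically. Pass nil to disable jitter.
func (p BackoffPolicy) Delay(attempt int, unit func() float64) time.Duration {
	d := p.Base
	for i := 0; i < attempt && d < p.Max; i++ {
		d *= 2 // stopping at Max also prevents overflow on long outages
	}
	if d > p.Max {
		d = p.Max
	}
	if p.Jitter > 0 && unit != nil {
		spread := float64(d) * p.Jitter
		d += time.Duration((unit()*2 - 1) * spread) // uniformly within +/- spread
	}
	return d
}

// Reconnect calls dial until it succeeds or maxAttempts is exhausted, waiting
// Delay between failures. sleep is injected so a test can record the schedule
// instead of waiting. It returns how many dials were made.
func Reconnect(p BackoffPolicy, maxAttempts int, dial func() error,
	sleep func(time.Duration), unit func() float64) (int, error) {
	if maxAttempts <= 0 {
		return 0, errors.New("maxAttempts must be positive")
	}
	var err error
	for attempt := 0; attempt < maxAttempts; attempt++ {
		if err = dial(); err == nil {
			return attempt + 1, nil
		}
		sleep(p.Delay(attempt, unit))
	}
	return maxAttempts, fmt.Errorf("gave up after %d attempts: %w", maxAttempts, err)
}

func main() {
	p := BackoffPolicy{Base: time.Second, Max: 60 * time.Second, Jitter: 0.2}
	rng := rand.New(rand.NewSource(time.Now().UnixNano()))
	failuresLeft := 3 // constructed outage: the first three dials are refused
	dial := func() error {
		if failuresLeft > 0 {
			failuresLeft--
			return errors.New("websocket dial: connection refused")
		}
		return nil
	}
	sleep := func(d time.Duration) {
		fmt.Printf("channel down, retrying in %v\n", d.Round(time.Millisecond))
	}
	n, err := Reconnect(p, 10, dial, sleep, rng.Float64)
	fmt.Printf("connected after %d dials, err=%v\n", n, err)
}
```

The cap matters operationally: without it an agent that has been cut off for hours would wait an unbounded time after the platform comes back. Resuming pending work after the reconnect is possible only because task state is persisted in the State Store described in the component overview, not in memory.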

Component overview

Component         Role
---------------   ------------------------------------------------------------------------
Agent Core        Lifecycle management, heartbeat, reconnection logic
Task Runner       Receives tasks from the platform queue and dispatches them to executors
Executor Engine   Sandboxed runtime for scanning and action plugins
State Store       Local SQLite database that persists task state across restarts
Crypto Module     mTLS handshake, command signature verification, secret decryption

Key Capabilities

Internal network discovery

Opservant performs ARP sweeps, ICMP probes, and passive traffic analysis to build a live map of hosts, open ports, and services on segments it can reach. Discovered assets are automatically synced to the S4E asset inventory.

Vulnerability scanning of private assets

The agent ships with a curated set of scanning executors (port scan, service fingerprint, CVE checks) and can load additional executors on demand. Scan definitions created in the S4E UI are pushed to the agent as tasks.

Local action execution

Beyond scanning, Opservant can run approved remediation or verification actions: checking patch levels, validating TLS certificates, testing DNS resolution, or invoking custom scripts packaged as executors.

Secure command relay

Every command dispatched to the agent is cryptographically signed by the platform. The agent verifies the signature before execution, ensuring that a compromised transport layer cannot inject unauthorized work.

Deployment Scenarios

DMZ scanning

Deploy Opservant in the DMZ segment to scan externally facing hosts from the inside, capturing services and configurations that external scanners miss.

Air-gapped networks with proxy

For environments without direct internet access, configure the agent to route its outbound WebSocket through an HTTP CONNECT proxy. The proxy address is set in the agent configuration file.

proxy:
  http: http://proxy.internal:3128
  https: http://proxy.internal:3128

Multi-site deployments

Each physical site or network segment can run its own Opservant instance. Agents register independently with the platform and are organized into agent groups that map to sites, business units, or security zones.

Tip

Use agent tags (e.g., site:london, env:production) to target scan policies at specific groups of agents from the S4E dashboard.

Agent Lifecycle

  1. Registration - On first launch the agent presents its one-time registration token to the platform. The platform issues a client certificate and assigns a unique agent ID.
  2. Heartbeat - The agent sends a heartbeat every 30 seconds (configurable). The heartbeat includes system metrics (CPU, memory, disk), agent version, and executor inventory.
  3. Task assignment - The platform pushes tasks to the agent over the WebSocket channel. Each task specifies an executor, target scope, parameters, and a deadline.
  4. Execution - The Task Runner dispatches the task to the appropriate executor inside a sandboxed environment.
  5. Result reporting - Results are streamed back to the platform in chunks. Large payloads (e.g., full port-scan output) are compressed and uploaded via HTTPS multipart.
  6. Deregistration - An agent can be deregistered from the platform UI or API, which revokes its certificate and removes it from the fleet.

Warning

If an agent misses heartbeats for more than 5 minutes (default), the platform marks it as offline and raises an alert. Pending tasks are reassigned only if a backup agent is configured for the same group.

Security Model

Opservant is built on a zero-trust foundation:

  • Mutual TLS (mTLS) - Both the agent and the platform authenticate each other using X.509 certificates issued by the S4E internal CA.
  • Signed commands - Every task payload is signed with the platform's Ed25519 key. The agent rejects any unsigned or tampered payload.
  • Least-privilege executors - Each executor declares the permissions it needs (network access, filesystem paths, secret references). The sandbox enforces these declarations at runtime.
  • Ephemeral secrets - Credentials required by executors are fetched from the platform vault just in time and are never written to disk.
  • Tamper-evident audit log - All operations are recorded in an append-only local log that is periodically signed and shipped to the platform for compliance archival.
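The two admission checks described under Secure command relay and in the Signed commands and Least-privilege executors items above (verify the platform's Ed25519 signature first, then refuse anything the executor did not declare), shown as one added Go example. This is illustrative code, not Opservant's implementation: the Task and Envelope field names, the Permissions manifest shape, the executor names and the paths are all assumptions; the page states only that payloads are Ed25519-signed and that executors declare network, filesystem and secret permissions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Task is the work item the platform pushes to the agent; field names are assumptions for this example.
type Task struct {
	ID       string   `json:"id"`
	Executor string   `json:"executor"`
	Targets  []string `json:"targets,omitempty"` // hosts or CIDRs to probe
	Paths    []string `json:"paths,omitempty"`   // filesystem paths to read
	Secrets  []string `json:"secrets,omitempty"` // vault references to fetch
}

// Envelope carries the exact signed bytes; the agent verifies them before decoding, since re-encoding could alter them.
type Envelope struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// Permissions is the allowlist an executor declares when it is packaged.
type Permissions struct {
	Network bool            // may open sockets to Task.Targets
	Paths   []string        // filesystem prefixes it may read
	Secrets map[string]bool // vault references it may request
}

var ErrBadSignature = errors.New("task rejected: platform signature invalid")

// SignTask stands in for the platform so the example runs end to end; the agent itself never holds the signing key.
func SignTask(priv ed25519.PrivateKey, t Task) Envelope {
	payload, _ := json.Marshal(t) // Task holds only strings, so Marshal cannot fail
	return Envelope{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyTask is admission step one: nothing is parsed before the signature check.
func VerifyTask(pub ed25519.PublicKey, env Envelope) (Task, error) {
	var t Task
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return t, ErrBadSignature
	}
	if err := json.Unmarshal(env.Payload, &t); err != nil {
		return t, fmt.Errorf("task rejected: malformed payload: %w", err)
	}
	return t, nil
}

// Authorize is step two: a validly signed task is still refused if it exceeds its executor's declaration.
func Authorize(t Task, registry map[string]Permissions) error {
	perm, ok := registry[t.Executor]
	if !ok {
		return fmt.Errorf("task %s: unknown executor %q", t.ID, t.Executor)
	}
	if len(t.Targets) > 0 && !perm.Network {
		return fmt.Errorf("task %s: executor %q declared no network access", t.ID, t.Executor)
	}
	for _, p := range t.Paths {
		if !pathAllowed(p, perm.Paths) {
			return fmt.Errorf("task %s: path %q is outside the declared paths", t.ID, p)
		}
	}
	for _, s := range t.Secrets {
		if !perm.Secrets[s] {
			return fmt.Errorf("task %s: secret %q was not declared", t.ID, s)
		}
	}
	return nil
}

// pathAllowed cleans the path first so "../" segments cannot escape a declared prefix.
func pathAllowed(p string, prefixes []string) bool {
	clean := filepath.Clean(p)
	for _, pre := range prefixes {
		pre = filepath.Clean(pre)
		if clean == pre || strings.HasPrefix(clean, pre+string(filepath.Separator)) {
			return true
		}
	}
	return false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	registry := map[string]Permissions{"patch-check": {Paths: []string{"/var/lib/dpkg"}}} // constructed manifest
	env := SignTask(priv, Task{ID: "t1", Executor: "patch-check", Paths: []string{"/var/lib/dpkg/status"}})
	t, err := VerifyTask(pub, env)
	fmt.Println("verify:", err, "authorize:", Authorize(t, registry))
	env.Payload[0] ^= 0xff // one byte flipped in transit
	_, err = VerifyTask(pub, env)
	fmt.Println("tampered:", err)
}
```

Two design points carry the security argument. The signature is checked over the raw bytes before any JSON parsing, so a tampered transport never gets to exercise the decoder, which is exactly the property the Secure command relay section claims. And authorization runs after verification, not instead of it: a correctly signed task can still be wrong for this executor (for example a path that normalizes outside the declared prefix), and the sandbox declaration is what bounds the damage of a platform-side mistake.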

Note

Agent binaries are signed with the S4E release key. The auto-updater verifies the binary signature before applying an upgrade, preventing supply-chain attacks on the agent itself.
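The tamper-evident audit log listed under Security Model (an append-only log that is periodically signed and shipped to the platform), shown as an added Go example rather than Opservant's own implementation. The record layout, the hash chain over SHA-256, the checkpoint message format and the sample events are assumptions made for the illustration; the page states only that the log is append-only, periodically signed, and archived by the platform.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Entry is one audit record. PrevHash chains it to its predecessor, so altering or deleting any record changes every hash after it.
type Entry struct {
	Seq      uint64 `json:"seq"`
	Time     string `json:"time"`
	Action   string `json:"action"`
	PrevHash string `json:"prev_hash"`
	Hash     string `json:"hash"`
}

// Checkpoint is what gets shipped to the platform: the newest hash plus an Ed25519 signature over it.
type Checkpoint struct {
	Seq       uint64
	HeadHash  string
	Signature []byte
}

// AuditLog is an in-memory stand-in for the append-only file on disk.
type AuditLog struct{ entries []Entry }

const genesisHash = "0000000000000000000000000000000000000000000000000000000000000000"

// entryHash covers every field except Hash itself; encoding/json emits struct fields in declaration order, so the bytes are stable.
func entryHash(e Entry) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // Entry holds only strings and an integer, so Marshal cannot fail
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append records an action, linking it to the current head.
func (l *AuditLog) Append(action string, now time.Time) Entry {
	prev := genesisHash
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := Entry{Seq: uint64(len(l.entries)), Time: now.UTC().Format(time.RFC3339Nano), Action: action, PrevHash: prev}
	e.Hash = entryHash(e)
	l.entries = append(l.entries, e)
	return e
}

// Entries returns a copy, so callers cannot mutate the log in place.
func (l *AuditLog) Entries() []Entry { return append([]Entry(nil), l.entries...) }

func checkpointMessage(seq uint64, head string) []byte {
	return []byte(fmt.Sprintf("audit-checkpoint|%d|%s", seq, head)) // domain-separated from other signed messages
}

// Checkpoint signs the current head; in the agent this would run periodically and the result be uploaded.
func (l *AuditLog) Checkpoint(priv ed25519.PrivateKey) (Checkpoint, error) {
	if len(l.entries) == 0 {
		return Checkpoint{}, errors.New("audit log is empty")
	}
	head := l.entries[len(l.entries)-1]
	sig := ed25519.Sign(priv, checkpointMessage(head.Seq, head.Hash))
	return Checkpoint{Seq: head.Seq, HeadHash: head.Hash, Signature: sig}, nil
}

// Verify is the platform-side check: walk the chain from genesis, then confirm the log still contains the
// head that was signed. It returns the index of the first broken entry, or -1 when the chain itself is intact.
func Verify(entries []Entry, cp Checkpoint, pub ed25519.PublicKey) (int, error) {
	prev := genesisHash
	for i, e := range entries {
		if e.Seq != uint64(i) || e.PrevHash != prev || entryHash(e) != e.Hash {
			return i, fmt.Errorf("chain broken at entry %d", i)
		}
		prev = e.Hash
	}
	if !ed25519.Verify(pub, checkpointMessage(cp.Seq, cp.HeadHash), cp.Signature) {
		return -1, errors.New("checkpoint signature invalid")
	}
	if int(cp.Seq) >= len(entries) || entries[cp.Seq].Hash != cp.HeadHash {
		return -1, errors.New("log no longer contains the checkpointed head (truncated or rewritten)")
	}
	return -1, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	var audit AuditLog
	for _, a := range []string{"task t1 accepted", "executor started", "task t1 completed"} { // constructed events
		audit.Append(a, time.Now())
	}
	cp, _ := audit.Checkpoint(priv)
	entries := audit.Entries()
	entries[1].Action = "executor skipped" // tamper after the fact
	fmt.Println(Verify(entries, cp, pub))  // 1 chain broken at entry 1
}
```

The chain alone only detects edits that are not followed by recomputing every later hash; a local attacker with write access to the file can rewrite the whole chain consistently. The periodically shipped signed checkpoint is what closes that gap: once the platform holds a checkpoint, any rewrite or truncation of records up to that head is visible to the platform, which is why the page describes signing and shipping together rather than either alone.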