SIEM’s “evil secret”: Agents are not always needed
How agent-based architecture became the status quo - and why it's holding us back
There's a moment in every technological revolution when an outdated solution clings on, persisting well past its expiration date. We've seen it happen with the telegraph and telephone, mainframes and PCs. In the modern security world, that holdout is the notion of endpoint agents - small bits of software quietly installed on laptops and servers. Agents solved yesterday's hardware constraints but are now creating a tangle of costs and complexities for tomorrow's security needs.
Before we dive in, let's be clear: This isn't an overnight shift, and it's not about turning off every agent you own tomorrow. Some use cases still require them. Rather, it's about recognising that the industry is moving toward agentless solutions - and planning a sensible path forward to avoid new blind spots or security holes.
Over the years, I've witnessed a curious phenomenon: even as technology migrates to the cloud, many SIEM vendors cling to archaic endpoint agents. They don't do this solely for your benefit. Often, they do it to offload their own processing burdens onto your systems - a hidden "tax" on your endpoint infrastructure.
In this article, I want to expose why that approach persists, how it quietly drains your resources, and why a cloud-native, agentless SIEM could free you from these burdens - over time, in a measured way.
The early days: How agents became king
Let's step back to the early 2000s, the era of rising compliance standards (SOX, HIPAA, PCI DSS) that required log collection from nearly every network corner. SIEM solutions were often delivered as on-premises hardware or software. Given the physical limits of on-prem servers - finite CPU, RAM, and storage - vendors had to distribute the workload cleverly.
Enter the agent.
Installed on your endpoints, these agent programs parsed logs, normalised them, and prepared them for ingestion before sending them to the central SIEM. It helped circumvent hardware constraints - but also shifted the heavy lifting from the vendor's data center onto your infrastructure.
Consider Walter's cozy coffee shop. One day, a sales rep pitches a magical coffee machine that processes orders faster. The catch? Every customer must install a mini-grinder at home. While Walter spares his shop's machine from extra strain, his customers shoulder the real burden - purchasing, maintaining, and upgrading their own grinders. Sound familiar? That's exactly how agents dominate many legacy SIEM architectures.
The unspoken burden: Hidden costs everywhere
On the surface, agent-based SIEMs can appear innocuous - until you factor in the associated financial and operational burdens:
- Per-endpoint price tag
Maintaining agents on thousands (or even tens of thousands) of endpoints is not a one-click process. Each agent must be continuously patched, monitored, and secured. Multiply this overhead across a sprawling organisation, and both licensing costs and staff time skyrocket.
- Extra CPU, RAM, and storage
Agents take on tasks like ETL (Extract, Transform, Load) directly on each endpoint, consuming additional CPU cycles, memory, and storage. Even an extra 5% overhead on 10,000 endpoints can lead to significant infrastructure upgrades - faster processors, more RAM, and higher-performing storage. This "endpoint tax" adds up fast.
- Endless upkeep
Once you deploy an agent, you enter a perpetual cycle of updates. New OS releases, security patches, or application changes all risk destabilising your agent environment. Security teams can easily find themselves mired in agent maintenance instead of focusing on high-value work like threat hunting or advanced forensics.
The changing landscape: Why cloud-native agentless matters
Despite these headaches, agents have stuck around mostly by inertia. But now that the industry is embracing the cloud, we're no longer bound by the on-prem resource constraints that once justified them. A modern, cloud-native SIEM architecture can:
Centralise data processing
Instead of forcing every laptop or server to handle resource-intensive correlation or normalisation tasks, a scalable data lake in the cloud does the heavy lifting. This drastically reduces the load on your endpoints.
Streamline operations
Removing the agent layer simplifies everything - no more mass updates, version mismatches, or reinstallation marathons after every minor tweak. Operational overhead drops significantly.
Enable rapid deployment & scalability
Expanding coverage with an agent-based solution requires installing more agents, each with its own lifecycle. An agentless, cloud-native SIEM simply uses flexible cloud resources, making "scaling up" almost instantaneous.
A measured approach: Why we're not flipping a switch overnight
Let's be crystal clear: Some enterprises, especially those dealing with highly specialised systems or legacy environments, do still need agents for certain use cases. Likewise, turning off all agents at once can create coverage gaps if not managed carefully. Think of it more as a transition plan - a systematic phasing out of unnecessary agents while keeping security posture intact.
Compliance & future-readiness
Regulatory acts like DORA in the EU and NIST 2 globally are pushing for stronger resiliency and exit strategies in enterprise software deployments. Having an agentless solution can make exiting your current SIEM, data lake, or other technology far more feasible - essentially removing vendor lock-in. This is becoming a "must-have" for modern organisations that value compliance and future flexibility.
Liberate your endpoints: Freedom requires planning
If you're tired of the agent "endpoint tax" but recognise you still need a transitional roadmap - one that won't compromise security in the short term - it's time to explore what an agentless infrastructure looks like for your organisation.
Don't feel pressured to rip and replace overnight, but start planning now. As regulatory demands tighten and technology expands, agentless SIEM is far more than a "nice to have" - it's a logical next step. Liberate your endpoints and let go of the weight of your security workloads to reclaim business and operational efficiency. The future is agentless, and it's closer than you think.