Review Scope
Beacon is designed for endpoint-local collection of supported agent harness activity. During normal collection, supported runtimes send telemetry to a localhost OpenTelemetry receiver or invoke the localbeacon-hooks adapter. Beacon normalizes those signals into endpoint events and writes them to a local JSONL log for local review or customer-controlled forwarding.
Normal hook execution has no Beacon-hosted dependency. The endpoint agent does not require a Beacon-hosted account, remote policy fetch, or external network connection to collect supported local runtime activity.
Review Package
Data flow and threat model
Follow runtime signals from local collection through normalization, storage, dashboard inspection, and optional forwarding.
Data inventory
Review runtime coverage and the event fields Beacon can write when a source provides them.
Redaction and size limits
Review content handling, redaction, sanitization, truncation, and event-size limits.
Endpoint operations
Review paths, permissions, daemon behavior, network behavior, forwarding boundaries, and uninstall behavior.
Security policy
Find the security contact, vulnerability disclosure guidance, and release verification policy.
Endpoint event schema
Inspect the normalized JSONL contract used for Beacon endpoint events.
Default Posture
| Area | Default behavior |
|---|---|
| Collection | Local OpenTelemetry receivers on 127.0.0.1 or local hook adapter execution |
| Storage | Local runtime.jsonl on the endpoint |
| Hosted dependency | None required for normal endpoint collection |
| Forwarding | Optional and customer configured |
| Content handling | Retained local telemetry is subject to redaction, sanitization, truncation, and event-size limits |
| Removal | Endpoint uninstall removes managed service/config files, with explicit flags to keep logs or config |
Related
Beacon architecture
See the endpoint collection, normalization, storage, and forwarding architecture.
For Security & IT Teams
Plan deployment, monitoring, and forwarding workflows.