Managed EDR

It would be extremely helpful if agents that remain unresponsive for a certain period could automatically transition into a non-billable state. We’ve noticed that in co-managed environments where customers handle their own device refresh cycles - devices are sometimes wiped and shelved when a user leaves, but the Huntress agent isn’t uninstalled. This results in continued billing for inactive devices. Ideally, if an agent remains unresponsive beyond a defined threshold, it would be marked as non-billable. Should the device come back online or re-register, billing and protection could automatically resume.

file intregrity motioning and DLP at endpoint

With the increase in activity targeting the root environment of ESXi hosts, we would love to see an ESXi agent.

Nobody wants a data exfiltration, but most of the time data is exfiltrated before encrypted. It would be great to make canary files traceable and unique so that if data is exfiltrated, we could search for leaks on the dark web. That means. Be able to place canary files on targedet locations (example network shares). The canary files should be updated regularly so that it would be possible to identify when data was leaked. Maybe with a reporting functionality as canary tokens? https://canarytokens.org/nest/ That way, you can also find insider threats of trusted people leaking data out on the dark web without encrypting all the files afterwards.

in large environments, it would be great to see clients that does NOT have huntress agent installed. It could be achieved by collecting ARP table from the client. With a treshold of "number of known Huntress agents" seen in network, it could report MAC addresses that is not known by huntress as machines not covered by huntress. example: 1-2 huntress agents mac addresses seen in network = likely to be a home network. for gdpr reasons do not record mac addresses. 10+ huntress agens mac addresses seen, list all mac addresses (mac vendor, hostnames and as much information as possible). This will make it easy to find clients that is not enrolled with RMM, showing the holes in your deployment. Devices as printers, firewalls and switches can be "dismissed" by the admin. Also, when new mac address is seen, give the possibility to report as an incident. This machine "could" very much be a malicious "raspberry pi" device connected to ethernet jack in the lobby, dormant and waiting to take over your network :)

Adding a new ability to detect phishing when a user connects to a fake web page with a spoofed favicon that does not match the Microsoft favicon

Want to be able to set a start date for expected rules so that when a client gives us the start and end date of a trip we can add the schedule in when they tell us instead of having to schedule in to do it on the day they leave.

Would be good to collect the Mac logs into the SIEM its a requirement for some of our clients right now and makes sense to be in Huntress.

The Installer Download link contains the account secret key, but it appears to download the generic installer that prompts the user to enter the Account Key and Organization Key anyway. Would it be possible to embed these details within the installer using the unique download link?

The escalations dashboard would be so much easier to use if I could sort or filter by org, or save a custom view.