Parse/Enrich Syslog for VMware ESXi hosts
under review
Clint Bergman
Hypervisor (and upstream management like vCenter) log storage is required by our compliance auditors. Managed SIEM is ingesting our logs under 'Syslog-Generic', which accomplishes the "keep these for later because you have to and just-in-case". I have to believe that, much like firewall log data, parsing out the data to fields usable in ES|QL will be a benefit for threat hunting / alerting and for retrospective investigations.
Matthiew Morin (Huntress)
I am merging in a post from Managed EDR about an ESXi Agent so those folks can follow along here as well.
While we have seen an uptick in hypervisor-based ransomware cases, the unfortunate reality is that the underlying operating system for ESXi cannot support a 3rd-party agent. From VMware (Broadcom)'s own documentation: "While this approach has several advantages, it also makes ESXi unable to run "off-the-shelf" software, including security tools..."
It is clear, however, that hypervisor-based ransomware is a very real problem. Our approach to addressing this tradecraft is twofold:
First, from a Managed EDR perspective, we are looking into additional ways to figure out if vCenter is being accessed in a suspicious way, as well as identifying more enumeration techniques that indicate the threat actor could be looking for hypervisors.
Second, and the topic of this request, is pulling in ESXi logs into Managed SIEM so that we can monitor for indicators of malicious actors preparing to do something at the hypervisor level. One of the most promising pieces of telemetry that we're looking into is when SSH (or another remote management interface) gets enabled on the hypervisor.
We are continuously looking for new sources of telemetry that can give us a leg up on the bad guys so we can always revisit our approach but right now this is our most promising avenue.
We're actively looking for beta testers who can help by sending logs for us to review and parse. Please reach out to me or Nate if you're interested. nate.obrien@huntresslabs.com / matthiew.morin@huntresslabs.com
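The two things the posts above ask for, ESXi syslog broken out into queryable fields and a hunt for SSH (or the ESXi Shell) being switched on, as an added example. This is not Huntress or VMware code and not part of the original thread. The sample lines are constructed to resemble what an ESXi host forwards to a remote syslog collector (`<PRI>TIMESTAMP HOST APP: MESSAGE`, with hostd's `[Originator@6876 sub=... user=...]` block inside the message); the exact wording of the enable/disable events and service-start messages is assumed and should be verified against your own hostd.log before you alert on it. The ECS-style field names are my choice, picked so the output can be queried directly from ES|QL.

```python
"""Parse ESXi remote-syslog lines into flat ECS-style fields and flag the
events that indicate a remote management interface was enabled.

Added example, not Huntress or VMware code. Sample lines and event wording
are constructed/assumed; tune the rules to what your hosts actually emit.
"""
import re
from typing import Optional

# Constructed sample input in the shape ESXi sends to a syslog collector.
SAMPLE_LOGS = [
    "<166>2024-03-02T09:14:11.102Z esxi01.lab.example Hostd: info hostd[2098888] "
    "[Originator@6876 sub=Vimsvc.ha-eventmgr opID=abc123 user=root] "
    "Event 3145 : SSH access has been enabled.",
    "<166>2024-03-02T09:14:12.004Z esxi01.lab.example Hostd: info hostd[2098888] "
    "[Originator@6876 sub=Hostsvc.ServiceSystem] Service TSM-SSH started",
    "<166>2024-03-02T09:20:40.550Z esxi01.lab.example Hostd: info hostd[2098888] "
    "[Originator@6876 sub=Vimsvc.ha-eventmgr] Event 3146 : SSH access has been disabled.",
    "<14>2024-03-02T09:21:03.000Z esxi01.lab.example vmkernel: "
    "cpu3:2097152)VMFS: 1234: heartbeat renewed",
]

# Syslog header: <PRI>TIMESTAMP HOST APP[PID]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<app>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$"
)
# hostd message body: LEVEL PROC[PID] [Originator@NNNN key=value ...] BODY
HOSTD_RE = re.compile(
    r"^(?P<level>\w+)\s+(?P<proc>\w+)\[(?P<pid>\d+)\]\s+"
    r"\[Originator@\d+\s*(?P<kv>[^\]]*)\]\s*(?P<body>.*)$"
)
# Event record inside the hostd body: "Event 3145 : text"
EVENT_RE = re.compile(r"^Event\s+(?P<id>\d+)\s*:\s*(?P<text>.*)$")

# Message fragments treated as "remote management enabled". Assumed wording.
REMOTE_MGMT_RULES = [
    (re.compile(r"SSH access has been enabled", re.I), "ssh_enabled"),
    (re.compile(r"Service TSM-SSH started", re.I), "ssh_service_started"),
    (re.compile(r"ESXi Shell access has been enabled", re.I), "shell_enabled"),
    (re.compile(r"Service TSM started", re.I), "shell_service_started"),
]


def parse_esxi_syslog(line: str) -> Optional[dict]:
    """Return a flat dict of ECS-style fields, or None if the header is unparseable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    event = {
        "@timestamp": m["ts"],
        "log.syslog.facility.code": pri >> 3,   # PRI = facility*8 + severity
        "log.syslog.severity.code": pri & 7,
        "host.name": m["host"],
        "process.name": m["app"].lower(),
        "message": m["msg"],
    }
    if m["pid"]:
        event["process.pid"] = int(m["pid"])
    h = HOSTD_RE.match(m["msg"])
    if h:  # hostd/vpxd-style body: lift level, subsystem, user and event id
        event["log.level"] = h["level"]
        event["process.name"] = h["proc"]
        event["process.pid"] = int(h["pid"])
        for token in h["kv"].split():
            key, _, value = token.partition("=")
            if key == "sub":
                event["vmware.subsystem"] = value
            elif key == "user":
                event["user.name"] = value
            elif key == "opID":
                event["vmware.op_id"] = value
        ev = EVENT_RE.match(h["body"])
        if ev:
            event["event.code"] = ev["id"]
            event["message"] = ev["text"]
        else:
            event["message"] = h["body"]
    return event


def classify_remote_mgmt(event: dict) -> Optional[str]:
    """Map a parsed event to a remote-management action tag, or None."""
    for pattern, action in REMOTE_MGMT_RULES:
        if pattern.search(event.get("message", "")):
            return action
    return None


def hunt(lines) -> list:
    """Parse every line and return only the events worth alerting on."""
    hits = []
    for line in lines:
        event = parse_esxi_syslog(line)
        if event is None:
            continue
        action = classify_remote_mgmt(event)
        if action:
            event["event.action"] = action
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(f'{hit["@timestamp"]} {hit["host.name"]} user={hit.get("user.name", "?")} '
              f'{hit["event.action"]}: {hit["message"]}')
```

Once the fields are flat like this, the hunt becomes a one-liner in ES|QL (`WHERE event.action == "ssh_enabled"`), and the `user.name` and `vmware.op_id` fields let you pivot from the enable event to the vCenter session that issued it. vmkernel and other non-hostd lines keep only the header fields plus the raw message, which is still enough to retain them for the auditors.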
Matthiew Morin (Huntress)
Merged in a post:
ESXi Agent
Robert Mancinelli
With the increase in activity targeting the root environment of ESXi hosts, we would love to see an ESXi agent.
Nate O'Brien marked this post as under review
We're actively looking for beta testers who can help by sending logs for us to review and parse. Please reach out to me if you're interested. nate.obrien@huntresslabs.com
Raphael Waller
Would this be for an official integration for VMWare and Huntress monitored detections for it?
Darren Djernes
ESXi hosts and vCenter/VMware are a place of low visibility to attacks, and tough to protect. Would love to see this.
Cody Arnold
+1, but probably also look at for other hypervisors as well since the MSP market is going to start using other options like Proxmox, XCP-NG, Xen etc.
Paul Symonds
Many organizations today rely on virtual infrastructure for critical servers. Visibility and threat detection within the hypervisor layer has become increasingly important. While Huntress provides excellent protection across Windows, macOS, and Linux endpoints, the lack of coverage for ESXi leaves a significant blind spot in environments where virtualization is core to operations.
Adding ESXi support would definitely close this gap. Given the rise in ransomware and hypervisor-level attacks, this would be a highly valuable addition to the Huntress platform and help extend its protections to one of the most critical components that is currently left without protection.
Bryce Skelton
With the threat landscape what it is, we need to have as much visibility as possible to stay ahead of attackers. Be comprehensive and unique.
Kevin Brown
Attackers have clearly identified this weakness. Ransomware gangs like LockBit, Akira, and the group behind ESXiArgs have developed custom encryptors that specifically target ESXi hosts. They often gain access via exposed management interfaces or stolen credentials and then execute malicious scripts directly on the hypervisor to encrypt virtual machine disk files. This would be groundbreaking for Huntress and the cybersecurity community as a whole.
You've built your reputation on finding hidden footholds and malicious activity that other tools miss. Extending this capability to the ESXi hypervisor is a natural evolution of your platform and the best step forward in my mind.
A Huntress ESXi agent would provide immense value by monitoring for the exact TTPs (Tactics, Techniques, and Procedures) that attackers use in this space.
Sykes Stewart
Absolutely needed nowadays! Be the first to protect ESXi hosts!