one cool thing: Maintain a real-time graph on each endpoint agent. Then, let the agents chat and traverse edges across graphs (endpoints), peer-to-peer.

When an alert fires, the agent provides relevant evidence from across hosts in a single package. https://twitter.com/williballenthin/status/1233177407370121221

@williballenthin
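
A sketch of the idea in the post above, as an added example that is not the author's or any product's code: each agent keeps a local event graph, and a backward walk from the alerting node follows cross-host edges into peer graphs to build one evidence package. The `Agent` class, node names, relation labels and the in-process peer registry (standing in for a real peer-to-peer transport) are assumptions, and the telemetry is constructed.

```python
from collections import deque

class Agent:
    """One endpoint agent holding its own event graph (hypothetical model)."""

    def __init__(self, host, peers):
        self.host, self.peers = host, peers
        self.parents = {}   # node -> [(relation, parent node)] on this host
        self.remote = {}    # node -> (peer host, node in that peer's graph)
        peers[host] = self  # stand-in for peer discovery

    def add_edge(self, parent, relation, child):
        self.parents.setdefault(child, []).append((relation, parent))

    def link_remote(self, node, peer_host, peer_node):
        self.remote[node] = (peer_host, peer_node)

    def collect(self, start, seen=None):
        """Walk the causal ancestors of `start`, handing off to peers at remote edges."""
        seen = set() if seen is None else seen
        evidence, queue = [], deque([start])
        while queue:
            node = queue.popleft()
            if (self.host, node) in seen:   # guards against cycles across hosts
                continue
            seen.add((self.host, node))
            for relation, parent in self.parents.get(node, []):
                evidence.append((self.host, parent, relation, self.host, node))
                queue.append(parent)
            if node in self.remote:
                peer_host, peer_node = self.remote[node]
                evidence.append((peer_host, peer_node, "connected_to", self.host, node))
                # In a real deployment this would be a network request to the peer agent.
                evidence += self.peers[peer_host].collect(peer_node, seen)
        return evidence

def demo_package():
    """Constructed telemetry: an alert on srv02 whose cause starts on ws01."""
    peers = {}
    ws, srv = Agent("ws01", peers), Agent("srv02", peers)
    ws.add_edge("proc:editor", "spawned", "proc:script-host")
    ws.add_edge("proc:script-host", "opened", "sock:out")
    srv.add_edge("sock:in", "accepted_by", "proc:service")
    srv.add_edge("proc:service", "spawned", "proc:shell")
    srv.link_remote("sock:in", "ws01", "sock:out")
    return srv.collect("proc:shell")   # the alert fired on proc:shell

if __name__ == "__main__":
    for edge in demo_package():
        print(edge)
```

Each tuple in the package reads as (source host, source node, relation, destination host, destination node), so the cross-host hop appears as a single `connected_to` edge between the two sockets.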