ETC Collector is the evidence engine behind EtcSec’s Active Directory and Microsoft Entra ID reviews. It is a Go-based collector that supports standalone local operation, SaaS-enrolled daemon mode, REST API access, and recurring execution without requiring agents on domain controllers.
The published documentation positions it as a collection → parsing → analysis → graph → response pipeline, with support for LDAP or LDAPS, SMB for SYSVOL and GPO analysis, Microsoft Graph API, optional network probes, and structured JSON output.
```bash
curl -fsSL https://get.etcsec.com/install-pro.sh | sudo bash -s -- --mode server --token="<verify-in-popup>"
```

Verify your email in the popup, then copy the one-line server install command with its short-lived token.
Community Edition: Apache 2.0 open-source license, free for any use including commercial. Pro Edition: proprietary, included with EtcSec subscription.
LDAP or LDAPS, SMB for SYSVOL, and Microsoft Graph reads are combined in one workflow. No directory mutation is required to collect the evidence.
The architecture documentation describes a pluggable provider and detector system with concurrent execution and attack-graph analysis on top of collected objects.
Standalone server mode exposes a local web GUI and REST API on port 8443 so the collector can be used even without a SaaS connection.
Daemon mode polls the SaaS platform, executes commands, reports health, and can update itself while still keeping collection local to the customer environment.
Use standalone server mode when everything must stay local, or enroll the daemon when you want the SaaS platform to orchestrate and track the collector.
Enter your email, verify the six-digit code, and copy a one-line server install command with a short-lived token.
Point the collector at LDAP or LDAPS, SYSVOL, and optionally Microsoft Graph. SaaS daemon mode can also receive configuration pushes from the platform.
Standalone server mode starts the local GUI and API. Daemon mode enrolls into the SaaS platform and polls for commands while keeping collection local.
The published docs describe LDAP or LDAPS and SMB reads for AD, plus Graph reads for Entra. The collector is not meant to write back into those systems during normal audit operation.
Standalone mode runs a local API and GUI. In daemon mode the local GUI is bound to 127.0.0.1 by default unless the operator explicitly enables network exposure.
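A defender-side check for the binding described above, added here as an example and not part of ETC Collector's own tooling: it parses `ss -ltn` output and reports whether port 8443 is listening on loopback only. Port 8443 and the 127.0.0.1 default come from the page; the `ss` column layout is an assumption and the sample outputs are constructed.

```bash
#!/bin/sh
# Added example, not ETC Collector's own tooling: confirm that the local
# GUI/API on port 8443 listens on loopback only, matching the daemon-mode
# default described above. Port 8443 comes from the docs; the `ss -ltn`
# column layout is an assumption and the sample output below is constructed.

# Exit status: 0 = every listener on $1 is loopback-only,
#              1 = at least one listener is network-exposed,
#              2 = nothing listens on $1 at all.
check_loopback_only() {
  port="$1"
  ss_output="$2"
  found=0
  exposed=0
  # `ss -ltn` columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
  while read -r lp; do
    [ -n "$lp" ] || continue
    p="${lp##*:}"        # trailing :port (works for 1.2.3.4:8443 and [::1]:8443)
    addr="${lp%:*}"
    [ "$p" = "$port" ] || continue
    found=1
    case "$addr" in
      127.*|"[::1]"|"[::ffff:127."*) ;;   # loopback: fine
      *) exposed=1 ;;                      # 0.0.0.0, *, [::] or a NIC address
    esac
  done <<EOF
$(printf '%s\n' "$ss_output" | awk '$1 == "LISTEN" { print $4 }')
EOF
  [ "$found" -eq 1 ] || return 2
  [ "$exposed" -eq 0 ]
}

# Constructed sample outputs for offline demonstration
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8443    0.0.0.0:*
LISTEN 0      128    [::1]:8443        [::]:*'

SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8443      0.0.0.0:*'

# Live check on this host (needs iproute2's ss):
#   check_loopback_only 8443 "$(ss -ltn)" && echo "8443 is loopback-only"
```

Run the live check after enabling daemon mode and again after any configuration push, since exposure beyond loopback is the operator's explicit choice on this page.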
Enrollment stores credentials locally in encrypted form. The docs also describe binary update staging and watcher restart logic for daemon mode.
Run `etc-collector server` to expose the local GUI and REST API. This mode is useful for local review, air-gapped workflows, and API-driven one-off assessments.
Run `etc-collector daemon` after enrollment to poll the SaaS platform for commands, execute audits locally, and report results and health back centrally.
The local API under `/api/v1` supports JWT creation and programmatic audit launches, which makes the collector usable from scripts, SIEM hooks, and CI pipelines.
The collector stays local to the environment, while EtcSec provides the dashboarding, scheduling, and historical follow-up layer for organisations that want it.
Run ETC Collector locally with the embedded web GUI and REST API under `/api/v1`, without depending on the SaaS layer.
Enroll the collector into EtcSec to poll for commands, execute audits locally, and report health and results centrally.
Review the documented architecture, deployment modes, API surface, and the split between Community collection and the broader EtcSec operating layer.
Standalone mode is useful when everything must stay local or when the security team wants to script around the local API directly. Daemon mode is useful when a central team wants to orchestrate collectors across multiple sites or domains without giving up local collection.
Importantly, the modes share the same collection engine. The distinction is how the collector is operated and where the workflow is observed, not whether one mode has a different evidence base.
| Mode | What it does | Best fit |
|---|---|---|
| Standalone server | Runs a local GUI and REST API on port 8443 without SaaS dependency | Air-gapped, local-only, or API-driven one-off reviews |
| SaaS daemon | Polls the SaaS platform for commands, executes locally, reports results and health centrally | Managed fleets, recurring audits, multi-site operation |
The published architecture describes a modular provider and detector model with concurrent execution. In practice, that means one engine can collect from AD and Entra ID, analyse results in parallel, and add graph context on top of collected objects.
Teams can see which protocols are used, which objects are collected, and how findings are derived. That makes the collector easier to review, approve, and operate in controlled environments.
Because the collector combines directory data, SYSVOL analysis, Graph data, and optional network probes, it can surface both identity misconfiguration and the surrounding controls that make compromise practical.
| Source | Examples | Why it matters |
|---|---|---|
| Active Directory via LDAP | Users, groups, computers, trusts, domains, ACLs | Core identity and privilege relationships |
| SYSVOL via SMB | registry.pol, GptTmpl.inf, scripts | GPO hardening and credential leakage visibility |
| Microsoft Graph API | Users, groups, applications, CA policies, role assignments | Cloud identity and policy posture |
| Optional probes | Spooler, TLS, DNS or web enrollment surfaces | Relay and weak transport detection |
The split is straightforward: Community gives you the collection engine and core detections, while Pro and EtcSec add dashboards, central orchestration, historical follow-up, and expanded analysis.
| Capability | Community | Pro / EtcSec |
|---|---|---|
| Active Directory detections | Yes | Yes |
| Microsoft Entra ID detections | Yes | Yes |
| Standalone local server mode | Yes | Yes |
| SaaS daemon management | Works with EtcSec | Yes |
| ADCS ESC analysis | Extended in Pro workflows | Yes |
| Attack-path graphing | Extended in Pro workflows | Yes |
| Dashboards, history, scheduling | No | Yes |
The standalone server exposes `/api/v1` and supports JWT creation through the GUI token flow. That makes the collector usable from scripts, CI pipelines, or SIEM integrations. The daemon flow adds health reporting, remote commands, and update handling for teams managing multiple collectors.
That makes the collector practical for recurring reviews, scripted workflows, and local-first operations without giving up control over collection.
The collector is the evidence engine. EtcSec adds dashboards, historical trending, scheduling, and a wider operating layer for teams that need central follow-up rather than local execution only.
Explore detailed pages for Active Directory, Entra ID, ETC Collector deployment, and side-by-side product comparisons:

- Active Directory: the landing page focused on Tier 0, Kerberos, delegation, ADCS, and remediation priorities.
- Entra ID: the page covering Conditional Access, MFA, PIM, app permissions, and guest exposure.
- PingCastle vs ETC Collector: recurring AD audits and standalone collection workflows.
- Purple Knight vs ETC Collector: AD plus Entra ID reviews and recurring follow-up.
- ETC Collector: its local deployment modes and how teams run standalone or recurring audits.
Start with the open-source collector if you need local evidence gathering. Add EtcSec when the same collection engine also needs a dashboard, scheduling, and central remediation follow-up.