Watch Documentation
Watch is a real-time server monitoring and autonomous security platform. It combines live fleet metrics, AI-driven threat detection, and automated response into a single dashboard.
New here? Jump to Quick Start to get your first server online in under 5 minutes.
Introduction
Watch runs a lightweight agent on each server you want to monitor. The agent streams metrics and security events back to Watch over an encrypted WebSocket tunnel. Cortex AI continuously analyzes this data to detect threats, plan responses, and — when authorised — execute containment actions automatically.
Key capabilities:
- Live fleet metrics — CPU, memory, disk, network, load average updated every few seconds
- Autonomous threat detection — brute force, rootkits, ransomware, lateral movement, credential stuffing, container escapes, and more
- Cortex AI — reasons over alerts, builds attack chains, proposes and executes remediation
- Zero Trust enforcement — policy-based access control, process allowlists, IP bans, lockdown mode
- Compliance scoring — CIS, SOC2, PCI-DSS with per-control pass/warn/fail breakdown
- Vault — encrypted secrets stored and pushed to agents on demand
- Full audit trail — every action logged with who, what, when, and outcome
Quick Start
Sign in at watch.alsopss.com. You'll land on the Fleet overview.
Add your first server. Click Add Server in the Fleet view (or top-right corner). Copy the one-line install command shown.
Run the install command on your server as root. It downloads and starts the Watch agent, which connects back automatically.
Watch it appear. Within a few seconds the server shows up in Fleet with live CPU and memory. A green dot means the agent is connected.
Configure alerts. Go to Settings → Alert Rules to customise thresholds and notification channels.
Installing the Agent
The agent is a single binary that runs as a systemd service. Supported platforms: Linux (x86_64, arm64), Debian/Ubuntu, RHEL/CentOS, Alpine.
One-line install (recommended)
```bash
curl -sL https://watch.alsopss.com/install | sudo bash -s -- --token YOUR_INSTALL_TOKEN
```
Your install token is shown when you click Add Server in the dashboard. Each token is single-use and tied to your org.
What the installer does
- Downloads the agent binary for your architecture
- Installs it to /opt/watch-agent/
- Creates a systemd unit watch-agent.service and enables it on boot
- Connects to wss://agents.watch.alsopss.com/agent-ws using the token
Verify the agent is running
```bash
systemctl status watch-agent
journalctl -u watch-agent -f
```
Uninstall
```bash
sudo systemctl stop watch-agent && sudo systemctl disable watch-agent
sudo rm -rf /opt/watch-agent /etc/systemd/system/watch-agent.service
sudo systemctl daemon-reload
```
Navigation
The sidebar on the left groups features into sections. It can be collapsed to icon-only mode by clicking the arrow at the bottom.
| Section | What's here |
|---|---|
| Fleet | All servers — live status, metrics, and agent activity |
| Alerts | Every anomaly, threshold breach, and attack signal in real time |
| Network | Active connections, listening ports, and IP ban list |
| Services | Systemd service status across all monitored servers |
| Respond | Human override queue — approve, reject, or roll back Cortex decisions |
| Investigations | Active AI investigation cases, evidence chains, and confidence scores |
| Timeline | Unified event timeline correlating alerts, actions, and metric spikes |
| Intelligence | Attacker profiles, predictive findings, and missed-attack analysis |
| Coverage | MITRE ATT&CK playbook coverage and false-positive suppression |
| Cortex AI | Autonomous threat reasoning, planning, and execution console |
| SOC Ops | MTTD/MTTR metrics, alert funnel, and analyst workload |
| Sec Intel | CVE exposures, threat feeds, and external IOC correlation |
| Audit Log | Immutable record of every action — who, what, when, outcome |
| Settings | Agent config, automation policy, notifications, team, billing |
Fleet Overview /
The Fleet view is your home screen. It shows every server in your org as a card with live metrics.
- Status dot — green (online), yellow (degraded), red (offline)
- Sparklines — last 30 minutes of CPU and memory at a glance
- Threat score — 0–100 risk indicator driven by Cortex AI
- AI activity badge — shown when Cortex has an active investigation on that server
- Tags — click any tag to filter the fleet to servers sharing that tag
Click any server card to open the Server Detail view.
Server Detail /server/:id
A full-page view of a single server with tabs covering every aspect of that host.
Lockdown
The Lockdown button (top-right of Server Detail) puts the server into a restricted state: blocks all inbound connections except the agent tunnel, kills non-whitelisted processes, and logs every action. Use it when you suspect active compromise. Lockdown can be lifted from the same button or via the Respond queue.
Alerts /alerts
The alert feed shows every security event across the fleet in real time. Alerts are streamed over the SSE event stream — no page refresh needed.
| Severity | Meaning |
|---|---|
| Critical | Active threat requiring immediate action (ransomware, rootkit, active exfil) |
| Warning | Suspicious activity that may indicate a threat (brute force, anomalous process) |
| Info | Noteworthy events that are not immediately dangerous |
Acknowledging alerts
Click Ack on any alert to mark it reviewed. Bulk-acknowledge with the Ack All button. Acknowledged alerts are archived but remain in the audit log forever. You can add a note when acknowledging — it's attached to the alert record.
Alert rules
Go to Settings → Alert Rules to create custom threshold rules (e.g. CPU > 90% for 5 min) or tune the severity of built-in detections. The Rule Builder lets you test rules against recent data before saving.
Network /network
A fleet-wide view of all active TCP/UDP connections and listening ports. Use it to spot unexpected outbound calls, port scanners, or services that shouldn't be exposed.
- Filter by server, port, or remote IP
- Ban IP — one-click to push an IP ban to the agent; takes effect in seconds
- Active IP bans are shown with expiry time; click to lift
Timeline /timeline
A chronological view that merges alerts, Cortex actions, metric spikes, and config changes onto a single timeline. Use it to reconstruct an incident: see the CPU spike that preceded the alert, the Cortex decision that followed, and the remediation that resolved it — all in sequence.
Cortex AI
Cortex is Watch's autonomous security engine. It continuously analyses telemetry across the fleet, correlates signals into attack chains, and — depending on your automation policy — either proposes or automatically executes containment actions.
How Cortex works
Detect — ingest process trees, network connections, file changes, and login events from all agents.
Assess — score each anomaly, correlate across servers, and build a causal chain (e.g. brute force → successful login → lateral move → exfil attempt).
Plan — propose a remediation plan: ban IP, kill process, quarantine server, rotate credential.
Execute — if automation is enabled for that action class, execute immediately. Otherwise, send to the Respond queue for human approval.
Verify — re-check the server after action to confirm the threat is resolved and no regression occurred.
Automation policy
Go to Settings → Security Policy to control what Cortex can do autonomously. Each action class (IP ban, process kill, lockdown, credential rotate) can be set to auto, require approval, or disabled.
Tip: Start with all actions in require approval mode. Once you trust Cortex's decisions on your environment, selectively enable auto-execution for lower-risk actions like IP bans.
Detections & Coverage /detection
Shows which MITRE ATT&CK techniques Watch actively detects on your fleet, and which have gaps. Green = covered, yellow = partial, grey = not covered.
Each technique card links to the playbook for that detection — showing what signals trigger it, what Cortex does in response, and any false-positive suppression rules in effect.
Use YARA Rules (/yara) to write custom detections that scan file content and process memory on demand or on a schedule.
Respond & Approvals /respond
When Cortex proposes an action that requires human approval, it appears here. Each item shows:
- The threat that triggered it and the evidence chain
- The proposed action and its blast radius preview
- Cortex's confidence score and reasoning
Approve to execute, Reject to dismiss, or Modify to adjust the action before running it. All decisions are logged in the Audit Log.
You can also roll back any executed action here within the retention window.
Investigations /investigations
Each Cortex investigation is a structured case file. It contains:
- Evidence ledger — every signal, log entry, and file artifact collected
- Causal chain graph — visual attack path from initial access to impact
- Kill chain stage — where on the MITRE ATT&CK kill chain the attack reached
- Decision trace — each Cortex reasoning step with confidence scores
- Actions taken — timeline of executed and pending responses
Investigations can be exported as PDF incident reports for compliance or post-mortem review.
Zero Trust /zerotrust
Watch implements a Zero Trust model for your fleet. Rather than trusting servers by network position, every process, connection, and user action is validated against policy.
- Process allowlist — only explicitly allowed binaries can run; unknown processes are flagged or killed
- Policy profiles — apply named security profiles to groups of servers (e.g. "web tier", "database", "dev")
- Policy versions — changes are versioned; roll back to any previous policy instantly
- Trust sessions — time-limited elevated access grants logged and auto-revoked
- mTLS agent auth — agents authenticate with client certificates; unauthenticated connections are rejected
Ghost Mode /ghost
Ghost Mode makes Watch's presence invisible to an attacker who has compromised a server. It:
- Hides the agent process and binary from ps, ls, and common enumeration tools
- Disguises network connections used by the agent
- Enables counter-reconnaissance — logs attacker enumeration attempts
Note: Ghost Mode requires kernel-level support. Available on Linux with kernel ≥ 5.10. Not supported on containers.
Intelligence /intelligence
The Intelligence view surfaces proactive findings that don't rise to the level of an alert but are worth knowing:
- Attacker profiles — IPs and domains that have probed your fleet, enriched with threat-feed context
- Predictive findings — Cortex's forward-looking risk assessments based on fleet behaviour trends
- Missed attacks — retrospective analysis of events that slipped past detections
- Rollback candidates — changes that look suspicious in hindsight
Threat Map /threatmap
A real-time world map showing the geographic origin of attack traffic hitting your fleet. Circles pulse on new events. Click any origin to see the associated alerts and attacker profile. Available on paid plans.
Predict /predict
Predict uses behavioural baselines to surface anomalies before they become incidents. It builds a statistical model of normal behaviour per server (CPU patterns, process launches, login times) and flags deviations with a z-score and severity. Unlike threshold alerts, Predict catches slow-burn attacks that stay below fixed thresholds.
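To make the contrast between a fixed threshold rule (the "CPU > 90% for 5 min" style rule from Alert Rules) and a baseline-driven z-score concrete, here is an added illustration in Python. It is not Watch's or Predict's own code: the severity tiers, the rolling-window size and the sample data are assumptions constructed for this example, and the baseline is a plain mean/standard deviation over the most recent samples.

```python
import math
from collections import deque
from typing import Deque, List, Optional, Tuple

Sample = Tuple[int, float]  # (unix seconds, metric value such as CPU %)


def threshold_rule(samples: List[Sample], threshold: float, hold_seconds: int) -> Optional[int]:
    """Fixed-threshold rule of the 'CPU > 90% for 5 min' kind.

    Returns the timestamp at which the condition has held continuously for
    hold_seconds, or None if it never did. Any dip below the threshold resets the clock.
    """
    breach_start = None
    for ts, val in samples:
        if val > threshold:
            if breach_start is None:
                breach_start = ts
            if ts - breach_start >= hold_seconds:
                return ts
        else:
            breach_start = None
    return None


class Baseline:
    """Per-server rolling baseline: mean and standard deviation of the last `window` samples."""

    def __init__(self, window: int = 60, min_samples: int = 10):
        self.values: Deque[float] = deque(maxlen=window)
        self.min_samples = min_samples  # do not score until the baseline has warmed up

    def zscore(self, value: float) -> Optional[float]:
        """z-score of `value` against the current baseline, or None while warming up."""
        if len(self.values) < self.min_samples:
            return None
        n = len(self.values)
        mean = sum(self.values) / n
        std = math.sqrt(sum((v - mean) ** 2 for v in self.values) / n)
        if std == 0:  # perfectly flat history: any change is maximally surprising
            return 0.0 if value == mean else float("inf")
        return (value - mean) / std

    def observe(self, value: float) -> None:
        self.values.append(value)


def severity(z: Optional[float]) -> Optional[str]:
    """Map |z| to a severity tier. The tiers are an assumption for this example."""
    if z is None:
        return None
    a = abs(z)
    if a >= 5:
        return "critical"
    if a >= 3:
        return "warning"
    if a >= 2:
        return "info"
    return None


def predict_rule(samples: List[Sample], window: int = 60, min_samples: int = 10):
    """Score each sample against the baseline built from the samples before it.

    Returns a list of (timestamp, z, severity) for every flagged sample.
    """
    baseline = Baseline(window, min_samples)
    flagged = []
    for ts, val in samples:
        z = baseline.zscore(val)
        sev = severity(z)
        if sev:
            flagged.append((ts, round(z, 2), sev))
        baseline.observe(val)
    return flagged


def slow_burn_sample() -> List[Sample]:
    """Constructed data: five minutes of quiet CPU around 10% (one sample per 10 s),
    then a sustained jump to 40%, which is far below a 90% fixed threshold."""
    quiet = [(i * 10, 10.0 + (i % 3) * 0.5) for i in range(30)]
    bump = [(300 + i * 10, 40.0) for i in range(6)]
    return quiet + bump


if __name__ == "__main__":
    data = slow_burn_sample()
    print("threshold rule fired at:", threshold_rule(data, 90.0, 300))  # None
    print("baseline rule flagged:", predict_rule(data))
```

On the constructed data the fixed rule never fires, while the baseline rule flags the first 40% sample as critical and the following ones at decreasing severity. That decay is the caveat: the rolling baseline absorbs the new level within a few samples, so a real implementation should stop updating the baseline (or use a much longer window) while an anomaly is open, otherwise a slow, steady climb can train the baseline to accept it.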
DARVER /darver
DARVER (Detect → Assess → Remediate → Verify → Enforce → Report) is Watch's structured incident-response pipeline. It gives each incident a lifecycle stage and tracks it through to resolution, ensuring no alert is left unresolved. The DARVER dashboard shows the current distribution of incidents across each stage.
Playbooks /playbooks
Playbooks are automated response runbooks. When a trigger condition is met (e.g. ransomware detected), the playbook executes a sequence of steps: notify on-call, snapshot disk, isolate server, open incident. You can write your own playbooks or start from built-in templates.
Each step can be conditional, delayed, or require manual approval before proceeding. Playbook runs are logged in full in the Audit Log.
War Room /war-room
A live multi-team collaboration space for active incidents. All team members see the same real-time feed of Cortex actions, alerts, and server state. Use it to coordinate during a breach: assign tasks, share findings, and track who is doing what without leaving the dashboard.
Compliance /compliance
Generates live compliance scores for CIS Benchmarks, SOC2, and PCI-DSS. Each framework shows a breakdown by control with pass, warn, and fail status. Watch maps its own detections and hardening checks to the relevant controls automatically.
Export a compliance report PDF for auditors from the top-right of the Compliance view.
Vault /vault
Vault stores encrypted secrets (passwords, API keys, TLS certificates) and distributes them to agents on demand. Secrets are encrypted at rest with a per-org key.
- Push to agent — send a secret to a server's environment or a specific file path
- Rotate — replace a secret and push the new value to all assigned servers
- Reveal — decrypt and display a secret (rate-limited, requires vault:reveal scope, logged)
- Custody log — every reveal is logged with user, time, and IP
Audit Log /audit
Every privileged action in Watch is appended to a tamper-evident audit log. This includes user logins, alert acknowledgements, Cortex decisions, playbook runs, settings changes, and API key usage.
The log is append-only and cryptographically chained — each entry includes a hash of the previous entry. Export to CSV/JSON for SIEM integration via the API.
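A consumer of the exported audit log should be able to check the chain itself rather than trust the export. The following added example (not Watch's code; the page does not publish the export schema or the hashing rule) assumes each entry is a JSON object whose `hash` is SHA-256 over the canonical JSON of its other fields, including the `prev_hash` that links it to the previous entry, with an all-zero `prev_hash` on the first entry. The field names, the genesis sentinel and the sample entries are all constructed for the example.

```python
import hashlib
import json
from typing import Iterable, List, Optional

GENESIS = "0" * 64  # assumed sentinel prev_hash for the first entry


def entry_hash(entry: dict) -> str:
    """Hash of an entry's content: every field except its own `hash`, including `prev_hash`.

    Assumed canonical form: JSON with sorted keys and no whitespace. The exact
    canonicalisation must match whatever the exporter used or nothing verifies.
    """
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def append_entry(chain: List[dict], **fields) -> dict:
    """Create the next chained entry; used here only to build a constructed sample log."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = dict(fields, prev_hash=prev)
    entry["hash"] = entry_hash(entry)
    chain.append(entry)
    return entry


def verify_chain(entries: Iterable[dict]) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first bad entry.

    Catches edited content, re-ordered entries and entries removed from the middle.
    It cannot catch removal of the *last* entries on its own; for that, pin the
    latest hash somewhere outside the export (a ticket, a SIEM record, a notary).
    """
    expected_prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("prev_hash") != expected_prev:
            return i  # link to the previous entry is broken
        if e.get("hash") != entry_hash(e):
            return i  # content no longer matches its stored hash
        expected_prev = e["hash"]
    return None


def build_sample_log() -> List[dict]:
    """Constructed sample with three of the event kinds the audit log records."""
    chain: List[dict] = []
    append_entry(chain, id=1, ts=1700000000000, actor="alice", action="login", outcome="ok")
    append_entry(chain, id=2, ts=1700000060000, actor="alice", action="alert.ack",
                 outcome="ok", target="alert_42")
    append_entry(chain, id=3, ts=1700000120000, actor="cortex", action="ban-ip",
                 outcome="executed", target="203.0.113.7")
    return chain


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log) is None)
    log[1]["outcome"] = "denied"
    print("first bad entry after edit:", verify_chain(log))
```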
Team & Roles /users
| Role | Can do |
|---|---|
| Owner | Everything — billing, team management, delete org, all API key scopes |
| Admin | All operations except billing and owner management |
| Analyst | View all data, acknowledge alerts, approve Cortex actions. Cannot change settings. |
| Read-only | View only. Cannot acknowledge, approve, or change anything. |
Invite team members from Settings → Team. Invites are sent by email and expire after 48 hours. SSO (SAML 2.0) is available on Enterprise plans — configure it under Settings → SSO.
Integrations /settings/integrations
Watch can send notifications and create tickets in external systems when alerts fire or Cortex takes action.
Configure integrations at Settings → Integrations. Use the Send test button to verify your config before saving. Each integration can be scoped to specific alert severities or servers.
API Keys /settings/api-keys
API keys let you access Watch programmatically. Create them at Settings → API Keys.
Key prefixes
- wk_live_ — production key, full access within assigned scopes
- wk_test_ — test key, same scopes but flagged in audit log
Available scopes
| Scope | Grants access to |
|---|---|
| servers:read | List and retrieve server metadata |
| metrics:read | Time-series metric data |
| alerts:read | List and filter alerts |
| alerts:write | Acknowledge and snooze alerts |
| stream:read | Subscribe to the real-time SSE event stream |
| vault:reveal | Decrypt vault secrets |
| integrations:read | List integrations |
| integrations:write | Create and update integrations |
| audit:read | Read the audit log |
| webhooks:write | Create, update, delete, and test outbound webhook targets |
| events:read | Read the historical custom event log |
| events:write | Push custom events from external systems |
| actions:write | Trigger automation: ban IP, run scan, lockdown, restart agent |
| read:* | All read scopes |
| write:* | All write scopes |
Using a key
```bash
curl https://api.watch.alsopss.com/api/servers \
  -H "Authorization: Bearer wk_live_YOUR_KEY"
```
Developer APIs
The following APIs are designed for programmatic use — automation pipelines, CI/CD integrations, and external tools. All require a wk_live_ key with the appropriate scope.
Webhooks POST /api/webhooks
Register outbound webhook targets that Watch will POST to when events fire. Each delivery is signed with X-Watch-Signature: sha256=<hmac> using a per-webhook secret.
```bash
# Create a webhook
curl -X POST https://api.watch.alsopss.com/api/webhooks \
  -H "Authorization: Bearer wk_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "my-pipeline",
    "url": "https://hooks.example.com/sentinel",
    "events": ["alert.critical", "lockdown.enabled", "custom.event"]
  }'

# List webhooks
curl https://api.watch.alsopss.com/api/webhooks \
  -H "Authorization: Bearer wk_live_YOUR_KEY"

# Test a webhook
curl -X POST https://api.watch.alsopss.com/api/webhooks/1/test \
  -H "Authorization: Bearer wk_live_YOUR_KEY"

# Delivery history
curl https://api.watch.alsopss.com/api/webhooks/1/deliveries \
  -H "Authorization: Bearer wk_live_YOUR_KEY"
```
| Event | Description |
|---|---|
| alert.critical | Critical severity alert fired |
| alert.warning | Warning severity alert fired |
| alert.resolved | Alert acknowledged or auto-resolved |
| lockdown.enabled | Server placed into lockdown |
| lockdown.disabled | Lockdown lifted |
| ban.added | IP address banned |
| ban.removed | IP ban removed |
| agent.offline | Sentinel agent went offline |
| agent.online | Sentinel agent came back online |
| scan.complete | rkhunter or clamav scan finished |
| investigation.opened | New WID investigation opened |
| ttp.matched | TTP pattern matched in telemetry |
| custom.event | External event pushed via /api/events/ingest |
| * | All events |
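A webhook receiver should verify X-Watch-Signature before it parses the body, let alone acts on it, otherwise anyone who can reach the endpoint can inject a fake `lockdown.enabled` or `alert.critical` into your pipeline. The example below is added here and is not Watch's own code; it assumes the HMAC-SHA256 is computed over the exact request body bytes and hex-encoded (the page gives only the `sha256=<hmac>` header shape), and the secret, sample body and `{"event": ..., "data": ...}` payload layout are constructed placeholders.

```python
import hashlib
import hmac
import json
from typing import Optional

# Per-webhook secret as issued when the webhook was registered.
# Constructed placeholder for this example.
WEBHOOK_SECRET = b"whsec_EXAMPLE_CONSTRUCTED_SECRET"

HEX_CHARS = set("0123456789abcdef")


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Header value a sender would produce: 'sha256=' + hex HMAC-SHA256 of the raw body.

    Assumption: the HMAC covers the exact body bytes and is hex-encoded.
    """
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time check of an X-Watch-Signature header against the raw body."""
    if not header_value:
        return False
    scheme, sep, received = header_value.partition("=")
    if sep != "=" or scheme.strip().lower() != "sha256":
        return False
    received = received.strip().lower()
    # Reject anything that is not hex before comparing, so compare_digest
    # never sees non-ASCII input and length mismatches fail cleanly.
    if not received or any(c not in HEX_CHARS for c in received):
        return False
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, received)  # timing-safe comparison


def handle_delivery(secret: bytes, raw_body: bytes, headers: dict) -> dict:
    """Verify first, parse second. Returns a small result record for the caller.

    Assumed payload shape {"event": "...", "data": {...}}; the docs do not
    specify the delivery body, so treat this as a placeholder.
    """
    if not verify_signature(secret, raw_body, headers.get("X-Watch-Signature")):
        return {"accepted": False, "reason": "bad signature"}
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return {"accepted": False, "reason": "invalid json"}
    return {"accepted": True, "event": payload.get("event"), "data": payload.get("data", {})}


# Constructed sample delivery for the lockdown.enabled event listed above.
SAMPLE_BODY = json.dumps(
    {"event": "lockdown.enabled", "data": {"server_id": "srv_abc123"}}
).encode()
SAMPLE_HEADERS = {"X-Watch-Signature": compute_signature(WEBHOOK_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print(handle_delivery(WEBHOOK_SECRET, SAMPLE_BODY, SAMPLE_HEADERS))
```

Keep the raw bytes from the request for the HMAC; re-serialising a parsed JSON object will almost always change whitespace or key order and break verification. The secret is per-webhook, so a receiver that serves several registrations needs to look the secret up by target URL or webhook id before verifying.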
Event Ingest POST /api/events/ingest
Push custom events from external systems — deploy markers, CI results, on-call handoffs, external alerts. Events appear in the dashboard event timeline and can trigger webhook deliveries.
```bash
curl -X POST https://api.watch.alsopss.com/api/events/ingest \
  -H "Authorization: Bearer wk_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "source": "github-actions",
    "type": "deploy",
    "title": "Deployed v2.4.1 to production",
    "severity": "info",
    "server_id": "srv_abc123",
    "meta": { "commit": "a1b2c3d", "actor": "aidenmcelroy" }
  }'
```
Fields: source (required), type (required, lowercase slug), title (required), body (optional markdown), severity (info | warning | error | success), server_id, meta (JSON object).
Event History GET /api/events
Paginated historical event log covering both system events and custom ingest events.
```bash
# Last 50 events
curl "https://api.watch.alsopss.com/api/events" \
  -H "Authorization: Bearer wk_live_YOUR_KEY"

# Filter by source and time range
curl "https://api.watch.alsopss.com/api/events?source=github-actions&since=1700000000000&limit=100" \
  -H "Authorization: Bearer wk_live_YOUR_KEY"
```
Query params: limit (max 500), offset, source, type, severity, server_id, since (ms epoch), until (ms epoch).
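Pulling the whole event log (for example into a SIEM) means walking pages with `limit` and `offset` and respecting the cap of 500. The following added Python client is not Watch's own SDK: it builds the documented query string, clamps `limit`, and pages until a short page arrives. The response shape `{"events": [...], "total": N}` is an assumption, as the page does not document the body, and the offline `fake_transport` plus `SAMPLE_EVENTS` are constructed so the paginator can be exercised without network access.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterator, List

API_BASE = "https://api.watch.alsopss.com"
MAX_LIMIT = 500  # documented maximum for the limit parameter

# A transport takes a full URL and returns the parsed JSON response body.
Transport = Callable[[str], dict]


def http_transport(api_key: str) -> Transport:
    """Real transport over urllib (not exercised offline)."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def build_events_url(limit: int = 50, offset: int = 0, **filters) -> str:
    """Build a GET /api/events URL from the documented query params.

    limit is clamped to the documented cap; only filters that are set are emitted.
    since/until are passed through as millisecond epochs, as the docs specify.
    """
    params = {"limit": max(1, min(int(limit), MAX_LIMIT)), "offset": max(0, int(offset))}
    for key in ("source", "type", "severity", "server_id", "since", "until"):
        val = filters.get(key)
        if val is not None:
            params[key] = val
    return API_BASE + "/api/events?" + urllib.parse.urlencode(params)


def iter_events(fetch: Transport, page_size: int = MAX_LIMIT, **filters) -> Iterator[dict]:
    """Yield every matching event, walking offset pages until a short page ends the set.

    Assumed response shape: {"events": [...], "total": N}.
    """
    page_size = max(1, min(page_size, MAX_LIMIT))
    offset = 0
    while True:
        page = fetch(build_events_url(limit=page_size, offset=offset, **filters))
        events = page.get("events", [])
        if not events:
            return
        for e in events:
            yield e
        if len(events) < page_size:  # short page: nothing more to fetch
            return
        offset += len(events)


def fake_transport(all_events: List[dict]) -> Transport:
    """Offline stand-in that serves slices of a constructed event list from the query string."""
    def fetch(url: str) -> dict:
        q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        limit = int(q["limit"][0])
        offset = int(q.get("offset", ["0"])[0])
        rows = all_events
        if "source" in q:
            rows = [e for e in rows if e["source"] == q["source"][0]]
        if "since" in q:
            rows = [e for e in rows if e["ts"] >= int(q["since"][0])]
        return {"events": rows[offset:offset + limit], "total": len(rows)}
    return fetch


# Constructed sample: seven events alternating between a CI source and system events.
SAMPLE_EVENTS = [
    {"id": i, "source": "github-actions" if i % 2 else "system", "ts": 1700000000000 + i * 1000}
    for i in range(1, 8)
]

if __name__ == "__main__":
    fetch = fake_transport(SAMPLE_EVENTS)
    for event in iter_events(fetch, page_size=3, source="github-actions"):
        print(event)
```

Offset pagination is only stable if the order of the result set does not change between pages; when new events keep arriving, pin the window with `until` set to the time you started so later inserts cannot shift earlier pages.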
Automation Actions POST /api/automation/*
Trigger remediation actions from automation pipelines. Requires scope actions:write. Command policies (two-person auth, approval gates) are enforced identically to the dashboard — if approval is required, the API returns 202 Accepted with an approval_id.
```bash
# Ban an IP
curl -X POST https://api.watch.alsopss.com/api/automation/ban-ip \
  -H "Authorization: Bearer wk_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"serverId": "srv_abc123", "ip": "1.2.3.4", "reason": "blocked by IDS"}'

# Run a scan
curl -X POST https://api.watch.alsopss.com/api/automation/scan \
  -H "Authorization: Bearer wk_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"serverId": "srv_abc123", "scanner": "rkhunter"}'

# Enable lockdown
curl -X POST https://api.watch.alsopss.com/api/automation/lockdown \
  -H "Authorization: Bearer wk_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"serverId": "srv_abc123", "active": true}'

# List active IP bans on a server
curl "https://api.watch.alsopss.com/api/automation/server/srv_abc123/bans" \
  -H "Authorization: Bearer wk_live_YOUR_KEY"
```
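The 202 path is the one automation authors get wrong: a pipeline that treats any 2xx as "done" will report an IP ban or lockdown as applied when it is actually parked in the Respond queue. This added Python example (not Watch's SDK) calls the ban-ip and lockdown endpoints and maps the status code to an explicit outcome, so a caller has to look at `pending_approval` rather than assume. The `ActionResult` type, the `fake_poster` that mirrors the auto / require approval / disabled modes from Settings → Security Policy, and the constructed response bodies are all assumptions; the page only states that an approval-gated request returns 202 with an `approval_id`.

```python
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

API_BASE = "https://api.watch.alsopss.com"

# A poster sends a JSON body to an API path and returns (HTTP status, parsed JSON body).
Poster = Callable[[str, dict], Tuple[int, dict]]


@dataclass
class ActionResult:
    executed: bool            # the action was applied
    pending_approval: bool    # 202: parked in the Respond queue
    approval_id: Optional[str]
    status: int
    detail: str


def http_poster(api_key: str) -> Poster:
    """Real transport over urllib (not exercised offline). Error responses are returned, not raised."""
    def post(path: str, payload: dict) -> Tuple[int, dict]:
        req = urllib.request.Request(
            API_BASE + path,
            data=json.dumps(payload).encode(),
            method="POST",
            headers={"Authorization": "Bearer " + api_key, "Content-Type": "application/json"},
        )
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:
            raw = err.read()
            try:
                return err.code, json.loads(raw)
            except ValueError:
                return err.code, {"error": raw.decode("utf-8", "replace")}
    return post


def interpret(status: int, body: dict) -> ActionResult:
    """Map the status code to an explicit outcome. 202 means queued, not executed."""
    if status == 202:
        return ActionResult(False, True, body.get("approval_id"), status, "awaiting approval in Respond")
    if 200 <= status < 300:
        return ActionResult(True, False, None, status, "executed")
    return ActionResult(False, False, None, status, str(body.get("error", "request failed")))


def ban_ip(post: Poster, server_id: str, ip: str, reason: str) -> ActionResult:
    status, body = post("/api/automation/ban-ip", {"serverId": server_id, "ip": ip, "reason": reason})
    return interpret(status, body)


def set_lockdown(post: Poster, server_id: str, active: bool) -> ActionResult:
    status, body = post("/api/automation/lockdown", {"serverId": server_id, "active": active})
    return interpret(status, body)


def fake_poster(policy: Dict[str, str]) -> Poster:
    """Offline stand-in. `policy` maps an API path to the per-action-class mode
    ('auto', 'approval' or 'disabled'). Response bodies are constructed for this example."""
    def post(path: str, payload: dict) -> Tuple[int, dict]:
        mode = policy.get(path, "disabled")
        if mode == "auto":
            return 200, {"ok": True, "serverId": payload.get("serverId")}
        if mode == "approval":
            return 202, {"approval_id": "apr_constructed_0001"}
        return 403, {"error": "action class disabled by policy"}
    return post


if __name__ == "__main__":
    post = fake_poster({"/api/automation/ban-ip": "auto", "/api/automation/lockdown": "approval"})
    print(ban_ip(post, "srv_abc123", "203.0.113.7", "blocked by IDS"))
    print(set_lockdown(post, "srv_abc123", True))
```

When `pending_approval` is true, record the `approval_id` with the pipeline run so the on-call analyst can find the item in Respond, and let the pipeline fail or wait explicitly rather than continue as if the containment had happened.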
Notifications /settings/notifications
Control which events trigger notifications and through which channels. You can set per-severity rules (e.g. only page on-call for Critical, send Slack for Warning) and configure quiet hours to suppress non-critical noise outside business hours.
On-call rotation is configured under Settings → On-Call. Watch will call or page the currently on-call user when a critical alert fires and no human has acknowledged it within your configured escalation window.
API Reference
Interactive API explorer. Authenticate with a wk_live_ key using the Authorize button to try requests live.