Reference · Horizon agent

How the full Horizon agent works.

A plain explanation of the full-fat Horizon Platform agent: the complete fifteen-collector telemetry it runs, the operational dashboards and reports it populates, where the data lives, and the boundaries we deliberately keep around it. No pitch, no pricing — those live elsewhere. This page is here so the technical and security reviewers can read what the thing actually does before it gets near a host.

  • Collectors: 15 (enforced server-side)
  • Surfaces: Cross-platform (windows · macos · linux · proxmox · pfsense)
  • Trust posture: Outbound-only (https · 90-day default retention)

01 · What it is

What it is.

The Horizon agent is the operational telemetry layer for the Horizon Platform. The ESG and Cyber agents are rotated subsets of it — same installer, same update channel, same data path — but the full agent runs the entire collector set, fifteen collectors covering health, hardware, containers, networking, filesystem layout, software inventory, security posture, electricity draw, thermal sensors, AI-model presence, Proxmox and PBS hypervisor surfaces, severity-filtered system logs, Hermes AI project context, and Cyber Essentials Plus compliance evidence.

It is built for the case where one team is responsible for keeping a heterogeneous fleet alive: a Proxmox cluster here, a handful of Windows workstations there, a couple of macOS designers, a pfSense edge appliance, an Ollama server, a PBS backup target — and a portal that has to show all of it on one screen without lying.

Within that broad surface, the operating principle is the same as for the smaller agents: the agent reads, the portal scores. The two operator-initiated control surfaces (remote support sessions over SSH, and remote desktop over bundled VNC) are explicitly opt-in, audit-logged, and never silent.

For the narrower, scoped variants see the ESG agent reference (power / Scope 2 evidence only) and the Cyber agent reference (CE+ readiness and CIS topology only).

02 · What it measures

Fifteen collectors. The full surface.

Fifteen collectors run on a full-mode agent. The collector set is enforced from the server side as well as in the agent, so a host that should be running a narrower mode cannot accidentally upgrade itself.

  • Health. CPU%, memory%, disk%, uptime. The liveness signal underneath every other reading.
  • Hardware. CPU model, core count, RAM, motherboard / chassis identifier — read once a day. Lets the portal pick the right TDP profile, recognise hardware refreshes, and pre-populate asset inventories.
  • Docker. Container inventory and per-container CPU%. Used by the portal to attribute power draw across containers proportionally and to surface container-level health on the dashboard.
  • Network. Interface configuration, listening ports, ARP table, DNS servers, gateway detection, well-known port name mapping. Feeds the CIS topology view and the operational fleet map.
  • Filesystem. Mounts, usage percent, inode usage. Metadata only — the agent does not open files or read their contents.
  • Software. Installed package inventory with versions (up to 2000 packages). Linux uses dpkg-query or rpm; Windows reads the installed-software registry; macOS reads the equivalent. Feeds the A6.6 unsupported-software check.
  • Cybersecurity. Trivy container-image scanning (counts by severity), read-only nmap for network exposure, and a CIS-aligned check suite — firewall state, SSH configuration, update posture, sudo logging, key-based authentication.
  • Power. Whole-host electricity draw in watts. Primary counters where available — IPMI on baseboard management controllers, RAPL on x86 Linux, NVIDIA / AMD GPU counters, powermetrics on Apple Silicon, LibreHardwareMonitor on Windows — falling back to a calibrated CPU-time × TDP estimate, labelled accordingly so the method travels with the figure.
  • Sensors. Thermal readings (CPU, GPU, NVMe, motherboard) and fan tachometer speeds. Useful for cooling-load calculations and for spotting hosts running hot.
  • AI models. Localhost-only HTTP probes of common inference services — Ollama, LM Studio, LocalAI, OpenWebUI — capped at a three-second timeout per probe. Returns model names, parameter counts, and VRAM use per loaded model. The agent does not call any external AI service from your host.
  • Proxmox. Read-only API calls to the local Proxmox node (PVEAPIToken auth) to enumerate VMs and LXC containers, node status, per-guest CPU / RAM / disk. Excluded from Cyber and ESG agents.
  • Proxmox Backup Server. Datastore inventory, recent backup task history, version. Separate API token format (PBSAPIToken). Lets the portal show backup success rates next to the workloads they protect.
  • Logs. System log headlines only — ERROR / WARNING / CRITICAL severity, capped at 200 entries and 200 KB per push. Sources are journald on Linux, the Windows Event Log, and syslog on macOS / BSD. The agent does not stream verbose application logs and does not send body text beyond the severity-filtered headline.
  • Cyber compliance. CE+ A4–A8 self-assessment evidence: A4 (firewalls), A5 (secure configuration), A6 (security updates), A7 (user access), A8 (malware protection). The same collector the Cyber-mode agent uses.
  • Hermes. Detects the presence of the Hermes AI framework on the host — CLI binary, data directory, running process — and reads its public configuration: version, inference provider and model, workspace path, skills inventory, cron jobs, memory metadata. It is a presence and configuration read, not a content read; Hermes project files and conversations are not transmitted.

03 · What you get back

Everything the platform surfaces.

The full agent feeds the entire Horizon Platform. Everything the ESG and Cyber agents produce is included; on top of that:

  • Operational fleet dashboard. Live wattage, health, container count, OS / kernel, and parent-child Proxmox nesting (hosts with their VMs grouped beneath). Method-accuracy badges on every power reading.
  • Network & CIS topology view. Two-axis CIS scoring (device-local posture × internet exposure) plus a fleet map that shows what faces the internet and what sits behind it.
  • CE+ readiness. Controls dashboard, IASME-shaped PDF, software EOL flags, A2 scope pre-population. Identical to the Cyber-agent output, because it uses the same compliance collector.
  • ESG Reporting. kWh, kg CO2e (location-based and market-based), £, heat dissipation, SECR intensity ratio, methodology footer. Identical to the ESG-agent output.
  • Threats tab. Findings from the cybersecurity collector — Trivy CVE counts, exposed services, CIS check failures — with deduplication so a misconfiguration on a pfSense edge doesn't show up twice as a perimeter problem.
  • AI model inventory. Which inference servers are reachable on each host, which models are loaded, and how much VRAM they are using. Lets you keep an eye on local-LLM sprawl across the fleet.
  • PBS backup health. Recent task success / failure counts per datastore, datastore capacity, version. Surfaced alongside the workloads each datastore protects.
  • Hermes project surfaces. Visibility of which hosts have Hermes installed, what model they're configured to use, what skills and cron jobs are present. Useful when a fleet of AI assistants needs governance, not just installation.
  • System log headlines. Severity-filtered tails per host so the portal can surface a failing service or a flapping disk without you signing in to the box.
  • Remote support sessions. Operator-initiated SSH and remote-desktop access via bundled VNC over a Cloudflare Tunnel, with an ED25519 keypair minted per session and a recorded transcript. Sessions are explicitly opened by the operator from the portal; the agent does not accept commands from anywhere else.

04 · The boundaries

What it never touches.

The full agent is broad — but breadth is in the metadata layer, not in the content layer. The agent does not read documents, conversations, or user secrets; it reads the shape of the system the host is running.

  • No file contents. The filesystem collector reports mount points and capacity, never the bytes inside them.
  • No full log content. Logs are severity-filtered headlines, capped at 200 entries and 200 KB per push. Application logs, request bodies, and verbose journald output are not transmitted.
  • No process command lines or environment variables. The agent knows a process exists and how much CPU and memory it is using; it does not read the arguments it was invoked with or the environment it inherited.
  • No browser history, cached credentials, or stored secrets.
  • No user account contents. Account existence and permission groups are visible at the OS level; passwords, tokens, and session data are not.
  • No Hermes project content. The Hermes collector reads framework presence and configuration. Conversation history, project files, and skill outputs are not transmitted.
  • No AI inference traffic. The AI-models collector is a localhost HTTP probe — it asks the inference server what it has loaded; it does not read prompts, completions, or model weights.
  • No silent remote control. Remote-support sessions are initiated from the portal, audit-logged, and visible to the operator on the host while in progress. There is no covert command channel.

05 · Data residence

Where the data lives.

  • Hosting. UK-hosted Postgres, single-tenant logical separation per company. Telemetry does not leave the UK.
  • Direction of traffic. Outbound-only HTTPS from the host to the portal for telemetry. Remote-support sessions ride a Cloudflare Tunnel that is opened by the agent on demand and closes when the session ends — there is no permanent inbound listener.
  • Retention. 90-day rolling window by default for telemetry. Fixed-period retention is configurable on request and is enforced by automated deletion. Remote-session transcripts follow the same window.
  • Update channel. The agent pulls signed tarballs and verifies a recorded SHA-256 before applying. A failed update rolls back automatically; a tampered tarball never installs.
  • Session keys. Remote-support sessions mint a fresh ED25519 keypair per session. Keys do not persist on the host beyond the session that needed them.
  • Uninstall. One-line removal that leaves no residual state on the host beyond the install-log entry. After uninstall the agent goes offline in the portal within five minutes and is auto-archived after thirty days.
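
The update-channel ordering described above (verify first, only then unpack and swap), as an added example that is not the agent's own updater. It covers the recorded SHA-256 check and a keep-the-previous-tree rollback; signature verification is left out because the page does not name the scheme, and the function names, the `.previous` directory and the member-path check are assumptions.

```python
import hashlib
import io
import os
import shutil
import tarfile
import tempfile


class UpdateRejected(Exception):
    """Raised when a tarball fails verification; the installed tree is untouched."""


def apply_update(tarball, recorded_sha256, install_dir):
    """Install `tarball` (bytes) over install_dir only if its digest matches."""
    if hashlib.sha256(tarball).hexdigest() != recorded_sha256.strip().lower():
        raise UpdateRejected("SHA-256 mismatch")  # rejected before the archive is opened
    install_dir = os.path.abspath(install_dir)
    staging = tempfile.mkdtemp(prefix=".staging-", dir=os.path.dirname(install_dir))
    previous = install_dir + ".previous"  # hypothetical rollback location
    try:
        with tarfile.open(fileobj=io.BytesIO(tarball)) as tar:
            for member in tar.getmembers():
                # Plain files and directories only, and nothing that escapes staging.
                target = os.path.normpath(os.path.join(staging, member.name))
                inside = target.startswith(staging + os.sep)
                if not inside or not (member.isfile() or member.isdir()):
                    raise UpdateRejected(f"unsafe member: {member.name}")
            tar.extractall(staging)
        shutil.rmtree(previous, ignore_errors=True)
        os.rename(install_dir, previous)       # keep the old tree for rollback
        try:
            os.rename(staging, install_dir)    # swap the verified tree into place
        except OSError:
            os.rename(previous, install_dir)   # roll back to the old tree
            raise
    except Exception:
        shutil.rmtree(staging, ignore_errors=True)
        raise


def build_sample_tarball(files):
    """Constructed test input: an in-memory .tar.gz built from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```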

06 · Deployment

How it deploys.

Deployment is the same three-step shape as the narrower agents. The mode is selected when the install token is generated, and the collector set is enforced server-side so a host cannot accidentally drift into a wider mode than it was provisioned for.

  1. Generate a token in the portal. Pick the company, choose "Horizon mode", copy the install command.
  2. Run the install command on each host. A single line on Windows (PowerShell as admin), macOS, or Linux. The installer drops the agent into a known path, registers it as a service or LaunchDaemon, and exits.
  3. Wait a minute. The agent registers itself with the portal on first run; the first telemetry batch lands within sixty seconds. Tabs (Threats, ESG Reporting, CE+ Controls, AI Models, PBS) populate as their underlying collectors return data.

Hosts can be moved between modes by issuing a new install token — the change takes effect on the next check-in, no re-install required.

07 · Honest scope

What we won't claim.

An honest list. We'd rather name the gap than pretend it's solved.

  • Observability plus operator-initiated control, not autonomy. The agent does not act on its findings. It does not patch, reboot, kill processes, or change configurations by itself. The remote-support surfaces exist; they are opened by a human and visible while in use.
  • Logs are headlines, not an audit trail. Severity-filtered, capped at 200 entries per push. If you need a forensic-grade log archive, you need a log shipper — Horizon is not it.
  • Hermes presence, not Hermes content. The agent reads configuration and metadata. Conversation history, project files, and skill outputs stay on the host.
  • AI-model inventory is local-only. The collector probes localhost inference servers. It does not enumerate cloud-hosted models or call external AI APIs.
  • The CE+ and Scope 2 caveats still apply. CE+ evidence is evidence, not certification. Scope 2 figures are auditor-friendly, not ISO 14064-3 third-party-verified. Those caveats live on the Cyber agent reference and the ESG agent reference respectively; this agent inherits them in full.
  • The agent is broad; the trust boundary is narrow. Running a fifteen-collector agent is a serious ask, and we treat it that way. The list above of what it does not touch is the contract, and the server-side ingest enforces it as a second line of defence.
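
A sketch of what the server-side second line of defence could look like, as an added example that is not Horizon's own code: it drops collectors outside the host's provisioned set and applies the Logs collector's stated limits (ERROR / WARNING / CRITICAL only, 200 entries, 200 KB per push). The wire shape, the function names and the sample collector set are assumptions made for illustration.

```python
import json

MAX_LOG_ENTRIES = 200          # per-push entry cap stated on this page
MAX_LOG_BYTES = 200 * 1024     # per-push size cap; 200 KB read as 200 * 1024 (assumption)
LOG_SEVERITIES = {"ERROR", "WARNING", "CRITICAL"}


def enforce_log_contract(entries):
    """Apply the severity filter, then the entry and byte caps, to one log push."""
    kept, problems, used = [], [], 0
    filtered = [e for e in entries
                if isinstance(e, dict) and e.get("severity") in LOG_SEVERITIES]
    if len(filtered) != len(entries):
        problems.append(f"logs: {len(entries) - len(filtered)} entries rejected by severity filter")
    for entry in filtered:
        size = len(json.dumps(entry).encode("utf-8"))
        if len(kept) >= MAX_LOG_ENTRIES or used + size > MAX_LOG_BYTES:
            problems.append(f"logs: cap reached, {len(filtered) - len(kept)} entries discarded")
            break
        kept.append(entry)
        used += size
    return kept, problems


def enforce_push(push, allowed_collectors):
    """Return (accepted, violations) for one telemetry push from a host."""
    # Hypothetical wire shape: {"collectors": {collector_name: payload}}.
    # allowed_collectors is whatever set the host's mode was provisioned with.
    accepted, violations = {}, []
    for name, payload in push.get("collectors", {}).items():
        if name not in allowed_collectors:
            violations.append(f"{name}: outside provisioned collector set")
            continue
        if name == "logs":
            payload, problems = enforce_log_contract(payload)
            violations.extend(problems)
        accepted[name] = payload
    return accepted, violations


# Constructed sample: a host provisioned for a narrow set that also sends
# Proxmox data and an oversized, unfiltered log batch.
SAMPLE_ALLOWED = {"health", "power", "logs"}
SAMPLE_PUSH = {"collectors": {
    "health": {"cpu_pct": 12.5, "mem_pct": 40.1},
    "proxmox": {"guests": 7},
    "logs": [{"severity": "INFO", "headline": "service started"}]
            + [{"severity": "ERROR", "headline": f"disk fault {i}"} for i in range(250)],
}}
```

Running `enforce_push(SAMPLE_PUSH, SAMPLE_ALLOWED)` keeps `health` and 200 log headlines and returns one violation line for each thing it refused.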

08 · Related reading

Horizon Cyber agent

The narrower security-evidence sibling: same installer, eight collectors, scoped to Cyber Essentials Plus readiness and CIS-style topology scoring.

Read the Cyber agent reference

Horizon ESG agent

The narrowest sibling: five collectors, scoped to energy, Scope 2 emissions, and heat. Feeds the ESG Reporting tab and the auditor-friendly PDF.

Read the ESG agent reference

Sustainable infrastructure

The pillar that frames why one team owning the meter, the stack, and the audit trail is becoming the answer to two questions at once: sovereignty and sustainability.

Read Sustainable infrastructure

Next step

See it in the platform.

The full Horizon agent is one of three modes shipped by the Horizon Platform. See where its readings land and how the rest of the platform is built around them.

No deck · No sales pressure · We'll tell you to wait if you should

Or email a workload to hello@althorizon.co.uk — one-page model back in 48h.

Matt Shore, Founder · Alt Horizon

Registered: Alt Horizon Ltd · 17098644 · England & Wales · founded 2026

Data residency: Sovereign by default. Self-hosted unless you opt for a cloud option.