# How Does Endpoint Protection Work? Aikido Endpoint Protection installs a lightweight Layer 4 proxy on each device. It only inspects supported package manager traffic. Everything else bypasses it. ### Decisions happen on the device All allow and block decisions happen locally. Aikido does not receive your traffic, browsing history, or downloaded files. The agent downloads only the data it needs to enforce policy: * **Allowlists and blocklists** * **Malware signatures** * **Policy rules and exceptions** After that sync, the device can enforce rules on its own. ### Aikido only sees install outcomes Package contents stay on the device. General browsing stays invisible to Aikido. Aikido only receives install outcomes, such as: * Allowed installs * Blocked installs * Flagged installs ### It only intercepts supported ecosystems The proxy is not a general web filter. It only intercepts supported package ecosystems, including `NPM`, `PyPI`, `Chrome Web Store`, `VS Code Marketplace`, `Maven`, and `NuGet`. All other traffic passes through unchanged. ### HTTPS inspection stays local Supported package managers use HTTPS. To inspect that traffic, the agent installs a local Certificate Authority on the device. That CA is generated and stored locally. It never leaves the device. It is only used for the ecosystems Aikido monitors. ### Sync and reporting frequency The agent sends a heartbeat every 10 minutes. It generates and syncs a fresh SBOM once a day. A new device does not wait up to a day to appear. On first install, the initial heartbeat and SBOM run immediately, so the device shows up almost instantly. New installs and blocks are immediately sent to Aikido. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://help.aikido.dev/aikido-endpoint-protection/miscellaneous-aikido-endpoint/how-does-endpoint-protection-work.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.