Agent connectivity and response availability

Kaseya MDR uses a lightweight endpoint agent to support detection, investigation, and response. While the underlying agent continues monitoring systems continuously, its connectivity state can affect when response actions are executed.

In Kaseya MDR, alerts, investigations, and response outcomes—not device status indicators—are the primary way to understand security activity and system health.

Read this article if an alert is valid but a response action did not execute as expected, if an agent appears temporarily unreachable in the platform, or if you want to understand why detection continues even when connectivity is interrupted.

This article explains:

How the Kaseya MDR agent communicates with the platform
The difference between agent reachability and detection capability
How connectivity affects response actions
What to expect during and after temporary connectivity interruptions

How the MDR agent communicates

The Kaseya MDR agent communicates with the Kaseya MDR platform using an outbound‑only connection model, which limits exposure and supports resilient monitoring.

At a high level, the agent:

Continuously monitors the system for security‑relevant activity
Sends detections and telemetry to the Kaseya MDR platform
Receives response and control actions when reachable
Queues or caches activity if connectivity is temporarily disrupted

Short‑term connectivity interruptions do not stop detection or create blind spots. Collected activity is preserved and delivered once connectivity is restored.

Agent reachability vs. detection capability

It is important to distinguish between agent reachability and detection capability.

Agent reachability refers to whether the platform can immediately communicate with the agent to send commands or response actions.
Detection capability refers to the agent’s ability to continue monitoring the system and recording security activity.

An agent may be temporarily unreachable while still actively monitoring the system. In these situations:

Alerts can continue to be generated
Security activity is preserved locally
Collected data is delivered once connectivity is restored

This design ensures that brief network interruptions or system changes do not invalidate alerts or interrupt monitoring.

How connectivity affects response actions

Response actions—whether manual or automated—require the agent or an integrated service to be reachable at the time the action is executed.

If an agent is temporarily unreachable:

Response actions may be delayed or queued.
Some actions may fail to execute immediately.
The alert or investigation reflects the response status.

A response action failure does not mean the alert is invalid or that monitoring has stopped. It indicates that the response action could not be completed under the current conditions. This behavior aligns with the Detect > Investigate > Respond lifecycle, where investigation context remains valid even when response execution is constrained.

How isolation affects agent communication and investigations

When a device is isolated, its general network communication is restricted, but this does not invalidate alerts or investigations.

Isolation is designed to prevent a device from communicating with external networks while still allowing Kaseya MDR and supported management platforms to communicate with the device. As a result, alerts remain valid, investigations continue, and response actions initiated through Kaseya MDR can still be executed while the device is isolated.

Common reasons an agent may be unreachable

Temporary agent unreachability can occur for several reasons, including:

The device is powered off, suspended, or restarting.
Network connectivity issues prevent communication with the RocketCyber cloud.
The agent service is stopped or being updated.
The device is isolated as part of a response action (general network communication is restricted, but the device remains reachable by Kaseya MDR and supported management platforms).

In many cases, no manual intervention is required. The agent automatically reconnects when normal conditions are restored.

What happens when connectivity is restored

When connectivity is re‑established:

Queued detections are delivered to the platform.
Investigation timelines are updated with preserved activity.
Pending or retried response actions can proceed.
Historical alerts and investigations remain intact.

Temporary connectivity interruptions do not remove alerts, erase investigation data, or reduce long‑term visibility.

Key takeaways

Kaseya MDR detection continues even during temporary connectivity interruptions.
Agent reachability affects response execution, not alert validity.
Alerts and investigations are the primary way to assess security activity.
Delayed or failed response actions do not invalidate alerts.

Additional help

If agent connectivity issues persist or response actions repeatedly fail, submit a request through the Kaseya Helpdesk.

For product discussion and feedback, visit the Kaseya Community or the Kaseya Ideas portal.

Detect > Investigate > Respond flow: Understand how response fits into the overall lifecycle
Agent architecture and security model: Understand the trust boundaries and outbound‑only communication model that shape agent connectivity and response behavior
Using Kaseya MDR: Continue working with alerts, investigations, and response actions

	Need help? Submit a Kaseya Helpdesk request.
	Want to talk about it? Head over to Kaseya Community.
	Have a new feature idea? Visit the Kaseya Ideas portal.
	Provide feedback for the Documentation team.