Skip to main content

First Steps

Once you have logged in and enrolled at least one agent, this guide walks you through the TridentStack Control interface and the recommended steps to get your environment configured.

Your organization comes ready to go

When your organization is created, TridentStack Control sets it up with sensible defaults so you see results as soon as you enroll your first endpoint. Out of the box, your organization includes:

  • A default system update policy that automatically approves operating system updates older than 7 days with no unresolved known issues, then surfaces them for your review.
  • A default application updates policy covering more than 30 popular applications. It keeps those applications current if they are installed, and never installs an application that is not already present.
  • An "all endpoints" tag that every newly enrolled device joins automatically, so the default policies apply to your fleet from the moment a device checks in.

Because of this, you do not need to create a policy or a tag before you get value. As soon as you enroll an endpoint, applicable operating system and application updates begin appearing for it.

warning

The default policies surface and pre-approve updates for your review, but nothing installs automatically. To actually install updates on your endpoints, you create and assign a deployment ring. This keeps you in control of when and how patches roll out.

What you see after login

After logging in, you land on the Dashboard. The default system dashboard provides a high-level view of your fleet: agent status, patch compliance, vulnerability counts, and recent activity. The system dashboard is read-only, but you can clone it or create your own custom dashboards where widgets can be freely added, removed, and rearranged. The dashboard system is highly modular, allowing you to build visualizations for essentially any data within the platform.

The left sidebar is your primary way to move between sections. It is organized into these areas:

SectionPagesPurpose
DashboardDashboardFleet overview with customizable widgets
AgentsEndpoints, Tags, AutomationManage enrolled devices, organize them with tags, create automation rules
Update ManagementSystem Updates, Application Updates, Deployment RingsCreate patch policies, manage third-party app updates, configure phased rollouts
Configuration PoliciesConfiguration PoliciesApply and enforce device configuration settings
VulnerabilitiesVulnerabilitiesView detected CVEs across your fleet, manage exceptions
ComplianceComplianceMeasure endpoints against CIS, DISA STIG, Microsoft, and NIST baselines
ReportingReportingBuild custom reports with the visual query builder or SQL editor

At the bottom of the sidebar:

SectionPurpose
System AuditActivity logs and change tracking
SettingsPlatform configuration, user management, API keys, agent installers
tip

The sidebar can be collapsed to icon-only mode by clicking the collapse button at the bottom. This gives you more screen space when working in detail views.

Because your organization arrives pre-configured, getting to a fully managed environment is mostly a matter of enrolling endpoints and deciding how you want updates to roll out:

The default update policies and the "all endpoints" tag are already in place, so enrolled devices are covered immediately. The one action that actually installs updates is creating and assigning a deployment ring. From there, you can refine targeting with your own tags and add compliance baselines as your needs grow.

How targeting works

Understanding the relationship between agents, tags, and policies is key to managing your fleet effectively.

The hierarchy works like this:

  • Tags are the only thing directly associated with an agent. You do not assign policies to individual endpoints. Instead, you assign tags to agents and then target policies at those tags.
  • All policies target tags. System update policies, application update policies, configuration policies, and compliance baselines are all associated with tags, not individual agents. When you add or remove an agent from a tag, it automatically gains or loses every policy targeting that tag.
  • Deployment rings are associated with update policies, not tags or agents. Both system update policies and application update policies can use deployment rings. Rings control the rollout pace of a specific policy and determine what percentage of the targeted agents receive updates at each stage.
note

Linux updates are managed exclusively through system update policies. Application update policies apply to Windows and macOS endpoints.

info

This design means you manage your fleet by organizing agents into the right tags. Once your tags are set up, adding a new endpoint is as simple as assigning its tags - all relevant policies apply automatically.

note

Your organization's default update policies are already targeted at the built-in "all endpoints" tag, and every newly enrolled device joins that tag automatically. That is why updates begin appearing without any setup. You can create additional tags and policies whenever you want finer-grained control.

Step 1: Verify your agents

Before configuring anything, confirm your agents are communicating properly.

  1. Navigate to Agents > Endpoints in the left sidebar.
  2. Check that each enrolled endpoint shows a Status of Online.
  3. Review the Last Seen column to confirm agents are actively reporting.

If any agents show as Offline, refer to the Agent Enrollment troubleshooting section before proceeding.

Step 2: Confirm updates are appearing

Thanks to the default policies and the "all endpoints" tag, you do not need to create anything to start seeing results. Once an endpoint is online and has completed its first telemetry refresh, applicable updates show up automatically.

  1. Navigate to Update Management > System Updates to see operating system updates the default policy has surfaced and pre-approved for your endpoints.
  2. Navigate to Update Management > Application Updates to see third-party application updates for the popular applications that are installed on your fleet.
  3. Open an individual endpoint from Agents > Endpoints to see the updates applicable to that specific device.

Remember that surfaced and pre-approved updates are ready for installation, but they do not install on their own. The next step puts them into action.

note

The default application updates policy only updates applications that are already installed. It will not add new software to an endpoint.

Step 3: Create and assign a deployment ring to install updates

A deployment ring is what actually rolls out approved updates to your endpoints. It also lets you control the pace: you can install to a small test group first, watch the results, and then expand to the rest of your fleet in phases.

  1. Navigate to Update Management > Deployment Rings.
  2. Click Create Ring and give it a descriptive name (for example, "Standard Rollout").
  3. Define the rollout phases, or start from a built-in preset. A common pattern is a small canary group first, followed by progressively larger waves until every targeted endpoint is covered.
  4. Assign the ring to an update policy. You can attach it to the default system update policy, the default application updates policy, or any policy you create.
  5. Save the ring.

Once a ring is assigned to a policy, approved updates begin installing on the targeted endpoints according to the ring's schedule and phase settings. For a full walkthrough of phases, advancement rules, and presets, see Deployment Rings.

warning

When trying out a new rollout, start with a small phase so updates reach a handful of non-critical endpoints first. Confirm the results, then let the ring expand to the rest of your fleet.

Step 4: Organize with your own tags (optional)

The built-in "all endpoints" tag covers your whole fleet, which is perfect for getting started. As your environment grows, you will likely want to group endpoints more precisely so you can apply different policies to different sets of devices.

  1. Navigate to Agents > Tags.
  2. Create tags that reflect your environment. Common examples:
    • Production and Development (by environment)
    • Windows Servers and Linux Servers (by platform)
    • Finance, Engineering, HR (by department)
    • US-East, EU-West (by location)
  3. Assign tags to endpoints from the Agents > Endpoints page by selecting one or more agents and using the tag assignment action.
  4. Target a policy at your new tags by editing the policy and choosing those tags under Targets.
note

A single endpoint can have multiple tags. For example, a server might be tagged as both "Production" and "Windows Servers". When a policy targets either tag, that server receives the policy.

tip

To create your own update policy, navigate to Update Management > System Updates or Update Management > Application Updates, click Create Policy, choose which updates to include and how they are approved, and select the tags it targets. See System Updates and Application Updates for details.

Step 5: Review vulnerabilities

TridentStack Control automatically scans your fleet for known vulnerabilities based on installed software and missing patches.

  1. Navigate to Vulnerabilities in the left sidebar.
  2. Review the list of detected CVEs, sorted by severity (Critical, High, Medium, Low).
  3. Click any CVE to see which endpoints are affected and whether a patch is available.
  4. For vulnerabilities that cannot be patched immediately (due to compatibility requirements or other constraints), create an exception with a justification and expiration date.

Vulnerability data updates automatically as agents report new software inventory and as new CVE information becomes available. No manual scans are required.

You can also view vulnerabilities for a specific endpoint by navigating to its details page in Agents > Endpoints and selecting the Vulnerabilities tab. This gives you a per-agent view of all detected CVEs affecting that individual endpoint.

Step 6: Check compliance

Compliance baselines measure your endpoints against industry-standard security frameworks. Unlike vulnerabilities (which are detected automatically), compliance evaluation requires you to assign a baseline to your endpoints first.

  1. Navigate to Compliance in the left sidebar.
  2. Review the available frameworks: CIS Benchmarks, DISA STIGs, Microsoft Security Baselines, and NIST controls.
  3. Assign a baseline to one or more tags. Endpoints with those tags will begin compliance evaluation on their next check-in.
  4. Once evaluation completes, select a baseline to see your fleet's compliance score and which specific controls are passing or failing.
  5. Drill into individual controls to see affected endpoints and remediation guidance.
info

Compliance evaluation only runs on endpoints that have a baseline assigned through their tags. If you do not see compliance data for an endpoint, verify that its tags are associated with at least one compliance baseline.

Next steps

With endpoints enrolled, updates appearing through your default policies, and a deployment ring installing them, you have a working environment. From here, explore these areas:

  • Application Updates - Review and tune the third-party application patches that the default policy surfaces, or create your own application policies.
  • Deployment Rings - Refine your phased rollouts so patches reach test groups before production.
  • Configuration Policies - Enforce device settings (security configurations, feature toggles) across your fleet.
  • Automation - Create rules that automatically tag, patch, or notify based on endpoint conditions.
  • Reporting - Build custom reports to share patch compliance and vulnerability status with stakeholders.