Customised Agents & Extensions
While the First Watch® platform provides comprehensive built-in capabilities, certain operational scenarios require targeted monitoring tailored to a specific process, system, or risk. For these cases, the platform supports the use of customised agents and extensions.
Customised agents are designed to extend visibility and detection, not to replace core platform functions. They are typically used where standard monitoring cannot directly observe a critical artefact or behaviour.
Purpose and Operational Scope
Customised agents allow organisations to:
- Monitor artefacts that are unique to their process or vendor environment
- Collect specialised data that is not available through standard protocols
- Raise events, alarms, and notifications within the First Watch® platform
- React to deviations in near real time without disrupting operations
As with other advanced capabilities, customised agents are human-governed and must be designed and reviewed carefully.
Example — Monitoring Recipe Files Using Python
A common industrial requirement is the protection of recipe files used by control systems or manufacturing execution processes.
Operationally, recipe files may define process parameters, influence batch behaviour, or affect quality, safety, and compliance. Unauthorised or unintended changes to these files can introduce significant risk.
Using a Python-based custom agent, the following monitoring pattern can be implemented:
- The agent periodically calculates a cryptographic hash of approved recipe files
- The hash is compared against a known, approved baseline
- If a recipe file changes unexpectedly:
  - An event is generated
  - An alarm is raised in the First Watch® platform
  - A notification is sent to designated personnel
This reaction occurs in near real time, allowing rapid investigation before the change propagates into production.
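The pattern above can be sketched in plain Python as follows. This is an added example, not First Watch® SDK code: the `raise_event` callback stands in for whatever SDK call raises the event and alarm, and the `*.rcp` file pattern, function names and sample recipes are assumptions. Beyond a changed hash, it also reports approved files that have gone missing or become unreadable, and files that were never approved.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk_size=65536):
    """Hash in chunks so large recipe files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(recipe_dir, pattern="*.rcp"):
    """Record approved hashes; keep the result off the monitored host."""
    return {p.name: sha256_file(p) for p in Path(recipe_dir).glob(pattern)}

def check_recipes(recipe_dir, baseline, raise_event, pattern="*.rcp"):
    """One polling cycle: compare the directory to the baseline, report deviations."""
    present = {p.name for p in Path(recipe_dir).glob(pattern)}
    findings = [(n, "unapproved") for n in present - set(baseline)]
    for name, approved in baseline.items():
        try:
            if sha256_file(Path(recipe_dir) / name) != approved:
                findings.append((name, "modified"))
        except FileNotFoundError:
            findings.append((name, "missing"))
        except OSError:  # locked file or changed permissions
            findings.append((name, "unreadable"))
    now = datetime.now(timezone.utc).isoformat()  # when the change was detected
    events = [{"file": n, "status": s, "path": str(Path(recipe_dir) / n),
               "detected_at": now} for n, s in sorted(findings)]
    for event in events:
        raise_event(event)  # hypothetical hook: the platform's SDK call goes here
    return events

def demo():
    """Constructed sample: three approved recipes, then three kinds of deviation."""
    sent = []
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, body in {"batch_a.rcp": "temp=72\n", "batch_b.rcp": "temp=65\n", "batch_c.rcp": "temp=80\n"}.items():
            (root / name).write_text(body)
        baseline = build_baseline(root)
        (root / "batch_a.rcp").write_text("temp=95\n")  # silent parameter change
        (root / "batch_b.rcp").unlink()                 # approved file removed
        (root / "batch_x.rcp").write_text("temp=10\n")  # file never approved
        check_recipes(root, baseline, sent.append)
    return [(e["file"], e["status"]) for e in sent]
```

The agent only reads the files, so it stays in monitoring mode; a scheduler or loop would call `check_recipes` at the chosen polling interval.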
Operational Characteristics
Customised agents are designed to:
- Operate in monitoring mode, without modifying control behaviour
- Integrate natively into the platform's event, alarm, and reporting workflows
- Support traceability by recording when and where changes were detected
They are particularly effective for detecting silent changes that may not generate standard system logs.
Governance and Risk Considerations
Because custom agents introduce site-specific logic, they require:
- Careful definition of what is monitored and why
- Validation in non-production or controlled environments
- Clear ownership and maintenance responsibility
Custom agents should not be deployed ad hoc and should always align with the organisation's operational and cybersecurity governance model.
Risk Considerations
While custom agents provide powerful flexibility, they also introduce additional complexity that must be governed carefully:
- Increased operational complexity — custom logic adds another layer to the operational environment. Without proper governance, this can complicate troubleshooting, upgrades, and audits.
- Tight control of PowerShell and JavaScript usage — where custom agents or extensions interact with PowerShell or JavaScript, usage must be strictly governed, execution scope must be limited, and alignment with Application Control policies is mandatory. This prevents misuse of scripting capabilities that could otherwise be leveraged for malicious activity.
- Mandatory testing outside production — all custom agents and extensions must be developed and validated in test or staging environments, verified against expected behaviour and failure scenarios, and approved before deployment into live industrial systems. Direct development or testing in production environments is strongly discouraged due to the risk of unintended disruption.
Operational Considerations
The use of customised agents introduces additional operational responsibilities that must be managed explicitly:
- Development using the provided SDK — custom agents are developed using the First Watch® SDK, ensuring consistent integration, secure communication, and compatibility with the platform's event and alarm framework.
- Unified visibility within the platform — data collected by custom agents is presented through the same dashboards, event views, and alarm workflows as native platform data. Operators do not need to manage separate tools or interfaces.
- Clear ownership and documentation — each custom agent must have defined ownership (responsible team or individual), documented purpose and scope, and clear maintenance and update responsibility. This prevents custom logic from becoming opaque, unmanaged, or forgotten over time.
Training and Support
Development and deployment of customised agents are typically supported through advanced training and implementation guidance provided by First Watch engineers. This ensures that:
- Agents are safe, efficient, and reliable
- Monitoring logic aligns with operational intent
- False positives and unnecessary alerts are avoided
Operational Positioning
Customised agents are a powerful extension mechanism, not a default operating mode. When used with appropriate governance, testing, and ownership, they allow organisations to address highly specific monitoring needs without compromising platform integrity or operational safety.