02-15-2025 10:02 AM
Hello,
I have a few cybersecurity-related questions regarding Cisco ThousandEyes Enterprise Agents, specifically their deployment on Cisco 9300 switches:
For deployment on 9300 switches what are the recommended security best practices? Is hosting them on core infrastructure considered a security risk?
How are the switch-hosted Enterprise Agents hardened? What security practices are recommended for their deployment?
Can these agents be scanned with Tenable scanners?
Do switch-hosted agents support certificates from customer CA? If so, what's the best way to automate certificate deployment to a large number of agents?
Best Regards
02-18-2025 03:26 PM
Howdy @SLAK - I ran your questions by our experts and they had some really good input I want to share with you, addressing by question:
For deployment on 9300 switches what are the recommended security best practices? Is hosting them on core infrastructure considered a security risk? "Please ask the member to open a support case with our InfoSec team to provide better, more personalized insights into this."
How are the switch-hosted Enterprise Agents hardened? What security practices are recommended for their deployment? "At a high level, we use Alpine as the latest version for Enterprise Agents installed on Cisco devices. Alpine is built on musl, which is a security-hardened C library, rather than the more general glibc. This includes automatic hardening for many C and C++ projects built against it, including the Enterprise Agent."
Can these agents be scanned with Tenable scanners? "Please ask the member to open a support case with our InfoSec team to provide better, more personalized insights into this."
Do switch-hosted agents support certificates from customer CA? If so, what's the best way to automate certificate deployment to a large number of agents? "Enterprise Agents are installed on standard operating systems which the customer controls, including control of the certificate stores. At the moment, certificates should be updated manually but there is currently a feature request to have them updated in bulk. It should be noted that it is not yet on our roadmap. Additional details on certificates are in this documentation."
Welcome to the community! If you've never opened a case with our support team it's pretty simple! This article goes into more detail if you need a refresher.
02-19-2025 02:44 PM
Thanks for the response @Tyler Langston. I'll check feasibility of opening support cases as suggested.