
Choosing the Right Deployment Option(s)

Choosing the Right Deployment Option(s) for HYAS Protect

HYAS Protect offers flexible deployment options to fit your environment—whether you're securing roaming endpoints, enforcing policy at the network edge, or integrating with existing security platforms like Microsoft Defender for Endpoint or SentinelOne. You can deploy a single method or use a hybrid approach, combining multiple deployment types to match your infrastructure, user base, and operational needs. Each method provides a different balance of visibility, control, and integration effort, allowing you to tailor protection to your organization’s unique requirements.


HYAS Protect Agent

The Agent is a lightweight service installed directly on Windows or macOS devices. It intercepts DNS traffic at the device level, enabling fine-grained control, user and device attribution, and consistent policy enforcement—on or off the corporate network.

Best For:

  • Organizations with remote or hybrid workforces

  • Scenarios needing user or device level visibility

  • Environments requiring per-user group policy enforcement

  • Continuous protection across networks, including off-network use

Avoid When:

  • You want a fully agent-less deployment

  • Devices are always on a corporate network, and user-level attribution is unnecessary

  • You lack the ability to manage or push software to endpoints

HYAS Protect Resolver

This method secures DNS traffic by routing it through HYAS’s protected DNS resolvers. It’s configured at the network level (e.g., router, firewall, DHCP) and requires no endpoint software.

Best For:

  • Fixed-location environments like offices, branches, or retail sites

  • Organizations looking for a quick, agent-less setup

  • Environments where network-based policy enforcement is sufficient

Avoid When:

  • You need user or device-level attribution

  • Devices frequently operate off-network (e.g., remote workers, laptops)

  • You require per-user or group-level policy controls

Microsoft Defender for Endpoint (MDE) Integration

This integration uses the existing MDE agent to route DNS traffic through HYAS Protect. It requires no separate installation and extends PDNS protection to devices already covered by MDE.

Best For:

  • Organizations that already have MDE deployed

  • Use cases where off-network protection is needed without extra agents

  • Environments aiming to simplify deployment and maintenance

Avoid When:

  • Devices are not covered by Microsoft Defender for Endpoint

  • You need more advanced policy customization than MDE's integration allows

  • Your organization uses a different EDR or AV solution

SentinelOne Integration

This integration uses the existing SentinelOne agent to enable HYAS Protect DNS enforcement. No additional software is required, and protection applies to all S1-managed devices.

Best For:

  • Existing SentinelOne customers with Cloud Funnel already deployed or planning to enable it

  • Organizations wanting to avoid installing additional agents

  • Teams looking for a centralized, agent-less DNS protection layer through existing EDR tooling

Avoid When:

  • Devices are not managed by SentinelOne

  • You need user/device attribution or fine-grained DNS policy management beyond what the integration supports

  • Your use case requires domain-specific blocking—SentinelOne enforces blocks at the IP level, which can cause over-blocking in shared or CDN environments

  • You are not using Cloud Funnel—the integration requires it, and enabling Cloud Funnel may involve additional cost, configuration effort, or architectural changes
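The IP-level over-blocking caveat above can be estimated from your own DNS logs before you commit to this integration. The sketch below is an added example, not HYAS or SentinelOne code: it assumes a domain verdict is enforced against every IP that domain resolved to, the function names are hypothetical, and the sample records are constructed from documentation-only domains and address ranges.

```python
from collections import defaultdict

# Constructed sample data: (domain, resolved IP) pairs as they might be
# exported from DNS logs. Domains and IPs are reserved documentation values.
SAMPLE_RESOLUTIONS = [
    ("malicious.example", "203.0.113.10"),        # shared CDN edge
    ("shop.example", "203.0.113.10"),
    ("Intranet-Portal.example.", "203.0.113.10"),
    ("c2.example", "198.51.100.7"),               # dedicated host
    ("news.example", "192.0.2.44"),
]
BLOCKED_DOMAINS = {"malicious.example", "c2.example"}


def normalize(domain):
    """Lower-case and drop the trailing root dot so log variants compare equal."""
    return domain.lower().rstrip(".")


def collateral_of_ip_blocks(resolutions, blocked_domains):
    """For each IP a domain block would translate into, list the
    non-blocked domains that were also served from that IP."""
    domains_by_ip = defaultdict(set)
    for domain, ip in resolutions:
        domains_by_ip[ip].add(normalize(domain))
    blocked = {normalize(d) for d in blocked_domains}
    report = {}
    for ip, domains in domains_by_ip.items():
        if domains & blocked:                     # this IP would be blocked
            report[ip] = sorted(domains - blocked)
    return report


def over_blocking_ips(report):
    """IPs whose block would also cut off at least one non-blocked domain."""
    return sorted(ip for ip, collateral in report.items() if collateral)


if __name__ == "__main__":
    result = collateral_of_ip_blocks(SAMPLE_RESOLUTIONS, BLOCKED_DOMAINS)
    for ip, collateral in sorted(result.items()):
        status = "over-blocks " + ", ".join(collateral) if collateral else "no collateral"
        print(f"{ip}: {status}")
```

A long list from `over_blocking_ips` on real log data indicates that the blocked domains sit on shared or CDN addresses, which is the situation where domain-level enforcement through the Agent or Resolver is the better fit.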


Deployment Method Matrix

To help you quickly compare these deployment methods side-by-side, the chart below breaks down key capabilities, coverage, and requirements—so you can more easily determine which option(s) best align with your environment.

Capability

HYAS Protect Agent

HYAS Protect Resolver

MSFT Defender for Endpoint Integration

SentinelOne Integration

Best-in-Class Defense Against Domain-Based Threats

On-Network Coverage

Off-Network Coverage

✅ provided the subject device is covered by MDE

✅ provided the subject device is covered by S1

HYAS Agent Installation Required

User & Device Level Attribution

User Group Level Support and Policy Application

Local DNS (Domains & Resolvers) Configurability

Split-Horizon Compatibility

Safe Search Enforcement

Source Network Level Policy Application


Hybrid Deployments

While the matrix above focuses on individual deployment methods, many organizations benefit most from a hybrid approach—combining multiple deployment types to reflect how their environment actually operates.

Hybrid deployments allow you to apply the right level of attribution, control, and visibility across a variety of device types—such as roaming laptops, on-prem desktops, or unmanaged IoT infrastructure.

Common Hybrid Deployment Scenarios:

  • Agent + Resolver
    Use the HYAS Agent for remote or roaming users to enable user-level attribution and group-based policy enforcement. Pair this with the HYAS Resolver for on-premises or fixed-location devices, where source network–based policies are sufficient.

  • MDE + Resolver
    Many organizations use Microsoft Defender for Endpoint to monitor DNS activity from managed endpoints. HYAS Protect ingests DNS logs from MDE via an Azure Event Hub and analyzes them for threats and behavioral anomalies. However, MDE only provides visibility into devices running the Defender agent. By adding a HYAS Resolver, you gain policy enforcement and visibility for unmanaged, shared, or IoT devices that MDE doesn’t cover—ensuring more complete DNS-layer protection across your environment.

  • SentinelOne + Resolver
    Organizations using SentinelOne can enable Cloud Funnel to forward DNS queries from managed endpoints to HYAS Protect for analysis and threat detection. This provides deep visibility into DNS activity on protected devices. However, SentinelOne only captures traffic from endpoints with the agent installed. Adding a HYAS Resolver extends coverage and enforces DNS-layer policy for infrastructure devices, IoT systems, and other unmanaged assets—ensuring nothing falls through the cracks.

Why Go Hybrid?

  • Achieve comprehensive DNS-layer protection across managed, unmanaged, and hybrid environments

  • Cover devices that don’t support agents or endpoint integrations (e.g., printers, cameras, guest devices)

  • Maintain clean attribution and policy enforcement without unnecessary overhead

  • Get the most out of your existing security investments while expanding coverage to what they miss

HYAS Protect was designed with deployment flexibility in mind, so you can adapt your protection strategy to your infrastructure—not the other way around.

Still Not Sure?

If you’re unsure which method fits your environment best, answer a few quick questions below, and we’ll guide you to the recommended deployment path based on your needs.


Deployment Assistant

This quick assistant will walk you through a few simple questions to help identify the best way to deploy HYAS Protect—whether that’s through our lightweight Agent, DNS Resolver, Microsoft Defender for Endpoint (MDE) integration, SentinelOne, or a combination of methods.

By answering just a few prompts, you’ll get a personalized recommendation that aligns with your network architecture, visibility needs, and operational goals.

Let’s find the right fit for you.

  1. Does your organization use Microsoft Defender for Endpoint or SentinelOne with Cloud Funnel?

✅ Yes - Choose the appropriate integration below:

🚫 No - Continue to Question 2. ⤵️

  2. Do you have a mix of devices—some that stay in one place (e.g., desktops) and others that travel (e.g., remote laptops)?

✅ Yes - Go to Question 3.

🚫 No - Go to Question 4.

  3. Is it acceptable for stationary devices to have policies based on network location (without user/device attribution), while roaming devices get group-based policies and individual attribution?

✅ Yes – A hybrid deployment is recommended.
Deploy the HYAS Protect Resolver for stationary devices and the HYAS Protect Agent for roaming devices.

🚫 No – Deploy via the HYAS Protect Agent. Agent Deployment Guide

  4. Are all of your devices always connected to the corporate network (e.g., via a fixed office, site-to-site VPN, or similar)?

✅ Yes - Go to Question 5

🚫 No - Deploy via the HYAS Protect Agent. Agent Deployment Guide

  5. Is it acceptable to apply policies based on network location (source network) instead of user groups, without knowing which specific user or device made each DNS request?
    (You’ll still see all DNS queries—just not who made them.)

✅ Yes - Deploy via the HYAS Protect Resolver. Protect Resolver Deployment Guide

🚫 No - Deploy via the HYAS Protect Agent. Agent Deployment Guide

Optional: Do you also need to protect unmanaged or infrastructure devices (e.g., printers, IoT, or guest systems) not covered by MDE or SentinelOne?

✅ Yes – Consider adding a HYAS Protect Resolver alongside your integration. Protect Resolver Deployment Guide

🚫 No – Your existing integration may be sufficient for your current environment.

If your environment doesn’t fit cleanly into these scenarios, contact HYAS to discuss a custom deployment strategy that meets your specific operational and security needs.
