Blog / Security

Security
May 25, 2026 · 6 min read · Nexus Team

Every remote command Nexus runs on a device is cryptographically signed — here is why

Remote scripting and patch deployment are two of the most useful things an endpoint agent can do — and two of the most dangerous if the authorization model behind them is weak. If an attacker can convince an agent that a malicious command came from the management platform, they get remote code execution across every device that agent is installed on. That is not a hypothetical; it is the exact failure mode security teams ask RMM vendors about first.

The Nexus endpoint agent does not trust a command because it arrived over the right connection. Every job — a script, a patch instruction, a remote-control session request — is signed with an Ed25519 key on the platform side before it ever reaches a device, and the agent verifies that signature before it will execute anything.

Signed, and default-deny

  • Every remote job is Ed25519-signed by the platform — a device will not execute a job it cannot cryptographically verify.
  • A default-deny capability registry sits in front of that: today, low-risk classes like echo, ping, and inventory collection are enabled, and higher-risk classes like arbitrary patch-apply or script execution are explicitly gated — nothing is implicitly trusted.
  • The agent itself is outbound-only, the same architecture as the network monitoring agent — it phones home for jobs; nothing reaches in to hand it one.

That combination — signed authorization plus a default-deny registry — means the question "what can an attacker who compromises the management plane actually do to my endpoints" has a narrower, more specific answer than "whatever the RMM console can do," which is the honest answer for a lot of legacy tooling.

Patch deployment with ring rollout and auto-halt is live end-to-end on real hardware in our own practice today; remote scripting and remote control ride the same signed-job pipeline. We'd rather describe the actual cryptography than say "enterprise-grade security" and leave it there — ask us to show the signature verification path directly if you want to see it before you trust it.

Follow the build as it ships.

Nexus is live in our own MSP operations and opening to a limited design-partner cohort. Join the private-preview list.