Reactive and proactive — without a false dichotomy
Reactive security (default baseline):
- System inventory and asset visibility
- Centralized, consistent logging
- Time synchronization for forensics
- Patch posture reporting
- Minimal abuse protection (e.g. SSH brute-force)
Proactive security (opt-in):
- Firewall enforcement
- Central log forwarding / SIEM integration
- Stricter policies per profile
- Extended monitoring and controls
There is no global “mode switch”.
Security posture is defined by enabled modules and profiles, not by hidden logic.