Everything the workforce-analytics tool would do, minus the per-seat tax.
The categories below mirror the buckets you'll recognise from incumbent platforms. Each card is honestly labelled Now for what ships today, v1.1 for the next quarter, or Later for what's on the roadmap.
Real-time workforce visibility
What's on screen, who's at the keyboard, and what the day actually looked like.
Active-window timeline Now
Foreground process, window title, and Windows user — sampled every 10 seconds. The screenshot reel reconciles to the same timeline.
Idle vs. active detection Now
Native GetLastInputInfo with 49-day wrap protection. Idle gaps don't get attributed to whichever app happens to be in the foreground.
Browser URLs, no extension Now
UI Automation reads the address bar from Chrome, Edge, Firefox, Brave, Vivaldi, Opera, LibreWolf, and Arc. Query strings and OAuth tokens are stripped before they leave the endpoint.
Screenshot timeline Now
One JPEG per minute (quality 70), perceptual-hash deduped, idle-skipped. Hot tier 30 days, cold tier through day 365, hard-deleted after.
Multi-monitor capture Now
Virtual screen rect — every monitor stitched into one frame. No "primary display only" blind spots.
Per-user attribution Now
Resolves the Windows SID of the foreground process owner, not the service account. RDP and fast-user-switching sessions are tracked separately on the same device.
Live activity widget v1.1
Tenant overview card that auto-refreshes every 30s — last-5min activity per user, sorted by productivity. The "is anyone working right now?" answer at a glance.
Productivity intelligence
Categorise activity, surface trends, and give MSP admins something to brief their customers on.
Productive · Neutral · Unproductive Now
Sensible defaults out of the box — Office, IDEs, comms, browsers, games. Override per tenant; rules cascade by executable or URL host.
Daily work metrics Now
Minutes-by-category cards per tenant. Top apps and top hosts per user, per day, with category badges.
Per-tenant classification rules Now
MSP admin or super-admin adds executable or url_host rules in the dashboard. Each rule is tenant-scoped — your customers' categorisations don't leak across.
Productivity trends v1.1
Weekly and monthly rollups, sparklines per user and per team, regression-line on net productive time. All on top of data we already collect today.
Goals + benchmarks v1.1
Per-tenant productivity targets (e.g. "≥ 5h productive / day"). Dashboards show distance-to-goal, not raw numbers, so the bar moves with the business.
Exception reporting v1.1
Outlier detection: idle > N hours during the work window, off-hours bursts, an app unusually high for a given user vs. their team.
Org overview (super-admin) v1.1
Cross-tenant aggregate on one page — total active users, productive minutes, top tenants by activity, devices reporting in the last hour. For when you run dozens of customers.
Category trend chart v1.1
Stacked-area chart of productive / neutral / unproductive minutes over time. Per tenant, per user, per group.
Daily metrics grid v1.1
Multi-day heat-map: rows = users, columns = last N days, cell shading = productive minutes. Spot drift instantly.
Application & website usage
Per-app dwell time, browser-tab visibility, license-spend signal.
Per-app dwell time Now
Foreground-only sampling — background apps don't count as time spent. Background CPU snapshots are deliberately not collected (v1.0 trade-off).
Browser tab URL Now
host + path only. Queries, fragments, and the entire OAuth token portion of magic links are dropped at the endpoint before storage.
Activity alignment v1.1
Map roles to expected-app sets. Surface users whose actual usage drifts from what their role typically needs.
License spend & underuse Later
Cross-reference an MSP-managed license inventory against actual usage. Identify the SaaS seats that are paid but cold.
Application Usage page v1.1
Top exes per tenant with productivity badges, sortable + filterable. Drill from "tenant uses Photoshop 14h/wk" to which users contributed those hours.
Website Usage page v1.1
Top URL hosts per tenant. Same drill-down. Productivity classification at the host level (work-app domains → productive, social → neutral, etc.).
AI usage tracking
Tell the customer how much time their workforce is spending with AI assistants — without spying on the conversations.
AI assistant detection v1.1
Out-of-the-box matchers for Claude, ChatGPT, Copilot, Cursor, Windsurf, Cody, Notion AI, Gemini desktop. New ones are added as classifications.
AI time per user / per tenant v1.1
Foreground time in AI tools, separated from "browser → ai.google.com" and tracked together. Trend over weeks.
AI productivity correlation Later
Does heavy AI use shift category mix toward productive? The roll-up doesn't claim causation — it claims correlation, with confidence intervals.
AI governance policy Later
Per-tenant policy on which AI tools are sanctioned. Activity outside the allow-list flags into the alerts pipeline.
Alerts & compliance
Push the signals that need attention; archive the rest for the auditor.
SOC 2 audit log Now
Every authenticated mutating action recorded with actor, IP, user-agent, target, outcome, structured metadata. Default 3-year retention (CC7.2).
Append-only by convention Now
No UPDATE or DELETE API on the audit table from the app. Only the dedicated retention sweep removes rows aged past the policy.
Activity alarms v1.1
NotifyBell push when a rule fires — offshore IP, off-hours screenshot burst, sanctioned-AI policy violation, unexpected admin tool use.
Schedule adherence v1.1
Per-tenant work-hours config. Highlight users whose activity profile drifts outside their scheduled window.
Alarm configuration UI v1.1
Per-tenant rules editor — idle threshold, off-hours activity, app on deny-list, screenshot rate anomaly. Activate, mute, route to webhook or NotifyBell.
Alarm log v1.1
Every fired alarm with timestamp, user, rule, payload, and acknowledged/dismissed state. The "who saw what when" view for compliance reviews.
MSP-grade platform
Our wedge. Built for MSPs first; single-org buyers come along for the ride.
Multi-tenant from row 1 Now
Every database row carries a tenant_id. Every MinIO object key starts with the tenant UUID. Cross-tenant access returns 404, not 403 — we don't even confirm the other tenant exists.
Per-tenant RMM bundles Now
Download a per-customer signed installer (.ps1 or .cmd) from the dashboard. Tenant ID + fleet enrollment key baked in. Push via ConnectWise, NinjaOne, Datto, Syncro, Action1 — whatever you run.
Fleet keys with auto-rotation Now
Every installer download rotates the fleet enrollment key. Past bundles stop working. Concurrent rotations are serialised by row-lock + partial unique index — no duplicate active keys.
Signed MSI Now
WiX 4 MSI signed by Azure Trusted Signing (identity verification in flight). SmartScreen-clean from install #1 once the cert lands.
Tenant-scoped admin accounts Now
Super-admin sees everything; tenant-scoped admin sees only their customer's data. Same M365 SSO across the fence.
White-label dashboard Later
Per-tenant logo and accent overrides so you can hand the dashboard to your downstream customer with your own branding.
Users & Groups v1.1
Group monitored users into named cohorts ("Sales", "Engineering"). All reports and dashboards roll up by group, not just by individual.
Per-tenant schedules v1.1
Work-hours config per tenant (timezone + weekday range start/end). Powers schedule-adherence reports and off-hours alarm rules.
Per-admin time zone v1.1
Every timestamp in the dashboard renders in your time zone, not server UTC. Tiny detail; every admin notices the day it lands.
Reports, APIs & integrations
Everything in the dashboard is also a JSON endpoint.
JSON API Now
/v1/dashboard/* for tenant, devices, users, timeline, screenshots. /v1/audit/ for compliance pulls. Cursor-paginated; cookie or bearer auth.
Audit-log query API Now
Filter by actor email, action, outcome, tenant, time range. Cursor pagination via before_id — fast even past a million rows.
CSV / Excel export v1.1
Daily activity, per-user, per-tenant. The compliance-evidence pull a customer's auditor asks for, on a button.
Webhooks v1.1
Push enrollment, alert, and high-value audit events into your existing SIEM, Slack, or PSA workflow.
Customisable dashboard widgets Later
Drag-rearrange dashboard cards. Per-admin layouts. Currently we ship one opinionated layout.
Endpoint Activity Log page v1.1
The raw activity feed in the UI — every activity_events row, filterable by user/exe/category/window, cursor-paginated, exportable. Auditors will ask for this.
API keys management v1.1
Generate scoped programmatic-access keys (read-only / tenant-scoped / super-admin). Replaces cookie-only auth for automation users hitting /v1/*.
Vs. the per-seat workforce-analytics tools.
The big incumbents are priced by seat and tiered by feature. We're priced flat per MSP and ship the same feature set to every tenant. Below is what actually shows up differently when you go to deploy on a 200-endpoint customer.
| | Typical per-seat tool | SnitchOS |
|---|---|---|
| Pricing model | $10–19 / user / month, tier-gated | Flat per MSP, all features |
| Multi-tenant | Often a paid add-on or separate console per customer | Native; one platform, every customer |
| RMM deployment | Generic MSI + manual per-customer wiring | Per-tenant signed MSI bundle, fleet key baked in |
| Browser URLs | Often full URL including query string | host + path; queries + fragments stripped at the endpoint |
| Local-password login | Default-on for admins | Removed in v0.3 — M365 SSO only |
| Audit-log retention | Variable; long retention often paid tier | 3 years (SOC 2 CC7.2 default) |
| Cross-tenant isolation | Application layer | DB row, MinIO object key, JSON API — three layers |
| Enrollment key in installer | Often in plain MSI properties (visible in verbose log) | MsiHiddenProperties + agent wipes the bootstrap value on first enroll |
| Free tier | Yes — 3 seats, 30 days history | Not yet — flat MSP pricing is the model |
What SnitchOS deliberately does not do.
- It is not a keylogger. Input is counted — never recorded. keystroke_count, mouse_click_count, mouse_distance_px. Nothing else.
- It is not a rootkit. The service is visible in Task Manager (SnitchOSAgent) and uninstallable by a local administrator. By design — MSPs need that capability for support.
- It does not collect audio, webcam imagery, file contents, or saved passwords. Not now, not later.
- It does not store URL query strings or fragments. Address-bar reads are normalised to host + path before they leave the endpoint.
- It is not for personal devices. SnitchOS targets MSP-managed, company-owned endpoints with appropriate employee notice on the legal record.
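
The host + path reduction described above can be sketched as follows. This is an added example, not SnitchOS code: the function name `redact_address_bar` is hypothetical, and it assumes that port and userinfo are dropped along with query and fragment, and that address-bar text may arrive without a scheme. Tokens embedded in the path itself are not handled here.

```python
from urllib.parse import urlsplit

def redact_address_bar(text):
    """Reduce address-bar text to 'host/path'; return None when it is not a web URL."""
    text = text.strip()
    if not text or any(c.isspace() for c in text):
        return None  # typed search terms, not a URL
    # Browsers often hide the scheme in the address bar; without "//"
    # urlsplit would treat the whole string as a path.
    if "://" not in text:
        text = "//" + text
    try:
        parts = urlsplit(text)
    except ValueError:
        return None  # malformed netloc (e.g. unbalanced IPv6 brackets)
    if parts.scheme not in ("", "http", "https"):
        return None  # chrome://, file://, etc. carry no web host
    host = parts.hostname  # lowercased; userinfo and port already removed
    if not host or ("." not in host and host != "localhost"):
        return None  # bare words are search terms, not hosts
    # parts.path excludes both ?query and #fragment, so any secret
    # carried there never reaches the returned value.
    return host + (parts.path or "/")

# Constructed sample inputs, not captured from any real endpoint.
SAMPLES = [
    "https://accounts.example.com/oauth/callback?code=abc123&state=xyz#frag",
    "example.com/login?token=secret",
    "https://user:pw@Example.COM:8443/a",
    "how to reset password",
    "chrome://settings/passwords",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", redact_address_bar(s))
```
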
Built the way you actually deliver service.
- One platform across every customer. Sign in once with your M365, switch tenants in the sidenav.
- Pricing scales with your fleet, not per-customer-seat-tier math.
- Tenant isolation is enforced at the DB, storage, and API layers — not just the dashboard.
- Per-tenant RMM bundles. Hand the ZIP to your engineer; they push it via ConnectWise / NinjaOne / Datto / Syncro / whatever you run.
- Built on industry standards: M365 SSO, signed MSI, audited architecture, 3-year audit-log retention for SOC 2.
Want to see it on your fleet?
Email and we'll cut you a per-tenant installer with a 30-day pilot key. One endpoint, one hour, you'll know whether it's right for you.