Every time some security compliance goon comes by telling me to install an agent on all of our servers to meet some security compliance requirement, I remind them that they are asking me to install a backdoor on our servers and handing the keys to a 3rd party.

The Crowdstrike Falcon Sensor agent (with a kernel module) establishes TLS connections to several random AWS endpoints.

I really have no idea how security people think this is a good thing aside from checkbox compliance but man-o-man do they love it.

Well honestly, this security person thinks its a terrible idea - but needless to say the people selling those systems disagree - and for non-technical management, it ticks the compliance box and they get back to their jobs.

You will not be faulted for anything if the security company gets hacked and you get hacked through it. Probably a lot of sleepless nights to fix your infra, but that's it.

Tell that to my customers.

Your lawyers and your PR department will do that, emphasizing very strongly that you did nothing wrong and their security is your utmost priority.

They are also telling you how to cover-your-ass once a breach happens.