diff --git a/config/ns-checkmk-agent.conf b/config/ns-checkmk-agent.conf
new file mode 100644
index 000000000..29eec6aea
--- /dev/null
+++ b/config/ns-checkmk-agent.conf
@@ -0,0 +1,2 @@
+CONFIG_PACKAGE_ns-checkmk-agent=y
+CONFIG_PACKAGE_socat=y
diff --git a/packages/ns-checkmk-agent/Makefile b/packages/ns-checkmk-agent/Makefile
new file mode 100644
index 000000000..0cf2f9b28
--- /dev/null
+++ b/packages/ns-checkmk-agent/Makefile
@@ -0,0 +1,82 @@
+#
+# Copyright (C) 2026 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=ns-checkmk-agent
+PKG_VERSION:=0.0.1
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/ns-checkmk-agent-$(PKG_VERSION)
+
+PKG_MAINTAINER:=Giacomo Sanchietti
+PKG_LICENSE:=GPL-3.0-only
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/ns-checkmk-agent
+ SECTION:=base
+ CATEGORY:=NethSecurity
+ TITLE:=Check_MK monitoring agent
+ URL:=https://github.com/Checkmk/checkmk
+ DEPENDS:=+socat
+ PKGARCH:=all
+endef
+
+define Package/ns-checkmk-agent/description
+ Check_MK monitoring agent for NethSecurity with custom plugins
+endef
+
+# Base URLs for downloads
+CHECKMK_AGENT_URL:=https://raw.githubusercontent.com/Checkmk/checkmk/master/agents/check_mk_agent.openwrt
+PLUGIN_BASE_URL:=https://raw.githubusercontent.com/Coverup20/checkmk-tools/refs/heads/main/script-check-nsec8/full
+
+define Build/Prepare
+ mkdir -p $(PKG_BUILD_DIR)/plugins
+
+ # Download main Check_MK agent
+ wget -O $(PKG_BUILD_DIR)/check_mk_agent $(CHECKMK_AGENT_URL)
+
+ # Download all plugins
+ wget -O $(PKG_BUILD_DIR)/plugins/check_dhcp_leases.sh $(PLUGIN_BASE_URL)/check_dhcp_leases.sh
+ wget -O $(PKG_BUILD_DIR)/plugins/check_dns_resolution.sh $(PLUGIN_BASE_URL)/check_dns_resolution.sh
+ wget -O $(PKG_BUILD_DIR)/plugins/check_firewall_connections.sh $(PLUGIN_BASE_URL)/check_firewall_connections.sh
+ wget -O $(PKG_BUILD_DIR)/plugins/check_firewall_rules.sh $(PLUGIN_BASE_URL)/check_firewall_rules.sh
+ wget -O $(PKG_BUILD_DIR)/plugins/check_firewall_traffic.sh $(PLUGIN_BASE_URL)/check_firewall_traffic.sh
+ wget -O $(PKG_BUILD_DIR)/plugins/check_martian_packets.sh $(PLUGIN_BASE_URL)/check_martian_packets.sh
+ wget -O $(PKG_BUILD_DIR)/plugins/check_opkg_packages.sh $(PLUGIN_BASE_URL)/check_opkg_packages.sh
+ wget -O $(PKG_BUILD_DIR)/plugins/check_ovpn_host2net.sh $(PLUGIN_BASE_URL)/check_ovpn_host2net.sh
+ wget -O $(PKG_BUILD_DIR)/plugins/check_root_access.sh $(PLUGIN_BASE_URL)/check_root_access.sh
+ wget -O $(PKG_BUILD_DIR)/plugins/check_uptime.sh $(PLUGIN_BASE_URL)/check_uptime.sh
+ wget -O $(PKG_BUILD_DIR)/plugins/check_vpn_tunnels.sh $(PLUGIN_BASE_URL)/check_vpn_tunnels.sh
+ wget -O $(PKG_BUILD_DIR)/plugins/check_wan_status.sh $(PLUGIN_BASE_URL)/check_wan_status.sh
+endef
+
+define Build/Compile
+endef
+
+define Package/ns-checkmk-agent/install
+ $(INSTALL_DIR) $(1)/usr/bin
+ $(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_DIR) $(1)/usr/lib/check_mk_agent/plugins
+
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/check_mk_agent $(1)/usr/bin/check_mk_agent
+ $(INSTALL_BIN) ./files/check_mk_agent.init $(1)/etc/init.d/check_mk_agent
+
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_dhcp_leases.sh $(1)/usr/lib/check_mk_agent/plugins/check_dhcp_leases.sh
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_dns_resolution.sh $(1)/usr/lib/check_mk_agent/plugins/check_dns_resolution.sh
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_firewall_connections.sh $(1)/usr/lib/check_mk_agent/plugins/check_firewall_connections.sh
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_firewall_rules.sh $(1)/usr/lib/check_mk_agent/plugins/check_firewall_rules.sh
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_firewall_traffic.sh $(1)/usr/lib/check_mk_agent/plugins/check_firewall_traffic.sh
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_martian_packets.sh $(1)/usr/lib/check_mk_agent/plugins/check_martian_packets.sh
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_opkg_packages.sh $(1)/usr/lib/check_mk_agent/plugins/check_opkg_packages.sh
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_ovpn_host2net.sh $(1)/usr/lib/check_mk_agent/plugins/check_ovpn_host2net.sh
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_root_access.sh $(1)/usr/lib/check_mk_agent/plugins/check_root_access.sh
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_uptime.sh $(1)/usr/lib/check_mk_agent/plugins/check_uptime.sh
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_vpn_tunnels.sh $(1)/usr/lib/check_mk_agent/plugins/check_vpn_tunnels.sh
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_wan_status.sh $(1)/usr/lib/check_mk_agent/plugins/check_wan_status.sh
+endef
+
+$(eval $(call BuildPackage,ns-checkmk-agent))
diff --git a/packages/ns-checkmk-agent/README.md b/packages/ns-checkmk-agent/README.md
new file mode 100644
index 000000000..2f990deaa
--- /dev/null
+++ b/packages/ns-checkmk-agent/README.md
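Review bot: Build/Prepare fetches the agent and all twelve plugins with plain `wget` from moving branch refs (`master` and `refs/heads/main`) and the install section then ships them as executables with no integrity check, so whatever those branches hold at build time ends up in the firewall image. Pin both URLs to a reviewed commit, e.g. `CHECKMK_AGENT_URL:=https://raw.githubusercontent.com/Checkmk/checkmk/<REVIEWED_COMMIT_SHA>/agents/check_mk_agent.openwrt`, and verify every fetched file against a checksum committed with the package, or vendor the scripts under `./files/` next to `check_mk_agent.init`. Downloading inside Build/Prepare also appears to bypass the build system's normal download-and-hash step, which makes the build non-reproducible and impossible offline. The README added in this commit describes a `PLUGIN_FILES` variable that this Makefile does not define; the plugin list is hard-coded twice instead. The header says `SPDX-License-Identifier: GPL-2.0-only` while `PKG_LICENSE` is `GPL-3.0-only`, so one of the two probably needs correcting.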
@@ -0,0 +1,67 @@
+# ns-checkmk-agent
+
+Check_MK monitoring agent integration for NethSecurity.
+
+## Description
+
+This package provides the Check_MK agent for monitoring NethSecurity firewalls. It includes:
+
+- Main Check_MK agent from the official Checkmk repository
+- Custom plugins for NethSecurity-specific monitoring
+- Procd-managed service using socat to listen on TCP port 6556
+
+## Features
+
+- Automatic start on boot (START=98)
+- Respawn on failure
+- TCP listener on port 6556 using socat
+- Plugin support at `/usr/lib/check_mk_agent/plugins/`
+
+## Adding More Plugins
+
+To add additional plugin files from the [checkmk-tools repository](https://github.com/Coverup20/checkmk-tools/tree/main/script-check-nsec8/full):
+
+1. Browse the plugin directory on GitHub to find available plugins
+2. Add the plugin name to the `PLUGIN_FILES` variable in the Makefile:
+
+```makefile
+PLUGIN_FILES:=nethsecurity openvpn ipsec mwan3 certificates
+```
+
+3. The plugin will be automatically downloaded and installed to `/usr/lib/check_mk_agent/plugins/` during the build
+
+## Testing
+
+After installation on a NethSecurity firewall:
+
+```bash
+# Test agent locally
+/usr/bin/check_mk_agent
+
+# Test via network from monitoring server
+echo "" | nc 6556
+
+# Check service status
+/etc/init.d/check_mk_agent status
+
+# Start/stop service
+/etc/init.d/check_mk_agent start
+/etc/init.d/check_mk_agent stop
+```
+
+## Configuration
+
+The service is configured via procd and requires no additional configuration files. To enable/disable the service:
+
+```bash
+/etc/init.d/check_mk_agent enable
+/etc/init.d/check_mk_agent disable
+```
+
+## Dependencies
+
+- socat: Used to expose the agent via TCP socket
+
+## Firewall Rules
+
+Remember to allow incoming connections on TCP port 6556 from your Check_MK monitoring server.
diff --git a/packages/ns-checkmk-agent/files/check_mk_agent.init b/packages/ns-checkmk-agent/files/check_mk_agent.init
new file mode 100644
index 000000000..958059e9a
--- /dev/null
+++ b/packages/ns-checkmk-agent/files/check_mk_agent.init
@@ -0,0 +1,19 @@
+#!/bin/sh /etc/rc.common
+START=98
+STOP=10
+USE_PROCD=1
+
+PROG=/usr/bin/check_mk_agent
+
+start_service() {
+ procd_open_instance
+ procd_set_param respawn
+ procd_set_param command socat TCP-LISTEN:6556,reuseaddr,fork,keepalive EXEC:$PROG
+ procd_set_param stdout 1
+ procd_set_param stderr 1
+ procd_close_instance
+}
+
+stop_service() {
+ killall socat >/dev/null 2>&1 || true
+}
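Review bot: The `socat TCP-LISTEN:6556,reuseaddr,fork,keepalive EXEC:$PROG` command in start_service has no `bind=` or `range=` option, so it listens on every address of the firewall and hands the agent's output, unencrypted and unauthenticated, to any peer that can reach the port; `fork` also sets no limit on concurrent children. Restrict the listener in the command itself rather than relying only on firewall rules, for example `TCP-LISTEN:6556,bind=<LAN_ADDRESS>,range=<MONITORING_SERVER_IP>/32,max-children=<N>,reuseaddr,fork,keepalive` (placeholders, to be filled from configuration). In stop_service, `killall socat` terminates every socat process on the system, not only this listener; procd already stops the instance it started, so the function can be dropped.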