Persona: MSSP Operator
Category: MSSP
Endpoints: 4 used
Updated: April 2026
USE CASE · MSSP OPERATOR

Continuous exposure monitoring for MSSP client portfolios

MSSPs get paid to surface what their clients missed — but running weekly attack-surface scans across 50, 100, 200 client orgs does not scale on per-seat enterprise VM pricing. DFIR Platform exposes one API that takes a domain and returns normalized exposure data, so the only thing your runbook has to do is loop over the client list.
KEY TAKEAWAYS
  1. One POST per client domain — subdomains, exposed services, TLS issues, and known-bad IPs in a single response.
  2. Flat credit pricing beats $10k+/yr per-client enterprise VM tools the moment you cross ~10 clients.
  3. Professional tier covers weekly scans for a 50-client book; Enterprise handles 100+ with unlimited credits.
01·CONTEXT

Per-seat VM pricing breaks the MSSP margin

Most enterprise vulnerability / attack-surface tools are licensed per-client or per-asset. That model prices MSSPs out of delivering continuous monitoring as a standard service — the list price of Qualys / Tenable / Rapid7 per client dwarfs what an MSSP can bill at the SMB end of the market. The alternative — stitching together nmap, subfinder, and a half-dozen open-source scripts per client — works, but the maintenance burden and reporting inconsistency eat the margin back.
PAIN POINTS
  1. Enterprise VM tooling runs $8k–$15k/yr per client, with a minimum asset floor that assumes Fortune-500 sizing.
  2. Weekly scans across a 100-client book means either 100 separate tool tenancies or fragile scripts the analyst maintains.
  3. Findings arrive in N different schemas — each report has to be re-normalized before it hits the client portal.
  4. Rate limits on free OSINT APIs make 'loop over clients' impractical without hand-written backoff.
02·CAPABILITIES

The endpoints that solve it

The /v1/exposure/scan endpoint is designed for automated fan-out. Feed it a domain, it returns subdomain inventory, exposed services, TLS posture, and flagged hosts in a single normalized JSON. Pair it with /v1/enrichment/lookup to enrich any suspicious IPs that surface, and /v1/ai/threat-profile to generate client-ready briefings on active threat actors targeting the client's sector.

External exposure scan

10 credits / scan
POST /v1/exposure/scan

Accepts a root domain. Returns enumerated subdomains, discovered services and open ports, TLS/certificate posture, and a risk-scored findings array. The single unit of work MSSPs loop over to monitor a client book.

Follow-on IOC enrichment

3 credits / IOC
POST /v1/enrichment/lookup

When an exposure scan surfaces a suspicious IP, hash, or domain, submit it (or a batch) to /v1/enrichment/lookup. Returns normalized verdicts aggregated across up to 11 sources per IP (VirusTotal, AbuseIPDB, GreyNoise, Shodan, Censys, OTX, urlscan, Pulsedive, and more).

Client-sector threat profile

20 credits
POST /v1/ai/threat-profile

Generate a concise written threat-actor briefing scoped to a client's sector and geography. Drops straight into the monthly client report without the analyst hand-curating a TTPs list.

Batch client loop

There is no special endpoint — you call /v1/exposure/scan once per client domain from your existing automation (Airflow, cron, n8n, GitHub Actions). One Bearer token, one rate-limit bucket, one normalized response schema to parse.

03·WORKFLOW

The canonical MSSP fan-out

The standard shape is a scheduled job that reads your client list from your PSA / CRM / flat file, calls /v1/exposure/scan once per root domain, and writes the normalized findings into your reporting database or client portal. Below is the minimal loop in bash — substitute your orchestrator's HTTP block and the logic is identical.
$ dfir-lab run mssp-exposure-monitoring
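# Weekly exposure sweep across every client domain
# CLIENTS.txt: one root domain per line

# Create the dated report directory once; the redirect below fails without it
outdir="./reports/$(date +%Y-%m-%d)"
mkdir -p "$outdir"

while IFS= read -r domain; do
  [ -n "$domain" ] || continue   # skip blank lines in CLIENTS.txt
  # --fail makes HTTP errors a non-zero exit instead of a saved error body
  curl -sS --fail https://api.dfir-lab.ch/v1/exposure/scan \
    -H "Authorization: Bearer $DFIR_API_KEY" \
    -H "Content-Type: application/json" \
    -d "{\"target\": \"$domain\"}" \
    > "$outdir/$domain.json" \
    || echo "scan failed for $domain" >&2
done < CLIENTS.txt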

# Each response includes:
#   subdomains[], services[], tls_findings[], risk_score, severity_counts

# Optional: enrich any suspicious IPs that surfaced across the sweep
curl https://api.dfir-lab.ch/v1/enrichment/lookup \
  -H "Authorization: Bearer $DFIR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "indicators": [
      { "type": "ip",     "value": "203.0.113.42" },
      { "type": "domain", "value": "stale-dev.clientX.tld" }
    ]
  }'
One credit bucket, one auth scheme, one schema to parse — for every client in the book.
  1. Inventory

    Pull the client list from your PSA (Autotask, ConnectWise, HaloPSA) or a flat CSV. Each row needs a root domain and the internal client ID.

  2. Schedule

    Run the fan-out on your cadence — weekly for most MSSPs, daily for high-value clients. Airflow / GitHub Actions / a plain cron are all fine; the API is stateless.

  3. Scan

    POST each domain to /v1/exposure/scan. Responses come back as normalized JSON per client, keyed by your internal client ID.

  4. Diff + enrich

    Diff this week's findings against last week's. New open ports, newly discovered subdomains, or newly suspicious IPs go through /v1/enrichment/lookup for reputation context.

  5. Report

    Write structured findings into your client portal. Generate the monthly narrative with /v1/ai/threat-profile so the written brief matches the client's sector without analyst hand-curation.
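
The diff + enrich step, as an added example that is not DFIR Platform's own code: it compares two saved scan responses for one client and builds the /v1/enrichment/lookup body for only what is new, with the credit cost at the listed 3 credits per IOC. The top-level keys subdomains and services come from the page; the per-service fields host, ip and port, and the sample data, are assumptions constructed for illustration.

```python
import json

# Constructed sample responses for one client, one week apart. Only the
# top-level keys (subdomains, services) come from the page; the per-service
# fields host/ip/port are an assumed shape, so adjust to the real schema.
LAST_WEEK = json.loads("""{
  "subdomains": ["www.example.test", "mail.example.test"],
  "services": [
    {"host": "www.example.test",  "ip": "198.51.100.10", "port": 443},
    {"host": "mail.example.test", "ip": "198.51.100.11", "port": 25}
  ]
}""")
THIS_WEEK = json.loads("""{
  "subdomains": ["www.example.test", "mail.example.test", "stale-dev.example.test"],
  "services": [
    {"host": "www.example.test",       "ip": "198.51.100.10", "port": 443},
    {"host": "mail.example.test",      "ip": "198.51.100.11", "port": 25},
    {"host": "www.example.test",       "ip": "198.51.100.10", "port": 8080},
    {"host": "stale-dev.example.test", "ip": "203.0.113.42",  "port": 22}
  ]
}""")

CREDITS_PER_IOC = 3  # enrichment price stated on the page

def service_keys(scan):
    """Reduce services[] to hashable (host, ip, port) tuples."""
    return {(s["host"], s["ip"], s["port"]) for s in scan.get("services", [])}

def diff_scans(previous, current):
    """Return only what appeared since the previous sweep."""
    subs = set(current.get("subdomains", [])) - set(previous.get("subdomains", []))
    return {"new_subdomains": sorted(subs),
            "new_services": sorted(service_keys(current) - service_keys(previous))}

def enrichment_request(delta):
    """Build the lookup body, de-duplicating IPs shared by several new services."""
    ips = sorted({ip for _, ip, _ in delta["new_services"]})
    indicators = ([{"type": "domain", "value": d} for d in delta["new_subdomains"]]
                  + [{"type": "ip", "value": ip} for ip in ips])
    return {"indicators": indicators}, len(indicators) * CREDITS_PER_IOC

if __name__ == "__main__":
    delta = diff_scans(LAST_WEEK, THIS_WEEK)
    body, credits = enrichment_request(delta)
    print(json.dumps(delta, indent=2))
    print(json.dumps(body, indent=2), "credits:", credits)
```

Persisting each week's response under the internal client ID gives the loop a previous file to diff against; the first run for a new client treats every finding as new.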

04·PRICING

Pricing that tracks your workload

Professional is the right default for any MSSP running weekly scans across ~50 clients — 2,500 credits/mo comfortably absorbs the scan volume plus follow-on enrichment. Larger books (100+ clients) or daily scanning cadences should go straight to Enterprise for unlimited credits and a dedicated SLA. Starter only works if your book is <15 clients.
Recommended tier: Professional (2,500 credits / month)
Entry price: $99/mo

  1. Small MSSP — 20 clients × weekly scan

    20 × 4 × 10 credits = 800 credits/month (scans only)
    Fits Starter ($29, 500 credits) only with bi-weekly cadence; Professional ($99, 2,500 credits) fits weekly with ~1,700 credits left for enrichment and threat profiles.

  2. Mid-size MSSP — 50 clients × weekly scan + enrichment

    (50 × 4 × 10) + (50 × 4 × 5 IOCs × 3) = 2,000 + 3,000 = 5,000 credits/month
    Exceeds Professional (2,500) — run Professional + a 5,000-credit top-up, or move to Enterprise for unlimited usage.

  3. Large MSSP — 150 clients × weekly scan + monthly threat profile

    (150 × 4 × 10) + (150 × 1 × 20) = 6,000 + 3,000 = 9,000 credits/month
    Enterprise tier (custom pricing, unlimited credits) is the only sensible fit at this volume.
05·GET STARTED

Three ways to evaluate

Pick the path that matches your stage. No sales call, no credit card required.

Create a free account (100 credits/mo)

Full API access, dashboard, and your own credits. Includes everything the free tier offers.


Try /exposure-scanner — no signup

Run a single-domain exposure scan in the browser. Same engine as the API endpoint, rate-limited per IP — useful for showing a prospective client the output shape before wiring the fan-out into your orchestrator.


API reference

Full schema, error codes, rate limits, and copy-ready code snippets for every endpoint referenced above.

06·FAQ

Frequently asked

Q / 01
How does this compare to Qualys / Tenable / Rapid7 for MSSP use?
Those are authenticated internal scanners with a per-asset license model. DFIR Platform's exposure endpoint is external-only (no agents, no credentials) and priced by credit, not per client. If you need authenticated internal scanning you still need a VM tool; if you need continuous external exposure monitoring across a large client book, this endpoint is built for that fan-out pattern.
Q / 02
Can I label findings with an internal client ID?
The request is stateless — you control how findings are labelled by keying the response against your internal client ID when you write to your reporting store. The API does not currently have a first-party multi-tenant client model; that mapping lives in your orchestrator.
Q / 03
How deep does the subdomain enumeration go?
The endpoint uses passive sources (CT logs, DNS aggregators) plus lightweight active probing. It will reliably surface the public subdomain inventory and open services reachable from the internet. It is not a substitute for active port-scanning tools like masscan if you need exhaustive port coverage.
Q / 04
Is there rate limiting when I fan out across hundreds of clients?
Paid tiers get a sensible default rate-limit bucket that covers hundreds of sequential scans over a few hours. If you want to parallelize aggressively or run sub-minute sweeps across large client books, the Enterprise tier raises limits and can add a dedicated pool.
Q / 05
Can the output feed directly into my client portal?
Yes — the response is a normalized JSON schema. Most MSSPs write it into a Postgres / SQLite store and render from there. The fields are stable; versioned changes are announced in the changelog.
Q / 06
What about white-labelling the scanner for clients to self-serve?
That is an Enterprise-tier conversation — custom branding and direct client API keys are not on the self-serve plans. Most MSSPs on Professional wrap the API behind their own portal instead, which is the cleaner model anyway.