Stop selling tools.
Start selling outcomes.
One platform that does what seven vendors do separately - SIEM, 24×7 SOC, AI triage, incident response, dark-web monitoring and board-grade reporting - resold under your brand, at one flat per-tenant fee.
How a SOC + SIEM keep a company safe
Five things your clients actually buy
A SOC, not a tool
The team that detects, contains - processes killed, sessions revoked, emails purged. No separate IR retainer, which is $60–150K a year your client stops paying.
Enterprise visibility
Endpoint, identity, firewall, cloud, email, dark web and attack surface stitched together. One screen instead of seven logins, and the attack caught at the first hop.
Prevention, not post-mortems
Risky config changes, public cloud buckets, identity drift and leaked credentials surfaced in minutes. The Optus misconfig would have flagged in under 60 seconds.
Reports the board reads
A monthly 0–100 score, A–F grade, 90-day trend and the three things to fix - co-branded for your MSP. Insurance evidence packets generated in five minutes.
Breaches stopped before they start
We don't wait for the breach to fire - we detect the conditions that lead to one. The risky config change, the credential that just leaked, the admin role granted at 2am, the host that just started beaconing. Caught while it's still a precondition, the door closes before the attacker walks through it.
And when something does fire, the investigation is already done. We retain the deepest forensic record on the market - every process, sign-in, network flow and identity change, kept long enough that the full kill chain is still there to walk. Response isn't a scramble to reconstruct what happened. It's instant, because the evidence was captured the moment it occurred.
Five gifts on top
We give time
3 weeks → 30 secondsBefore: ask the SIEM a question, wait three weeks for a consultant to compile an answer. Now: ask the AI, get the answer in 30 seconds with the evidence attached. The client doesn't wait. The deal doesn't stall.
We give confidence
every event, recordedEvery event is forensically recorded - every process, login, network flow, identity change. Even when hackers manage in and our live alarms miss them, we can still contain the breach - the full kill chain is in the data lake, ready to walk.
We give sleep
your team can do itWhen something fires, the timeline is already reconstructed. Your team contains and remediates in hours - no external IR retainer, no $300/hr consultants flown in, no week-long forensic engagement. The data lake had it all along.
We give proof
proof on demandCyber insurance renewals. Compliance audits. Breach disclosure deadlines. Every question is already answered - the data lake is the evidence. Premiums down 15-30% because you can actually prove your controls work.
Total assurance - breach or not, with receipts
Has my client been breached? Most MSPs answer "we think not." You answer "no, here's the proof" - every login, every process, every network flow searchable and ready. The same applies in reverse: if there has been an intrusion, you see it the moment it occurred, with the full kill chain laid out.
This is the conversation the CFO and the board actually want. Not promises. Not vendor talk. Yes, no, here's the evidence. And it's the conversation no competitor can have without a $500K SIEM stack you've already replaced for them.
The +50% tooling tax,
gone.
A Splunk customer still buys NDR, attack-surface discovery, cloud posture, vulnerability management, dark-web feeds, threat intel, SOAR, connectors and a reporting layer on top - roughly 50% more on top of the SIEM bill.
We bundle the entire stack into one flat per-tenant fee. No per-GB meter. No renewal surprise. No bill that punishes your client's growth.
- Enterprise SIEM (per-GB ingest)$$$$$
- Network detection & response$$$$
- Attack-surface discovery$$$
- Cloud posture / CSPM$$$
- Vulnerability management$$$
- Dark-web monitoring$$$
- Threat intel feeds$$$
- SOAR / response playbooks$$$
- Connectors & ETL plumbing$$
- IR retainer$$$$
Why MSPs partner with us
Flat per-tenant pricing
Predictable cost as you grow. Per-endpoint maths is fine at 50 seats and crippling at 2,000 - ours stays flat.
Grow without hiring
AI auto-triage drains a third of the queue on its own. The same SOC team serves many more tenants without burnout.
Your logo on the portal
White-labelled client portal and co-branded reports. Your clients see your MSP, backed by our SOC.
Live in days, not quarters
Pre-built connectors for what your clients already pay for. Connect on Monday, show threats caught by Friday.
Australian data, Australian SOC
Data and analysts onshore. Healthcare, finance, government and defence supply-chain deals stop stalling at procurement.
Renewals that defend themselves
A monthly board-grade report with your name on it makes the renewal conversation short - and the insurer happy.
All included in the box
Your clients keep their EDR, firewall, identity provider and email gateway. Their tools become inputs, not replacements - we sit on top and run the SOC.
Three lines that win the room
- 01"We see what your other tools don't."
- 02"Our AI does the noise. Our SOC does the response. Our reports do the board meeting."
- 03"Enterprise visibility. Full SOC service. MSP pricing."
If your prospect remembers one line after the meeting - make it #3.
The platform,
on three screens.
Not a roadmap, not a brochure. This is what your clients log into - the same screens your SOC works from every day.
Human-assisted, or fully autonomous.
WEI investigates the alert and writes a verdict with a confidence score. Your analyst approves or rejects it in co-pilot mode - or flip to Auto-pilot and let the AI hunt and triage the entire queue on its own.
C-level reports for the boardroom.
A single composite risk score across every onboarded data source, with the drivers explained in plain English - the report the CFO and the board read without translation.
Every detection on one screen.
All detections, from every corner of the organisation - endpoint, network, identity, cloud, email, dark web - correlated on one screen, with the risk score, top alerts and asset coverage in a single view.
The full playbook
Sections 01–21 · Talking points · Battle cards · Comparison tables · v3 · June 2026
Why ThreatDefence
ThreatDefence is one platform that does what seven vendors do separately. A SIEM that ingests every signal the customer has, from endpoint and email to firewall, identity, cloud, dark web and attack surface. An AI that auto-triages a third of the queue before anyone touches it. A 24×7 SOC that picks up the phone the same hour the alert fires and contains the threat across every surface, not just the endpoint. Monthly board-grade reports the CFO reads without translation. Cyber-insurer evidence packets generated in five minutes. Splunk-class coverage at roughly 40% of Splunk's cost, with the 50% tooling tax (NDR, EASM, CSPM, vuln, dark web, SOAR, reporting) absorbed into the same flat per-tenant fee.
One contract. One team to call. One bill that doesn't surprise at renewal. The difference between buying tools and buying outcomes - and the difference between becoming the next Optus and staying out of the headlines.
Business value at a glance
Drop the technical detail. Strip the platform names. This is what the prospect actually buys.
Same SIEM-class coverage
At a fraction of the price. No per-GB ingest surprise.
Tooling tax eliminated
NDR, EASM, vuln scanner, dark web, threat intel, SOAR, reporting layer all bundled in.
Detection in minutes
Industry average breach detection is 200+ days. We catch in minutes, contain in the same hour.
Cyber-insurance saving
Insurers reward provable controls. Renewal premiums drop 15 to 30% once we're providing the evidence.
Analyst headcount avoided
AI auto-triage closes a third of the alert queue. Same SOC team scales to many more tenants without hiring.
Annual saving per mid-market deal
Replaces SIEM + MDR + IR retainer + a stack of point tools. One contract, one bill, one team.
| Dimension | Business pain today | With ThreatDefence | Saving / benefit |
|---|---|---|---|
| Visibility | Five vendor consoles, none sees the whole attack. Blind to lateral movement, identity drift, cloud misconfig, dark-web exposure. Average breach goes undetected for 200+ days. | Every signal stitched into one timeline. Endpoint, identity, network, cloud, email, dark web, asset surface. Detected in minutes. | Average breach cost reduced from $4.5M to a contained incident. Detection time cut from months to minutes. |
| Incident response | Detection vendor sends an alert, then leaves the work to the customer. IR partner shows up the next day. Most breach impact happens in the first 24 hours. | The SOC that detected, contains. Same hour, same analyst, multi-surface action: kill processes, revoke sessions, block IPs, purge emails. | No separate IR retainer ($60–150K/year saved). Containment in minutes, not days. Damage stops at the first host. |
| Tooling stack | Customer pays Splunk for the SIEM, then buys NDR, EASM, vuln, CSPM, dark web, honeypots, SOAR, threat intel, connectors, reporting layer. Roughly +50% on top of the SIEM bill. | One platform, one bill, one team. Every category above bundled in the same flat per-tenant fee. | Splunk-class SIEM at roughly 40% of Splunk's cost. The +50% tooling tax goes away. Six-figure annual saving on a typical mid-market deal. |
| Reports & board | CISO opens a console screenshot at the board meeting. No single number, no grade, no trend. Security treated as compliance theatre, never gets the budget it needs. | Monthly board-grade report: composite risk score 0–100, A–F grade, 90-day trend, three things to fix. Co-branded for the MSP. CFO and board read it. | Security becomes a budget winner. Renewal conversations short and supported. CISO retention up. |
| Insurance & compliance | Insurer renewal questionnaire arrives. Customer scrambles to assemble MFA evidence, log retention, response SLA, MITRE coverage. Renewal premium goes up 20–40%. | Evidence packet generated in five minutes. Carriers know the format. Customer hands it to the underwriter on day one. | Cyber-insurance premium reduction of 15–30% at renewal. Audit prep time cut from weeks to an afternoon. Renewal terms protect the customer's growth. |
| Operational load | SOC team drowns in alerts, 70%+ false positive. Analyst burnout. MSP can't scale past 20 clients without doubling the headcount. | AI auto-triage closes a third of the queue before any human touches it. Analysts work on real signals. Same team scales to many more tenants. | Two analyst FTEs avoided ($180K–260K/year). MSP scale curve flattens; margin per client improves. |
| Sovereignty | Customer data hosted abroad, US CLOUD Act exposure. Procurement form gets stuck on "where is the data stored?". Regulated industries blocked. | Data and SOC analysts both in the customer's country. No foreign-jurisdiction issue. | Healthcare, finance, government, defence supply chain deals unblock. Procurement closes on first round. |
One contract, one team to call, one bill that's predictable. Replaces a SIEM, an MDR, an IR retainer, an NDR, an EASM, a CSPM, a vuln scanner, a dark-web feed, a reporting tool, and the engineering team that holds it all together. Detection in minutes instead of months. Cyber-insurance premium down 15–30%. Two analyst FTEs avoided. Compliance audits handed off in five minutes instead of two weeks. Total saving on a typical mid-market deal: six figures a year, every year, with the breach risk falling at the same time.
The visibility problem
Before pitching what we do, paint what the customer already lives with. Eight blind spots every mid-market business has unless they have a real SIEM and a real SOC behind it.
- Each tool sees one slice. Nothing sees the attack.EDR catches endpoint. Firewall catches perimeter. Email gateway catches inboxes. The attacker walks across all three and not one of them sees the whole story.
- Lateral movement is invisible.The first hop into a server, then the pivot to another, then the privilege escalation, happens across endpoint, identity, and network. Without correlation, the customer sees three unrelated low-severity alerts and ignores all three.
- Identity drift goes uncaught.New admin role granted in Azure AD. New OAuth consent in M365. Logon from a new country. Each event lives in its own audit log nobody reads. By the time anyone notices, the account is the attacker's.
- Credentials are on the dark web. Customer doesn't know.Employee passwords appear on paste sites and leak forums every week. Without dark-web monitoring, the customer finds out when the attacker uses them, not before.
- Vulnerabilities arrive at the rate of 100 a week.Patch teams drown in CVE lists. No way to tell which are being exploited in the wild, which match the customer's assets, which are linked to ransomware. Patch fatigue. Ransomware lands.
- The cloud side is wide open.S3 bucket left public. IAM role over-permissive. Azure subscription with no logging. The cloud teams ship features fast and the security team has no telemetry.
- "We have 24×7 monitoring" is a checkbox that fails on day one.The customer ticks the box on an insurance form. There's no SOC actually reading the alerts at 3am. The first time it matters, nobody's home.
- The board asks "are we secure?" and nobody can answer.The CISO has a folder full of console screenshots from seven products. No single number, no grade, no trend. The board moves on to the next agenda item and treats security as compliance theatre.
What a SIEM does · what we add
Splunk and other enterprise SIEMs solve the visibility problem by centralising the logs. We do that AND the SOC AND the response AND the reports, at roughly 40% of Splunk's cost.
SIEM (Splunk class)
What a SIEM gives you- One place for every log. Endpoint, identity, firewall, cloud, email, vuln, centralised and searchable.
- Cross-source correlation. An identity event + a firewall event + an endpoint event recognised as one incident, not three unrelated alerts.
- Hunt capability. Custom queries, saved dashboards, ad-hoc investigation over months of historical data.
- Compliance evidence on demand. Log retention, search audit, regulator-friendly export.
- Cost. Per-GB ingest, surprises at renewal, big-enterprise engineering required to operate it.
ThreatDefence
SIEM + everything around it- Everything a Splunk-class SIEM gives you - same depth, same correlation, same hunt, at roughly 40% of the cost.
- A live 24×7 SOC, not a self-service platform you have to operate.
- AI auto-triage that closes a third of the alert queue before anyone touches it.
- Incident response built in - the same team that detected, contains it. No second contract.
- Dark-web monitoring, EASM, vulnerability matching, MITRE coverage chart, board-grade reports, co-branded customer portal, all bundled.
- Flat per-tenant pricing - no per-GB surprise at renewal. No "expand the contract" conversation.
Splunk solves logs. It doesn't solve everything.
A SIEM is only the start. After spending six figures on Splunk, a real SOC still buys another stack of point tools on top, and pays roughly 50% more on top of the SIEM bill to do it. We bundle that stack into the same flat fee.
Splunk customer · still needs to buy
The other half of the SOC stack- NDR - network detection & response (ExtraHop, Vectra, Corelight). Reads the wire, not the logs. $$$$
- CSPM / CIS benchmarking - cloud-config posture (Wiz, Lacework, Prisma Cloud). Catches the misconfig before the attacker.
- EASM - external attack surface (Censys, Randori, Cyberhaven). Finds what's exposed to the internet.
- Honeypots / deception - Thinkst Canary, Illusive. Trip-wires for lateral movement.
- Threat intel feeds - Recorded Future, Mandiant, CrowdStrike Falcon Intel. Per-seat or per-feed licenses.
- Vulnerability mgmt - top vulnerability scanners. Scanner + dashboards + KEV matching.
- Dark-web monitoring - Recorded Future, SOCRadar, Flashpoint. Credential leak feeds.
- SOAR - Tines, Torq, Splunk SOAR (Phantom). Automated response playbooks.
- Integration ETL / connectors - Cribl, Logstash. Custom plumbing to land everything in Splunk.
- Reporting / dashboarding layer - board-grade PDFs that Splunk dashboards alone don't produce.
- Roughly +50% on top of the Splunk bill, often more.
ThreatDefence · already in the box
Everything above, bundled- NDR - Network Sensor + NIDS in core ingest, no add-on.
- CSPM / CIS benchmarking - cloud-config auditing on AWS, Azure, GCP, with KEV-style scoring.
- EASM - continuous external attack surface discovery, exposures feed the SOC queue directly.
- Honeypots / deception - supported pattern; we ingest the trip-wire signals into the same queue as everything else.
- Threat intel - CISA KEV, EPSS exploit likelihood, ransomware-linked CVEs, dark-web feeds.
- Vulnerability mgmt - Tenable + native scanners matched against the customer's actual assets.
- Dark-web monitoring - leak sites, paste sites, ransomware-leak forums, on every customer.
- SOAR-style response - AI triage + IR runbooks + multi-surface containment from the SOC itself, not a separate platform.
- Integration ETL - pre-built connectors for every vendor we list. No Cribl tax.
- Reporting - board-grade Monthly SOC Summary, C-Brief, Weekly Digest. Co-branded for your MSP.
- One flat per-tenant fee. The 50% markup goes away.
Preventing breaches before they happen
Most security vendors talk about detecting attacks. We catch the conditions that enable attacks, before the attacker arrives. The same data backbone that gives the SOC instant IR also gives us continuous visibility into changes, misconfigurations, and the entire data-flow surface across cloud and on-prem. Six prevention surfaces we monitor every hour of every day:
Configuration changes on high-value assets
Every change to a production database, an API gateway, a firewall rule, an admin role, an IAM policy. CIS benchmarking runs continuously; the SOC sees the diff the moment it lands. The misconfigured test API that Optus deployed to a public address would have surfaced in under 60 seconds, not three months later.
Cloud misconfigurations, every provider
AWS S3 buckets going public. Azure RBAC roles getting elevated. GCP service accounts with wildcard permissions. M365 mailbox forwarding rules pointed at external domains. We pull the audit feeds from every cloud the customer runs and compare against benchmarks the second a config drifts.
Network data flows, end-to-end
Every outbound connection from every host, on-prem and cloud. Network Sensor + NIDS baselines what normal looks like for each workload. New protocol on an unusual port, sustained outbound to a fresh external IP, anomalous byte volume, threat-intel matches, all flagged before exfiltration completes.
External attack surface, daily sweep
Continuous discovery of the customer's public-facing estate. Every domain, certificate, IP, exposed service. A new endpoint appearing in DNS or TLS-transparency logs gets probed, scored, and surfaced to the SOC queue. Shadow IT and forgotten staging environments stop being attack vectors.
Identity and access drift
New admin assignment in Azure AD. New OAuth consent in M365. Logon from a fresh country. Service-principal credentials that haven't rotated in 12 months. Every identity event tied to the user, the device, the network flow, and the risk score, so the privilege change is caught before it's abused.
Vulnerabilities matched to live exploitation
CISA KEV listings, ransomware-linked CVEs, and EPSS exploit-likelihood feeds matched continuously against the customer's actual asset inventory. The patch team sees the 3 vulnerabilities under live attack this week, not the 3,000 in the next quarterly scan.
Most breaches in the public record (Optus, Capital One, MOVEit, Snowflake customer wave) were caused by an exposed condition that sat open for weeks or months. The detection failure was a visibility failure. We close that gap because we already ingest the data the visibility check needs.
What if they had ThreatDefence: Optus, Okta, Uber
Three of the biggest breaches of the decade. Three different attack paths. One common root cause: lack of integrated visibility. Each victim ran multiple security products. None of them connected the events across endpoint, network, identity, dark web, and configuration layers. The attack walked between tools that didn't talk to each other. ThreatDefence's unified SecOps platform - with >80% environment coverage through integrated sensors - would have correlated the signals and contained each one in minutes, not months.
| Breach | Primary failure | ThreatDefence prevention | Business impact |
|---|---|---|---|
| Optus | Missed configuration changes and attack spikes | CIS benchmarking on HVT assets plus NDR anomaly and spikes detection | 9.8M records exposed |
| Okta | Credential theft undetected | Credential disclosure scanning, UEBA on support sessions, automated token revocation | Customer trust erosion |
| Uber | Exposed credentials unmonitored | Dark-web credential scans plus NDR anomaly and spikes detection | $200M+ breach cost |
1 · Optus - the missed configuration cascade
3 months from misconfig to public disclosure9.8 million customer records exposed because an internal test database API was deployed to a publicly accessible endpoint with no authentication. The exposure ran for three months. Australian average breach cost: AU$3.35M; Optus paid far more.
| When | What happened |
|---|---|
| Month −3 | Database API misconfigured, exposing customer data to the public internet. |
| Minute 0 | 300+ attackers discover and exploit the exposed endpoint within 15 minutes. |
| Week 1 | Data exfiltration begins, remains undetected for weeks. |
| Month 3 | Breach becomes public. 9.8M records compromised. |
| Attack phase | ThreatDefence detection | Response time | Business outcome |
|---|---|---|---|
| Configuration change | CIS automated benchmarking + HVT change-control alerts | < 60 seconds | Misconfiguration flagged and remediated 3 months before exploitation. |
| Reconnaissance spike | NDR behavioural analytics + statistical ML | < 5 minutes | Attack-spike traffic pattern surfaces in the alert queue. |
| Data exfiltration | Network anomaly detection + dark-web monitoring | < 2 minutes | Data transfer blocked, exposure contained. |
CIS Benchmarking available since 2014 · NDR Behavioural Analytics since 2017 · Dark-Web Intelligence since 2014.
"Alert: Database configuration violation detected. 342 unauthorised connection attempts from 47 unique IP addresses in a 15-minute window. Automated containment initiated."
"Alert: Spike of never-before-seen incoming connections to a HVT asset."
"Alert: Potential data exfiltration, detected 30× increase from baseline."
Comparable detections live in our customer environments right now: Incoming NGINX Traffic Spike (DOS or Exfil), Mailgun Spike of Traffic, SCADA Spike in Authentication Requests, Spike of Keycloak Errors, Significant Incoming Network Spike, Potential Exfil with Tunnel, Exfil by Incoming SSL Session.
2 · Okta - the credential chain reaction
From social engineering to multi-tenant compromise in one weekSupport-system credentials compromised through social engineering. Session tokens harvested from open support cases. Legitimate customer sessions hijacked. The breach cascaded into multiple downstream Okta customers before anyone noticed.
| When | What happened |
|---|---|
| Day 1 | Support-system credentials compromised through social engineering. |
| Day 2 | Session tokens harvested from support case files. |
| Day 3 | Legitimate customer sessions hijacked using stolen tokens. |
| Week 1 | Breach impacts multiple downstream Okta customers. |
| Attack phase | ThreatDefence detection | Response time | Business outcome |
|---|---|---|---|
| Credential access | Endpoint file scanning + pattern recognition | < 30 seconds | Credential theft detected and blocked. |
| Token harvesting | UEBA + NDR correlation | < 2 minutes | Suspicious access patterns identified. |
| Session hijacking | Automated containment + token revocation | < 60 seconds | Compromised sessions terminated. |
Endpoint File Scanning available since 2017 · UEBA Analytics since 2018 · SOAR Playbooks since 2019.
"Critical: Credential file containing session tokens accessed. Unusual support-system activity detected. Automated token revocation and account isolation initiated."
3 · Uber - the $200 million oversight
$2-a-month problem that became a $200M breachCorporate VPN credentials had been sitting on a dark-web forum for a year before anyone used them. When an attacker finally did, they walked through the VPN, discovered an administrative password file on a local endpoint, and used it to compromise the full network. Total breach impact: $200M+. Prevention cost: $2 a month.
| When | What happened |
|---|---|
| Year −1 | Corporate VPN credentials appear on dark web ($2/month to detect). |
| Day 1 | Attacker uses exposed credentials to access internal network. |
| Hour 1 | Administrative password file discovered on local endpoint. |
| Hour 2 | Full network compromise using stolen admin credentials. |
| Day 30 | $200M+ breach impact realised. |
| Attack phase | ThreatDefence detection | Response time | Business outcome |
|---|---|---|---|
| Dark-web exposure | Continuous credential monitoring | < 1 hour | Credentials flagged and rotated automatically. |
| Local file discovery | Endpoint pattern matching | < 2 minutes | Password file access detected and blocked. |
| Privilege escalation | ML analytics + NDR monitoring | < 5 minutes | Lateral movement contained. |
Dark-Web Monitoring available since 2014 · Endpoint Pattern Matching since 2017 · ML Analytics since 2014.
"Alert: Corporate VPN credentials detected on dark-web forums. Administrative password file accessed from unauthorized location. Automated credential rotation and endpoint isolation executed."
| Detection layer | Optus | Okta | Uber |
|---|---|---|---|
| Dark-web monitoring | ✓ | ✓ | ✓ |
| Configuration checking (CIS) | ✓ | ✓ | ✓ |
| Credential protection | ✓ | ✓ | ✓ |
| Behavioural analytics (UEBA) | ✓ | ✓ | ✓ |
| Network anomaly (NDR) | ✓ | ✓ | ✓ |
| Endpoint DFIR agents | ✓ | ✓ | ✓ |
The Optus, Okta, and Uber breaches all shared one thing in common: they were preventable with basic security controls working together. ThreatDefence provides the integrated visibility and automated response that stops these breaches before they become headlines.
Instant incident response
Most SOCs spend the first 60–90 minutes of an incident reassembling the timeline, pulling logs from each system, joining identities to IPs, working out which endpoints were involved. Wasted minutes the attacker uses to move. We don't have that gap, because we already have the data.
Why we respond in minutes, not hours: deep visibility plus end-to-end data coverage means the context is already there. By the time the alert fires, the analyst already has:
Identity
Who the user is, recent sign-ins, MFA history, group changes in the last 24 hours.
Endpoint
What processes ran, parent–child tree, file activity, known-bad indicators.
Network
Every outbound connection from the host in the period, with threat-intel matches.
Cloud
IAM events tied to the user, S3 access, SaaS API calls.
Recent inbound emails, attachments, forwarding rules, suspicious links clicked.
Vuln & intel
Known exploits matching the host, CISA KEV listings, ransomware family attribution.
WEI, the AI analyst on every alert
Every vendor says "AI". You can show one working. WEI is the AI analyst built into the platform - it triages across the entire SIEM, every data source your customer has: endpoint, identity, cloud, email, network, dark web. Run it as a co-pilot next to the analyst or let it work the queue fully autonomously. Open the alert queue and demo it live - that is the moment most deals turn.
Analyst-assisted · co-pilot mode
A junior analyst's hour done in about a minute- One click on any alert, the investigation streams live. WEI pulls the user, the host, the sign-ins, the processes, the network connections, and reasons through them on screen while the customer watches.
- A verdict with a confidence score. True positive, false positive, benign, or needs escalation, each with a percentage and a written justification in plain English.
- The human stays in charge. The analyst accepts or rejects the verdict. Anything WEI wants escalated lands in front of a person for review - the AI never escalates past the human on its own.
- Every verdict is on the record. The outcome and the reasoning are written to the alert and the analyst note. An auditor can replay exactly what the AI concluded and why.
Autopilot · fully autonomous
The backlog draining on its own- Bulk triage walks the whole queue. Point it at the alert list and it works alert after alert, investigating, deciding, moving on, with a pause button when the analyst wants the wheel back.
- It remembers what it has already investigated. A repeat of a known alert is matched to the earlier session and resolved with the prior verdict - the same noise never gets triaged twice.
- The noise closes, the threats surface. Roughly a third of the queue resolves with no human touch, and what remains is the short list a person should actually look at.
- This is how your customer scales without hiring. Two analyst salaries avoided, the team they have stops burning out, and 3am coverage stops depending on who is awake.
Top 15 talking points
Each card: the line, what the customer gains, and the proof example. Visibility · AI · IR · One screen · CFO reports · Cost · Onboarding · Dark web · Intel · Portal · Board · MITRE · Insurance · Sovereignty.
"We see what your current tools can't."
Customers buy four or five products that each see one slice of the business - endpoint, email, firewall, cloud. None of them sees the whole attack. We do. Your customer stops being the company that finds out about an incident from the news.
"Our AI handles the noise. Your customer's team only sees what matters."
A typical SOC handles thousands of alerts a week, and most are false positives. Our AI closes the noise automatically and only escalates the real threats to a human. The customer's team gets back their week.
"We don't just call you when something happens. We contain it."
Most security tools send an alert and leave the work to the customer. We're already on the phone, and we've already started shutting the attack down. Same team, same hour, no second contract.
"Everything we detect, on one screen."
Your customer's internal team currently jumps between seven vendor logins just to investigate one alert. We bring every detection, from every source they have, into a single view. One login, one analyst's brain, 30 to 40 minutes saved per incident.
"Reports your customer's CFO and board can actually read."
Most security reports are dumps of technical noise nobody understands. Ours arrive monthly, in business English, with a single risk score and the three things to fix. The CISO can hand it straight to the board.
"Same coverage as the enterprise SIEM tools. Roughly 40% of the cost."
The big SIEM vendors charge per gigabyte of data and surprise customers with the bill at renewal. We charge a predictable flat fee per tenant and include the SOC team and the response. No log-volume surprises.
"Customer running in days, not quarters."
Most enterprise security platforms need a consulting engagement and 6 to 12 weeks before they're producing value. We have ready-made connectors for what your customer already pays for. Connect on Monday, see threats caught by Friday.
"Dark-web monitoring is in the box."
Most vendors charge extra for credential-leak monitoring. We do it for every customer, every day, automatically. The first time we tell a customer "your password is on a leak site, here's the user" they remember why they pay us.
"We tell your customer the three vulnerabilities that matter, not the three thousand they have."
Vulnerability scanners list everything. Useless. We match the public exploit data - the things attackers are actually using right now - against the customer's actual assets and tell them the handful that matter. Patch fatigue solved.
"Your customer's CIO gets their own login, with your logo on it."
Customers want to log in and see their own posture, not wait for a monthly PDF. We give them a private portal, white-labelled to your MSP. Less support load on your team, more trust from theirs.
"One number, one letter, one chart your customer's board can act on."
The customer's CISO walks into a board meeting and needs a single answer to "how secure are we?". We give them a 0-to-100 score, an A-to-F grade, and a 90-day trend line. No jargon, no excuses, just the number.
"We can prove which attack techniques the customer is protected against."
Other vendors say "we cover MITRE." We can SHOW the techniques the customer has actually been protected from in their own data over the last 30 days. Evidence, not marketing.
"Cyber-insurance evidence on demand."
Insurers and auditors increasingly require proof of controls - MFA enforcement, alert response times, log retention. The customer's renewal premium hangs on it. We produce the evidence packet in five minutes.
"Customers renew their cyber insurance at better rates."
Cyber insurers reward customers who can prove their controls work. We make the proving easy and automated. Customers we cover routinely get better renewal terms, which means real money back to their CFO.
"The data stays in your customer's country. So does our SOC."
For regulated industries - healthcare, finance, government, defence supply chain - and for any customer who's been asked "where's the data stored?" by their procurement team, this is a deal-closer. Local data, local analysts, no foreign-jurisdiction exposure.
Three sentences you recite in your sleep
- "We see what your other tools don't."
- "Our AI does the noise. Our SOC does the response. Our reports do the board meeting."
- "Enterprise visibility, full SOC service, MSP pricing."
If the prospect can only remember one sentence after you leave the room, make it #3.
Common objections and the answer that closes them
The 18 pushbacks you hear in almost every conversation. Each one paired with a single-sentence answer that flips the objection into a proof-point. You should be able to answer any of these in one breath.
| # | What the prospect says | What you answer |
|---|---|---|
| 1 | "We already have an EDR (or MDR). We don't need this." | "Keep your EDR. We connect to it. The other 80% of the attack surface - identity, firewall, cloud, email, dark web - the EDR doesn't see, is where we add value." |
| 2 | "Your AI will create false positives we have to chase." | "It does the opposite. Our AI auto-closes a third of the queue before any human touches it. The customer's team sees fewer alerts, not more." |
| 3 | "You're more expensive than (Top Global Vendor 2 / Defender / Sophos)." | "We're more expensive per endpoint, less expensive per outcome. They cover endpoint. We cover the whole stack, plus the SOC, the IR, and the reports. The math flips fast above 200 seats." |
| 4 | "We need 24×7 monitoring from the same country." | "Our SOC is in your country, the data stays in your region. The auditors and insurers tick the box on day one. No CLOUD Act exposure." |
| 5 | "Show me a customer like us." | "Happy to. What's the industry and rough seat count? We'll put you in touch with two reference customers this week." |
| 6 | "We can build this internally." | "For three FTEs plus the tooling stack, around $800K a year before licensing. We're a fraction of that, with a proven SOC on day one. You only build it if your security IS the product." |
| 7 | "Our cyber insurance covers this." | "Insurance pays out after the breach, minus the deductible, minus the premium hike. We prevent the breach. And our reports drop your renewal premium 15 to 30% at the same time." |
| 8 | "We're not big enough to need a SOC." | "Attackers don't check your seat count. Optus and the Snowflake wave hit companies of every size. The 100-to-500-seat band is exactly who we serve, exactly because the in-house SOC math doesn't work for you." |
| 9 | "Last vendor promised the same thing and we got burned." | "Fair. Give us 60 days side-by-side. If we don't catch something your current vendor missed in the first month, we're out, no questions asked." |
| 10 | "How long is the contract? What's the lock-in?" | "Annual, with a 60-day exit clause. We give the data back in standard formats. No lock-in, because the platform should win on results not switching cost." |
| 11 | "We just signed Top Global Vendor 4 / Splunk. It's too late to switch." | "Don't switch. Bolt us on. We ingest from Top Global Vendor 4 as a source, sit on top, and run the SOC for you. When the contract renews you'll see the answer." |
| 12 | "What if ThreatDefence goes out of business?" | "The data is yours, exportable in standard formats any time. The SIEM, the reports, the rule logic, all yours. We don't hold customers hostage." |
| 13 | "We don't have time or people to onboard." | "Connect what's already configured - EDR, identity, firewall, M365. Templated, no consulting engagement. We're seeing live alerts in your environment inside a week." |
| 14 | "How will this integrate with our existing tools?" | "You keep your EDR, your firewall, your identity provider, your email gateway. We pull from each. The customer's tools become inputs, not replacements." |
| 15 | "We don't trust AI to make decisions on real alerts." | "It doesn't make decisions you can't override. Every AI-triaged alert is auditable, reversible, and falls back to a human analyst if confidence is low. The AI is the noise filter, not the judge." |
| 16 | "We're in the middle of an M&A / restructure / IT freeze." | "All the more reason. Mergers and restructures are when attackers strike - identity sprawl, gaps in monitoring, distracted teams. We deploy quietly in 30 days and stay invisible until the dust settles." |
| 17 | "How do we know your SOC analysts will be there next year?" | "Lower attrition than the industry average and a structured handover model for every customer. The IRIS case history follows the customer, not the analyst." |
| 18 | "We're cloud-only. Does this work for us?" | "Better, in fact. AWS, Azure, GCP, M365, Google Workspace audit feeds are native ingest. Cloud-only customers usually have less to onboard and see value faster." |
Battle card · Top Global Vendor 1
Concierge-MDR positioning, named human relationship, 200+ integrations. 10 of their sales lines · our counter.
| # | Top Global Vendor 1 says | ThreatDefence answer |
|---|---|---|
| 1 | "200+ integrations, vendor-neutral." | "Sounds great. How long to wire each one up? Theirs is consulting-led and runs weeks per source. Ours is templated, days." |
| 2 | "You get a Concierge Security Team, a named human." | "The Concierge is a relationship manager you see 30 minutes a month. You want the analyst who saw the alert, not the rep who got the summary." |
| 3 | "24×7 SOC monitoring included." | "Same here. Difference is, ours acts. Theirs writes you a monthly summary." |
| 4 | "Monthly security review + quarterly trend reports." | "Customers don't want to wait 30 days for a PDF. They want the dashboard live, today." |
| 5 | "We integrate with what you already have, no rip-and-replace." | "Same. We sit on top of your stack and start delivering Monday." |
| 6 | "Aurora platform, log ingestion + threat hunting in one place." | "Aurora is a read-only summary view. We give you the SIEM underneath so your team can pivot, hunt, and write custom queries." |
| 7 | "Vendor-neutral means we work for you, not for an EDR vendor." | "Same. We're vendor-neutral AND we contain incidents, not just summarise them." |
| 8 | "Sevco acquisition gives us asset coverage intelligence." | "Sevco was acquired in 2025 and integration is still in flight. Our asset surface monitoring has been live and feeding the SOC for years." |
| 9 | "Awareness training included in higher tiers." | "Training is a tick-box. We measure whether it's working by tracking phishing-click trend on the customer's actual data." |
| 10 | "Cyber-insurance friendly, major carriers know us." | "Same here. Difference is our monthly report maps to the questionnaire word-for-word, and the customer hands it to the carrier without rewriting it." |
Battle card · Top Global Vendor 2
SMB-first managed EDR + M365 identity, per-endpoint pricing, hacker-tradecraft content marketing. 10 of their sales lines · our counter.
| # | Top Global Vendor 2 says | ThreatDefence answer |
|---|---|---|
| 1 | "Built for MSPs, the busy IT shop's first line of defence." | "Built for MSPs serving sub-100-seat clients. Past 100 seats your customer outgrows it." |
| 2 | "Managed EDR + 24×7 SOC at a price you can resell." | "Managed everything - endpoint, firewall, identity, cloud, dark web, asset surface - at a price you can resell." |
| 3 | "AI-assisted threat hunting." | "Our AI doesn't just hunt, it triages every alert, closes the noise, and only escalates real threats. The customer's team gets back their week." |
| 4 | "Tradecraft Tuesdays + free education." | "Their content is marketing. Ours is a monthly report on what we caught in YOUR customer's environment." |
| 5 | "Real-time Attack Disruption Engine, contain before the SOC even acknowledges." | "Their disruption is endpoint-only. Ours contains across identity, firewall, and email too." |
| 6 | "Lightweight agent, no policy tuning, no admin overhead." | "Same lightweight model on endpoints. Plus we add firewall, identity, and cloud, no rip-and-replace." |
| 7 | "Identity threat detection for Microsoft 365 included." | "We do M365 plus Google Workspace, Okta, Azure AD, and Entra. Identity isn't only Microsoft." |
| 8 | "Security awareness training included." | "Training is a tick-box. We track whether it's working, on the customer's actual data." |
| 9 | "Free education for the community, we publish what others hide." | "We publish what happened TO YOUR CUSTOMER, in their report." |
| 10 | "Per-endpoint pricing makes the math obvious for MSPs." | "Per-endpoint pricing is great at 50 seats, painful at 500, crippling at 2,000. We're per-tenant, predictable as you grow." |
Battle card · Top Global Vendor 3
Singularity XDR/EDR leader, Purple AI assistant, "AI SIEM" via Singularity Data Lake, per-GB priced. 10 of their sales lines · our counter.
| # | Top Global Vendor 3 says | ThreatDefence answer |
|---|---|---|
| 1 | "Unified AI security platform, endpoint, cloud, SIEM, identity." | "Their SIEM piece is priced per gigabyte of data ingested, same Splunk problem the customer is trying to escape." |
| 2 | "Industry-leading Purple AI agent, natural-language query, get an answer." | "Purple AI is a query translator. Our AI does the whole triage and tells the customer what to do." |
| 3 | "Autonomous response at machine speed." | "Their autonomous response is endpoint-only. Ours contains across identity, firewall, email, and cloud too." |
| 4 | "Singularity Data Lake, ingest any source, correlate across the stack." | "The data lake is per-GB billed. A customer with firewall + email + identity + cloud easily hits a $1M annual bill." |
| 5 | "Gartner Leader for EPP six years running." | "Gartner Leader for endpoint. Not a SIEM Leader. Not an MDR Leader. We do all three." |
| 6 | "AI-first SOC, analysts spend less time, find more." | "We're a full managed SOC out of the box. Theirs is mostly self-service unless you add a separate Vigilance Respond MDR contract." |
| 7 | "Singularity is open, third-party integrations welcomed." | "Welcomed at a per-GB cost. We bundle every integration into the same flat fee." |
| 8 | "From endpoint to cloud to identity, one console." | "Same scope, no per-GB tax, no separate MDR contract." |
| 9 | "Real-time XDR detection across attack surfaces." | "Real-time AND contained, by the same team. They alert. We act." |
| 10 | "Enterprise-grade telemetry, autonomous response." | "Enterprise visibility, full SOC service, MSP pricing - that's the deal-closer for customers between 100 and 2,000 seats." |
Battle card · Top Global Vendor 4
Microsoft-native cloud SIEM. Strong Azure/Entra/M365 alignment. Per-GB ingest pricing. 10 of their sales lines · our counter.
| # | Top Global Vendor 4 says | ThreatDefence answer |
|---|---|---|
| 1 | "You're already a Microsoft shop, Top Global Vendor 4 sits where your data already is." | "Top Global Vendor 4 is a self-service SIEM. You'd still need to hire two analysts and a hunter just to operate it." |
| 2 | "Defender XDR raw data ingest is free into Top Global Vendor 4." | "Defender raw data is free. Everything else - sign-in logs, audit, network, third-party - is per-GB metered." |
| 3 | "Up to 5 MB / user / day free for key security logs." | "Five megabytes a day per user is barely a yawn. Real customer ingest is 200 GB+ a day. The free tier is marketing." |
| 4 | "Best SIEM for Azure / M365 / Entra environments." | "If the customer is 100% Microsoft, that's true. If they have AWS, Google, Okta, Fortinet, Top Global Vendor 4 needs paid connectors for each. We include them." |
| 5 | "MCP-driven agentic defence, AI tools you can compose." | "Their agentic pitch is a developer toolkit. Ours is a working triage agent on every alert today." |
| 6 | "Commitment tiers reduce cost 52% over PAYG." | "Commitment tiers cap the discount. Overage goes back to PAYG rates. A growing business gets bitten exactly when they should be celebrating growth." |
| 7 | "Cost-effective security data lake, purpose-built." | "Cost-effective vs Splunk, maybe. Not cost-effective vs us. And the customer still needs to pay an MSSP to actually operate it." |
| 8 | "Native KQL for hunters who already know it." | "Most mid-market customers don't have a KQL hunter on staff. We give them the answer, not the query language." |
| 9 | "Top Global Vendor 4 + Defender = one Microsoft security stack." | "One vendor, one stack, all your eggs in one basket. Plus you still need to pay someone to operate it. We're a partner, not a platform vendor." |
| 10 | "Compliance and regulatory alignment via Azure controls." | "Same controls coverage. Plus data residency in your country, analysts in your country, no US CLOUD Act exposure." |
Telemetry coverage
What each vendor ingests natively, at no extra cost.
✓ native, no extra cost · ◐ paid add-on or custom connector · ✗ not natively supported
| Telemetry source | ThreatDefence | Top Global Vendor 1 | Top Global Vendor 2 | Top Global Vendor 3 | Top Global Vendor 4 |
|---|---|---|---|---|---|
| Endpoint EDR | ✓ | ✓ | ✓ | ✓ | ◐ |
| Endpoint DFIR | ✓ | ◐ | ✗ | ✗ | ✗ |
| Network IDS / NDR | ✓ | ◐ | ✗ | ✗ | ◐ |
| Firewalls | ✓ | ◐ | ✗ | ✗ | ◐ |
| Email gateway | ✓ | ✓ | ◐ | ◐ | ✓ |
| Identity providers | ✓ | ✓ | ◐ | ◐ | ✓ |
| Cloud audit | ✓ | ✓ | ✗ | ◐ | ✓ |
| SaaS audit | ✓ | ✓ | ◐ | ◐ | ✓ |
| Dark-web feeds (leak sites, paste sites, credential dumps) | ✓ | ◐ | ✗ | ✗ | ✗ |
| External Attack Surface (EASM, asset discovery) | ✓ | ◐ | ✗ | ✗ | ✗ |
| Vulnerability mgmt (Tenable, KEV, EPSS, ransomware-linked) | ✓ | ◐ | ✗ | ◐ | ◐ |
| Threat intel matched to customer assets | ✓ | ◐ | ◐ | ◐ | ◐ |
| MITRE ATT&CK coverage chart (visible per-customer) | ✓ | ◐ | ✗ | ◐ | ◐ |
Service coverage
What the customer gets beyond raw ingest.
✓ included · ◐ paid add-on / partial · ✗ not offered
| Capability | ThreatDefence | Top Global Vendor 1 | Top Global Vendor 2 | Top Global Vendor 3 | Top Global Vendor 4 |
|---|---|---|---|---|---|
| 24×7 SOC included in base | ✓ | ✓ | ✓ | ◐ | ✗ |
| AI auto-triage that closes alerts | ✓ | ◐ | ✓ | ✓ | ◐ |
| Incident response included | ✓ | ◐ | ◐ | ✗ | ✗ |
| Co-branded customer-facing portal | ✓ | ✗ | ◐ | ✗ | ✗ |
| Multi-tenant view for MSPs | ✓ | ◐ | ✓ | ◐ | ◐ |
| Monthly C-suite report (board-grade) | ✓ | ◐ | ✗ | ✗ | ✗ |
| Composite Risk Score / posture grade | ✓ | ◐ | ✗ | ✗ | ✗ |
| Cyber-insurer evidence packet | ✓ | ◐ | ✗ | ✗ | ✗ |
| Sovereign data residency (Australia) | ✓ | ✗ | ✗ | ✗ | ◐ |
Pricing model
How each vendor bills, and what hidden costs surface at renewal.
| Vendor | Model | Where the bill surprises the customer |
|---|---|---|
| ThreatDefence | Flat per-tenant, all-inclusive: SIEM + SOC + IR + reports + dark web + EASM + vuln + intel. | None, bundled. Per-tenant scales with seat band. |
| Top Global Vendor 1 | Per-endpoint MDR + Cloud Detection + Cloud Posture + Vulnerability + Awareness as separate modules. | Endpoint count inflates fast; Cloud Detection priced separately; renewal hikes 10–25%. |
| Top Global Vendor 2 | Per-endpoint EDR + per-mailbox M365 ITDR + per-seat training. | Stack adds up; doesn't include firewall, identity stack, EASM, vuln, cloud audit. |
| Top Global Vendor 3 | Per-agent EDR + Singularity Data Lake per-GB + Cloud Workload per-cwsec + Vigilance Respond add-on. | Per-GB SIEM cost is the Splunk trap; Vigilance MDR is a separate contract. |
| Top Global Vendor 4 | Per-GB ingest ($2.46–$5.20 PAYG; 52% off via daily-commitment tiers). | Per-GB scales linearly; commitment-tier overage at PAYG; customer still pays an MSSP to operate it. |
One-page business summary
Everything you sell, in business outcomes only. No platform names, no acronym soup, no competitor talk. Read it top to bottom in two minutes, say it in the meeting, print it and leave it behind.
SOC · you sell a 24×7 team, not a tool
What your customer gets: incidents contained the same hour, not the next business day- Real analysts at 3am, included in the base fee. Your customer's "we have 24×7 monitoring" checkbox on the insurance form becomes actually true.
- Detection in minutes. The average breach sits undetected for 200+ days. Tell your customer: every signal lands in one timeline, and the attack gets caught while it is still one host.
- The team that detects, contains. Processes killed, sessions revoked, IPs blocked, emails purged. Same hour, same analyst. Your customer never gets handed a to-do list mid-breach.
- No separate IR retainer. That is $60–150K a year your customer stops paying, and the damage stops at the first host instead of the first week.
SIEM · you sell enterprise visibility at MSP pricing
What your customer gets: enterprise-grade coverage at roughly 40% of the enterprise price- Every log in one place. Endpoint, identity, firewall, cloud, email, dark web, attack surface. Show your customer one screen instead of seven logins.
- Correlation, not alert spam. Three unrelated low-severity alerts become one recognised incident before the attacker's second hop.
- A flat fee per customer. No per-gigabyte meter, no renewal surprise. Their bill stops punishing their growth.
- Compliance evidence on demand. When the auditor asks, the export is ready. No scramble, no weekend.
Tools · you sell the whole stack in one box
What your customer gets: the +50% tooling tax disappears- One bill replaces ten line items. Network detection, attack-surface discovery, cloud posture checks, vulnerability management, dark-web monitoring, threat intel, deception, automated response, connectors, reporting. You sell the bundle, not a shopping list.
- Breach conditions caught in advance. Config changes on high-value assets, public cloud misconfigurations, identity drift, leaked credentials. Tell your customer: the door is closed before the attacker arrives.
- The 3 vulnerabilities that matter, not the 3,000. Live exploit data matched against their actual assets. Their patch team stops drowning.
- AI closes a third of the alert queue. Their team only sees what matters and gets their week back. Two analyst hires they never have to make.
Services · you sell what the business actually buys
What your customer gets: security their CFO and board can read, price and approve- A monthly report the board reads. One 0–100 score, an A–F grade, a 90-day trend and the three things to fix, in business English. Their CISO hands it straight to the board.
- Insurance evidence in five minutes. Renewal premiums drop 15–30% once controls are provable. Audit prep goes from weeks to an afternoon. Real money back to their CFO.
- Their own portal, your logo on it. Your customer's CIO logs in and sees their own posture, white-labelled to your MSP. Less support load on you, more trust from them.
- Running in days, not quarters. Pre-built connectors for what they already pay for. Connect on Monday, show them threats caught by Friday.
- Local data, local analysts. When their procurement asks where the data lives, you have the answer that closes regulated deals.
Tell the CFO: one contract, one team to call, one predictable bill. Detection in minutes instead of months. Cyber-insurance premium down 15–30%. Two analyst hires avoided. The +50% tooling tax gone. Total saving on a typical mid-market deal: six figures a year, every year, with the breach risk falling at the same time.
- "We see what your other tools don't."
- "Our AI does the noise. Our SOC does the response. Our reports do the board meeting."
- "Enterprise visibility, full SOC service, MSP pricing."
If your prospect remembers one line after the meeting, make it #3.
Customer handout
The leave-behind. Everything below speaks to your prospect, not to you. Print it, attach it to the follow-up email, or walk the page in the meeting.
One platform. One team. Your whole business defended.
Enterprise-grade security operations, delivered through your managed service provider, for one predictable monthly fee- Minutes from attack to containment. The average business takes 200+ days to find a breach. We catch it while it is still one machine.
- 24×7 real analysts watching. Not an answering service. A security operations centre reading your alerts at 3am.
- 1/3 of alerts resolved by AI. The noise never reaches your team. Only real threats get a human's attention, and they get it fast.
- 15–30% insurance premium saving. Insurers reward provable controls. The evidence packet is generated for you in minutes.
Your computers, identities, cloud, email, network, internet-facing systems, even criminal marketplaces where stolen passwords surface. Every signal stitched into one timeline, so an attack that walks between tools gets caught at the first hop.
The team that spots the threat shuts it down, the same hour. Machines isolated, sessions revoked, malicious email purged. Your staff never get handed a security to-do list at 2am, and you never need a separate incident-response contract.
A monthly report written in business English: one score out of 100, a letter grade, the trend, and the three things to fix next. Audit and insurance evidence handed over in minutes, not weeks.
24×7 security operations centre · Full log visibility · Network detection · Attack-surface discovery · Cloud posture checks · Vulnerability prioritisation · Dark-web monitoring · Threat intelligence · Automated response · Board-grade reporting.
Glossary - the acronyms, decoded
The terms that come up in a prospect call. One-sentence definitions written for IT MSP sales reps, not for security textbooks.
The team of human analysts watching alerts 24/7. We are the SOC; your client doesn't have to build one.
The searchable data lake that collects every log from every device and looks for trouble. The platform we run on.
SIEM + SOC + IR rolled into one service. What we sell. Sometimes called "managed SOC" or "SOC-as-a-Service".
What you become when you resell us. The CSO-equivalent function for your clients.
Antivirus, evolved. Watches what processes are doing on laptops/servers. CrowdStrike, Microsoft Defender for Endpoint. We ingest its alerts.
Same idea, on the wire. Watches traffic patterns for lateral movement, exfil, command-and-control. We do this in-house.
Vendor marketing for EDR + NDR + cloud + email under one console. We provide XDR-grade visibility without locking you into one stack.
Scanning the internet from the outside to find your client's exposed assets - the IPs, ports, domains an attacker would scan first. Bundled with our service.
Playbooks that auto-execute when an alert fires - kill a process, revoke a token, isolate a host. We do this; the buyer doesn't need a separate SOAR product.
The industry list of how attackers operate, by tactic and technique. Every alert we raise maps to a MITRE technique so a CISO can see coverage at a glance.
CISA's catalogue of CVEs that are actually being exploited right now. We surface KEV-matching vulnerabilities first because they're the highest-risk.
A 0-100 score for how likely a given vulnerability is to be exploited in the next 30 days. Helps your client patch the dangerous 5% instead of all 1,000.
IOC = "this file hash is bad". IOA = "this behaviour is bad". We use both; IOAs catch the unknowns.
The steps an attacker walks: recon → initial access → privilege escalation → lateral movement → exfil. The data lake lets us walk it backwards after the fact.
One platform, many client tenants, each fully separated. Your client's data is never visible to another client's analysts.
Co-pilot: WEI suggests a verdict, the analyst approves. Auto-pilot: WEI triages the whole queue alone. Switchable per tenant.
The AI agent that investigates every alert, writes a verdict, attaches evidence and either escalates or closes. Named so it sounds like a colleague.
A free licence for your own internal use (your office, your team's laptops) so you can demo the platform live to prospects.
FAQ - the questions your team will ask us
Sales-rep questions, not prospect questions. For "what objections will the client raise and how do I answer them", see Common objections.
How long does it take to onboard a new client tenant?
3-5 business days for a standard tenant. Day 1: provision the tenant + Keycloak SSO. Day 2-3: connect their data sources (endpoints, firewalls, M365, cloud). Day 4: baseline detection rules tune in. Day 5: handover + go-live with your client's CISO.
Can I co-brand the platform for my MSP?
Yes - white-label is standard. Your logo, your domain (e.g. soc.yourmsp.com.au), your colours on the client-facing portal and reports. Backend stays on ThreatDefence infrastructure; your client never knows.
What's the minimum contract length?
12 months. Per-tenant flat fee. No per-GB ingest. No per-alert charge. No "we found something" IR escalation invoice. Predictable for you, predictable for your client.
How does deal registration work?
Email partners@threatdefence.com with the prospect name, your MSP, and the deal stage. We confirm within 24h that the deal is registered to you for 90 days, renewable. No portal login needed.
What if my client already has a SIEM (Splunk, Top Global Vendor 4, Sumo)?
Two options. Replace - we ingest everything they already feed into the existing SIEM, plus the parts the existing SIEM can't see (network, identity, dark web). The +50% tooling tax goes away. Or complement - we run alongside, our SOC watches their existing SIEM via API. They keep their investment, you add 24/7 watch + AI triage on top.
What MDF / co-marketing is available?
Per-quarter co-marketing budget against signed clients. Covers joint webinars, co-branded content, paid social. Email partners@threatdefence.com with your campaign idea and the deal it supports.
Do you have a reseller discount?
Tiered by ARR you bring. Silver / Gold / Platinum. Discount applies to the per-tenant fee; you keep the margin between our wholesale price and your client's retail price. Ask your account manager for the current schedule.
Can I get an NFR licence for my own team?
Yes. Two NFR tenants per partner so you can run our service against your own MSP infrastructure - both for demos and for protecting your own business. Onboard your team in the same 3-5 days as a paying tenant.
How do I demo the platform to a prospect?
Three options. Live in your NFR tenant (most convincing - real alerts from your own environment). Live in a sandbox tenant we pre-populate with realistic data. Recorded walkthrough from the platform team. Email partners@threatdefence.com to request.
How do I escalate a customer issue?
P1 (production down / active breach): the SOC pager - number is in your onboarding pack. P2-P4: support@threatdefence.com. Response SLAs are in the partner agreement.
What about compliance certifications?
ISO 27001, SOC 2 Type II, Essential Eight ML2 (Australia). Audit pack is available on request - one PDF you can hand to your client's procurement or insurer. Ask partners@threatdefence.com.
Where are the data centres?
Australian customer data lives in Sydney AWS regions. US/EMEA tenants available on request. Data residency is contracted and never crosses borders without your client's written agreement.
How do I keep up to date with new features?
Monthly partner newsletter (opt-in via partners@threatdefence.com). Major product changes go out 4 weeks before they ship so you can brief your clients first.