Security tooling is the most fragmented part of an MSP stack. One vendor for endpoints. Another for compliance. A third for monthly external scans. A firewall, an email security gateway, possibly more. Each vendor has its own portal. Each portal is its own alert queue. The customer asks "are we good?" and you have to open five tabs to answer.
Command Center normalizes every vendor — whatever's in your stack — into one alert model and one severity rollup. The page-load answer for "are we good?" becomes a number.
What gets surfaced
- Security overview tab — Critical / High / Medium / Low alert counts across every wired vendor, with per-company drill-in. Agents-online count for the EDR coverage. License-coverage breakdown.
- Per-company security pane — pulled into the Company detail page. Open incidents, recent runs, posture score, license seats consumed. One scroll instead of five tabs.
- Dashboard cluster — "Security Overview (4-up)" widget showing Critical / High / Med-Low / Agents Online. Individual KPI tiles for each severity also drag-and-droppable separately.
- Live alert state — open incidents pulled directly from each vendor's API, not cached for hours. The dashboard count matches the vendor portal count.
Already wired in (and we'll add yours)
Adapters already shipped — these are starting points, not the menu. Whatever security tool you run today (or three years from now), we build the adapter during your build phase if it isn't already in the catalog. Same severity model, same dashboard rollup, same per-company drill-in.
- Huntress — EDR, ITDR, and SIEM products from one Huntress tenant. Incident severity normalized to Critical / High / Medium / Low. Agent-online count rolled up per company.
- vPenTest (Vonahi) — monthly automated external + internal pen test runs. Findings normalized into the same severity model. Per-company run history.
- Cork — compliance / posture scoring per company. Surface the per-control state alongside other security signals.
- SonicWall — firewall event stream + appliance health. Surface firewall events as alerts in the same model.
- Check Point — adapter shape in place for tenants on Check Point. Per-customer integration wired on demand.
- Your vendor not listed? SentinelOne, CrowdStrike, Defender for Business, ThreatLocker, Sophos, Fortinet, Mimecast, Proofpoint — every EDR, EDR-replacement, posture tool, firewall, or email-security vendor with an API is in scope. Build phase, not upcharge if it's one of the 3 integrations included.
RBAC and customer visibility
Security data is scoped strictly: scoped agents (assigned to specific companies) only see incidents for their scope. Admins / management / finance see everything. Customer-facing portal can optionally expose Huntress incidents to the customer themselves — useful for clients on a security-forward plan who want to see their own posture without having to be granted vendor-portal access.
Adapter pattern, not vendor lock-in
Every vendor goes through the same adapter contract — same shape for "list incidents", "get posture", "list agents". Adding a new EDR vendor (SentinelOne, CrowdStrike, Defender for Business) is a build-time conversation: write the adapter, wire it in. The UI and dashboard widgets don't care which vendor the data came from. That's the architectural choice that keeps the dashboard from sprawling into a "Huntress tab, then a Cork tab, then a vPenTest tab" mess.
Honest limits
- Read-only across vendors — Command Center surfaces alerts and posture. It does not isolate hosts, push EDR responses, or change firewall rules. Those still happen in the vendor's own portal — by the human, with full audit trail.
- Severity normalization is opinionated — vendor labels don't always map cleanly to Critical / High / Med / Low. Mapping rules are configurable in Settings → Integrations → <vendor> so the tenant can override the defaults.
- Scan-cadence tools refresh on scan completion — monthly external pen test data, for example, updates when a scan finishes, not in real time.
- Some vendor APIs throttle aggressively — adapter cache TTLs (5–15 minutes) prevent fanout-storm patterns regardless of the vendor.
Pricing
Flat monthly pricing — no per-seat fees, no per-vendor surcharge. See current pricing on the homepage →
Ready to talk?
The first call is a 30-minute discovery — we map which security vendors you run, how you want severity mapped, and which dashboard tiles your team will actually look at every morning. No commitment, no sales pressure.
Questions first? Email [email protected] or read the FAQ.