Cross-vendor security alert triage and incident response — normalizes severity, runs containment playbooks, and builds incident timelines across whatever EDR/MDR/SIEM stack you have connected.
Run the exposure ranking for one client or the whole portfolio — open critical findings, unmitigated threats, MFA gaps, and stale EDR coverage
Build a client-facing incident summary for a given client and time window, assembling a chronological timeline across every connected security, PSA, and documentation tool
Sweep every connected security tool across all clients/tenants, normalize findings, and report the top most urgent items portfolio-wide
Use this agent when a security incident needs to be reconstructed into a single chronological timeline suitable for a client-facing incident report, pulling every relevant event across every connected security, PSA, and documentation tool for the client and time window in question. Trigger for: incident timeline, build incident report, what happened during this incident, incident reconstruction, reconstruct the incident, timeline of events, client incident report. Examples: "Build an incident timeline for Acme Corp's compromised account from yesterday", "What happened during incident INC-4821 — give me the full timeline", "I need a client-facing report on last week's malware incident"
Use this agent when a technician needs a morning read on everything that fired overnight across the connected EDR/MDR/SIEM stack, normalized into one ranked digest instead of five separate vendor consoles. Trigger for: overnight alerts, morning security review, what happened overnight, alert summary, overnight digest, security morning check, what fired last night. Examples: "Summarize what happened overnight", "Give me the morning security review", "What alerts came in while we were closed?"
Use this agent when the MSP needs a portfolio-wide read on which clients carry the most current security risk — open critical findings, unpatched or uncontained threats, MFA coverage gaps, and stale EDR/agent coverage — ranked so leadership or the security team can prioritize attention. Trigger for: tenant risk ranking, which clients are most exposed, portfolio risk review, exposure sweep, risk ranking, most at-risk clients, which client needs attention. Examples: "Which clients are most exposed right now?", "Run a portfolio risk review", "Rank our clients by security exposure"
Use this skill when triaging security alerts, incidents, or findings that come from more than one connected EDR/MDR/SIEM vendor and a single, comparable severity ranking is needed. Covers a common Critical/High/Medium/Low normalized model, how to map each vendor's native severity terminology (Huntress incident status, SentinelOne threat confidence, Blumira finding priority, CIPP alert queue severity, Blackpoint Cyber SOC severity, SaaS Alerts risk level, and others) into it, and how to discover which vendors are actually connected before assuming any one of them is present.
Use this skill when Business Email Compromise (BEC) is suspected or confirmed for a client. Covers how to detect the signs from CIPP/M365 audit logs and connected email security vendor alerts, the immediate response sequence (session revocation, forwarding-rule audit, mailbox rule cleanup, password reset, MFA re-enrollment), and how to document the incident timeline for a client-facing report.
Use this skill when a security incident has been confirmed or is highly suspected and immediate first-response containment steps are needed. Covers standard containment sequences for the most common MSP incident classes — compromised account, malware/ransomware detection, business email compromise, and exposed credential — including what to do first, the correct order of operations, and which connected tool family (RMM, EDR, CIPP/Entra, PSA) handles each step.
External network access
Connects to servers outside your machine
Uses power tools
Uses Bash, Write, or Edit tools
Own this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimOwn this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimBased on adoption, maintenance, documentation, and repository signals. Not a security audit or endorsement.
One command to supercharge Claude Code for MSP workflows.
/plugin marketplace add wyre-technology/msp-claude-plugins
Then restart Claude Code. That's it.
Documentation: mcp.wyre.ai
Thirty-three vendor-specific plugins with domain knowledge for PSA, RMM, documentation, security, accounting, CRM, and productivity tools:
| Plugin | Description |
|---|---|
| Autotask PSA | Kaseya Autotask PSA - tickets, service calls, CRM, projects, contracts, billing |
| Datto RMM | Datto remote monitoring - devices, alerts, jobs, patches |
| IT Glue | IT documentation - organizations, assets, passwords, flexible assets |
| Hudu | IT documentation - companies, assets, articles, passwords, websites |
| RocketCyber | Managed SOC - incidents, agents, events, threat detection |
| Syncro | All-in-one PSA/RMM - tickets, customers, assets, invoicing |
| Atera | RMM/PSA platform - tickets, agents, customers, alerts, SNMP/HTTP monitors |
| SuperOps.ai | Modern PSA/RMM with GraphQL - tickets, assets, clients, runbooks |
| HaloPSA | Enterprise PSA with OAuth - tickets, clients, assets, contracts |
| Liongard | Configuration monitoring - environments, inspections, systems, detections, alerts |
| ConnectWise Manage | Industry-leading PSA - tickets, companies, contacts, projects, time (cloud and self-hosted) |
| ConnectWise Automate | Enterprise RMM - computers, clients, scripts, monitors, alerts |
| NinjaOne | NinjaOne RMM - devices, organizations, alerts, ticketing |
| SalesBuildr | Sales CRM - contacts, companies, opportunities, quotes |
| Pax8 | Cloud marketplace - companies, products, subscriptions, orders, invoices |
| Xero | Accounting - contacts, invoices, payments, accounts, reports |
| QuickBooks Online | Accounting - customers, invoices, expenses, payments, reports |
| Microsoft 365 | M365 admin - users, mailboxes, Teams, OneDrive, licensing, security |
| Rootly | Incident management - incidents, alerts, on-call, AI analysis, postmortems |
| Huntress | Managed threat detection and response - agents, incidents, reports |
| Blumira | Cloud SIEM - detections, findings, alerts, automated response |
| SentinelOne | XDR platform - endpoints, threats, incidents, Purple AI integration |
| Abnormal Security | AI-native email security - threats, cases, abuse mailbox |
| Avanan | Check Point Harmony Email & Collaboration - email security, DLP |
| Ironscales | AI-powered anti-phishing - incidents, simulations, threat intel |
| Mimecast | Email security - message tracking, threat protection, compliance |
| SpamTitan | Email security by TitanHQ - spam filtering, quarantine, policies |
| Proofpoint | Targeted Attack Protection - threat intel, campaigns, forensics |
| KnowBe4 | Security awareness training - phishing simulations, PhishER, training |
| HubSpot | CRM platform - contacts, companies, deals, tickets, marketing |
| PandaDoc | Document automation - proposals, quotes, e-signatures, templates |
| BetterStack | Uptime monitoring and on-call - monitors, incidents, heartbeats |
| PagerDuty | Incident management and on-call - incidents, services, escalations |
Plus shared skills for MSP terminology, ticket triage, cross-vendor incident correlation, and billing reconciliation.
SaaS Alerts - SaaS security monitoring and alerting for M365 / Google Workspace: alerts, events, anomaly detection, and multi-tenant response
Claude plugins for Checkpoint Harmony Email & Collaboration (Avanan) - email security, anti-phishing, threat detection, quarantine management
Vendor-agnostic MSP skills — terminology, ticket triage, incident correlation, and billing reconciliation
Claude plugins for Better Stack - uptime monitoring, incident management, status pages, on-call schedules, and log management (Logtail) for MSPs
Claude plugins for KnowBe4 - security awareness training, phishing simulation, user risk management
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin secops-packCross-vendor engineering reliability operations — on-call handoffs, incident postmortems, deploy health, and error-budget tracking across whatever incident-management, observability, and platform tools you have connected.
Harness-native ECC operator layer - 67 agents, 278 skills, 94 legacy command shims, reusable hooks, rules, selective install profiles, and production-ready workflows for Claude Code, Codex, OpenCode, Cursor, and related agent harnesses
Upstash Context7 MCP server for up-to-date documentation lookup. Pull version-specific documentation and code examples directly from source repositories into your LLM context.
Comprehensive skill pack with 66 specialized skills for full-stack developers: 12 language experts (Python, TypeScript, Go, Rust, C++, Swift, Kotlin, C#, PHP, Java, SQL, JavaScript), 10 backend frameworks, 6 frontend/mobile, plus infrastructure, DevOps, security, and testing. Features progressive disclosure architecture for 50% faster loading.
Consult multiple AI coding agents (Gemini, OpenAI, Grok, Perplexity, plus codex, antigravity, and grok CLIs when installed) to get diverse perspectives on coding problems
Comprehensive startup business analysis with market sizing (TAM/SAM/SOM), financial modeling, team planning, and strategic research