Manage SentinelOne XDR security operations across MSP environments: triage alerts, hunt threats using natural language, inventory endpoints and cloud assets, assess vulnerabilities and CVEs, and audit cloud security posture (AWS, Azure, GCP, K8s) with automated agents and commands.
Triage new and unresolved SentinelOne alerts by severity
Asset inventory summary by surface type across managed environments
Threat hunting via Purple AI and PowerQuery execution
Deep investigation of a specific SentinelOne alert with timeline and context
Cloud security posture review with compliance gap analysis
Use this agent when an MSP needs to audit and harden SentinelOne endpoint configuration across client sites — not to investigate active threats, but to proactively identify gaps before attackers can exploit them. Trigger for: endpoint hardening, policy compliance, SentinelOne policy audit, agent health review, exclusion audit, protection mode check, unprotected agents, coverage gaps, vulnerability exposure, misconfiguration audit, posture hardening, SentinelOne configuration review. Examples: "Audit our SentinelOne configuration for all clients and find any hardening gaps", "Which endpoints are running in Detect-only mode instead of Protect?", "Find endpoints with outdated agents across the fleet", "Generate a hardening report for the quarterly review"
Use this agent when an MSP needs to autonomously hunt for threats across client endpoints using SentinelOne. Trigger for: IOC sweep, threat hunt, indicator sweep, PowerQuery hunt, lateral movement investigation, ransomware indicators, C2 beaconing, MITRE ATT&CK TTP analysis, incident investigation, endpoint forensics, malware triage, suspicious activity deep-dive. Examples: "Hunt for signs of lateral movement across all clients", "Sweep for this file hash across our endpoints", "Investigate the suspicious PowerShell alert on ACME-WS-042"
Use this skill when working with SentinelOne alerts - triaging new alerts, investigating specific alerts, searching by severity or status, reviewing alert timelines, and managing alert workflows across MSP client environments. Covers all alert tools, severity levels, status values, view types, GraphQL filter syntax, and cursor-based pagination.
Use this skill when working with the SentinelOne Purple MCP tools - available tools, connection setup, uvx-based installation, Service User token authentication, transport modes, dual API architecture (GraphQL and REST), rate limits, error handling, and best practices. Covers all 23 Purple MCP tools organized by domain.
Use this skill when working with SentinelOne unified asset inventory - endpoints, cloud resources, identities, and network-discovered devices. Covers inventory tools, surface types, REST API with offset-based pagination, filter types, asset fields, and inventory audit workflows for MSP client environments.
Use this skill when working with SentinelOne XSPM misconfigurations - cloud security posture management across AWS, Azure, GCP, Kubernetes, identity, and infrastructure-as-code. Covers misconfiguration detection, compliance standards, MITRE ATT&CK mappings, remediation steps, evidence details, and posture review workflows for MSP clients.
Use this skill when working with SentinelOne Purple AI - natural language cybersecurity investigation, threat hunting, behavioral anomaly analysis, MITRE ATT&CK TTP mapping, and PowerQuery generation. Covers the purple_ai tool, best practices for prompting, common investigation queries, and integration with PowerQuery execution.
Uses power tools
Uses Bash, Write, or Edit tools
Own this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimOwn this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimBased on adoption, maintenance, documentation, and repository signals. Not a security audit or endorsement.
One command to supercharge Claude Code for MSP workflows.
/plugin marketplace add wyre-technology/msp-claude-plugins
Then restart Claude Code. That's it.
Documentation: mcp.wyre.ai
Thirty-three vendor-specific plugins with domain knowledge for PSA, RMM, documentation, security, accounting, CRM, and productivity tools:
| Plugin | Description |
|---|---|
| Autotask PSA | Kaseya Autotask PSA - tickets, service calls, CRM, projects, contracts, billing |
| Datto RMM | Datto remote monitoring - devices, alerts, jobs, patches |
| IT Glue | IT documentation - organizations, assets, passwords, flexible assets |
| Hudu | IT documentation - companies, assets, articles, passwords, websites |
| RocketCyber | Managed SOC - incidents, agents, events, threat detection |
| Syncro | All-in-one PSA/RMM - tickets, customers, assets, invoicing |
| Atera | RMM/PSA platform - tickets, agents, customers, alerts, SNMP/HTTP monitors |
| SuperOps.ai | Modern PSA/RMM with GraphQL - tickets, assets, clients, runbooks |
| HaloPSA | Enterprise PSA with OAuth - tickets, clients, assets, contracts |
| Liongard | Configuration monitoring - environments, inspections, systems, detections, alerts |
| ConnectWise Manage | Industry-leading PSA - tickets, companies, contacts, projects, time (cloud and self-hosted) |
| ConnectWise Automate | Enterprise RMM - computers, clients, scripts, monitors, alerts |
| NinjaOne | NinjaOne RMM - devices, organizations, alerts, ticketing |
| SalesBuildr | Sales CRM - contacts, companies, opportunities, quotes |
| Pax8 | Cloud marketplace - companies, products, subscriptions, orders, invoices |
| Xero | Accounting - contacts, invoices, payments, accounts, reports |
| QuickBooks Online | Accounting - customers, invoices, expenses, payments, reports |
| Microsoft 365 | M365 admin - users, mailboxes, Teams, OneDrive, licensing, security |
| Rootly | Incident management - incidents, alerts, on-call, AI analysis, postmortems |
| Huntress | Managed threat detection and response - agents, incidents, reports |
| Blumira | Cloud SIEM - detections, findings, alerts, automated response |
| SentinelOne | XDR platform - endpoints, threats, incidents, Purple AI integration |
| Abnormal Security | AI-native email security - threats, cases, abuse mailbox |
| Avanan | Check Point Harmony Email & Collaboration - email security, DLP |
| Ironscales | AI-powered anti-phishing - incidents, simulations, threat intel |
| Mimecast | Email security - message tracking, threat protection, compliance |
| SpamTitan | Email security by TitanHQ - spam filtering, quarantine, policies |
| Proofpoint | Targeted Attack Protection - threat intel, campaigns, forensics |
| KnowBe4 | Security awareness training - phishing simulations, PhishER, training |
| HubSpot | CRM platform - contacts, companies, deals, tickets, marketing |
| PandaDoc | Document automation - proposals, quotes, e-signatures, templates |
| BetterStack | Uptime monitoring and on-call - monitors, incidents, heartbeats |
| PagerDuty | Incident management and on-call - incidents, services, escalations |
Plus shared skills for MSP terminology, ticket triage, cross-vendor incident correlation, and billing reconciliation.
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin sentineloneClaude plugins for Checkpoint Harmony Email & Collaboration (Avanan) - email security, anti-phishing, threat detection, quarantine management
Vendor-agnostic MSP skills — terminology, ticket triage, incident correlation, and billing reconciliation
Claude plugins for Better Stack - uptime monitoring, incident management, status pages, on-call schedules, and log management (Logtail) for MSPs
Claude plugins for KnowBe4 - security awareness training, phishing simulation, user risk management
Claude plugins for RunZero - asset discovery, network scanning, service inventory, OS fingerprinting, wireless detection, and vulnerability reporting for MSPs
Claude plugins for RocketCyber managed SOC - incidents, agents, accounts, threat detection
SentinelOne SecOps skills for Claude: PowerQuery threat hunting and STAR/Custom Detection rules; Management Console API; Singularity Data Lake API; SDL dashboards; log parsing (OCSF); Hyperautomation SOAR; z-score anomaly baselining; autonomous DFIR alert investigation (soc-investigator); and one-prompt SDL solutions: source onboarding, asset enrichment, UEBA, ingest health, detection exclusions, Risk-Based Alerting, alert noise reduction, and Detection as Code.
Advanced LimaCharlie skills for MSSP reporting, fleet coverage, threat intelligence, adapter management, IaC, onboarding, and HTML dashboards. Requires lc-essentials plugin.
Agentic SOC Platform integration for Claude Code
Sysdig's cloud security expertise, packaged as agent skills that work natively in your AI environment.
SentinelOne SecOps skills for Claude: PowerQuery threat hunting, Management Console API, Singularity Data Lake API, SDL dashboard authoring, SDL log parsing, Hyperautomation workflow generation, source-agnostic behavioral baselining with z-score anomaly detection, and packaged SDL solution deployment (data source onboarding to OCSF with device/user enrichment, dashboard, MITRE-mapped detections and a threat-response flow; plus asset enrichment of raw logs).