About the customer
The customer is an organization with several hundred to several thousand endpoints across multiple locations, with security operations contracted to an MSSP under a 24x7 / business-hours / co-managed arrangement. Identity is Entra ID, Okta, or Google Workspace; EDR is CrowdStrike, SentinelOne, or Defender for Endpoint; the SIEM is Microsoft Sentinel, Splunk, or the MSSP’s house platform (throughout this page, "Sentinel" on its own means AiT SOC Sentinel, not the Microsoft SIEM). Security leadership reports to the CISO, IT director, or VP of IT.
MSSP relationships are political. Customer name and MSSP name are templated until written attribution is on file; the customer asked to anonymize the vendor by default.
The Challenge
The board had asked the CISO a question they couldn’t answer cleanly: “are we covered?” The MSSP delivered a monthly report with ticket counts, MTTR, and a green dashboard, but the customer’s internal team had no independent way to validate any of it. Were the tickets the MSSP closed actually resolved, or just closed? Were detections running on the right log sources? Was anything happening on the endpoint, identity, or cloud surface that the MSSP simply wasn’t seeing because the log was never piped in?
Replacing the MSSP wasn’t on the table — the contract had time remaining, renewal was scheduled, and the internal team didn’t have headcount to take SOC operations in-house. What the customer needed was an oversight tier: independent ingest of the same telemetry the MSSP was working from (plus the log sources they weren’t), with reconciliation against the MSSP’s ticket export, and a dashboard the CISO could put in front of the board.
The Solution
Intelligent IT deployed AiT SOC Sentinel against the customer’s existing telemetry stack. Sentinel ingests directly from the EDR API, the IdP audit logs, the cloud control planes (AWS, Azure, GCP, M365, Workspace), and the network egress log, then reconciles every ingested event against the MSSP’s ticket export on a nightly cadence. For each event that meets Sentinel’s ticket policy, the reconciliation engine answers one of three questions: did the MSSP triage and close it, did they triage and escalate it, or did it never appear in their queue at all (the blind-spot bucket). Because the comparison runs against the nightly export, the blind-spot view lags live telemetry by up to a day; it is an oversight control over the MSSP, not a replacement alerting path.
Severity is rendered in the standard chart palette (critical in red, high in amber, informational in info-blue), carried over from the IG SaaS theme so the CISO’s board pack visually matches the rest of the IG-branded operations dashboards. The blind-spot bucket gets its own panel: one row per log source the MSSP isn’t watching, with the count of events seen in the last 30 days that would have qualified for a ticket under Sentinel’s own policy rather than the MSSP’s.
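The reconciliation described above, written out as an added example in Python. This is not AiT SOC Sentinel’s code or schema: the event and ticket fields, the ticket policy (critical/high qualifies), the matching rules (exact alert id first, then same source and entity within a 15-minute window for tickets the MSSP re-keyed) and all sample rows are constructed for the illustration. It sorts qualifying events into the closed / escalated / blind-spot buckets and builds the per-source blind-spot panel for a 30-day window.

```python
"""Reconcile ingested telemetry against an MSSP ticket export (added example;
schemas, policy, matching rules and sample data are all assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical oversight-tier ticket policy: these severities would get a ticket.
TICKET_SEVERITIES = {"critical", "high"}
# Fallback matching window for tickets that carry no source alert id.
MATCH_WINDOW = timedelta(minutes=15)


def ts(s):
    """Parse an ISO-8601 UTC timestamp such as '2026-04-20T10:15:00Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def qualifies_for_ticket(event):
    """Would Sentinel's (assumed) policy have opened a ticket for this event?"""
    return event["severity"] in TICKET_SEVERITIES


def match_ticket(event, tickets):
    """Find the MSSP ticket covering an event.

    Primary key: the source alert id, when the export carries it.
    Fallback: same source and entity within MATCH_WINDOW of the event time,
    for exports where the MSSP re-keyed the alert in its own system.
    """
    for t in tickets:
        if t["alert_id"] and t["alert_id"] == event["alert_id"]:
            return t
    for t in tickets:
        if t["alert_id"]:
            continue
        same_target = t["source"] == event["source"] and t["entity"] == event["entity"]
        if same_target and abs(ts(t["opened_at"]) - ts(event["time"])) <= MATCH_WINDOW:
            return t
    return None


def reconcile(events, tickets, now, lookback=timedelta(days=30)):
    """Bucket every qualifying event and build the blind-spot panel.

    Returns buckets (closed / escalated / blind_spot alert ids), the panel of
    sources the MSSP never ticketed at all (count of qualifying events in the
    lookback window), and missed events on sources they do ticket.
    """
    buckets = {"closed": [], "escalated": [], "blind_spot": []}
    unmatched_recent = defaultdict(int)
    watched = {t["source"] for t in tickets}  # sources with at least one ticket
    for ev in events:
        if not qualifies_for_ticket(ev):
            continue
        t = match_ticket(ev, tickets)
        if t is None:
            buckets["blind_spot"].append(ev["alert_id"])
            if now - ts(ev["time"]) <= lookback:
                unmatched_recent[ev["source"]] += 1
        elif t["status"] == "closed":
            buckets["closed"].append(ev["alert_id"])
        else:
            buckets["escalated"].append(ev["alert_id"])
    return {
        "buckets": buckets,
        "blind_spot_panel": {s: n for s, n in unmatched_recent.items() if s not in watched},
        "missed_in_watched": {s: n for s, n in unmatched_recent.items() if s in watched},
    }


NOW = ts("2026-05-06T00:00:00Z")

EVENTS = [  # constructed telemetry, one row per ingested alert
    {"alert_id": "edr-1001", "source": "edr", "entity": "WS-044", "severity": "critical", "time": "2026-04-20T10:15:00Z"},
    {"alert_id": "edr-1002", "source": "edr", "entity": "WS-052", "severity": "high", "time": "2026-04-22T08:02:00Z"},
    {"alert_id": "edr-1003", "source": "edr", "entity": "WS-052", "severity": "low", "time": "2026-04-22T08:05:00Z"},
    {"alert_id": "idp-2001", "source": "idp", "entity": "j.doe", "severity": "high", "time": "2026-04-25T13:40:00Z"},
    {"alert_id": "m365-3001", "source": "m365_audit", "entity": "j.doe", "severity": "high", "time": "2026-04-26T09:00:00Z"},
    {"alert_id": "m365-3002", "source": "m365_audit", "entity": "a.smith", "severity": "critical", "time": "2026-05-02T17:30:00Z"},
    {"alert_id": "m365-3003", "source": "m365_audit", "entity": "a.smith", "severity": "critical", "time": "2026-03-01T17:30:00Z"},
]

TICKETS = [  # constructed MSSP ticket export; T-502 carries no source alert id
    {"ticket_id": "T-501", "alert_id": "edr-1001", "source": "edr", "entity": "WS-044", "status": "closed", "opened_at": "2026-04-20T10:20:00Z"},
    {"ticket_id": "T-502", "alert_id": "", "source": "idp", "entity": "j.doe", "status": "escalated", "opened_at": "2026-04-25T13:47:00Z"},
]


def run_report():
    return reconcile(EVENTS, TICKETS, NOW)


if __name__ == "__main__":
    for k, v in run_report().items():
        print(k, v)
```

On the constructed data the panel contains only m365_audit (two qualifying events in the window; the older March event is bucketed as a blind spot but falls outside the 30-day count), while the EDR miss shows up separately as a missed event on a source the MSSP does ticket. The fallback window is the part to tune against a real export: too wide and unrelated tickets absorb misses, too narrow and re-keyed tickets appear as blind spots.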
Results
Outcome metrics over the first quarter / six months on AiT SOC Sentinel. Numbers below are templated; live metrics are confirmed from sentinel_event and mssp_export reconciliation tables.
All MSSP-attributed metrics use export reconciliation, not vendor-supplied dashboards.
What’s next
Phase 2 connects Sentinel directly to the IdP and EDR for active response — not just oversight — on a defined set of high-confidence detections (e.g. token theft → forced session revoke). Phase 3 expands the reconciliation engine across the customer’s vendor stack: every security tool’s alert flow gets reconciled against ground truth, not just the MSSP’s.
- MSSP renewal armed with quantified blind-spot data and reconciled ticket history
- Active response on top-quartile detections (forced revoke, host isolate)
- Compliance / audit prep: Sentinel’s reconciliation log is the evidence trail
- Co-managed SOC pivot: optionally shift from oversight to first-tier triage in-product
In their words
“Sentinel told us our MSSP wasn’t watching the M365 audit log. We renegotiated renewal with that single data point.”
— CISO, attribution pending written approval
About Intelligent IT
Intelligent IT (a brand of Intelligent Group) builds AiT SOC Sentinel as the SOC oversight tier of the AiT product suite. Sentinel doesn’t replace the MSSP — it gives the customer the independent telemetry, reconciliation, and blind-spot visibility needed to manage the MSSP relationship as a CISO rather than a passenger.
Want Sentinel oversight on your MSSP?
Pilots are scoped against your existing telemetry stack and the renewal date you’re aiming at.
Case study as of 2026-05-06. Customer attribution and live metrics pending written approval; MSSP name anonymized at customer request. Manuel Ruiz, Founder. © Intelligent Group · intelligentit.io