Skip to main content

System Agents

The One Agents ships with four pre-built system agents that activate automatically with every new account. They represent The One Stack's opinionated best practices for MSP operations — the automation that every MSP should have running on day one.

System agents are read-only. You can pause them, override them per-event with a custom agent, or clone them to create a customized version. You cannot edit or delete the originals.

Dispatch Agent

ID: agent_system_dispatch Trigger: psa:ticket.created (fires on every new PSA ticket) Category: Service Desk Default model: Standard (GPT-4o mini, 20 credits/ticket)

The Dispatch Agent is the backbone of your service desk automation. Every time a new ticket is created, Dispatch runs a three-step workflow:

What It Does

Step 1 — AI Classification (Standard, 20 credits) Analyzes the ticket subject, type, description, and client context. Returns a structured classification:

  • priority — Re-scores the ticket priority. If a client submitted a P3 ticket that reads like a P1 (e.g., "The whole office can't print" vs. "Ransomware spreading across the network"), Dispatch corrects it.
  • categorynetwork, security, hardware, software, user_access, or general
  • required_skillsenior, network, security, or general — used to route to the right technician queue
  • urgency_notes — Brief explanation of the routing decision
  • draft_response — A professional first-response email ready to send to the client

Step 2 — Update Ticket Calls the PSA API to apply the AI-determined priority, category, and marks the ticket as ai_classified: true. Your technicians see a pre-triaged ticket — no manual triage queue.

Step 3 — Add First Response Posts Dispatch's drafted first-response email as a public note on the ticket. Your client receives an immediate, professional acknowledgment. Technicians can edit and send, or let it go out automatically if your PSA is configured for auto-response.

Impact

At 100 tickets per week, Dispatch:

  • Eliminates manual triage for 100 tickets
  • Drafts 100 first-response emails
  • Catches misclassified priorities before they breach SLA
  • Costs 2,000 credits/week — 8,000/month

Customizing Dispatch

Clone the Dispatch Agent if you want to:

  • Add a Branch step that routes security-category tickets to a dedicated security queue
  • Add a Notification step that pages a specific technician for hardware failures at a particular client
  • Modify the AI prompt to match your organization's ticket categories exactly
  • Change the model to quick (5 credits) for simple request-type tickets only

Guardian Agent

ID: agent_system_guardian Trigger: defend:alert.fired (fires on every Defend security alert) Category: Security Default model: Standard (GPT-4o mini, 20 credits/alert)

The Guardian Agent bridges your EDR and your service desk. When Defend detects a threat, Guardian ensures it becomes a trackable, actionable work item — not a notification that gets lost.

What It Does

Step 1 — AI Alert Enrichment (Standard, 20 credits) Analyzes the alert description, severity, MITRE tactic, device, and client context. Returns a structured analysis:

  • severity — Re-scored priority (p1p4) reflecting the business impact, not just the raw detection score
  • should_page_oncalltrue for P1/P2 alerts
  • should_isolate_devicetrue only for confirmed ransomware or active breach scenarios
  • ticket_subject / ticket_description — Human-readable ticket content built from the technical alert data
  • client_notification — Optional client-facing communication if the situation warrants it

Step 2 — Create PSA Ticket Creates a security incident ticket in PSA with the AI-generated subject and description. Sets the source to defend_alert and links the original alert ID for cross-product traceability.

Step 3 — Page On-Call If should_page_oncall is true, creates an incident in The One On-Call, automatically paging the current on-call technician.

ℹ️The Guardian Agent does not automatically isolate devices. Isolation is a high-impact, potentially disruptive action. The stock agent flags should_isolate_device in the ticket for human review. Clone the agent and add an Approval Gate step if you want to add supervised device isolation to the workflow.

Customizing Guardian

The security response walkthrough in Building Custom Agents shows how to extend Guardian with device isolation, approval gates, and ransomware recovery steps.

Advisor Agent

ID: agent_system_advisor Trigger: Schedule — 0 8 * * MON-FRI (8 AM weekdays) Category: Client Success Default model: Quick (GPT-4o mini, 5 credits/run)

The Advisor Agent is your MSP's morning briefing. Every weekday morning at 8 AM, it generates a digest covering the things your team needs to know before the day starts.

What It Does

Step 1 — Build Morning Digest (Quick, 5 credits) Using the accumulated client context from all managed clients, Advisor generates a digest with:

  • Clients needing attention — overdue tickets, clients approaching SLA breach, new P1/P2 incidents from the last 24 hours
  • Financial alerts — overdue invoices, expiring contracts, recent payment failures
  • Security posture changes — clients whose compliance or posture scores dropped overnight, recent high-severity Defend alerts
  • Recommended actions — the top 3–5 things your team should prioritize today

The digest is delivered as a concise (under 300 word) push notification or email to all active technicians.

Cost

At 5 credits per run, 261 weekday runs per year, Advisor costs 1,305 credits annually — effectively free within any subscription tier.

Customizing Advisor

Clone Advisor to:

  • Add a Branch step that sends a separate urgent notification when the digest includes P1 items
  • Route the digest to a specific Slack channel via Relay rather than push notification
  • Change the schedule to include weekends for 24/7 MSPs

Client Context Builder

ID: agent_system_context_builder Trigger: psa:ticket.created (and expands to other triggers as it matures) Category: Operations Default model: None (no AI steps — pure data aggregation)

The Context Builder is the intelligence layer that makes all other agents smarter. It maintains a living profile for every managed client and injects that profile into every AI Reason step across the platform.

What It Does

When a new PSA ticket is created for a client, the Context Builder fetches the latest client data and refreshes the profile stored in the client_context container:

  • Open tickets and recent resolution history
  • Active Defend alerts and current security posture score
  • Device inventory and health status from RMM
  • Outstanding invoices and contract status from Books
  • Compliance status and recent findings from Security
  • CRM relationship health and upcoming renewals
  • On-Call schedule and recent incident history

This profile is available to all subsequent AI Reason steps as implicit context — agents don't need to query each product individually. When the Guardian Agent analyzes a Defend alert, it knows the client's security posture score, their Defend enrollment status, and whether they have outstanding security findings. When Dispatch drafts a first response, it knows the client's service history and contract tier.

Zero Credits

The Context Builder runs no AI steps. It's pure data aggregation via Product Action steps. It costs zero credits to run.

Why It Matters

Without client context, an AI classifying a ticket knows only what's in the ticket. With context, it knows the client has had 3 P1 incidents this month, their compliance score dropped 11 points last week, and their Defend subscription lapsed 2 days ago. The quality of AI reasoning — and thus the quality of every automated action — depends entirely on the richness of the context available.

ℹ️Client context profiles are stored in Cosmos DB with a 90-day TTL on stale entries. Profiles are refreshed on key trigger events, not on a fixed schedule. Clients with infrequent activity may have older context profiles. This is expected behavior — the Context Builder updates proactively when there's relevant activity to update from.