User Protection Package
The User Protection package is a $3/managed user/month bundle that gives MSPs complete visibility and protection for every end-user without requiring a full SIEM deployment.
What's Included
| Feature | Included |
|---|---|
| Security Awareness Training | ✓ |
| Phishing simulation | ✓ |
| Dark web monitoring (HIBP) | ✓ |
| M365 posture monitoring | ✓ |
| DMARC reports | ✓ |
| Full SIEM / alert pipeline | — (full platform) |
| Vulnerability management | — (full platform) |
| GRC compliance assessments | — (full platform) |
| Threat hunting | — (full platform) |
| Shadow AI detection | — (full platform) |
Managed Users
A managed user is one of your client's end-users who you are actively protecting. This is the unit of billing for the User Protection package.
Adding Managed Users
- Manual entry: Enter individual email addresses from the Security console.
- CSV import: Upload a spreadsheet with a column of email addresses.
- M365 sync: Connect the client's Microsoft 365 tenant (see M365 Posture). Users from the connected tenant are automatically available as managed users.
Security Awareness Training (SAT)
Training campaigns assign security education content to managed users. Supported content types:
| Type | Description |
|---|---|
| Course | Multi-module interactive course |
| Video | Video-based training with completion tracking |
| Quiz | Knowledge-check quiz with configurable passing score |
| Policy Acknowledgement | User reads and acknowledges a security policy |
Campaign lifecycle: Draft → Active → Paused → Completed
Completion rates and due dates are tracked per campaign. See SAT Training for full details.
Phishing Simulation
Phishing campaigns test users by sending simulated phishing emails. Five template types are available:
- Credential Harvest
- Malicious Attachment
- Link Click
- Data Entry
- Reply To
Users who click are automatically enrolled in remedial training. Click rate and report rate are tracked per campaign. See Phishing Simulation for full details.
Dark Web Monitoring
Monitored emails are checked against the HaveIBeenPwned (HIBP) API v3 for known data breaches and paste exposures.
- Automated schedule: Every 12 hours
- On-demand: Click "Check HIBP" on any individual monitor
- Findings: Breach name, date, data classes exposed, password exposure flag
- Workflow: New → Acknowledged → Resolved
See Dark Web Monitoring for full details.
M365 Posture
Connected Microsoft 365 tenants are monitored for 10 types of suspicious events:
| Event Type | What it Detects |
|---|---|
| Suspicious Sign-in | Anomalous login patterns |
| OAuth App Consent | New OAuth application grants |
| Email Forwarding | External forwarding rules added |
| Admin Role Change | Privileged role assignments |
| MFA Failure Spike | Unusual MFA failure volume |
| Bulk Download | Mass file downloads |
| Sharing Policy Change | External sharing policy modifications |
| New Admin Added | New administrator accounts |
| Suspicious Inbox Rule | Delete-all or auto-forward inbox rules |
| Guest User Added | New guest user invitations |
Each event is severity-rated (Critical / High / Medium / Low) and surfaced in the Events tab. Users with multiple events are ranked by risk score in the User Risk tab.
See M365 Posture for connection instructions.
DMARC Reports
DMARC aggregate (RUA) reports are parsed and displayed per sending domain. Metrics include:
- 30-day pass rate
- Total message volume
- Unauthorized sender count
- Per-sender DKIM/SPF pass/fail breakdown
- Policy trend timeline (last 30 days)
See Email Security for full details.
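
How the DMARC metrics listed above can be derived from a single aggregate (RUA) report, shown as an added example that is not the product's own code. The sample report is constructed, `summarize_rua` is a hypothetical name, and treating any source IP with at least one DMARC failure as an "unauthorized sender" is an assumption, since the page does not define the term.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (RFC 7489 aggregate format); IPs are documentation ranges.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>30</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>50</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize_rua(xml_text):
    # Reports arrive from third parties: refuse DTDs/entities before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in DMARC report")
    root = ET.fromstring(xml_text)
    senders = defaultdict(lambda: {"total": 0, "dkim_pass": 0, "spf_pass": 0, "dmarc_fail": 0})
    for row in root.iterfind("record/row"):
        ip = row.findtext("source_ip", "").strip()
        count = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim", "fail").strip().lower()
        spf = row.findtext("policy_evaluated/spf", "fail").strip().lower()
        s = senders[ip]
        s["total"] += count
        s["dkim_pass"] += count if dkim == "pass" else 0
        s["spf_pass"] += count if spf == "pass" else 0
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        s["dmarc_fail"] += count if dkim != "pass" and spf != "pass" else 0
    total = sum(s["total"] for s in senders.values())
    failed = sum(s["dmarc_fail"] for s in senders.values())
    return {
        "domain": root.findtext("policy_published/domain", "").strip(),
        "total_messages": total,
        "pass_rate": round(100 * (total - failed) / total, 1) if total else 0.0,
        # Assumption: "unauthorized" = a source IP with at least one DMARC failure.
        "unauthorized_senders": sorted(ip for ip, s in senders.items() if s["dmarc_fail"]),
        "per_sender": dict(senders),
    }

if __name__ == "__main__":
    print(summarize_rua(SAMPLE_RUA))
```

A 30-day view would sum these per-report results across every report whose date range falls inside the window.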