Blackpoint Incident Response
The functional Blackpoint tool surface today is read-only and centers on detections and the assets they fire against. This skill walks the investigation flow: tenant → asset → detections → vulnerabilities, plus dark-web and external-vulnerability cross-references.
API Tools
Tenants
| Tool | Purpose |
|---|---|
| `blackpoint_tenants_list` | Partner's customer tenants |
| `blackpoint_tenants_get` | Detail for one tenant |
Assets
| Tool | Purpose |
|---|---|
| `blackpoint_assets_list` | Assets for a tenant |
| `blackpoint_assets_get` | Detail for one asset |
| `blackpoint_assets_search` | Search assets by name / identifier |
| `blackpoint_assets_relationships` | Asset relationships (parent / child / related) |
Detections
| Tool | Purpose |
|---|---|
| `blackpoint_detections_list` | Detections for the tenant / asset scope |
| `blackpoint_detections_get` | Full detail for one detection |
Vulnerabilities
| Tool | Purpose |
|---|---|
| `blackpoint_vulnerabilities_list` | Known vulnerabilities for the scope |
| `blackpoint_vulnerabilities_scans_list` | Recent scan results |
| `blackpoint_vulnerabilities_darkweb_list` | Dark-web exposure findings |
| `blackpoint_vulnerabilities_external_list` | External (internet-facing) vulnerabilities |
Common Workflows
Walk a detection end-to-end
- Identify the tenant: `blackpoint_tenants_list` → `blackpoint_tenants_get`.
- List recent detections: `blackpoint_detections_list`.
- Pick the detection of interest: `blackpoint_detections_get`.
- Pivot to the affected asset: `blackpoint_assets_get` and `blackpoint_assets_relationships`.
- Cross-reference vulnerabilities on that asset: `blackpoint_vulnerabilities_list`.
Per-tenant exposure rollup
- `blackpoint_tenants_get` to confirm scope.
- `blackpoint_vulnerabilities_external_list` for internet-facing exposure.
- `blackpoint_vulnerabilities_darkweb_list` for credential / data leakage.
- `blackpoint_vulnerabilities_scans_list` for recent scan history.
- Roll up: count by severity, age, and asset. Surface anything high-severity with no recent scan.
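The rollup step above, as an added worked example (not code from the Blackpoint skill or MCP server). The finding and scan record shapes, the 14-day staleness threshold and the age buckets are assumptions standing in for the `blackpoint_vulnerabilities_external_list` and `blackpoint_vulnerabilities_scans_list` responses; the sample records are constructed.

```python
"""Per-tenant exposure rollup over constructed Blackpoint-style findings.

Added example. Record shapes, thresholds and sample data are assumptions,
not the real MCP response schema or real tenant data.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible
STALE_SCAN_DAYS = 14                              # "no recent scan" threshold (assumption)
HIGH_SEVERITIES = {"high", "critical"}

# Constructed sample data standing in for the two list tools' responses.
EXTERNAL_VULNS = [
    {"id": "v1", "asset_id": "a1", "hostname": "vpn-gw", "severity": "critical", "first_seen": "2024-05-01T00:00:00Z"},
    {"id": "v2", "asset_id": "a1", "hostname": "vpn-gw", "severity": "medium", "first_seen": "2024-05-25T00:00:00Z"},
    {"id": "v3", "asset_id": "a2", "hostname": "mail-edge", "severity": "high", "first_seen": "2024-04-10T00:00:00Z"},
    {"id": "v4", "asset_id": "a3", "hostname": "web-01", "severity": "low", "first_seen": "2024-05-30T00:00:00Z"},
]
SCANS = [
    {"asset_id": "a1", "completed_at": "2024-05-28T00:00:00Z"},  # fresh
    {"asset_id": "a2", "completed_at": "2024-04-20T00:00:00Z"},  # older than STALE_SCAN_DAYS
    {"asset_id": "a3", "completed_at": "2024-05-31T00:00:00Z"},  # fresh
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def age_bucket(days: int) -> str:
    """Coarse age buckets used for the rollup (assumed, not a Blackpoint convention)."""
    if days < 7:
        return "<7d"
    if days <= 30:
        return "7-30d"
    return ">30d"


def last_scan_per_asset(scans: list[dict]) -> dict[str, datetime]:
    """Most recent completed scan per asset_id."""
    latest: dict[str, datetime] = {}
    for scan in scans:
        ts = parse_ts(scan["completed_at"])
        if scan["asset_id"] not in latest or ts > latest[scan["asset_id"]]:
            latest[scan["asset_id"]] = ts
    return latest


def exposure_rollup(tenant_name: str, vulns: list[dict], scans: list[dict], now: datetime = NOW) -> dict:
    """Count findings by severity, age and asset, and flag high-severity findings
    whose asset has no scan completed within STALE_SCAN_DAYS."""
    by_severity: Counter = Counter()
    by_age: Counter = Counter()
    by_asset: Counter = Counter()
    latest_scan = last_scan_per_asset(scans)
    stale_cutoff = now - timedelta(days=STALE_SCAN_DAYS)
    stale_high = []
    for v in vulns:
        by_severity[v["severity"]] += 1
        by_age[age_bucket((now - parse_ts(v["first_seen"])).days)] += 1
        by_asset[v["hostname"]] += 1
        last = latest_scan.get(v["asset_id"])
        if v["severity"] in HIGH_SEVERITIES and (last is None or last < stale_cutoff):
            stale_high.append({
                "id": v["id"],
                "hostname": v["hostname"],
                "severity": v["severity"],
                "last_scan": last.isoformat() if last else None,
            })
    # Tenant name travels with every output (partner-level work spans many customers).
    return {
        "tenant": tenant_name,
        "by_severity": dict(by_severity),
        "by_age": dict(by_age),
        "by_asset": dict(by_asset),
        "stale_high": stale_high,
    }


if __name__ == "__main__":
    report = exposure_rollup("Acme Corp", EXTERNAL_VULNS, SCANS)
    print(f"[{report['tenant']}] severity={report['by_severity']} age={report['by_age']} assets={report['by_asset']}")
    for f in report["stale_high"]:
        print(f"[{report['tenant']}] FOLLOW UP: {f['severity']} {f['id']} on {f['hostname']} (last scan: {f['last_scan']})")
```

The `stale_high` list is the item worth surfacing first: `v1` is critical but its host was scanned four days ago, while `v3` is high on a host whose last scan predates the threshold, so only `v3` is flagged.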
Asset relationship map
- `blackpoint_assets_search` to find the entry asset.
- `blackpoint_assets_relationships` to enumerate connected assets.
- For each related asset, summarize detections and vulnerabilities to build a blast-radius view.
Multi-tenant detection sweep (partner view)
- `blackpoint_tenants_list` to enumerate customers.
- For each tenant, call `blackpoint_detections_list` for a recent window.
- Roll up: detections per tenant, severity distribution, top detection types.
- Surface tenants with abnormal volume or new detection types as priority follow-ups.
Edge Cases
- Stub domains — `blackpoint_alerts_*`, `blackpoint_cloud_security_*`, `blackpoint_notifications_*`, `blackpoint_partners_*`, `blackpoint_threat_intel_*`, and `blackpoint_tickets_*` are placeholders today and should not be invoked. Prefer the four functional domains (tenants, assets, detections, vulnerabilities).
- Read-only — Any "respond" or "acknowledge" action must happen in the CompassOne portal; the MCP surface cannot mutate state yet.
- Asset identity drift — Re-imaged endpoints can produce two asset records. Use `blackpoint_assets_search` and dedupe on hostname / serial before reporting.
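The identity-drift dedupe, as an added worked example that is not code from the skill or the MCP server. The asset record shape is an assumption about `blackpoint_assets_search` output, and the records are constructed. It keys on serial number when present and falls back to a case-normalised hostname, keeps the most recently seen record as canonical, and separately reports hostnames that still map to more than one identity so an analyst can check them by hand rather than having them silently merged.

```python
"""Dedupe asset records that drifted after a re-image.

Added example. The record shape is an assumption about blackpoint_assets_search
results; the sample records are constructed.
"""
from collections import defaultdict

# Constructed search results: a-001/a-002 are one laptop before and after a
# re-image (same serial, hostname case differs); a-003/a-004 are one server with
# no serial reported; a-005 shares the hostname but carries a different serial.
SEARCH_RESULTS = [
    {"id": "a-001", "hostname": "LAPTOP-42", "serial": "SN123", "last_seen": "2024-05-01"},
    {"id": "a-002", "hostname": "laptop-42", "serial": "SN123", "last_seen": "2024-05-20"},
    {"id": "a-003", "hostname": "srv-db", "serial": None, "last_seen": "2024-05-10"},
    {"id": "a-004", "hostname": "srv-db", "serial": "", "last_seen": "2024-05-12"},
    {"id": "a-005", "hostname": "srv-db", "serial": "SN999", "last_seen": "2024-05-11"},
]


def identity_key(asset: dict) -> str:
    """Serial number is the stable identity; hostname is the fallback when it is missing."""
    serial = (asset.get("serial") or "").strip().upper()
    if serial:
        return f"serial:{serial}"
    return f"host:{asset['hostname'].strip().lower()}"


def dedupe_assets(assets: list[dict]) -> list[dict]:
    """Collapse records sharing an identity key; the newest last_seen wins."""
    groups: dict[str, list[dict]] = defaultdict(list)
    for asset in assets:
        groups[identity_key(asset)].append(asset)
    canonical = []
    for key, members in groups.items():
        # ISO dates (YYYY-MM-DD) sort correctly as strings.
        members = sorted(members, key=lambda a: a["last_seen"], reverse=True)
        newest = members[0]
        canonical.append({
            "key": key,
            "asset_id": newest["id"],
            "hostname": newest["hostname"],
            "last_seen": newest["last_seen"],
            "duplicate_ids": [m["id"] for m in members[1:]],
        })
    return canonical


def hostname_collisions(canonical: list[dict]) -> dict[str, list[str]]:
    """Hostnames that still resolve to more than one identity after dedupe.
    These need a manual decision, not an automatic merge."""
    by_host: dict[str, list[str]] = defaultdict(list)
    for rec in canonical:
        by_host[rec["hostname"].strip().lower()].append(rec["key"])
    return {h: keys for h, keys in by_host.items() if len(keys) > 1}


if __name__ == "__main__":
    deduped = dedupe_assets(SEARCH_RESULTS)
    for rec in deduped:
        print(f"{rec['key']}: report as {rec['asset_id']} (last seen {rec['last_seen']}), "
              f"merged {rec['duplicate_ids'] or 'nothing'}")
    for host, keys in hostname_collisions(deduped).items():
        print(f"CHECK MANUALLY: hostname {host} maps to {keys}")
```

Only the collapsed `asset_id` should appear in the report, with the merged IDs kept for the audit trail; `srv-db` is deliberately left as two identities because one record carries a serial and the other does not.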
Best Practices
- Always include tenant name in every output — partner-level work spans many customers and ambiguity bites.
- Pair detections with the associated asset and any related vulnerabilities in a single view; analysts should not have to chase the link themselves.
- For QBRs, pull the external-vulnerability list and dark-web list together — they tell complementary stories.
Related Skills
- api-patterns - Auth, hierarchy, pagination