Blackpoint Multi-Tenant Operations
The CompassOne partner account sees every customer tenant. This skill covers the partner-level operating loop: enumerate tenants, sweep across them, and roll up into a portfolio view.
The Partner-Tenant Model
Partner (the MSP)
└── Tenant (customer) ← blackpoint_tenants_list / _get
└── Asset
└── Detections / Vulnerabilities
Every partner-level operation starts the same way: enumerate tenants, then iterate. Never present partner output without tenant attribution on every row.
API Tools
| Tool | Purpose |
|---|---|
blackpoint_tenants_list | Enumerate customer tenants (filter by account, status, name search) |
blackpoint_tenants_get | Detail for one tenant |
blackpoint_detections_list | Detections — call once per tenant with tenant_id |
blackpoint_vulnerabilities_list | Vulnerabilities — call once per tenant |
blackpoint_vulnerabilities_external_list | External exposures per tenant |
blackpoint_vulnerabilities_darkweb_list | Dark-web exposures per tenant |
Common Workflows
Multi-tenant detection sweep
blackpoint_tenants_list— enumerate all customers.- For each tenant,
blackpoint_detections_listfiltered to a recent window andstatusin {new,investigating}. - Roll up: detections per tenant, severity distribution, top detection types.
- Flag tenants with abnormal volume — a tenant well above its apparent baseline is itself the signal.
Portfolio exposure rollup (QBR prep)
- Enumerate tenants.
- Per tenant, pull
blackpoint_vulnerabilities_list,blackpoint_vulnerabilities_external_list, andblackpoint_vulnerabilities_darkweb_list. - Build a per-tenant scorecard: fix-now vulnerability count, external-exposure count, dark-web count.
- Rank tenants by exposure so the MSP knows where to spend remediation effort.
Morning queue triage
- Enumerate tenants.
- Sweep
newdetections from the last 24h across all of them. - Rank by severity, then tenant impact, then recency.
- Produce a shift-ready priority list (see the
alert-response-coordinatoragent).
Edge Cases
- Tenant scoping (403) — a partner may not have access to every tenant returned; a 403 on drill-down means scoping, not a bad token.
- Pagination at scale —
blackpoint_tenants_listand per-tenant detection lists can both paginate; fully page before claiming a count is complete. - Read-only — partner-level work here is reporting and triage; state changes happen in the CompassOne portal.
Best Practices
- Always start with
blackpoint_tenants_list— never hard-code a tenant set. - Carry tenant name on every output row; partner work is meaningless without attribution.
- Treat per-tenant volume as a signal, not just the raw detections.
- For QBRs, combine detection and exposure rollups into one per-tenant scorecard.
Related Skills
- incident-response - Drilling into one tenant's detections
- vulnerability-management - Exposure data per tenant
- api-patterns - Auth, hierarchy, pagination