find-cybersecurity-firm
Drive the ServiceGraph API (https://api.servicegraph.co) to find,
shortlist, and enrich US cybersecurity firms via the pro_services
dataset.
Always pin service_provided:cybersecurity — that's the only
relevant structured tag in the live catalog. Older docs and the
catalog source mention sub-tags like pen-testing and
security-audit, but in the current release none of those exist as
separate tags — cybersecurity is the broad catch-all and every
sub-type (pen-testing, red-team, vCISO, SOC 2 readiness, IR retainer,
IAM, cloud security, AppSec) is a keyword substring search on firm
text. Confirm via /v1/datasets/pro_services/fields?include_values=1
once per session.
The industry tag also drifts between releases — newer catalogs may
use industry:cybersecurity, older ones used industry:security.
Confirm the value via /fields and pin both industry and
service_provided:cybersecurity for safety.
Any HTTP client works (curl, fetch, requests). Examples below use curl.
When NOT to use this skill
- Consumer/personal cybersecurity ("my Gmail got hacked", "how do I secure my home wifi") — the catalog is B2B procurement only.
- In-house security hires (Security Engineer, CISO, SOC analyst).
- DIY/configuration questions ("how do I patch CVE-X", "configure firewall rules", "review this Terraform").
- Security-product comparisons (CrowdStrike vs SentinelOne, EDR vendors, SIEM vendors).
- Generic security knowledge ("explain zero-trust", "what is OWASP Top 10").
- Non-US firms / individual freelance pen-testers / bug-bounty hunters.
MCP server (preferred for authed calls)
If your harness has the ServiceGraph MCP server loaded (tools
containing servicegraph), prefer those — OAuth 2.1 + PKCE keeps the
token in the harness sandbox. Otherwise use the REST flow below.
API surface (dataset id: pro_services)
Every endpoint requires a bearer token (Authorization: Bearer vk_…).
No anonymous tier.
| Endpoint | Cost | Use it for |
|---|---|---|
| GET /v1/datasets/pro_services/fields[?include_values=1] | free | Confirm industry value name and cybersecurity is in service_provided. |
| GET /v1/datasets/pro_services/check?filter=… | free | Validate filter. |
| POST /v1/datasets/pro_services/translate-intent | free | {intent} → DSL filter + sanity count. |
| GET /v1/datasets/pro_services/search?filter=…&limit= | free | Brief firm cards + per-row unlock hint + total. |
| GET /v1/datasets/pro_services/:apex | free | One row brief; detail only if unlocked. |
| POST /v1/datasets/pro_services/unlocks | 10 credits / firm | {apexes:[...]} ≤100; atomic; 30-day TTL on detail. |
| GET /v1/me/credits | free | Balance. |
Cost model. Discovery / validation / search / brief reads are
free. Detail (url, phone, email, social, address, full platforms
map) costs 10 credits per firm and lasts 30 days.
Auth
vk_* API keys minted in the dashboard. Keep the token out of the
LLM context — never read .env* into your context; dispatch via
shell.
- Try the call first through a shell wrapper that sources .env.local:

      ( set -a; [ -f .env.local ] && . ./.env.local; set +a
        curl -sS -H "Authorization: Bearer $SERVICEGRAPH_API_KEY" \
          'https://api.servicegraph.co/v1/datasets/pro_services/fields' )

- On 401 prompt the user: "Open https://servicegraph.co/profile/api-keys, create a key, and add SERVICEGRAPH_API_KEY=vk_… to .env.local here (or export it). Tell me when done. Please don't paste the key into chat."
- Retry after the user signals ready.
Filter DSL
GitHub-search-style.
filter := orExpr
orExpr := andExpr ("OR" andExpr)*
andExpr := notExpr (("AND")? notExpr)* # whitespace = implicit AND
notExpr := ("NOT" | "-") notExpr | atom
atom := "(" filter ")" | predicate
predicate := IDENT op valueOrList | bareword
op := ":" | "=" | ">=" | "<=" | ">" | "<"
valueOrList := value ("," value)*
value := IDENT | NUMBER | tagAtEvidence
tagAtEvidence := IDENT "@" ("low"|"medium"|"high")
bareword := IDENT | NUMBER # → keyword:<bareword>
Four rules that bite: AND binds tighter than OR (use parens);
comma list = OR within one predicate; negation is -x or NOT x;
bareword = keyword search (quote multi-word phrases).
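The grammar and the four rules above, written out as a small recursive-descent parser. This is an added example, not ServiceGraph's own code: the tuple-shaped AST and the function names are assumptions, and the input is the decoded filter string (before URL encoding).

```python
import re

# Token kinds: ( ) leading "-" | field<op>value[,value] | keyword (bare word or "phrase").
TOKEN = re.compile(r'''\s*(?:(?P<lp>\()|(?P<rp>\))|(?P<neg>-)
    |(?P<field>[A-Za-z_]\w*)(?P<op>>=|<=|[:=<>])(?P<vals>[\w@.-]+(?:,[\w@.-]+)*)
    |(?P<kw>"[^"]*"|\w[\w.-]*))''', re.X)

def _is(toks, i, kind, text=None):      # token i exists, has this kind (and this text)
    return i < len(toks) and toks[i][kind] is not None and text in (None, toks[i][kind])

def _or(toks, i):                       # orExpr := andExpr ("OR" andExpr)*
    node, i = _and(toks, i)
    terms = [node]
    while _is(toks, i, "kw", "OR"):
        node, i = _and(toks, i + 1)
        terms.append(node)
    return (terms[0] if len(terms) == 1 else ("or", terms)), i

def _and(toks, i):                      # andExpr: adjacency is AND, the word is optional
    node, i = _not(toks, i)
    terms = [node]
    while i < len(toks) and not (_is(toks, i, "rp") or _is(toks, i, "kw", "OR")):
        i += _is(toks, i, "kw", "AND")
        node, i = _not(toks, i)
        terms.append(node)
    return (terms[0] if len(terms) == 1 else ("and", terms)), i

def _not(toks, i):                      # notExpr, then atom / predicate / bareword
    if _is(toks, i, "neg") or _is(toks, i, "kw", "NOT"):
        node, i = _not(toks, i + 1)
        return ("not", node), i
    if _is(toks, i, "lp"):
        node, i = _or(toks, i + 1)
        if not _is(toks, i, "rp"):
            raise ValueError("missing ')'")
        return node, i + 1
    if _is(toks, i, "field"):           # comma list = OR of values inside one predicate
        return ("pred", *toks[i].group("field", "op"), toks[i]["vals"].split(",")), i + 1
    if not _is(toks, i, "kw") or toks[i]["kw"] in ("AND", "OR"):
        raise ValueError("expected a term")
    return ("kw", toks[i]["kw"].strip('"')), i + 1    # bareword -> keyword:<bareword>

def parse(text):
    toks = list(TOKEN.finditer(text))
    if sum(len(m[0]) for m in toks) != len(text.rstrip()):
        raise ValueError("unrecognised characters or unterminated quote")
    node, i = _or(toks, 0)
    if i != len(toks):
        raise ValueError("unbalanced ')'")
    return node
```

Parsing `a b OR c` yields an `or` node whose first branch is `and(a, b)`, which is the precedence trap the first rule warns about.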
Cybersecurity examples (validate yours with /check; replace
cybersecurity with whatever /fields returns as the industry value):
industry:cybersecurity service_provided:cybersecurity
service_provided:cybersecurity pen-testing
service_provided:cybersecurity "security audit" "soc 2"
service_provided:cybersecurity vciso
service_provided:cybersecurity "incident response" retainer
service_provided:cybersecurity cloud aws
service_provided:cybersecurity "application security" sast
service_provided:cybersecurity rating>=4 has:clutch
service_provided:cybersecurity hipaa
The live catalog has no separate pen-testing / security-audit /
appsec tags — pin service_provided:cybersecurity and treat all
sub-types as keywords.
Sub-type → keyword mapping (all sub-types are keyword-only):
| User asks for | Use |
|---|---|
| Pen test / red team | pen-testing, "red team" |
| Security audit / assessment | audit, assessment |
| vCISO / fractional CISO | vciso, "fractional ciso" |
| SOC 2 readiness | "soc 2", readiness |
| Incident response / forensics | "incident response", forensics, "ir retainer" |
| Cloud security | "cloud security", aws, gcp, azure |
| Identity / IAM | iam, identity |
| Application security / SAST/DAST | "application security", appsec, sast, dast |
| Compliance frameworks | pci, hipaa, "iso 27001", nist |
Identifying firms — apex
Firms are identified by their apex domain (mandiant.com, not
www.mandiant.com/about).
Recipes
A. Pen test for SOC 2
User: "Pen-testing firm for our SOC 2 audit."
GET /v1/datasets/pro_services/search?filter=service_provided:cybersecurity+pen-testing+"soc 2"&limit=10
# Present, get pick of 3. "Unlocking 3 = 30 credits, 30-day TTL."
POST /v1/datasets/pro_services/unlocks
{ "apexes": ["firm-a.com", "firm-b.com", "firm-c.com"] }
B. vCISO for a healthcare-tech startup
GET /v1/datasets/pro_services/search?filter=service_provided:cybersecurity+vciso+(healthcare OR hipaa)&limit=10
C. Incident response retainer
User: "Incident response retainer in case we get breached."
GET /v1/datasets/pro_services/search?filter=service_provided:cybersecurity+"incident response"+retainer&limit=10
If thin, drop retainer — most IR firms offer retainer engagements as standard.
D. Cloud security + AWS + HIPAA
GET /v1/datasets/pro_services/search?filter=service_provided:cybersecurity+cloud+aws+hipaa&limit=10
E. Indirect intent — "we got breached"
User: "We got hit with ransomware last week — we need help fast."
That's emergency IR:
GET /v1/datasets/pro_services/search?filter=service_provided:cybersecurity+"incident response"+ransomware&limit=10
Skip validation; present briefs immediately given urgency.
F. AppSec / SAST
GET /v1/datasets/pro_services/search?filter=service_provided:cybersecurity+"application security"+(sast OR "code review")&limit=10
G. SOC 2 readiness ahead of enterprise sales
GET /v1/datasets/pro_services/search?filter=service_provided:cybersecurity+"soc 2"+(readiness OR preparation)&limit=10
H. BYO apex list — enrich domains
User pastes 8–20 cybersecurity firm domains:
- GET /v1/datasets/pro_services/:apex per domain — free brief (404 = not in catalog, no charge).
- User picks N to fully enrich. POST /unlocks = 10×N credits, atomic, detail returned.
- Re-runs within 30-day TTL are free.
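The recipes write filters with raw spaces, quotes and parentheses, which must be percent-encoded before they go on a request line, and recipe H starts from pasted domains that have to be reduced to apexes. The sketch below is an added example, not ServiceGraph client code: search_url, to_apex and unlock_plan are hypothetical helper names, and to_apex only strips scheme, path, port and a leading www. (no public-suffix lookup).

```python
from urllib.parse import urlencode, urlsplit

BASE = "https://api.servicegraph.co/v1/datasets/pro_services"
CREDITS_PER_FIRM, MAX_APEXES = 10, 100      # figures from the API surface table

def search_url(filter_dsl, limit=10):
    """Encode a filter typed as in the recipes; spaces become '+', quotes %22."""
    return f"{BASE}/search?" + urlencode({"filter": filter_dsl, "limit": limit})

def to_apex(pasted):
    """Reduce a pasted URL or hostname to a lowercase host without 'www.'.
    Assumption: no public-suffix lookup, so any other subdomain is kept as typed."""
    pasted = pasted.strip()
    host = urlsplit(pasted if "//" in pasted else "//" + pasted).hostname or ""
    return host[4:] if host.startswith("www.") else host

def unlock_plan(pasted_domains, picked=None):
    """Recipe H: free brief URL per distinct apex, then one unlock body and its cost."""
    apexes = list(dict.fromkeys(a for a in map(to_apex, pasted_domains) if a))
    picks = [a for a in apexes if picked is None or a in picked]
    if len(picks) > MAX_APEXES:             # keep the unlock a single atomic call
        raise ValueError(f"unlocks accepts at most {MAX_APEXES} apexes per call")
    return {
        "brief_urls": [f"{BASE}/{a}" for a in apexes],   # free, 404 = not in catalog
        "unlock_body": {"apexes": picks},                # POST .../unlocks
        "credits": CREDITS_PER_FIRM * len(picks),        # quote this before unlocking
    }
```

Nothing here touches the API key; the resulting URL and body are handed to the shell wrapper from the Auth section, so the token stays out of the model's context.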
Gotchas
- Always pin the cybersecurity service tag. Without it,
pen-testing/vciso/appsec keywords