MySecutec workflows & playbook
This guide explains what MySecutec is for and the common jobs people do
with it — phrased as natural-language questions you can ask an AI agent driving
the mysecutec CLI, with the command sequences each maps to and how to read the
results.
New to the agent setup? Read AGENTS.md first: it covers auth, JSON-first conventions, and the mutation guardrails the workflows below rely on.
What is MySecutec?
MySecutec is Secutec's managed-security platform. It pulls many security signals into one asset + threat model so you can see, prioritise, and act on your risk from a single place. The modules:
| Module | Answers the question |
|---|---|
| Assets (TAM) | What do we own, and how important is each thing? |
| Threats (TAM) | What's wrong, how bad, and what have we done about it? |
| XDR | What are our endpoints detecting? |
| ASM | What does our attack surface look like from outside? |
| LCM | Whose credentials have leaked? |
| DNM | Is our data / brand exposed on the dark net? |
| M365 / MSC | Is our Microsoft 365 tenant configured securely? |
| SDNS | What malicious DNS is being blocked? |
| ATH | What is advanced threat hunting surfacing? |
| IVS | What identified vulnerabilities exist? |
| TPRM / Bitsight | What's our third-party / external security rating? |
| PDK | What phishing targets our brand? |
Everything funnels into threats attached to assets. That's the key mental model: prioritise by threat severity × asset importance.
The three levers that drive prioritisation
- Severity: critical > high > medium > low > info.
- Status: `system_status` (what the platform thinks) and `user_status` (what you've decided: unsolved / accepted / false_positive / solved). Unsolved + high severity is the work queue.
- Asset value: `business_value` (1–5) and `public_facing`. A critical threat on a public, business-value-5 asset outranks the same threat on an internal value-1 asset.
Getting the most out of it (operating principles)
- Ask for counts, not pages. `threats aggregate` and `threats filter` return server-side totals instantly, which beats paging through `list`.
- Let JSON + jq do the joining. `list -o json | jq -r '.threats[].id'` feeds straight into bulk commands.
- Prioritise, don't enumerate. Filter by severity + unsolved + public-facing before looking at individual records.
- Act in bulk, safely. Triage many findings at once with `threats status`; it confirms first and reports per-ID success/failure.
- Export for offline / sharing. `export create` → `export download` gives a CSV for spreadsheets, audits, or tickets.
- Partners: pick your context. Impersonate the right org before querying; data is scoped to the active impersonation.
Workflow 1 — "Show me what needs my attention most urgently" ⭐
The flagship triage workflow. Urgency = high-severity, unsolved threats on important, exposed assets, plus fresh exposure (leaked creds, dark-net).
An agent should run, in order:
(command block: 20 lines, not preserved in this copy of the page)
How to read it: report the count of critical+high unsolved threats first (that's the headline), then list the top few by CVSS, flagging any on public-facing or business-value-5 assets as "do these first." Mention any spike in leaked credentials or dark-net PII as a separate urgent track.
Example shape (one test org): 54 critical + 346 high threats, 791 unsolved overall, across 4,548 assets, with 130 leaked-credential records and 16 dark-net PII items. The agent's job is to turn that into "here are the 10 things to look at this morning."
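The ranking rule behind the three levers and Workflow 1 (severity × asset importance, restricted to unsolved findings, top entries ordered by CVSS, public-facing or business-value-5 assets flagged "do these first") as a small script an agent could run over the CLI's JSON output. This is an added example, not code from MySecutec or from this playbook. The JSON field names and shapes are assumptions: the page only documents that `threats list -o json` has a top-level `threats` array with an `id`, that threats carry a severity, `system_status`/`user_status` and a CVSS score, and that assets carry `business_value` (1–5) and `public_facing`. The sample records are constructed for the example; in practice the two JSON strings would come from `threats list -o json` and `assets list -o json`.

```python
"""Build the morning triage queue from MySecutec-style JSON.

Added example, not part of the MySecutec CLI. Field names below
(asset_id, cvss_score, name, ...) are assumptions about the JSON shape.
"""
import json

# Severity ordering from the playbook: critical > high > medium > low > info.
SEVERITY_RANK = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1}

# Constructed sample shaped like the assumed `threats list -o json` output.
SAMPLE_THREATS_JSON = json.dumps({"threats": [
    {"id": "t-1", "severity": "critical", "cvss_score": 9.8, "user_status": "unsolved", "asset_id": "a-web"},
    {"id": "t-2", "severity": "critical", "cvss_score": 9.8, "user_status": "unsolved", "asset_id": "a-lab"},
    {"id": "t-3", "severity": "high", "cvss_score": 8.1, "user_status": "accepted", "asset_id": "a-web"},
    {"id": "t-4", "severity": "high", "cvss_score": 7.5, "user_status": "unsolved", "asset_id": "a-erp"},
    {"id": "t-5", "severity": "medium", "cvss_score": 5.3, "user_status": "unsolved", "asset_id": "a-web"},
    {"id": "t-6", "severity": "high", "cvss_score": 8.8, "user_status": "false_positive", "asset_id": "a-lab"},
]})

# Constructed sample shaped like the assumed `assets list -o json` output.
SAMPLE_ASSETS_JSON = json.dumps({"assets": [
    {"id": "a-web", "name": "www", "business_value": 5, "public_facing": True},
    {"id": "a-erp", "name": "erp-db", "business_value": 5, "public_facing": False},
    {"id": "a-lab", "name": "lab-vm", "business_value": 1, "public_facing": False},
]})


def priority(threat, asset):
    """Severity rank x business_value, doubled when the asset is public-facing.

    Unknown severities and missing asset data fall to the lowest weight so a
    record with incomplete hygiene never jumps the queue.
    """
    sev = SEVERITY_RANK.get(threat.get("severity", "info"), 1)
    business_value = asset.get("business_value", 1)
    exposure = 2 if asset.get("public_facing") else 1
    return sev * business_value * exposure


def build_queue(threats_json, assets_json, top_n=10):
    """Return (headline counts, ranked rows) for critical+high unsolved threats."""
    threats = json.loads(threats_json)["threats"]
    assets = {a["id"]: a for a in json.loads(assets_json)["assets"]}

    # The work queue: user_status unsolved, severity critical or high.
    work = [t for t in threats
            if t.get("user_status") == "unsolved"
            and t.get("severity") in ("critical", "high")]
    headline = {"critical": 0, "high": 0}
    for t in work:
        headline[t["severity"]] += 1

    # Primary key: severity x asset importance; tie-break on CVSS.
    ranked = sorted(work,
                    key=lambda t: (priority(t, assets.get(t["asset_id"], {})),
                                   t.get("cvss_score", 0)),
                    reverse=True)
    rows = []
    for t in ranked[:top_n]:
        a = assets.get(t["asset_id"], {})
        rows.append({
            "id": t["id"],
            "asset": a.get("name", t["asset_id"]),
            "severity": t["severity"],
            "cvss": t.get("cvss_score"),
            "score": priority(t, a),
            # "Do these first": public-facing or business-value-5 asset.
            "do_first": bool(a.get("public_facing") or a.get("business_value") == 5),
        })
    return headline, rows


def ids_for_bulk_status(rows):
    """Newline-separated ids, the shape `threats status --stdin` consumes."""
    return "\n".join(r["id"] for r in rows)


if __name__ == "__main__":
    headline, rows = build_queue(SAMPLE_THREATS_JSON, SAMPLE_ASSETS_JSON)
    print(f"{headline['critical']} critical + {headline['high']} high unsolved")
    for r in rows:
        flag = "DO FIRST" if r["do_first"] else ""
        print(f"{r['id']:6} {r['severity']:9} cvss={r['cvss']} "
              f"score={r['score']:3} asset={r['asset']} {flag}")
```

On the constructed sample the headline is 2 critical + 1 high unsolved, and the queue comes out t-1 (critical on the public value-5 web asset), then t-4 (high on the internal value-5 ERP database, flagged because of its business value), then t-2 (the same critical finding on a value-1 lab VM, not flagged). The accepted, false-positive and medium records never enter the queue. `ids_for_bulk_status` produces the id list that the Workflow 2 bulk-status step can read from stdin.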
Workflow 2 — Triage and disposition (investigate → decide → act)
Once you know what's urgent, work the queue:
(command block: 11 lines, not preserved in this copy of the page)
Bulk status changes confirm before running (or pass --yes) and report how many
succeeded vs failed per ID.
Workflow 3 — Posture / exposure overview (the exec or board view)
"Give me the headline security numbers."
(command block: 8 lines, not preserved in this copy of the page)
Summarise as a scorecard: assets monitored, threats by severity, % unsolved, leaked credentials, dark-net items, Bitsight grade.
Workflow 4 — Asset inventory & hygiene
"What do we own, and is it tagged correctly?"
(command block: 9 lines, not preserved in this copy of the page)
Good business_value / public_facing hygiene is what makes Workflow 1's
prioritisation meaningful.
Workflow 5 — Leaked-credential response
"Whose credentials are out there, and from which breaches?"
(command block: 5 lines, not preserved in this copy of the page)
Then drive resets/notifications off the affected accounts. This data is sensitive — report aggregates by default, raw records only when asked.
Workflow 6 — Dark-net & brand monitoring
(command block: 5 lines, not preserved in this copy of the page)
Workflow 7 — Microsoft 365 security review
(command block: 6 lines, not preserved in this copy of the page)
Find the tenant_id from the tenant asset (`assets list --type tenant -o json`).
Workflow 8 — Trends, reporting & evidence
"How are we trending, and give me something I can share."
(command block: 13 lines, not preserved in this copy of the page)
Exports and reports are asynchronous: `export create` / `report generate` only queue the job. Poll `list` until the job is ready, then `download`.
Workflow 9 — Partner / MSP (many organisations)
(command block: 5 lines, not preserved in this copy of the page)
Always tell the user which org the numbers belong to, and clear impersonation afterwards.
Workflow 10 — Notifications & settings
(command block: 5 lines, not preserved in this copy of the page)
Cheat sheet: question → command
| You ask… | Start with… |
|---|---|
| What needs attention now? | threats list --severity critical --severity high --user-status unsolved --sort -cvss_score |
| How many critical threats? | threats aggregate --group-by severity |
| Break X down by Y | threats aggregate --group-by <field> --module <m> |
| What's wrong with this asset? | assets threats <asset_id> |
| Are we leaking credentials? | lcm kpis then lcm breaches |
| Are we on the dark net? | dnm overview then dnm pii |
| What's our external rating? | tprm bitsight |
| Mark these as handled | threats status --stdin --user-status <s> |
| Give me a CSV / PDF | export create … / report generate … |
| Look at client X (partner) | impersonate <org_id> |