Shield gives MSSPs a prevention-first network security capability that reduces analyst workload and improves customer outcomes. Shield blocks malicious traffic at the network layer using the Global Threat Engine.
Shield gives you the raw material: every killed event, every permitted destination, every new host and IP on the network. Export on your terms. Shape the story your clients want to read.
| Audience | MSSP integration and reporting teams |
|---|---|
| Problem | Need Shield data flowing into existing SIEM, ticketing, and reporting workflows |
| How Shield helps | Shield Command Hub exports to CSV, integrates with SIEM, and provides per-tenant reporting |
| Best fit | MSSPs running Splunk, Shield Sentinel, QRadar, or similar SIEM platforms |
| Next step | Talk to an Engineer |
Shield is built to feed your existing analyst workflow, not replace it. Standard exports go where you already work. Direct platform integrations are limited and we’re honest about that.
Shield exports event data via standard formats. Command Hub exports CSV and Excel for analyst workflows and customer reports. Shield OnPremise forwards via Syslog to your existing SIEM. Connection-level evidence is available for 72 hours of direct query.
No exposed API today. No native integrations to ticketing, PSA, RMM, or SOAR tools. No SSO on Command Hub. Partners bridge Shield to those workflows through standard exports today. Deeper platform integrations are on the roadmap.
Command Hub lays every Shield deployment side by side. Search, filter, and pull what you need without hopping between tools.
Every inbound and outbound connection across every Shield deployment. Killed, permitted, or observed, all timestamped and tenant-scoped.
Command Hub exports to CSV and Excel. Shield OnPremise forwards via Syslog. Your existing analyst workflow, your existing tools, no middleware.
Connection evidence stays accessible for 72 hours. Pull what matters into your own long-term store the way you do today.
Shield OnPremise forwards event data via Syslog to your existing SIEM. A standard ingestion path your team already knows, with no middleware.
Key fields documented. Recommended parsing patterns provided. Your engineers don’t need to reverse-engineer the schema.
Command Hub feeds analyst workflows. Shield OnPremise feeds SIEMs. Two paths, well documented, used by partners today.
Deeper platform integrations to ticketing, PSA, RMM, SOAR are on the roadmap. We’ll tell you when they land.
You own the client relationship. Shield arms you with the evidence. Daily operations, monthly rollups, quarterly reviews: the cadence is yours, the data is the same.
Every Shield deployment writes to the same connection record. Pull from it at any cadence your clients want.
Build a weekly digest for your SMB clients. A monthly executive summary for your mid-market. A quarterly board-ready rollup for enterprise. Same source data, three different stories.
This is a feature of how partners work with Shield, not a limitation. You own the client relationship; Shield supplies the evidence.
Standard templates partners use to convert Shield’s raw evidence into customer-ready reports. Use them as-is or adapt them to your brand.
Threat blocks, traffic patterns, suspicious endpoints, and risk reduction summary. The standard rhythm your clients expect.
Executive summary plus technical appendix from a 7-to-14 day deployment. Customer-ready language. Recommended next actions.
Suggested KPIs partners showcase: threats blocked per period, alert volume reduction, analyst time saved, downtime avoided. All sourced from Shield evidence.
Every connection Shield blocks or permits is backed by detail-level record. When a client, auditor, or insurer asks what happened, the answer is already in the tenant.
Pull evidence the way an auditor wants to see it: timestamped, per-connection, with source and destination intact. No custom parsers, no weird blobs.
Every permitted or killed connection has an evidence trail. Shield does not process GDPR or HIPAA-regulated data as part of its operation, so those frameworks don’t apply to it.
Shield OnPremise supports syslog output for sending real-time Shield traffic blocking log events to a remote syslog server or SIEM tool. This is the primary integration path for MSSPs who need Shield event data in Splunk, QRadar, Sentinel, or any SIEM that ingests standard syslog.
Detailed message format examples and field definitions are available in the Shield OnPrem Syslog technical note. Contact your Intrusion solutions engineer for the full documentation.
Request Syslog Technical Documentation →RECOMMENDED NEXT STEP