Getting Started
Quick Start Architecture
AI Agents
MSP Hunter Threat Researcher Tech Support Compliance Agent Account Manager Onboarding Agent
Compliance
HIPAA SOC 2 PCI-DSS NIST
Guides
First 30 Days Client Onboarding Scaling
API
Overview Endpoints

Client Onboarding with Gridlock

📖 MSP Guide 22 min read Updated June 2026

This guide covers every step of the client onboarding workflow in Gridlock — from creating the client organization record to delivering the first security report. The entire process takes approximately 10 minutes of active work per client. The Onboarding Agent handles the rest automatically in the background.

Follow the sections in order for a first onboarding. Once you have done it two or three times, you will naturally compress several steps together. Experienced Gridlock MSPs typically onboard a new client in a single 8-minute session.

What You Need Before Starting

Have the following ready before you begin: the client's primary domain name, their industry vertical, and a contact name and email address at the client organization. You do not need network credentials, VPN access, or administrative credentials at this stage. The Onboarding Agent works from publicly available data for the initial sweep. Internal asset discovery (via the optional connector) can be added after the initial onboarding is complete.

Overview: The Automated Onboarding Flow

Gridlock's onboarding is designed around a single principle: get a client from zero to a working security baseline in under 10 minutes, without requiring any action from the client themselves. The Onboarding Agent drives this process from start to finish, handing off to you only at decision points that require human judgment.

The flow has five automated phases that run sequentially after you create the client record:

Phase 1 — Asset Discovery (0–3 minutes): The Onboarding Agent enumerates the client's public attack surface using DNS lookups, certificate transparency logs, port scanning, and service banner detection. It maps every reachable hostname, IP address, and open service associated with the client's primary domain.

Phase 2 — Security Baseline (3–5 minutes): Each discovered asset is evaluated against a set of baseline security checks: TLS/SSL configuration quality, DNS security records (SPF, DMARC, DKIM), certificate expiry, known-bad service configurations, and HTTP security headers. The results produce the client's initial security score.

Phase 3 — CVE Correlation (5–7 minutes): The Threat Researcher agent cross-references every detected software version against the NVD vulnerability database. Any matching CVEs are attached to the relevant asset with CVSS score, severity band, and a plain-English description of the risk.

Phase 4 — Compliance Pre-Assessment (7–9 minutes): Using the client's industry vertical and the compliance frameworks you have assigned, the Compliance Agent performs a preliminary gap assessment against the applicable control set. This is not a full audit, but it produces a working compliance score and identifies the highest-priority control gaps.

Phase 5 — Report Generation (9–10 minutes): The Account Manager agent compiles the results from phases 1 through 4 into an Onboarding Summary report. This report is ready to deliver to the client immediately, or to use internally as the starting point for your remediation planning.

~10 min Total onboarding time per client
<2 min Active work required from you
0 Actions required from the client
5 Automated analysis phases

Step 1: Creating a New Client Organization

Every client in Gridlock is represented as an Organization. Organizations are isolated from one another — an agent scan, report, or finding associated with one client cannot be seen from another client's context, even by users with Admin access who navigate between accounts.

Creating the organization record

In the dashboard, navigate to Clients → Add Client. The form has four required fields and several optional ones. Fill in the following:

Optional but recommended fields:

Domain Ownership Verification

Gridlock performs port scanning and service probing against the domains you enter. Only add domains that belong to the client you are onboarding. You are responsible for ensuring you have authorization to scan each domain. Gridlock logs all scan activity with timestamps and your account credentials for compliance and audit purposes.

Saving and triggering the sweep

Click Save & Start Onboarding. This creates the organization record and immediately queues the Onboarding Agent for the first asset discovery sweep. You will see a status indicator on the client card change to Scanning within a few seconds.

You do not need to stay on this page. The sweep runs in the background. Gridlock will send you a notification (via your configured alert channel) when the sweep completes and the initial results are ready to review.

Step 2: Running the Onboarding Agent

The Onboarding Agent runs automatically after you save the client record. You can also trigger it manually at any time from Agents → Onboarding Agent → Run for Client. This section explains what the agent does during each phase so you understand the results when they appear.

Asset discovery

The agent begins with DNS enumeration: it resolves A, AAAA, CNAME, MX, NS, and TXT records for the primary domain and all subdomains it can discover through permutation, certificate transparency logs, and passive DNS sources. Each resolved hostname is then probed for open ports across a standard MSP-relevant port set (20, 21, 22, 23, 25, 53, 80, 110, 143, 389, 443, 445, 3306, 3389, 5900, 8080, 8443, and others based on detected service types).

For each open port, the agent grabs the service banner and attempts to identify the software name and version. This is what feeds the CVE correlation step. Accurate version detection is critical to the quality of the vulnerability findings — the more precise the banner, the more specific the CVE match.

What the Agent Discovers
  • Public-facing IP addresses and associated hostnames
  • Open TCP ports and service banners with version strings
  • DNS email security records: SPF, DMARC, DKIM presence and validity
  • SSL/TLS certificate details: expiry date, issuer, cipher suite grade, SANs
  • HTTP security headers: HSTS, CSP, X-Frame-Options, Referrer-Policy
  • Web server technology fingerprints (Apache, Nginx, IIS, etc.)
  • CMS and application framework indicators (WordPress version, Drupal, etc.)

Security baseline scoring

After discovery, the agent evaluates each asset against a set of weighted baseline checks. The checks are grouped into five categories, each contributing to the overall security score:

Compliance pre-assessment

The Compliance Agent maps the asset inventory and baseline findings against the control requirements of each assigned framework. For a freshly onboarded client, the pre-assessment focuses on the subset of controls that are directly observable from the external scan — roughly 30 to 40 percent of the total control set depending on the framework.

Controls that require internal evidence (policy documents, access control lists, training records) are flagged as Pending Evidence rather than failed. This gives the client credit for controls they likely already satisfy even though Gridlock cannot verify them externally. You can update these manually as you collect evidence from the client.

Pre-Assessment vs. Full Assessment

The onboarding pre-assessment is not a formal compliance audit and should not be presented to the client as one. It is a working starting point that identifies the highest-priority gaps. A full compliance assessment, including evidence collection and control testing, typically requires 2 to 4 weeks of engagement. The pre-assessment gets you and the client to a shared understanding of the baseline in 10 minutes.

Step 3: Interpreting the First Scan Results

When the Onboarding Agent sweep completes, the client's dashboard populates with findings. The volume and severity of findings varies considerably by client. A small professional services firm with a single domain might have 8 findings; a mid-market company with 15 subdomains and a legacy stack might have 60. Neither number is inherently good or bad at this stage.

Reading the security score

The security score is displayed prominently on the client's overview page as a number from 0 to 100. The score is calculated from the five weighted categories described in the previous section. Use the following bands to frame the score when discussing it with clients:

0 – 39 Critical posture. Multiple high-severity findings likely including exposed services or known-exploitable CVEs. Immediate remediation conversation required.
40 – 59 Poor posture. Common baseline misconfigurations present (missing DMARC, weak TLS, expired certificates). Typical starting point for clients with no prior security investment.
60 – 74 Fair posture. Most critical gaps are addressed but medium-severity findings need attention. Expected range for clients who have taken basic security steps.
75 – 100 Good to excellent posture. Well-configured environment. Focus shifts to compliance depth and fine-tuning rather than remediation of critical gaps.

The vast majority of new clients score between 40 and 65 on initial assessment. A low score at onboarding is not a cause for alarm — it is an opportunity. Frame it as a before picture; the upward trend over the following weeks is the value you are delivering.

Identifying gaps and critical findings

Below the score, findings are listed in a prioritized table sorted by severity (Critical, High, Medium, Low, Informational). For each finding you will see:

On the first scan, focus your triage on the following finding categories in order:

  1. Critical CVEs on public-facing services: Any CVE with CVSS 9.0 or higher attached to a service exposed on a public IP. These represent the highest probability of active exploitation. Create a remediation ticket immediately.
  2. Exposed administrative interfaces: RDP (port 3389), SSH (port 22), or database ports (3306, 1433, 5432) accessible from the public internet. These are common ransomware entry points and should be restricted as a first priority.
  3. Missing or invalid DMARC: A missing DMARC record means the client's domain can be spoofed in phishing emails. This is both a security risk and a compliance gap under most frameworks. It is also a low-effort, high-impact fix.
  4. Expiring TLS certificates: Any certificate expiring within 30 days. Certificate expiry causes outages, not just security issues, which makes it easy to explain urgency to clients.
  5. High CVEs on public services: CVSS 7.0 to 8.9. Schedule remediation within the next two weeks.
Do Not Share Raw Findings Directly with Clients

The findings view is designed for your internal triage, not client communication. Raw findings list technical vulnerability details including CVE identifiers, CVSS scores, and affected service versions. Sending this list to a client without context often causes alarm disproportionate to actual risk. Use the report generation workflow (covered in Step 7) to produce a properly framed client-facing document instead.

Tagging findings during initial triage

As you review findings, tag each one with a status. This improves the quality of subsequent scans by teaching the agents which findings are meaningful in this specific environment:

Step 4: Configuring Per-Client Settings

After the initial scan, configure the per-client settings that control how Gridlock monitors and reports on this client going forward. Navigate to the client's organization page and open the Settings tab.

Alert thresholds

Default alert thresholds apply to all clients unless you override them here. Review the following thresholds for each new client and adjust based on their risk profile and your knowledge of their environment:

Compliance frameworks

Assign one or more compliance frameworks to the client from Settings → Compliance. If the client has a specific audit requirement, select the exact framework version. If you are unsure, use the following as a starting guide:

Scan schedules

The default scan schedule runs once every 24 hours. Adjust the schedule based on the client's change velocity and risk tolerance:

Scan Capacity by Plan

Your plan tier controls the number of concurrent scans Gridlock can run. Starter: 5 concurrent. Pro: 25 concurrent. Ultimate: unlimited. If your client count exceeds your concurrent scan limit, Gridlock automatically queues scans and distributes them across the available window to ensure every client is scanned within its configured interval.

Step 5: Inviting Client Contacts

Gridlock supports a client portal that gives designated contacts at the client organization read-only access to their own security dashboard. This is one of the highest-value features for MSP client retention: clients who can see their own security data in real time renew at a significantly higher rate than those who receive only periodic email reports.

Enabling the client portal

Navigate to Clients → [Client Name] → Settings → Portal Access and toggle Client Portal on. By default, portal access is disabled for all new clients. Once enabled, you can invite contacts to the portal.

Adding a client contact

Click Invite Contact and enter the contact's name, email address, and their role at the client organization. The role field is for your reference only — all client portal users have the same permission level (read-only, scoped to their organization). The contact receives an invitation email with a link to set their password. The invitation link expires after 72 hours.

What client portal users can see:

What client portal users cannot see:

Controlling Finding Detail Visibility

You can control how much technical detail client portal users see on the findings page. Navigate to Settings → Portal → Finding Detail Level and choose between Summary (severity and recommended action only), Standard (includes CVE IDs and affected assets), or Full (all fields). Most MSPs use Summary for the initial onboarding period and move to Standard after the first QBR conversation.

Viewer-only vs. partner access

In some client relationships — particularly where the client has their own internal IT team — you may want to give the client team a slightly higher level of access that allows them to add notes and tag findings without being able to change settings or run agents. This is the Partner access level, distinct from the standard viewer role. Enable it from Settings → Portal → Access Level on the client's settings page.

Step 6: Setting Up Integrations for the Client

Gridlock integrates with the tools already in your MSP stack. Configuring integrations at the client level connects Gridlock's findings to the workflows your team actually uses. The most commonly configured integrations are PSA (Professional Services Automation) tools and RMM (Remote Monitoring and Management) platforms.

PSA integration: ConnectWise Manage

To connect a client's Gridlock account to a ConnectWise Manage company record, navigate to Clients → [Client Name] → Integrations → ConnectWise. You will need:

  1. Company ID: the ConnectWise Company ID (numeric) for the client record in your ConnectWise instance.
  2. Board and Status: the service board and default ticket status where Gridlock should create tickets. This can be different per client — for example, routing a high-compliance healthcare client's tickets to a dedicated security board while routing general clients to your standard service board.
  3. Priority Mapping: map Gridlock severity bands (Critical, High, Medium, Low) to ConnectWise priority levels. By default: Critical maps to Priority 1, High to Priority 2, Medium to Priority 3, Low to Priority 4.
  4. Auto-Create Tickets: choose whether Gridlock automatically creates tickets for new findings or only creates them when you click Create Ticket manually on a finding. For most MSPs, auto-create for High and above is the right default.

Once configured, any new Gridlock finding meeting the severity threshold will automatically create a ConnectWise ticket with the finding title, impact summary, recommended action, and a direct link back to the finding in the Gridlock dashboard. When the ticket is resolved in ConnectWise, the finding in Gridlock is automatically marked as remediated.

PSA integration: Autotask

The Autotask integration works identically to the ConnectWise integration. Navigate to Clients → [Client Name] → Integrations → Autotask. You will need the Autotask Account ID for the client, the queue to route tickets to, and your preferred priority mapping. The bi-directional sync (ticket resolution triggers finding remediation in Gridlock) is also supported.

Shared PSA Credentials

PSA credentials are configured once at the MSP account level under Settings → Integrations. You do not need to re-enter API keys for each client. The per-client configuration only maps the Gridlock client account to the correct record in your PSA system.

RMM integration

Gridlock supports direct integration with several RMM platforms for internal asset discovery beyond what the external scan can reach. Supported platforms include ConnectWise Automate, NinjaRMM, Datto RMM, and Syncro. The RMM integration supplements the external asset discovery with:

To enable the RMM integration for a client, navigate to Clients → [Client Name] → Integrations → RMM, select your RMM platform, and enter the client's site or organization ID from your RMM. After connecting, the Onboarding Agent will run a supplementary internal sweep using the RMM data and update the asset inventory and findings accordingly.

Webhook and Slack/Teams notifications

For per-client notification routing — for example, sending this client's High findings to a dedicated Slack channel shared with the client — navigate to Clients → [Client Name] → Integrations → Notifications and add a webhook URL. All Gridlock events for this client (new findings, resolved findings, scan completions, report availability) will be posted to the configured webhook in a structured JSON format compatible with Slack's incoming webhook API.

Step 7: Delivering the First Security Report

The first report you deliver to a new client sets the tone for the entire relationship. It should communicate three things clearly: what you found, what it means, and what you plan to do about it. The Onboarding Summary report template is designed specifically for this conversation.

Generating the Onboarding Summary report

Navigate to Reports → Generate Report and select the client. Choose the Onboarding Summary template. This template produces a polished, client-ready document that includes:

Before generating the report, review the executive summary draft in the preview pane. The Account Manager agent writes the summary from the scan data, but you should verify that the framing is appropriate for your specific client relationship. If the tone is too alarming for a client who expects a softer introduction, edit the summary directly in the preview before generating the final PDF.

Reviewing before delivery

Run through the following checklist before delivering the report to the client:

Delivering the report

You have three delivery options:

  1. Download PDF: generates a PDF you can attach to an email or present in a meeting. Most appropriate for initial onboarding conversations where you want to walk through the findings live.
  2. Share via Client Portal: publishes the report to the client's portal where they can view it at any time. Use this if the client has portal access configured and you want them to be able to reference the report later.
  3. Send via Email: Gridlock sends the report directly from your configured sending domain (requires email configuration in Settings). The email includes a brief summary message and a link to view the full report in the client portal.
Onboarding Report Best Practice

Schedule a 30-minute call with the client when you deliver the first report. Walking through the findings together — even remotely — is far more effective than sending a PDF and waiting for questions. Use the call to explain the security score bands, prioritize the top three actions together, and set expectations for what the next 30 days look like. Clients who have this conversation at onboarding have a significantly higher 12-month retention rate.

Common Onboarding Issues and Solutions

The following issues come up regularly when onboarding new clients. Most have straightforward resolutions that do not require support.

The sweep completes but the asset inventory is empty or very sparse

This typically means the primary domain has aggressive DNS rate limiting, or the client has parked a domain that has no public-facing services. Check the following:

A finding appears for a service the client says does not exist

This is almost always a banner detection issue: a service is returning a version string from a different piece of software, or the port is responding in a way that looks like a known service to the scanner. Tag the finding as a False Positive, select "Inaccurate version detection" as the reason, and add a note explaining what the port actually is. The finding will be suppressed in future scans.

Alternatively, the service may be real but the client is unaware of it. Shadow IT and forgotten legacy services are common findings at onboarding. Before tagging as false positive, confirm with the client that the port genuinely has no active service.

The compliance pre-assessment score seems too low

The pre-assessment score is based only on observable evidence from the external scan. It does not account for policies, procedures, access controls, or other controls that exist in the client's environment but are not detectable from outside. The most common cause of a low initial score is that the Compliance Agent is correctly marking unverifiable controls as Pending Evidence rather than Met.

To improve the score quickly, go to Compliance → Control Gaps for the client and look for controls marked Pending Evidence. For each control where you know the client satisfies the requirement (e.g., they have MFA enabled on their email system, or they have a written security policy), mark it as Met and attach any available evidence (a screenshot, a policy document, or a brief note). This immediately updates the compliance score to reflect reality.

The Onboarding Agent sweep is taking longer than expected

Sweep duration scales with the number of assets discovered. A client with a large number of subdomains or a complex service environment may take 10 to 15 minutes instead of the typical 3 to 5. If a sweep appears to be stalled for more than 30 minutes, navigate to Agents → Onboarding Agent → Status and check the activity log. Common causes of delays:

If the status log shows no activity for more than 15 minutes, click Restart Sweep to re-queue the agent.

PSA ticket creation is failing

When ticket creation to ConnectWise or Autotask fails, an error is logged under Clients → [Client Name] → Integrations → Activity Log. The most common causes are:

Client portal invitation email was not received

Invitation emails come from the sending domain configured under Settings → Email. If the client reports not receiving the invitation:

Onboarding Checklist

Use this checklist for every new client onboarding. A complete onboarding should take approximately 10 minutes of active work per client.

Before you start

Organization setup

After the sweep completes

Integrations and access

First report

Onboarding Complete

Once all checklist items are marked, the client is fully onboarded. From this point, all six AI agents are active for the client: the Onboarding Agent monitors for new assets, the Threat Researcher runs daily CVE correlation, the Compliance Agent tracks framework progress, the Tech Support agent is available for ticket automation, the Account Manager monitors health and churn risk, and the MSP Hunter can use this client's profile to find similar prospects. You do not need to take any further action for ongoing monitoring — the agents handle it.