This guide covers every step of the client onboarding workflow in Gridlock — from creating the client organization record to delivering the first security report. The entire process takes approximately 10 minutes of active work per client. The Onboarding Agent handles the rest automatically in the background.
Follow the sections in order for a first onboarding. Once you have done it two or three times, you will naturally compress several steps together. Experienced Gridlock MSPs typically onboard a new client in a single 8-minute session.
Have the following ready before you begin: the client's primary domain name, their industry vertical, and a contact name and email address at the client organization. You do not need network credentials, VPN access, or administrative credentials at this stage. The Onboarding Agent works from publicly available data for the initial sweep. Internal asset discovery (via the optional connector) can be added after the initial onboarding is complete.
Gridlock's onboarding is designed around a single principle: get a client from zero to a working security baseline in under 10 minutes, without requiring any action from the client themselves. The Onboarding Agent drives this process from start to finish, handing off to you only at decision points that require human judgment.
The flow has five automated phases that run sequentially after you create the client record:
Phase 1 — Asset Discovery (0–3 minutes): The Onboarding Agent enumerates the client's public attack surface using DNS lookups, certificate transparency logs, port scanning, and service banner detection. It maps every reachable hostname, IP address, and open service associated with the client's primary domain.
Phase 2 — Security Baseline (3–5 minutes): Each discovered asset is evaluated against a set of baseline security checks: TLS/SSL configuration quality, DNS security records (SPF, DMARC, DKIM), certificate expiry, known-bad service configurations, and HTTP security headers. The results produce the client's initial security score.
Phase 3 — CVE Correlation (5–7 minutes): The Threat Researcher agent cross-references every detected software version against the NVD vulnerability database. Any matching CVEs are attached to the relevant asset with CVSS score, severity band, and a plain-English description of the risk.
Phase 4 — Compliance Pre-Assessment (7–9 minutes): Using the client's industry vertical and the compliance frameworks you have assigned, the Compliance Agent performs a preliminary gap assessment against the applicable control set. This is not a full audit, but it produces a working compliance score and identifies the highest-priority control gaps.
Phase 5 — Report Generation (9–10 minutes): The Account Manager agent compiles the results from phases 1 through 4 into an Onboarding Summary report. This report is ready to deliver to the client immediately, or to use internally as the starting point for your remediation planning.
Every client in Gridlock is represented as an Organization. Organizations are isolated from one another — an agent scan, report, or finding associated with one client cannot be seen from another client's context, even by users with Admin access who navigate between accounts.
In the dashboard, navigate to Clients → Add Client. The form has four required fields and several optional ones. Fill in the following:
acmecorp.com). Do not include a protocol prefix or trailing slash.
Optional but recommended fields:
10.10.0.0/16), enter them now. These are used if you later install the
optional network connector for internal asset discovery.
Gridlock performs port scanning and service probing against the domains you enter. Only add domains that belong to the client you are onboarding. You are responsible for ensuring you have authorization to scan each domain. Gridlock logs all scan activity with timestamps and your account credentials for compliance and audit purposes.
Click Save & Start Onboarding. This creates the organization record and immediately queues the Onboarding Agent for the first asset discovery sweep. You will see a status indicator on the client card change to Scanning within a few seconds.
You do not need to stay on this page. The sweep runs in the background. Gridlock will send you a notification (via your configured alert channel) when the sweep completes and the initial results are ready to review.
The Onboarding Agent runs automatically after you save the client record. You can also trigger it manually at any time from Agents → Onboarding Agent → Run for Client. This section explains what the agent does during each phase so you understand the results when they appear.
The agent begins with DNS enumeration: it resolves A, AAAA, CNAME, MX, NS, and TXT records for the primary domain and all subdomains it can discover through permutation, certificate transparency logs, and passive DNS sources. Each resolved hostname is then probed for open ports across a standard MSP-relevant port set (20, 21, 22, 23, 25, 53, 80, 110, 143, 389, 443, 445, 3306, 3389, 5900, 8080, 8443, and others based on detected service types).
For each open port, the agent grabs the service banner and attempts to identify the software name and version. This is what feeds the CVE correlation step. Accurate version detection is critical to the quality of the vulnerability findings — the more precise the banner, the more specific the CVE match.
After discovery, the agent evaluates each asset against a set of weighted baseline checks. The checks are grouped into five categories, each contributing to the overall security score:
p=none receives half credit; p=reject or
p=quarantine receives full credit), DKIM presence.
The Compliance Agent maps the asset inventory and baseline findings against the control requirements of each assigned framework. For a freshly onboarded client, the pre-assessment focuses on the subset of controls that are directly observable from the external scan — roughly 30 to 40 percent of the total control set depending on the framework.
Controls that require internal evidence (policy documents, access control lists, training records) are flagged as Pending Evidence rather than failed. This gives the client credit for controls they likely already satisfy even though Gridlock cannot verify them externally. You can update these manually as you collect evidence from the client.
The onboarding pre-assessment is not a formal compliance audit and should not be presented to the client as one. It is a working starting point that identifies the highest-priority gaps. A full compliance assessment, including evidence collection and control testing, typically requires 2 to 4 weeks of engagement. The pre-assessment gets you and the client to a shared understanding of the baseline in 10 minutes.
When the Onboarding Agent sweep completes, the client's dashboard populates with findings. The volume and severity of findings varies considerably by client. A small professional services firm with a single domain might have 8 findings; a mid-market company with 15 subdomains and a legacy stack might have 60. Neither number is inherently good or bad at this stage.
The security score is displayed prominently on the client's overview page as a number from 0 to 100. The score is calculated from the five weighted categories described in the previous section. Use the following bands to frame the score when discussing it with clients:
The vast majority of new clients score between 40 and 65 on initial assessment. A low score at onboarding is not a cause for alarm — it is an opportunity. Frame it as a before picture; the upward trend over the following weeks is the value you are delivering.
Below the score, findings are listed in a prioritized table sorted by severity (Critical, High, Medium, Low, Informational). For each finding you will see:
On the first scan, focus your triage on the following finding categories in order:
The findings view is designed for your internal triage, not client communication. Raw findings list technical vulnerability details including CVE identifiers, CVSS scores, and affected service versions. Sending this list to a client without context often causes alarm disproportionate to actual risk. Use the report generation workflow (covered in Step 7) to produce a properly framed client-facing document instead.
As you review findings, tag each one with a status. This improves the quality of subsequent scans by teaching the agents which findings are meaningful in this specific environment:
After the initial scan, configure the per-client settings that control how Gridlock monitors and reports on this client going forward. Navigate to the client's organization page and open the Settings tab.
Default alert thresholds apply to all clients unless you override them here. Review the following thresholds for each new client and adjust based on their risk profile and your knowledge of their environment:
Assign one or more compliance frameworks to the client from Settings → Compliance. If the client has a specific audit requirement, select the exact framework version. If you are unsure, use the following as a starting guide:
The default scan schedule runs once every 24 hours. Adjust the schedule based on the client's change velocity and risk tolerance:
Your plan tier controls the number of concurrent scans Gridlock can run. Starter: 5 concurrent. Pro: 25 concurrent. Ultimate: unlimited. If your client count exceeds your concurrent scan limit, Gridlock automatically queues scans and distributes them across the available window to ensure every client is scanned within its configured interval.
Gridlock supports a client portal that gives designated contacts at the client organization read-only access to their own security dashboard. This is one of the highest-value features for MSP client retention: clients who can see their own security data in real time renew at a significantly higher rate than those who receive only periodic email reports.
Navigate to Clients → [Client Name] → Settings → Portal Access and toggle Client Portal on. By default, portal access is disabled for all new clients. Once enabled, you can invite contacts to the portal.
Click Invite Contact and enter the contact's name, email address, and their role at the client organization. The role field is for your reference only — all client portal users have the same permission level (read-only, scoped to their organization). The contact receives an invitation email with a link to set their password. The invitation link expires after 72 hours.
What client portal users can see:
What client portal users cannot see:
You can control how much technical detail client portal users see on the findings page. Navigate to Settings → Portal → Finding Detail Level and choose between Summary (severity and recommended action only), Standard (includes CVE IDs and affected assets), or Full (all fields). Most MSPs use Summary for the initial onboarding period and move to Standard after the first QBR conversation.
In some client relationships — particularly where the client has their own internal IT team — you may want to give the client team a slightly higher level of access that allows them to add notes and tag findings without being able to change settings or run agents. This is the Partner access level, distinct from the standard viewer role. Enable it from Settings → Portal → Access Level on the client's settings page.
Gridlock integrates with the tools already in your MSP stack. Configuring integrations at the client level connects Gridlock's findings to the workflows your team actually uses. The most commonly configured integrations are PSA (Professional Services Automation) tools and RMM (Remote Monitoring and Management) platforms.
To connect a client's Gridlock account to a ConnectWise Manage company record, navigate to Clients → [Client Name] → Integrations → ConnectWise. You will need:
Once configured, any new Gridlock finding meeting the severity threshold will automatically create a ConnectWise ticket with the finding title, impact summary, recommended action, and a direct link back to the finding in the Gridlock dashboard. When the ticket is resolved in ConnectWise, the finding in Gridlock is automatically marked as remediated.
The Autotask integration works identically to the ConnectWise integration. Navigate to Clients → [Client Name] → Integrations → Autotask. You will need the Autotask Account ID for the client, the queue to route tickets to, and your preferred priority mapping. The bi-directional sync (ticket resolution triggers finding remediation in Gridlock) is also supported.
PSA credentials are configured once at the MSP account level under Settings → Integrations. You do not need to re-enter API keys for each client. The per-client configuration only maps the Gridlock client account to the correct record in your PSA system.
Gridlock supports direct integration with several RMM platforms for internal asset discovery beyond what the external scan can reach. Supported platforms include ConnectWise Automate, NinjaRMM, Datto RMM, and Syncro. The RMM integration supplements the external asset discovery with:
To enable the RMM integration for a client, navigate to Clients → [Client Name] → Integrations → RMM, select your RMM platform, and enter the client's site or organization ID from your RMM. After connecting, the Onboarding Agent will run a supplementary internal sweep using the RMM data and update the asset inventory and findings accordingly.
For per-client notification routing — for example, sending this client's High findings to a dedicated Slack channel shared with the client — navigate to Clients → [Client Name] → Integrations → Notifications and add a webhook URL. All Gridlock events for this client (new findings, resolved findings, scan completions, report availability) will be posted to the configured webhook in a structured JSON format compatible with Slack's incoming webhook API.
The first report you deliver to a new client sets the tone for the entire relationship. It should communicate three things clearly: what you found, what it means, and what you plan to do about it. The Onboarding Summary report template is designed specifically for this conversation.
Navigate to Reports → Generate Report and select the client. Choose the Onboarding Summary template. This template produces a polished, client-ready document that includes:
Before generating the report, review the executive summary draft in the preview pane. The Account Manager agent writes the summary from the scan data, but you should verify that the framing is appropriate for your specific client relationship. If the tone is too alarming for a client who expects a softer introduction, edit the summary directly in the preview before generating the final PDF.
Run through the following checklist before delivering the report to the client:
You have three delivery options:
Schedule a 30-minute call with the client when you deliver the first report. Walking through the findings together — even remotely — is far more effective than sending a PDF and waiting for questions. Use the call to explain the security score bands, prioritize the top three actions together, and set expectations for what the next 30 days look like. Clients who have this conversation at onboarding have a significantly higher 12-month retention rate.
The following issues come up regularly when onboarding new clients. Most have straightforward resolutions that do not require support.
This typically means the primary domain has aggressive DNS rate limiting, or the client has parked a domain that has no public-facing services. Check the following:
acme.com but you entered acmecorp.com, the
sweep will return minimal results.
This is almost always a banner detection issue: a service is returning a version string from a different piece of software, or the port is responding in a way that looks like a known service to the scanner. Tag the finding as a False Positive, select "Inaccurate version detection" as the reason, and add a note explaining what the port actually is. The finding will be suppressed in future scans.
Alternatively, the service may be real but the client is unaware of it. Shadow IT and forgotten legacy services are common findings at onboarding. Before tagging as false positive, confirm with the client that the port genuinely has no active service.
The pre-assessment score is based only on observable evidence from the external scan. It does not account for policies, procedures, access controls, or other controls that exist in the client's environment but are not detectable from outside. The most common cause of a low initial score is that the Compliance Agent is correctly marking unverifiable controls as Pending Evidence rather than Met.
To improve the score quickly, go to Compliance → Control Gaps for the client and look for controls marked Pending Evidence. For each control where you know the client satisfies the requirement (e.g., they have MFA enabled on their email system, or they have a written security policy), mark it as Met and attach any available evidence (a screenshot, a policy document, or a brief note). This immediately updates the compliance score to reflect reality.
Sweep duration scales with the number of assets discovered. A client with a large number of subdomains or a complex service environment may take 10 to 15 minutes instead of the typical 3 to 5. If a sweep appears to be stalled for more than 30 minutes, navigate to Agents → Onboarding Agent → Status and check the activity log. Common causes of delays:
If the status log shows no activity for more than 15 minutes, click Restart Sweep to re-queue the agent.
When ticket creation to ConnectWise or Autotask fails, an error is logged under Clients → [Client Name] → Integrations → Activity Log. The most common causes are:
Invitation emails come from the sending domain configured under Settings → Email. If the client reports not receiving the invitation:
Use this checklist for every new client onboarding. A complete onboarding should take approximately 10 minutes of active work per client.
Once all checklist items are marked, the client is fully onboarded. From this point, all six AI agents are active for the client: the Onboarding Agent monitors for new assets, the Threat Researcher runs daily CVE correlation, the Compliance Agent tracks framework progress, the Tech Support agent is available for ticket automation, the Account Manager monitors health and churn risk, and the MSP Hunter can use this client's profile to find similar prospects. You do not need to take any further action for ongoing monitoring — the agents handle it.
Deep dive into what the Onboarding Agent discovers, how to tune scan profiles, and how to add assets manually.
Week-by-week guide to getting maximum value from Gridlock in your first month as an MSP.
Framework setup, gap analysis workflows, evidence collection, and generating audit-ready reports.
CVE correlation, MITRE ATT&CK mapping, and configuring daily threat briefing delivery for each client.
Client health scoring, churn risk indicators, expansion opportunity detection, and report scheduling.
What changes when you manage 50+ clients and how to prepare Gridlock workflows for scale.