How Integrations Work
When you connect an integration, Wirespeed automatically:
- Syncs your data — We pull user directories, endpoint inventories, and detection history to build context about your environment
- Ingests detections — Security alerts flow into Wirespeed in real-time from your detection platforms
- Enriches and triages — Each detection is automatically enriched with context and triaged using our verdict system
- Takes action — Based on your configured verdicts, Wirespeed can contain threats, notify users via chat ops, or escalate to your team
All integrations use secure OAuth or API tokens. We request only the permissions necessary to deliver our service and never store credentials in plain text.
Webhook Rate Limiting
Integrations that deliver data via webhooks are subject to a rate limit of 600 requests per minute per team. If a team exceeds this limit, Wirespeed will respond with HTTP 429 Too Many Requests until the rate drops below the threshold. This protects the platform from misconfigured or overly aggressive webhook sources.
If you encounter rate limiting, check whether the source system is sending duplicate or unnecessary events and reduce the webhook frequency accordingly.
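A sender-side guard for the limit described above, as an added example (not Wirespeed code): it drops duplicate events and paces the rest under 600 requests per minute. The sliding 60-second window, the 300-second dedup lifetime, the 30-second hold after a 429, and the event fields are assumptions made for illustration.

```python
import hashlib
import json
from collections import deque

LIMIT = 600      # requests per minute per team, from the page
WINDOW = 60.0    # seconds; a sliding window is assumed here


class WebhookPacer:
    """Sender-side guard: drops duplicate events and paces the rest."""

    def __init__(self, limit=LIMIT, window=WINDOW, dedup_ttl=300.0):
        self.limit, self.window, self.dedup_ttl = limit, window, dedup_ttl
        self._sent = deque()        # send times inside the current window
        self._seen = {}             # event fingerprint -> time it was sent
        self._blocked_until = 0.0   # set after the receiver answers 429

    @staticmethod
    def fingerprint(event):
        # Canonical JSON so key order does not defeat deduplication.
        blob = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(blob.encode()).hexdigest()

    def note_429(self, now, backoff=30.0):
        """Record a 429 response; hold all sends for `backoff` seconds."""
        self._blocked_until = max(self._blocked_until, now + backoff)

    def decide(self, event, now):
        """Return ("send", 0.0), ("duplicate", 0.0) or ("wait", seconds)."""
        while self._sent and now - self._sent[0] >= self.window:
            self._sent.popleft()
        self._seen = {f: t for f, t in self._seen.items()
                      if now - t < self.dedup_ttl}
        fp = self.fingerprint(event)
        if fp in self._seen:
            return ("duplicate", 0.0)
        if now < self._blocked_until:
            return ("wait", self._blocked_until - now)
        if len(self._sent) >= self.limit:
            return ("wait", self.window - (now - self._sent[0]))
        self._sent.append(now)
        self._seen[fp] = now
        return ("send", 0.0)


if __name__ == "__main__":
    pacer = WebhookPacer()
    # Constructed burst: 650 distinct alerts arriving in the same instant.
    burst = [pacer.decide({"alert_id": i}, now=0.0)[0] for i in range(650)]
    print(burst.count("send"), "sent,", burst.count("wait"), "held back")
```

Events answered with "wait" are not marked as seen, so they can be retried once the returned delay has passed.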
Beta Integrations
Some integrations are marked as beta while we refine their capabilities. Beta integrations work for detection ingestion, asset syncing, and manual actions, but have one important limitation: Beta integrations are labeled in the platform. Once an integration graduates from beta, auto-containment will apply normally.
Integration Categories
Detection Sources
EDR, XDR, and SIEM platforms that generate security alerts
User Directories
Identity providers that define your users and their attributes
Endpoint Management
MDM and endpoint platforms that inventory your devices
Communication
Chat and messaging platforms for user verification
Ticketing
Ticket systems for case management and escalation
Enrichment
Threat intelligence and data enrichment services
Detection Sources
Detection sources are the foundation of Wirespeed. These integrations provide the security alerts that Wirespeed automatically triages and responds to. Connect your EDR, XDR, identity protection, or SIEM platform to get started.
AWS
CloudTrail and GuardDuty security events
Check Point Harmony
Unified endpoint and email security
CrowdStrike Falcon
Endpoint detection and incident response
Darktrace
AI-powered network detection and response
Google Alert Center
Google Workspace security alerts
Google Security Center
Google Cloud security findings
Halcyon
Anti-ransomware detection and response
Horizon3 NodeZero
Autonomous pentesting and attack simulation validation
Jamf Protect
Mac-focused endpoint security
Microsoft 365
Defender for Endpoint, Entra ID Protection, Sentinel, and more
Mimecast
Email security and threat protection
Okta
Identity threat detection
Palo Alto Networks Cortex
Cortex XDR/XSIAM alert ingestion and endpoint management
Orca Security
Cloud security posture and workload protection
SafeBreach
Breach and attack simulation
SentinelOne
Autonomous endpoint protection platform
Thinkst Canary
Honeypot-based intrusion detection
Vectra
Network detection and response
Wiz
Cloud security findings and vulnerability ingestion
Wordfence
WordPress security and firewall
User Directories
User directories help Wirespeed understand your organization. We sync users, groups, roles, and managers to enrich detections with context and enable features like VIP protection, chat ops escalation, and user containment.
Cisco Duo
Multi-factor authentication directory
Google Workspace
Google directory and sign-in logs
Microsoft 365
Entra ID (Azure AD) directory sync
Okta
Universal directory and SSO
Endpoint Management
Endpoint management integrations provide device inventory and health data. Wirespeed uses this information to identify critical assets, correlate detections with device context, and enable endpoint containment actions.
CrowdStrike Falcon
Host management and isolation
Halcyon
Endpoint inventory and agent status
Jamf Pro
Apple device management
Kandji
Modern Apple MDM
ManageEngine
AD audit and endpoint monitoring
Microsoft Intune
Cloud-based endpoint management
SentinelOne
Endpoint inventory and containment
Communication
Communication integrations enable Chat Ops—Wirespeed’s ability to verify suspicious activity directly with your users. When a detection requires user verification, we reach out through your existing communication channels.
Email-based user notification
Custom SMTP
Send emails from your own domain
Microsoft Teams
In-app chat ops experience
Slack
Direct message users for verification
SMS verification is available as an add-on to any communication integration for enhanced identity verification. Learn more about SMS Chat Ops.
Ticketing
Ticketing integrations sync Wirespeed cases with your existing ticket management system. Cases and detections can automatically create tickets, and updates flow bidirectionally.
ConnectWise PSA
Professional services automation
Halo ITSM
IT service management ticketing and case sync
Jira Cloud
Atlassian’s cloud-hosted Jira
Jira Data Center
Self-hosted Jira deployment
Enrichment
Enrichment integrations provide additional context and threat intelligence to enhance detection triage. These services help identify known-bad indicators and provide reputation data.
Have I Been Pwned
Credential breach detection
IPinfo
IP address geolocation and ASN data
Reversing Labs
File reputation and malware analysis
Log Forwarding
For platforms without native integrations, Wirespeed supports standard log forwarding protocols and network-based telemetry sources. These allow you to send security events from any source, including firewalls, network devices, and log aggregation platforms.
1Password
Password manager audit and sign-in events
Bitwarden
Organization events and user activity
Box
Cloud content management events
Check Point Firewall (Quantum)
Next-gen firewall and network security events
Cisco Meraki
Cloud-managed network security
Cisco Secure Access
DNS-layer security
Cisco Umbrella
DNS-layer security
Fortinet FortiAnalyzer
Centralized log and analytics
Fortinet FortiGate
Next-gen firewall security events
Generic JSON
Webhook-based JSON ingestion
Generic Syslog
CEF and standard syslog formats
HYAS Protect
Adversary infrastructure intelligence
Microsoft On-Prem AD
On-premises Active Directory
Microsoft Sign-In Logs
Standalone Entra ID sign-in data
ServiceNow
Change request validation for planned maintenance workflows
SonicWall
Next-gen firewall security events
Windows Event Logs
Windows event forwarding
Zscaler ZPA (Syslog)
ZPA App Connector syslog forwarding
Getting Started
Ready to connect your first integration? Here’s the recommended order:
Connect a User Directory
Start with Microsoft 365, Google Workspace, or Okta to import your users and organizational structure.
Add a Detection Source
Connect your primary security platform—Microsoft Defender, CrowdStrike, or SentinelOne are great starting points.
Enable Communication
Set up Slack or Microsoft Teams to enable Chat Ops for user verification.
Configure Containment
Review your containment settings to enable automated threat response.
Need help setting up an integration? Use the Chat button in the Wirespeed platform to talk directly with our engineers, or email support@wirespeed.co.

