find-cybersecurity-firm
Use whenever the user wants to find, shortlist, vet, or enrich US cybersecurity firms — pen-testing/red team, security audits, vCISO, SOC 2 readiness, incident response, managed SOC, IAM, cloud security, and AppSec. Triggers on "find me a pen-testing firm for our SOC 2 audit", "shortlist three vCISO services for our healthcare-tech startup", "we need an incident response retainer", or "pull contact info for these 8 security firm domains", even when described indirectly (we got breached, prepare us for the compliance audit, get us SOC 2 ready). Drives the ServiceGraph API (api.servicegraph.co) — a 100k+ US firm catalog filterable by industry, services, location, size, ratings. Skip in-house security hires, "how do I patch CVE-X" or "configure firewall Y" DIY questions, security-product reviews (CrowdStrike vs SentinelOne, etc.), generic security knowledge questions, consumer/personal security advice, non-US firms, individual freelancers and bug-bounty hunters.
适合你,如果需要为安全审计或合规项目寻找合适的网络安全公司。
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
~/.claude/skills/(项目级 .claude/skills/)~/.codex/skills/npx oh-my-skill add nostrband/servicegraph/find-cybersecurity-firmcurl -fsSL https://oh-my-skill.com/install.sh | bash -s -- nostrband/servicegraph/find-cybersecurity-firmnpx oh-my-skill verify nostrband/servicegraph/find-cybersecurity-firm怎么用
技能原文 SKILL.md
find-cybersecurity-firm
Drive the ServiceGraph API (https://api.servicegraph.co) to find, shortlist, and enrich US cybersecurity firms via the pro_services dataset.
Always pin service_provided:cybersecurity — that's the only relevant structured tag in the live catalog. Older docs and the catalog source mention sub-tags like pen-testing and security-audit, but in the current release none of those exist as separate tags — cybersecurity is the broad catch-all and every sub-type (pen-testing, red-team, vCISO, SOC 2 readiness, IR retainer, IAM, cloud security, AppSec) is a keyword substring search on firm text. Confirm via /v1/datasets/pro_services/fields?include_values=1 once per session.
The industry tag also drifts between releases — newer catalogs may use industry:cybersecurity, older ones used industry:security. Confirm the value via /fields and pin both industry and service_provided:cybersecurity for safety.
Any HTTP client works (curl, fetch, requests). Examples below use curl.
When NOT to use this skill
- Consumer/personal cybersecurity ("my Gmail got hacked", "how do I secure my home wifi") — the catalog is B2B procurement only.
- In-house security hires (Security Engineer, CISO, SOC analyst).
- DIY/configuration questions ("how do I patch CVE-X", "configure firewall rules", "review this Terraform").
- Security-product comparisons (CrowdStrike vs SentinelOne, EDR vendors, SIEM vendors).
- Generic security knowledge ("explain zero-trust", "what is OWASP Top 10").
- Non-US firms / individual freelance pen-testers / bug-bounty hunters.
MCP server (preferred for authed calls)
If your harness has the ServiceGraph MCP server loaded (tools containing servicegraph), prefer those — OAuth 2.1 + PKCE keeps the token in the harness sandbox. Otherwise use the REST flow below.
API surface (dataset id: pro_services)
Every endpoint requires the bearer (Authorization: Bearer vk_…). No anonymous tier.
| Endpoint | Cost | Use it for | |---|---|---| | GET /v1/datasets/pro_services/fields[?include_values=1] | free | Confirm industry value name and cybersecurity is in service_provided. | | GET /v1/datasets/pro_services/check?filter=… | free | Validate filter. | | POST /v1/datasets/pro_services/translate-intent | free | {intent} → DSL filter + sanity count. | | GET /v1/datasets/pro_services/search?filter=…&limit= | free | Brief firm cards + per-row unlock hint + total. | | GET /v1/datasets/pro_services/:apex | free | One row brief; detail only if unlocked. | | POST /v1/datasets/pro_services/unlocks | 10 credits / firm | {apexes:[...]} ≤100; atomic; 30-day TTL on detail. | | GET /v1/me/credits | free | Balance. |
Cost model. Discovery / validation / search / brief reads are free. Detail (url, phone, email, social, address, full platforms map) costs 10 credits per firm and lasts 30 days.
Auth
vk_* API keys minted in the dashboard. Keep the token out of the LLM context — never read .env* into your context; dispatch via shell.
- Try the call first through a shell wrapper that sources
.env.local:
``bash ( set -a; [ -f .env.local ] && . ./.env.local; set +a; curl -sS -H "Authorization: Bearer $SERVICEGRAPH_API_KEY" \ 'https://api.servicegraph.co/v1/datasets/pro_services/fields' ) ``
- On
401prompt the user:
"Open https://servicegraph.co/profile/api-keys, create a key, and addSERVICEGRAPH_API_KEY=vk_…to.env.localhere (or export it). Tell me when done. Please don't paste the key into chat."
- Retry after the user signals ready.
Filter DSL
GitHub-search-style.
filter := orExpr
orExpr := andExpr ("OR" andExpr)*
andExpr := notExpr (("AND")? notExpr)* # whitespace = implicit AND
notExpr := ("NOT" | "-") notExpr | atom
atom := "(" filter ")" | predicate
predicate:= IDENT op valueOrList | bareword
op := ":" | "=" | ">=" | "<=" | ">" | "<"
valueOrList := value ("," value)*
value := IDENT | NUMBER | tagAtEvidence
tagAtEvidence := IDENT "@" ("low"|"medium"|"high")
bareword := IDENT | NUMBER # → keyword:<bareword>
Four rules that bite: AND binds tighter than OR (use parens); comma list = OR within one predicate; negation is -x or NOT x; bareword = keyword search (quote multi-word phrases).
Cybersecurity examples (validate yours with /check; replace cybersecurity with whatever /fields returns as the industry value):
industry:cybersecurity service_provided:cybersecurity service_provided:cybersecurity pen-testing service_provided:cybersecurity "security audit" "soc 2" service_provided:cybersecurity vciso service_provided:cybersecurity "incident response" retainer service_provided:cybersecurity cloud aws service_provided:cybersecurity "application security" sast service_provided:cybersecurity rating>=4 has:clutch service_provided:cybersecurity hipaa
The live catalog has no separate pen-testing / security-audit / appsec tags — pin service_provided:cybersecurity and treat all sub-types as keywords.
Sub-type → keyword mapping (all sub-types are keyword-only):
| User asks for | Use | |---|---| | Pen test / red team | pen-testing, "red team" | | Security audit / assessment | audit, assessment | | vCISO / fractional CISO | vciso, "fractional ciso" | | SOC 2 readiness | "soc 2", readiness | | Incident response / forensics | "incident response", forensics, "ir retainer" | | Cloud security | "cloud security", aws, gcp, azure | | Identity / IAM | iam, identity | | Application security / SAST/DAST | "application security", appsec, sast, dast | | Compliance frameworks | pci, hipaa, "iso 27001", nist |
Identifying firms — apex
Firms are identified by their apex domain (mandiant.com, not www.mandiant.com/about).
Recipes
A. Pen test for SOC 2
User: "Pen-testing firm for our SOC 2 audit."
GET /v1/datasets/pro_services/search?filter=service_provided:cybersecurity+pen-testing+"soc 2"&limit=10
# Present, get pick of 3. "Unlocking 3 = 30 credits, 30-day TTL."
POST /v1/datasets/pro_services/unlocks
{ "apexes": ["firm-a.com", "firm-b.com", "firm-c.com"] }
B. vCISO for a healthcare-tech startup
GET /v1/datasets/pro_services/search?filter=service_provided:cybersecurity+vciso+(healthcare OR hipaa)&limit=10
C. Incident response retainer
User: "Incident response retainer in case we get breached."
GET /v1/datasets/pro_services/search?filter=service_provided:cybersecurity+"incident response"+retainer&limit=10
If thin, drop retainer — most IR firms offer retainer engagements as standard.
D. Cloud security + AWS + HIPAA
GET /v1/datasets/pro_services/search?filter=service_provided:cybersecurity+cloud+aws+hipaa&limit=10
E. Indirect intent — "we got breached"
User: "We got hit with ransomware last week — we need help fast."
That's emergency IR:
GET /v1/datasets/pro_services/search?filter=service_provided:cybersecurity+"incident response"+ransomware&limit=10
Skip validation; present briefs immediately given urgency.
F. AppSec / SAST
GET /v1/datasets/pro_services/search?filter=service_provided:cybersecurity+"application security"+(sast OR "code review")&limit=10
G. SOC 2 readiness ahead of enterprise sales
GET /v1/datasets/pro_services/search?filter=service_provided:cybersecurity+"soc 2"+(readiness OR preparation)&limit=10
H. BYO apex list — enrich domains
User pastes 8–20 cybersecurity firm domains:
GET /v1/datasets/pro_services/:apexper domain — free brief (404 = not in catalog, no charge).- User picks N to fully enrich.
POST /unlocks= 10×N credits, atomic, detail returned. - Re-runs within 30-day TTL are free.
Gotchas
- Always pin the cybersecurity service tag. Without it,
pen-testing/vciso/appseckeywords leak into IT-services rows that mention security. - Confirm the industry value name via
/fields— older catalogs usedindustry:security, newer ones may useindustry:cybersecurity. Don't hardcode. - Refuse consumer-personal asks. "My Gmail got hacked", "how do I secure my home wifi", "should I use a VPN" — not B2B procurement.
- DIY/configuration questions ("patch CVE-X", "configure firewall rules", "review this Terraform") are NOT procurement.
- Security-product comparisons (EDR, SIEM, identity providers) are NOT procurement either.
- "Hire a security engineer / CISO" is recruiting, not procurement of a firm. Refuse.
- Bug-bounty / freelance pen-testers are out of scope (catalog is firm-level only).
- Sub-types are keyword-only. Multi-word sub-types split into ANDed barewords unless quoted (
"incident response"→ one phrase). - Briefs DO include
apex,name, location, ratings. They DON'T includeurl,phone_primary,email_primary,legal_name,address_full, fullplatforms— those require an unlock. not_found/not_in_dataset404 = not inpro_services. Skip; not charged.- Unlock is atomic. N apexes either all charge (up to 10×N credits) or none on 402.
- Within-TTL re-views are free (
was_cached:true).
Errors
JSON envelope: {"error": {"code": "...", "message": "..."}}.
| Status | Code | What to do | |---|---|---| | 400 | filter_parse_error | position included; fix and re-validate with /check. | | 400 | kind_in_filter | Strip any kind: from filter — URL is authoritative. | | 400 | field_not_in_dataset | Drop the disallowed field. | | 400 | invalid_apex | Re-normalize. | | 401 | unauthorized / invalid_audience | Re-prompt for fresh vk_…. | | 402 | insufficient_credits | needed and balance in payload; nothing charged. | | 404 | not_found / not_in_dataset | Skip; not charged. | | 429 | rate_limited | Honor Retry-After. |
End-to-end example
User: "Three pen-testing firms for our SOC 2 audit, 4-star ratings, ideally with HIPAA experience for a healthcare-tech context."
GET /v1/datasets/pro_services/fields?include_values=1
GET /v1/datasets/pro_services/check?filter=service_provided:cybersecurity+pen-testing+"soc 2"+hipaa+rating>=4
GET /v1/datasets/pro_services/search?filter=...&limit=10
# Present briefs. "Unlocking 3 = 30 credits, 30-day TTL."
POST /v1/datasets/pro_services/unlocks
{ "apexes": ["firm-a.com", "firm-b.com", "firm-c.com"] }
GET /v1/me/credits