Find Cybersecurity Firm

Security

Use whenever the user wants to find, shortlist, vet, or enrich US cybersecurity firms — pen-testing/red team, security audits, vCISO, SOC 2 readiness, incident response, managed SOC, IAM, cloud security, and AppSec. Triggers on "find me a pen-testing firm for our SOC 2 audit", "shortlist three vCISO services for our healthcare-tech startup", "we need an incident response retainer", or "pull contact info for these 8 security firm domains", even when described indirectly (we got breached, prepare us for the compliance audit, get us SOC 2 ready). Drives the ServiceGraph API (api.servicegraph.co) — a 100k+ US firm catalog filterable by industry, services, location, size, ratings. Skip in-house security hires, "how do I patch CVE-X" or "configure firewall Y" DIY questions, security-product reviews (CrowdStrike vs SentinelOne, etc.), generic security knowledge questions, consumer/personal security advice, non-US firms, individual freelancers and bug-bounty hunters.

Install

openclaw skills install find-cybersecurity-firm

find-cybersecurity-firm

Drive the ServiceGraph API (https://api.servicegraph.co) to find, shortlist, and enrich US cybersecurity firms via the pro_services dataset.

Always pin service_provided:cybersecurity — that's the only relevant structured tag in the live catalog. Older docs and the catalog source mention sub-tags like pen-testing and security-audit, but in the current release none of those exist as separate tags: cybersecurity is the broad catch-all and every sub-type (pen-testing, red-team, vCISO, SOC 2 readiness, IR retainer, IAM, cloud security, AppSec) is a keyword substring search on firm text. Confirm via /v1/datasets/pro_services/fields?include_values=1 once per session.

The industry tag also drifts between releases — newer catalogs may use industry:cybersecurity, older ones used industry:security. Confirm the value via /fields and pin both industry and service_provided:cybersecurity for safety.

Any HTTP client works (curl, fetch, requests). Examples below use curl.

When NOT to use this skill

  • Consumer/personal cybersecurity ("my Gmail got hacked", "how do I secure my home wifi") — the catalog is B2B procurement only.
  • In-house security hires (Security Engineer, CISO, SOC analyst).
  • DIY/configuration questions ("how do I patch CVE-X", "configure firewall rules", "review this Terraform").
  • Security-product comparisons (CrowdStrike vs SentinelOne, EDR vendors, SIEM vendors).
  • Generic security knowledge ("explain zero-trust", "what is OWASP Top 10").
  • Non-US firms / individual freelance pen-testers / bug-bounty hunters.

MCP server (preferred for authed calls)

If your harness has the ServiceGraph MCP server loaded (tools containing servicegraph), prefer those — OAuth 2.1 + PKCE keeps the token in the harness sandbox. Otherwise use the REST flow below.

API surface (dataset id: pro_services)

Every endpoint requires a bearer token (Authorization: Bearer vk_…). No anonymous tier.

| Endpoint | Cost | Use it for |
|---|---|---|
| GET /v1/datasets/pro_services/fields[?include_values=1] | free | Confirm the industry value name and that cybersecurity is in service_provided. |
| GET /v1/datasets/pro_services/check?filter=… | free | Validate filter. |
| POST /v1/datasets/pro_services/translate-intent | free | {intent} → DSL filter + sanity count. |
| GET /v1/datasets/pro_services/search?filter=…&limit= | free | Brief firm cards + per-row unlock hint + total. |
| GET /v1/datasets/pro_services/:apex | free | One row brief; detail only if unlocked. |
| POST /v1/datasets/pro_services/unlocks | 10 credits / firm | {apexes:[...]} ≤100; atomic; 30-day TTL on detail. |
| GET /v1/me/credits | free | Balance. |

Cost model. Discovery / validation / search / brief reads are free. Detail (url, phone, email, social, address, full platforms map) costs 10 credits per firm and lasts 30 days.

Auth

vk_* API keys minted in the dashboard. Keep the token out of the LLM context — never read .env* into your context; dispatch via shell.

  1. Try the call first through a shell wrapper that sources .env.local:

    ( set -a; [ -f .env.local ] && . ./.env.local; set +a;
      curl -sS -H "Authorization: Bearer $SERVICEGRAPH_API_KEY" \
           'https://api.servicegraph.co/v1/datasets/pro_services/fields' )
    
  2. On 401 prompt the user:

    "Open https://servicegraph.co/profile/api-keys, create a key, and add SERVICEGRAPH_API_KEY=vk_… to .env.local here (or export it). Tell me when done. Please don't paste the key into chat."

  3. Retry after the user signals ready.

Filter DSL

GitHub-search-style.

filter   := orExpr
orExpr   := andExpr ("OR" andExpr)*
andExpr  := notExpr (("AND")? notExpr)*    # whitespace = implicit AND
notExpr  := ("NOT" | "-") notExpr | atom
atom     := "(" filter ")" | predicate
predicate:= IDENT op valueOrList | bareword
op       := ":" | "=" | ">=" | "<=" | ">" | "<"
valueOrList := value ("," value)*
value    := IDENT | NUMBER | tagAtEvidence
tagAtEvidence := IDENT "@" ("low"|"medium"|"high")
bareword := IDENT | NUMBER          # → keyword:<bareword>

Four rules that bite: AND binds tighter than OR (use parens); comma list = OR within one predicate; negation is -x or NOT x; bareword = keyword search (quote multi-word phrases).

Cybersecurity examples (validate yours with /check; replace cybersecurity with whatever /fields returns as the industry value):

industry:cybersecurity service_provided:cybersecurity
service_provided:cybersecurity pen-testing
service_provided:cybersecurity "security audit" "soc 2"
service_provided:cybersecurity vciso
service_provided:cybersecurity "incident response" retainer
service_provided:cybersecurity cloud aws
service_provided:cybersecurity "application security" sast
service_provided:cybersecurity rating>=4 has:clutch
service_provided:cybersecurity hipaa

The live catalog has no separate pen-testing / security-audit / appsec tags — pin service_provided:cybersecurity and treat all sub-types as keywords.

Sub-type → keyword mapping (all sub-types are keyword-only):

| User asks for | Use |
|---|---|
| Pen test / red team | pen-testing, "red team" |
| Security audit / assessment | audit, assessment |
| vCISO / fractional CISO | vciso, "fractional ciso" |
| SOC 2 readiness | "soc 2", readiness |
| Incident response / forensics | "incident response", forensics, "ir retainer" |
| Cloud security | "cloud security", aws, gcp, azure |
| Identity / IAM | iam, identity |
| Application security / SAST/DAST | "application security", appsec, sast, dast |
| Compliance frameworks | pci, hipaa, "iso 27001", nist |
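
One way to assemble a filter from these keywords so that user-supplied text cannot add predicates or operators, shown as an added example that is not part of the skill or of ServiceGraph's own code. build_filter and search_firms are hypothetical helper names, and the allowed keyword character set is an assumption; the request goes through curl -G --data-urlencode so quotes, spaces and >= reach the API encoded.

```shell
#!/bin/sh
# Added example; build_filter / search_firms are hypothetical names.
# SERVICEGRAPH_API_KEY and .env.local are the ones from the Auth section.

build_filter() {
  out='service_provided:cybersecurity'        # always pin the service tag
  for kw in "$@"; do
    bare=$(printf '%s' "$kw" | tr -d ' ')
    case $bare in
      ''|-*|*[!A-Za-z0-9._-]*)
        # Assumed allow-list: letters, digits, dot, underscore, hyphen, space.
        # Rejects quotes, parens, ':' and comparison operators, and a leading
        # '-' (negation), so a keyword stays a keyword.
        printf 'rejected keyword: %s\n' "$kw" >&2
        return 1 ;;
    esac
    case $kw in
      AND|OR|NOT)
        printf 'rejected operator word: %s\n' "$kw" >&2
        return 1 ;;
      *' '*) out="$out \"$kw\"" ;;   # multi-word: quote to keep one phrase
      *)     out="$out $kw" ;;       # single bareword: implicit AND
    esac
  done
  printf '%s\n' "$out"
}

# Send the filter URL-encoded; the key is sourced inside a subshell so it
# never appears in the caller's environment or output.
search_firms() {
  filter=$(build_filter "$@") || return 1
  ( set -a; [ -f .env.local ] && . ./.env.local; set +a
    curl -sS -G -H "Authorization: Bearer $SERVICEGRAPH_API_KEY" \
         --data-urlencode "filter=$filter" --data-urlencode 'limit=10' \
         'https://api.servicegraph.co/v1/datasets/pro_services/search' )
}

# Offline demonstration with constructed input (no network call):
build_filter pen-testing 'soc 2'
```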

Identifying firms — apex

Firms are identified by their apex domain (mandiant.com, not www.mandiant.com/about).

Recipes

A. Pen test for SOC 2

User: "Pen-testing firm for our SOC 2 audit."

GET /v1/datasets/pro_services/search?filter=service_provided:cybersecurity+pen-testing+"soc 2"&limit=10
# Present, get pick of 3. "Unlocking 3 = 30 credits, 30-day TTL."
POST /v1/datasets/pro_services/unlocks
  { "apexes": ["firm-a.com", "firm-b.com", "firm-c.com"] }

B. vCISO for a healthcare-tech startup

GET /v1/datasets/pro_services/search?filter=service_provided:cybersecurity+vciso+(healthcare OR hipaa)&limit=10

C. Incident response retainer

User: "Incident response retainer in case we get breached."

GET /v1/datasets/pro_services/search?filter=service_provided:cybersecurity+"incident response"+retainer&limit=10

If thin, drop retainer — most IR firms offer retainer engagements as standard.

D. Cloud security + AWS + HIPAA

GET /v1/datasets/pro_services/search?filter=service_provided:cybersecurity+cloud+aws+hipaa&limit=10

E. Indirect intent — "we got breached"

User: "We got hit with ransomware last week — we need help fast."

That's emergency IR:

GET /v1/datasets/pro_services/search?filter=service_provided:cybersecurity+"incident response"+ransomware&limit=10

Skip validation; present briefs immediately given urgency.

F. AppSec / SAST

GET /v1/datasets/pro_services/search?filter=service_provided:cybersecurity+"application security"+(sast OR "code review")&limit=10

G. SOC 2 readiness ahead of enterprise sales

GET /v1/datasets/pro_services/search?filter=service_provided:cybersecurity+"soc 2"+(readiness OR preparation)&limit=10

H. BYO apex list — enrich domains

User pastes 8–20 cybersecurity firm domains:

  1. GET /v1/datasets/pro_services/:apex per domain — free brief (404 = not in catalog, no charge).
  2. User picks N to fully enrich. POST /unlocks = 10×N credits, atomic, detail returned.
  3. Re-runs within 30-day TTL are free.
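
Pasted domains rarely arrive as clean apexes, and an unvalidated value ends up in the /:apex URL path. The sketch below is an added example, not ServiceGraph code: normalize_apex and apex_list are hypothetical names, and it assumes that stripping a leading "www." is enough (finding the registrable domain under multi-label suffixes needs the Public Suffix List, which is not consulted here).

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Reduce a pasted URL or hostname to a candidate apex, or fail.
normalize_apex() {
  h=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case $h in http://*|https://*) h=${h#*://} ;; esac   # leading scheme only
  h=${h%%[/?#]*}   # drop path, query, fragment
  h=${h##*@}       # drop userinfo
  h=${h%%:*}       # drop port
  h=${h#www.}      # assumption: only a leading "www." is stripped
  h=${h%.}         # drop trailing root dot
  case $h in
    ''|*[!a-z0-9.-]*|.*|*..*|-*|*-|*.-*|*-.*) return 1 ;;  # not LDH labels
    *.*) printf '%s\n' "$h" ;;
    *)   return 1 ;;                                        # single label
  esac
}

# Read pasted lines on stdin; print each valid apex once, report the rest.
apex_list() {
  seen=' '
  while read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue
    if a=$(normalize_apex "$line"); then
      case $seen in *" $a "*) continue ;; esac   # duplicate after normalizing
      seen="$seen$a "
      printf '%s\n' "$a"
    else
      printf 'skipped (not a hostname): %s\n' "$line" >&2
    fi
  done
}

# Constructed sample input:
printf '%s\n' 'https://www.Mandiant.com/about' 'firm-a.com' \
              'FIRM-A.com:443' '../unlocks' | apex_list
```

Each printed apex contains only lowercase letters, digits, dots and hyphens, so it can be placed in the GET /v1/datasets/pro_services/:apex path as-is.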

Gotchas

  • Always pin the cybersecurity service tag. Without it, pen-testing / vciso / appsec keywords leak into IT-services rows that mention security.
  • Confirm the industry value name via /fields — older catalogs used industry:security, newer ones may use industry:cybersecurity. Don't hardcode.
  • Refuse consumer-personal asks. "My Gmail got hacked", "how do I secure my home wifi", "should I use a VPN" — not B2B procurement.
  • DIY/configuration questions ("patch CVE-X", "configure firewall rules", "review this Terraform") are NOT procurement.
  • Security-product comparisons (EDR, SIEM, identity providers) are NOT procurement either.
  • "Hire a security engineer / CISO" is recruiting, not procurement of a firm. Refuse.
  • Bug-bounty / freelance pen-testers are out of scope (catalog is firm-level only).
  • Sub-types are keyword-only. Multi-word sub-types split into ANDed barewords unless quoted ("incident response" → one phrase).
  • Briefs DO include apex, name, location, ratings. They DON'T include url, phone_primary, email_primary, legal_name, address_full, full platforms — those require an unlock.
  • not_found / not_in_dataset 404 = not in pro_services. Skip; not charged.
  • Unlock is atomic. N apexes either all charge (up to 10×N credits) or none on 402.
  • Within-TTL re-views are free (was_cached:true).

Errors

JSON envelope: {"error": {"code": "...", "message": "..."}}.

| Status | Code | What to do |
|---|---|---|
| 400 | filter_parse_error | position included; fix and re-validate with /check. |
| 400 | kind_in_filter | Strip any kind: from filter — URL is authoritative. |
| 400 | field_not_in_dataset | Drop the disallowed field. |
| 400 | invalid_apex | Re-normalize. |
| 401 | unauthorized / invalid_audience | Re-prompt for fresh vk_…. |
| 402 | insufficient_credits | needed and balance in payload; nothing charged. |
| 404 | not_found / not_in_dataset | Skip; not charged. |
| 429 | rate_limited | Honor Retry-After. |

End-to-end example

User: "Three pen-testing firms for our SOC 2 audit, 4-star ratings, ideally with HIPAA experience for a healthcare-tech context."

GET /v1/datasets/pro_services/fields?include_values=1
GET /v1/datasets/pro_services/check?filter=service_provided:cybersecurity+pen-testing+"soc 2"+hipaa+rating>=4
GET /v1/datasets/pro_services/search?filter=...&limit=10
# Present briefs. "Unlocking 3 = 30 credits, 30-day TTL."
POST /v1/datasets/pro_services/unlocks
  { "apexes": ["firm-a.com", "firm-b.com", "firm-c.com"] }
GET /v1/me/credits