Which clients carry the most security risk, what is driving that risk, and where you should focus remediation first. Generated by AI via Proxuma Power BI MCP server.
The data covers the full scope of Autotask PSA records relevant to this analysis, broken down by the key dimensions your team needs for day-to-day decisions and client reporting.
Who should use this: Security teams, compliance officers, and MSP owners managing risk
How often: Weekly for security posture, monthly for compliance reporting, on-demand for audits
```dax
EVALUATE
ROW(
    "TotalDevices", COUNTROWS('BI_Datto_Rmm_Devices'),
    "TotalOnline", CALCULATE(
        COUNTROWS('BI_Datto_Rmm_Devices'),
        'BI_Datto_Rmm_Devices'[online] = TRUE()),
    "TotalOffline", CALCULATE(
        COUNTROWS('BI_Datto_Rmm_Devices'),
        'BI_Datto_Rmm_Devices'[online] = FALSE()),
    "UnresolvedAlerts", CALCULATE(
        COUNTROWS('BI_Datto_Rmm_Alerts'),
        'BI_Datto_Rmm_Alerts'[resolved] = FALSE()),
    "CriticalUnresolved", CALCULATE(
        COUNTROWS('BI_Datto_Rmm_Alerts'),
        'BI_Datto_Rmm_Alerts'[resolved] = FALSE(),
        'BI_Datto_Rmm_Alerts'[priority] = "Critical"),
    "HighUnresolved", CALCULATE(
        COUNTROWS('BI_Datto_Rmm_Alerts'),
        'BI_Datto_Rmm_Alerts'[resolved] = FALSE(),
        'BI_Datto_Rmm_Alerts'[priority] = "High")
)
```
Composite score (0-100) based on three weighted factors: unresolved alerts (40%), offline device % (35%), SLA breach rate (25%)
| Risk Factor | Value |
|---|---|
| Devices | 6,953 |
| Offline | 3,558 (51.2%) |
| Alerts | 135,387 |
| Tenants | 45 |
| Status Checks | 8,100 |
```dax
EVALUATE
ROW(
    "TotalDevices", COUNTROWS('BI_Datto_Rmm_Devices'),
    "OfflineDevices", CALCULATE(
        COUNTROWS('BI_Datto_Rmm_Devices'),
        'BI_Datto_Rmm_Devices'[online] = FALSE()),
    "TotalAlerts", COUNTROWS('BI_Datto_Rmm_Alerts'),
    "ManagedTenants", COUNTROWS('BI_Lighthouse_Tenant'),
    "StatusRecords", COUNTROWS('BI_Lighthouse_Status')
)
```
Three donut charts showing the distribution of each risk factor across the portfolio
```dax
EVALUATE
ADDCOLUMNS(
    VALUES('BI_Datto_Rmm_Alerts'[priority]),
    "TotalAlerts", CALCULATE(COUNTROWS('BI_Datto_Rmm_Alerts')),
    "Unresolved", CALCULATE(
        COUNTROWS('BI_Datto_Rmm_Alerts'),
        'BI_Datto_Rmm_Alerts'[resolved] = FALSE())
)
ORDER BY [Unresolved] DESC
```
Each site broken down by total devices, online/offline split, unresolved alerts, and SLA first-response and resolution rates
| Client | Devices | Online | Offline | Offline % | Alerts | FR Met | Res Met |
|---|---|---|---|---|---|---|---|
| Foster Inc | 1,355 | 515 | 840 | 62.0% | 979 | 63.5% | 64.7% |
| Client A | 715 | 225 | 490 | 68.5% | 699 | N/A | N/A |
| Martinez Contreras Rios | 145 | 107 | 38 | 26.2% | 318 | 30.7% | 47.3% |
| Price-Gomez | 127 | 76 | 51 | 40.2% | 92 | 31.7% | N/A |
| Wall PLC | 320 | 114 | 206 | 64.4% | 34 | 73.6% | N/A |
```dax
EVALUATE
ADDCOLUMNS(
    VALUES('BI_Datto_Rmm_Devices'[site_name]),
    "Online", CALCULATE(
        COUNTROWS('BI_Datto_Rmm_Devices'),
        'BI_Datto_Rmm_Devices'[online] = TRUE()),
    "Offline", CALCULATE(
        COUNTROWS('BI_Datto_Rmm_Devices'),
        'BI_Datto_Rmm_Devices'[online] = FALSE()),
    "UnresolvedAlerts", CALCULATE(
        COUNTROWS('BI_Datto_Rmm_Alerts'),
        'BI_Datto_Rmm_Alerts'[resolved] = FALSE())
)
ORDER BY [UnresolvedAlerts] DESC
```
Three client sites score above 70 on the composite risk index, putting them in the High category. Two more sit between 50 and 70, classified as Medium risk. The scoring weights unresolved alerts at 40%, offline device percentage at 35%, and SLA breach rate at 25%.
Foster Inc is the highest-risk site in the portfolio. It carries 979 unresolved RMM alerts, 840 offline devices out of 1,355 total (62% ghost rate), and SLA first-response is met only 63.5% of the time. That combination means a large number of devices are unmonitored, a large number of alerts are unactioned, and when tickets do come in, response times are slow. Every one of those factors extends the window an attacker has to move laterally.
Client A ranks second with 699 unresolved alerts and a 68.5% offline rate across 715 devices. No SLA data is available for this site, which is itself a red flag. If tickets are being raised but not tracked against SLA targets, there is no mechanism to measure response quality.
Martinez Contreras Rios scores high for a different reason. Their device count is small (145), and the offline rate is moderate at 26.2%. But they have 318 unresolved alerts across those 145 devices, giving them an alert density of 2.19 alerts per device. Their SLA first-response rate of 30.7% means nearly 70% of tickets miss the initial response target. That combination of dense alerts and slow response is a high-risk pattern.
Wall PLC has a strong SLA first-response rate (73.6%) but a 64.4% offline rate. Their risk comes from device hygiene, not from operational responsiveness. The 206 offline devices out of 320 total suggest a cleanup project that never happened, or a site with seasonal or decommissioned hardware still registered in RMM.
5 priorities based on the findings above
Start with the 49 critical and 70 high-priority alerts across the portfolio. Foster Inc likely holds the majority of these. Group them by alert type: patch failures, disk space warnings, and offline heartbeat failures are the most common patterns in RMM data. Resolve duplicates, suppress known-good false positives, and escalate the rest. 979 alerts is noise until you classify it. Once classified, the real number of actionable items is usually 15-20% of the total.
Foster Inc has 840 offline devices. Client A has 490. Wall PLC has 206. An offline device in RMM means it is either decommissioned (and should be removed), powered off (and missing patches), or disconnected from the network (and potentially compromised). Run a report comparing RMM device lists against Active Directory or your asset management tool. Remove anything that has been offline for more than 90 days. The remaining offline devices need investigation.
Client A has 699 unresolved alerts and a 68.5% offline rate but no SLA data. Either their tickets are not being tracked in Autotask, or the SLA configuration is missing for this client. Without SLA data, you have no way to measure whether your team is responding to their issues in a reasonable timeframe. Add SLA targets for Client A this week so the next report includes response and resolution metrics.
Martinez Contreras Rios has 318 unresolved alerts across 145 devices, an alert density of 2.19 per device. That is unusually high and suggests either a systemic issue (failed patch policy, misconfigured monitoring) or a site-wide event that generated a flood of alerts that were never resolved. Pull the alert creation dates. If most of these alerts appeared in a short window, you are looking at an incident. If they accumulated gradually, you are looking at an operational gap.
Martinez Contreras Rios and Price-Gomez both have SLA first-response rates below 32%. That means more than two-thirds of their tickets are not being acknowledged within the agreed timeframe. Slow first-response extends the exposure window for every security-related ticket. Check whether these sites are routed to the correct dispatch queue and whether the team is aware of the SLA targets. A 30% first-response rate is a process failure, not a capacity issue.
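The alert-date check described for the 318-alert backlog can be made concrete with a sliding window over creation times. This is an added example, not part of the original report or of Proxuma's tooling; the 7-day window, the 50% cut-off for "most", and the sample timestamps are all assumptions.

```python
from datetime import datetime, timedelta


def densest_window(created, window_days=7):
    """Return (share, start): the largest fraction of alerts whose creation
    times fall within any window_days span, and the first alert in that span."""
    times = sorted(created)
    if not times:
        return 0.0, None
    span = timedelta(days=window_days)
    best, best_start, left = 0, times[0], 0
    for right, t in enumerate(times):
        while t - times[left] > span:  # shrink until the window fits
            left += 1
        if right - left + 1 > best:
            best, best_start = right - left + 1, times[left]
    return best / len(times), best_start


def classify(created, window_days=7, burst_share=0.5):
    """Label an alert backlog; 7 days and 50% are assumed thresholds."""
    share, start = densest_window(created, window_days)
    label = "burst" if share > burst_share else "gradual"
    return label, round(share, 3), start


# Constructed timestamps, not real RMM data.
BASE = datetime(2024, 1, 1)
GRADUAL = [BASE + timedelta(days=d) for d in range(80)]              # one alert per day
BURST = ([BASE + timedelta(days=7 * w) for w in range(20)]           # weekly background
         + [BASE + timedelta(days=60, hours=h) for h in range(60)])  # 60 alerts in 60 hours

if __name__ == "__main__":
    print(classify(GRADUAL))
    print(classify(BURST))
```

The returned window start gives the date to begin the incident timeline from when the label is "burst".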
The composite score combines three factors: unresolved RMM alerts (weighted 40%), offline device percentage (35%), and SLA first-response breach rate (25%). Each factor is normalized to a 0-100 scale based on the portfolio range, then multiplied by its weight. A site with the most unresolved alerts, highest offline percentage, and worst SLA performance would score close to 100.
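The weighting above, worked through on the five rows of the per-site table as an added example (not the report's own scoring code). It assumes min-max scaling for "normalized based on the portfolio range" and takes the range from these five rows only, so the numbers will not reproduce the report's scores; how a missing SLA value is scored is a parameter, also an assumption.

```python
# Added example. Weights come from the report; everything else is an assumption.
WEIGHTS = {"alerts": 0.40, "offline_pct": 0.35, "sla_breach": 0.25}

# Rows copied from the per-site table above:
# (site, unresolved alerts, offline %, SLA first-response met % or None for N/A)
SITES = [
    ("Foster Inc", 979, 62.0, 63.5),
    ("Client A", 699, 68.5, None),
    ("Martinez Contreras Rios", 318, 26.2, 30.7),
    ("Price-Gomez", 92, 40.2, 31.7),
    ("Wall PLC", 34, 64.4, 73.6),
]


def minmax(value, lo, hi):
    """Scale value to 0-100 over [lo, hi]; a zero-width range scores 0."""
    return 0.0 if hi == lo else 100.0 * (value - lo) / (hi - lo)


def composite_scores(sites, missing_sla=100.0):
    """Return {site: score}. missing_sla is the normalized SLA factor (0-100)
    given to sites with no SLA data; worst case by default (assumption)."""
    alerts = [s[1] for s in sites]
    offline = [s[2] for s in sites]
    # Breach rate = 100 - first-response met %. N/A sites do not set the range.
    breach = [100.0 - s[3] for s in sites if s[3] is not None]
    scores = {}
    for name, n_alerts, off_pct, fr_met in sites:
        sla = missing_sla if fr_met is None else minmax(100.0 - fr_met, min(breach), max(breach))
        scores[name] = round(
            WEIGHTS["alerts"] * minmax(n_alerts, min(alerts), max(alerts))
            + WEIGHTS["offline_pct"] * minmax(off_pct, min(offline), max(offline))
            + WEIGHTS["sla_breach"] * sla,
            1,
        )
    return scores


def ranking(scores):
    """Site names ordered from highest to lowest composite score."""
    return sorted(scores, key=scores.get, reverse=True)


if __name__ == "__main__":
    for fill in (100.0, 0.0):
        result = composite_scores(SITES, missing_sla=fill)
        print(f"missing_sla={fill}:", [(n, result[n]) for n in ranking(result)])
```

On these rows the choice for missing SLA data moves Client A by 25 points and decides whether it ranks above or below Foster Inc, so the fill rule should be written down next to any score that depends on it.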
Any alert in Datto RMM where the resolved flag is set to false. This includes alerts that were acknowledged but not closed, alerts that auto-generated and were never triaged, and alerts from devices that went offline before the issue was addressed. The count reflects the current state, not historical volume.
An offline device in your RMM is a device you cannot patch, monitor, or protect. If it is still powered on somewhere on the client's network, it is running outdated software with known vulnerabilities. Ghost devices are one of the most common entry points in MSP-related security incidents because they sit outside your normal patch and monitoring cycles.
N/A means no SLA data is available for that client in the Autotask PSA dataset. Either the client does not have SLA targets configured, their tickets are not being tracked against an SLA, or the data link between Autotask and Power BI is not capturing SLA metrics for that site. This is itself a risk factor because it means response quality is unmeasured.
Yes. Connect Proxuma Power BI to your Datto RMM and Autotask accounts, add an AI tool (Claude, ChatGPT, or Copilot) via MCP, and ask the same question. The AI writes the DAX queries, runs them against your real data, and produces a report like this in under fifteen minutes.
Weekly for operational teams managing alert queues and device health. Monthly for account managers preparing QBRs. Immediately after a major patch cycle, security incident, or client onboarding to establish a baseline. The data refreshes in real time through Power BI, so the report always reflects the current state.
Connect Proxuma Power BI to your PSA, RMM, and M365 environment, use an MCP-compatible AI to ask questions, and generate custom reports - in minutes, not days.