Claude Code-powered multi-tenant SecOps for MSSPs | LimaCharlie demo

The unit of work stops being the tenant

A security product built for one enterprise treats a customer as the world. A service provider does not have a world, it has thousands of them. The demo opens on exactly this gap: when you run 5,000 tenants, each carries its own stack, its own integrations, its own change management, its own set of things worth detecting. LimaCharlie has always leaned on infrastructure as code, multi-tenancy, and an API-first design to make that bearable, and the Agentic SecOps Workspace, released a couple of weeks before this session, is pitched as the next move in that same line. The argument worth taking seriously is not that AI is impressive. It is that for a provider, the only AI that matters is one that scales the same way the underlying platform already does, and gets billed in a way that survives contact with thousands of customers.

That billing point is where most AI tooling quietly falls apart, and the demo puts it first for a reason. If you are charged per token, you cannot forecast anything. How many tokens is a tenant worth? How many alerts? Multiply an unknown by 5,000 and the model is dead in the water for a provider. The workspace instead charges a flat fee per analyst per month, everything included. LimaCharlie does not treat the AI as a product it sells at all. It treats it as another operator, the same way the API and the web interface are operators, which is why there is no separate SKU to negotiate. You can bring your own subscription or API keys if you want, and the demo deliberately surfaces what an equivalent API-key run would have cost so the tradeoff is visible rather than hidden.

Not a chatbot, a machine with hands

The interface is text going back and forth, which invites the wrong assumption. The session spends real energy killing it. This is not the online chat model wrapped in a security skin. It is Claude Code, the version built to run on an actual box, here on Linux, which is the difference between a thin hermetic assistant customized use case by use case and a general-purpose Swiss Army knife the operator can wield across the whole job. The claim attached to that is specific: 100 percent of what you can do with the LimaCharlie stack is exposed to the model as tools, and the model is left to find its own way to the goal you hand it. These are not use cases built and priced one at a time. They are everything, at once, across the stack.

The reason this is not marketing is that the demos cross domains a single-purpose tool could not. The session opens, pointedly, with a task that has nothing to do with security: review every tenant the operator can access and find billing outliers. The agent queries the organizations, inspects billing, and comes back with candidates and reasons. In larger environments the recurring finding is telling. One tenant is ingesting all of its Azure logs while the rest pull only audit logs, a likely misconfiguration costing an extra hundred dollars a month, and the agent offers to fix it. Starting there is a deliberate choice. The AI SOC companies all advertise alert triage and a chat window. A provider's most expensive time sinks are often not security at all, they are the unglamorous configuration and administrative work that more junior staff cannot do only because they lack the context, not because the task is sensitive.

The same generality shows up when the operator asks the agent, in plain English, to take them by the hand through configuring Azure Blob Storage, a thing they have never done. The agent asks what kind of audit logs are involved, whether export is already set up, whether credentials exist, then points to the right Azure URLs and flags the security tradeoffs along the way. On the security side, the operator asks for research on OpenClaw vulnerabilities, a hunt across all tenants, and detection rules, explicitly because they want to learn rather than be handed a black box. The agent researches the threat, writes a to-do list, hunts across six organizations for OpenClaw processes, gateway connections, installation paths tied to clawhub skills, and a distributed atomic stealer, then produces elaborate rules complete with a CVE and reference links, even tagging affected sensors. Two more instructions close the loop. Forward detections from every tenant into a new n8n reporting instance, and report one user's permissions across every tenant and group. Each is a single sentence that fans out across the whole estate.

Why an open, permissioned agent is the defensible version

The thing that makes this safe to deploy is also the thing that makes it ownable. The capabilities are not secret sauce locked in a walled garden. They are skills published in the lc-ai repository, written in plain English Markdown, readable and editable. If your team has a standard operating procedure for onboarding a data source or wiring up ServiceNow or a ticketing system, an analyst can describe it in English and the agent will operate against it. You can run the same skills with Claude Code locally on your own box. Nothing about the workspace is the only door in.

That openness only works because the agent can do more than read. It can apply changes, onboard data sources, push rules to every tenant. So the control surface has to be real, and LimaCharlie's answer is its permission system, which is granular down to individual actions and now carries a dedicated AI grant. Holding the right to configure a data source on a tenant is not the same as holding the right to let the AI do it for you. That second permission is separate and explicit, per user or group. A CFO can be given AI access to billing with no power to change anything, while operators are vetted before they are allowed to act through the agent. The point the session keeps circling is that this is a tool, and like any tool it makes good analysts faster and lets junior ones operate above their experience, the way coding agents made good developers more powerful without replacing them. For a provider, that combination, full reach across every tenant, every capability exposed as a tool, skills you can read and rewrite, and a permission model that decides exactly who may let the AI act, is what turns AI from a feature you rent into operations you own.