aid: expel
url: https://raw.githubusercontent.com/api-evangelist/expel/refs/heads/main/apis.yml
name: Expel
type: Index
image: https://kinlane-productions.s3.amazonaws.com/apis-json/apis-json-logo.jpg
tags:
  - Cybersecurity
  - MDR
  - Managed Detection and Response
  - SOC
  - SIEM
  - Workbench
description: Expel is a managed detection and response (MDR) provider that delivers 24x7 security operations across endpoint, network, cloud, SaaS, identity, Kubernetes, and phishing surfaces. Customers and integration partners interact with Expel primarily through Workbench, Expel's investigation and case-management platform, which exposes a gated REST API for sending signals in from third-party tools and pulling alerts, investigations, and remediation actions back out into SIEMs, SOARs, and ticketing systems.
created: '2026-05-23'
modified: '2026-05-23'
specificationVersion: '0.19'
apis:
  - aid: expel:expel-workbench-api
    name: Expel Workbench API
    tags:
      - Investigations
      - Alerts
      - Remediation
      - MDR
    humanURL: https://workbench.expel.io
    baseURL: https://workbench.expel.io/api
    properties:
      - url: https://workbench.expel.io
        type: Portal
        title: Expel Workbench (gated)
      - url: https://expel.com/integrations/
        type: Integrations
    description: The Expel Workbench API is a gated REST API used by customers and technology partners to integrate with the Expel MDR platform. The API powers ingest of signals from endpoint, cloud, SIEM, identity, and SaaS tools, surfaces Expel analyst investigations, alerts, findings, and remediation recommendations, and supports outbound integrations into customer SIEM, SOAR, ITSM, and notification systems. Access is provisioned to Expel customers and partners via the Workbench portal.
common:
  - type: LinkedIn
    url: https://www.linkedin.com/company/expel
  - type: Website
    url: https://expel.com/
  - type: Portal
    url: https://workbench.expel.io
    title: Expel Workbench
  - type: Integrations
    url: https://expel.com/integrations/
  - type: Blog
    url: https://expel.com/blog/
  - type: Resources
    url: https://expel.com/resources/
  - type: ContactSales
    url: https://expel.com/contact/
  - type: Careers
    url: https://expel.com/careers/
  - type: Partners
    url: https://expel.com/partners/
  - type: PrivacyPolicy
    url: https://expel.com/privacy-policy/
  - type: TermsOfService
    url: https://expel.com/terms-of-use/
  - type: Features
    data:
      - name: MDR for Cloud
        description: 24x7 managed detection and response across AWS, Azure, and Google Cloud
      - name: MDR for SaaS
        description: Detection and response across Microsoft 365, Google Workspace, Okta, and other SaaS platforms
      - name: MDR for Kubernetes
        description: Container and Kubernetes-aware detection and response
      - name: Phishing
        description: Managed phishing triage, investigation, and remediation
      - name: Threat Hunting
        description: Proactive hunting across customer telemetry by Expel analysts
      - name: Vulnerability Prioritization
        description: Risk-based vulnerability prioritization tied to threat context
      - name: Workbench
        description: Investigation, case-management, and analytics platform with REST API for customers and integration partners
  - type: UseCases
    data:
      - name: 24x7 SOC Outsourcing
        description: Augment or replace an internal SOC with Expel's analysts and Workbench platform
      - name: Cloud Security Monitoring
        description: Continuous monitoring and incident response across multi-cloud environments
      - name: Phishing Triage and Response
        description: Automated and analyst-assisted phishing investigation and remediation
      - name: SIEM and SOAR Augmentation
        description: Use Expel as the analyst layer on top of existing SIEM and SOAR investments
      - name: Compliance and Reporting
        description: Use Workbench data and reports to support SOC2, PCI, and other compliance regimes
  - type: Integrations
    data:
      - name: AWS
        description: Native MDR integrations for AWS accounts, GuardDuty, and related cloud signals
      - name: Microsoft Azure
        description: MDR coverage and integrations for Azure, Entra ID, and Microsoft Defender
      - name: Google Cloud
        description: MDR coverage for Google Cloud workloads and security signals
      - name: Microsoft 365
        description: SaaS detection and response coverage for Microsoft 365 tenants
      - name: Google Workspace
        description: SaaS detection and response coverage for Google Workspace tenants
      - name: SIEM Platforms
        description: Bidirectional integrations with Splunk, Sentinel, Chronicle, and other SIEMs
      - name: EDR Platforms
        description: Workbench connectors for CrowdStrike, SentinelOne, Microsoft Defender, and other EDR tools
      - name: Identity Providers
        description: Integrations with Okta, Entra ID, and other identity providers for identity-centric detections
  - type: LLMsTxt
    url: https://expel.com/llms.txt
maintainers:
  - FN: Kin Lane
    email: kin@apievangelist.com