Expel

Expel is a managed detection and response (MDR) provider that delivers 24x7 security operations across endpoint, network, cloud, SaaS, identity, Kubernetes, and phishing surfaces. Customers and integration partners interact with Expel primarily through Workbench, Expel's investigation and case-management platform, which exposes a gated REST API for sending signals in from third-party tools and pulling alerts, investigations, and remediation actions back out into SIEMs, SOARs, and ticketing systems.

1 API, 7 Features
Tags: Cybersecurity, MDR, Managed Detection and Response, SOC, SIEM, Workbench

Expel publishes 1 API on the APIs.io network. Tagged areas include Cybersecurity, MDR, Managed Detection and Response, SOC, and SIEM.

Expel’s developer surface includes a developer portal, an engineering blog, and 8 more developer resources.

APIs

Expel Workbench API

The Expel Workbench API is a gated REST API used by customers and technology partners to integrate with the Expel MDR platform. The API powers ingest of signals from endpoint, c...

Features

MDR for Cloud

24x7 managed detection and response across AWS, Azure, and Google Cloud

MDR for SaaS

Detection and response across Microsoft 365, Google Workspace, Okta, and other SaaS platforms

MDR for Kubernetes

Container and Kubernetes-aware detection and response

Phishing

Managed phishing triage, investigation, and remediation

Threat Hunting

Proactive hunting across customer telemetry by Expel analysts

Vulnerability Prioritization

Risk-based vulnerability prioritization tied to threat context

Workbench

Investigation, case-management, and analytics platform with REST API for customers and integration partners

Use Cases

24x7 SOC Outsourcing

Augment or replace an internal SOC with Expel's analysts and Workbench platform

Cloud Security Monitoring

Continuous monitoring and incident response across multi-cloud environments

Phishing Triage and Response

Automated and analyst-assisted phishing investigation and remediation

SIEM and SOAR Augmentation

Use Expel as the analyst layer on top of existing SIEM and SOAR investments

Compliance and Reporting

Use Workbench data and reports to support SOC2, PCI, and other compliance regimes

Integrations

AWS

Native MDR integrations for AWS accounts, GuardDuty, and related cloud signals

Microsoft Azure

MDR coverage and integrations for Azure, Entra ID, and Microsoft Defender

Google Cloud

MDR coverage for Google Cloud workloads and security signals

Microsoft 365

SaaS detection and response coverage for Microsoft 365 tenants

Google Workspace

SaaS detection and response coverage for Google Workspace tenants

SIEM Platforms

Bidirectional integrations with Splunk, Sentinel, Chronicle, and other SIEMs

EDR Platforms

Workbench connectors for CrowdStrike, SentinelOne, Microsoft Defender, and other EDR tools

Identity Providers

Integrations with Okta, Entra ID, and other identity providers for identity-centric detections

Resources

LinkedIn
Website
Expel Workbench (Portal)
Blog
Resources
ContactSales
Careers
Partners
PrivacyPolicy
TermsOfService

Sources

apis.yml
aid: expel
url: https://raw.githubusercontent.com/api-evangelist/expel/refs/heads/main/apis.yml
name: Expel
type: Index
image: https://kinlane-productions.s3.amazonaws.com/apis-json/apis-json-logo.jpg
tags:
- Cybersecurity
- MDR
- Managed Detection and Response
- SOC
- SIEM
- Workbench
description: Expel is a managed detection and response (MDR) provider that delivers 24x7 security operations across endpoint,
  network, cloud, SaaS, identity, Kubernetes, and phishing surfaces. Customers and integration partners interact with Expel
  primarily through Workbench, Expel's investigation and case-management platform, which exposes a gated REST API for sending
  signals in from third-party tools and pulling alerts, investigations, and remediation actions back out into SIEMs, SOARs,
  and ticketing systems.
created: '2026-05-23'
modified: '2026-05-23'
specificationVersion: '0.19'
apis:
- aid: expel:expel-workbench-api
  name: Expel Workbench API
  tags:
  - Investigations
  - Alerts
  - Remediation
  - MDR
  humanURL: https://workbench.expel.io
  baseURL: https://workbench.expel.io/api
  properties:
  - url: https://workbench.expel.io
    type: Portal
    title: Expel Workbench (gated)
  - url: https://expel.com/integrations/
    type: Integrations
  description: The Expel Workbench API is a gated REST API used by customers and technology partners to integrate with the
    Expel MDR platform. The API powers ingest of signals from endpoint, cloud, SIEM, identity, and SaaS tools, surfaces Expel
    analyst investigations, alerts, findings, and remediation recommendations, and supports outbound integrations into customer
    SIEM, SOAR, ITSM, and notification systems. Access is provisioned to Expel customers and partners via the Workbench portal.
common:
- type: LinkedIn
  url: https://www.linkedin.com/company/expel
- type: Website
  url: https://expel.com/
- type: Portal
  url: https://workbench.expel.io
  title: Expel Workbench
- type: Integrations
  url: https://expel.com/integrations/
- type: Blog
  url: https://expel.com/blog/
- type: Resources
  url: https://expel.com/resources/
- type: ContactSales
  url: https://expel.com/contact/
- type: Careers
  url: https://expel.com/careers/
- type: Partners
  url: https://expel.com/partners/
- type: PrivacyPolicy
  url: https://expel.com/privacy-policy/
- type: TermsOfService
  url: https://expel.com/terms-of-use/
- type: Features
  data:
  - name: MDR for Cloud
    description: 24x7 managed detection and response across AWS, Azure, and Google Cloud
  - name: MDR for SaaS
    description: Detection and response across Microsoft 365, Google Workspace, Okta, and other SaaS platforms
  - name: MDR for Kubernetes
    description: Container and Kubernetes-aware detection and response
  - name: Phishing
    description: Managed phishing triage, investigation, and remediation
  - name: Threat Hunting
    description: Proactive hunting across customer telemetry by Expel analysts
  - name: Vulnerability Prioritization
    description: Risk-based vulnerability prioritization tied to threat context
  - name: Workbench
    description: Investigation, case-management, and analytics platform with REST API for customers and integration partners
- type: UseCases
  data:
  - name: 24x7 SOC Outsourcing
    description: Augment or replace an internal SOC with Expel's analysts and Workbench platform
  - name: Cloud Security Monitoring
    description: Continuous monitoring and incident response across multi-cloud environments
  - name: Phishing Triage and Response
    description: Automated and analyst-assisted phishing investigation and remediation
  - name: SIEM and SOAR Augmentation
    description: Use Expel as the analyst layer on top of existing SIEM and SOAR investments
  - name: Compliance and Reporting
    description: Use Workbench data and reports to support SOC2, PCI, and other compliance regimes
- type: Integrations
  data:
  - name: AWS
    description: Native MDR integrations for AWS accounts, GuardDuty, and related cloud signals
  - name: Microsoft Azure
    description: MDR coverage and integrations for Azure, Entra ID, and Microsoft Defender
  - name: Google Cloud
    description: MDR coverage for Google Cloud workloads and security signals
  - name: Microsoft 365
    description: SaaS detection and response coverage for Microsoft 365 tenants
  - name: Google Workspace
    description: SaaS detection and response coverage for Google Workspace tenants
  - name: SIEM Platforms
    description: Bidirectional integrations with Splunk, Sentinel, Chronicle, and other SIEMs
  - name: EDR Platforms
    description: Workbench connectors for CrowdStrike, SentinelOne, Microsoft Defender, and other EDR tools
  - name: Identity Providers
    description: Integrations with Okta, Entra ID, and other identity providers for identity-centric detections
maintainers:
- FN: Kin Lane
  email: [email protected]