How to Use External Recon Data as a Cold Outreach Tool for MSP Prospecting

Most MSP cold outreach is indistinguishable from noise. A sequence of emails about how you have been helping businesses like theirs with IT and security. A LinkedIn message asking if they have considered upgrading their cybersecurity posture. A cold call that opens with “how are you handling your IT today.” None of it gives the prospect a reason to respond, because none of it demonstrates that you know anything specific about their situation — which means they have no reason to believe you can help with it.

External recon data changes this equation. Before you send a single message, you can know things about a prospect’s environment that are both specific and actionable: whether their email domain is missing a DMARC policy, whether their SSL certificate is expiring or using a deprecated cipher, whether executive email addresses have appeared in breach datasets, whether they are running services on ports visible to the public internet that suggest unpatched infrastructure. That data is not obtained through any unauthorized access — it is what any external party, including a threat actor, can see about their organization without credentials.

Using that data in outreach — correctly — turns a cold contact into a professional peer sharing actionable intelligence. Using it incorrectly turns a cold contact into something that reads like a threat, a gotcha, or an intrusion. The difference is almost entirely in framing.

What External Recon Data Actually Tells You

The categories of externally visible data most useful for MSP prospecting fall into five areas, each of which suggests a different conversation opener and a different compliance or business risk angle.

Email authentication posture. SPF, DKIM, and DMARC records are publicly queryable DNS records that tell you whether an organization has implemented email authentication controls. A missing or misconfigured DMARC record means the domain can be spoofed — an attacker can send email that appears to come from the organization’s exact domain with no technical barrier. This finding is relevant to HIPAA (information integrity), CMMC (configuration management), PCI DSS (authentication requirements), and basic cyber insurance underwriting. It is also extremely common: the majority of SMB domains have either no DMARC record or a DMARC record in monitoring mode rather than enforcement, which provides zero protection against spoofing.
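As an added example (not the article's or any vendor tool's own code), here is a small Python classifier for the email authentication finding described above: it parses SPF and DMARC TXT records and reports whether the domain is spoofable, distinguishing a missing record, monitoring only (p=none), a partially applied policy (pct below 100), and full enforcement. The records are constructed samples so it runs offline; the DNS lookups themselves (TXT at the domain for SPF, at `_dmarc.<domain>` for DMARC) are left to whatever resolver you use.

```python
"""Classify a domain's published email-authentication posture from its SPF and
DMARC TXT records.  Added example; records are passed in as strings so the check
runs offline.  In practice the strings come from DNS TXT lookups of <domain>
(SPF) and _dmarc.<domain> (DMARC)."""


def parse_dmarc(txt):
    """Return the DMARC record's tag/value pairs, or None if it is not DMARC."""
    if txt is None or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_posture(txt):
    """One of: missing, monitoring, partial, enforced."""
    tags = parse_dmarc(txt)
    if tags is None or "p" not in tags:
        return "missing"              # no record or no policy tag: no protection
    policy = tags["p"].lower()
    if policy == "none":
        return "monitoring"           # reports only; spoofed mail is still delivered
    try:
        pct = int(tags.get("pct", "100"))   # share of failing mail the policy applies to
    except ValueError:
        pct = 100
    if policy in ("quarantine", "reject") and pct >= 100:
        return "enforced"
    return "partial"                  # valid policy but only applied to a sample


def spf_posture(txt):
    """How the SPF record treats senders it does not list (its trailing 'all')."""
    if txt is None or not txt.strip().lower().startswith("v=spf1"):
        return "missing"
    last = txt.split()[-1].lower()
    if last == "-all":
        return "hard fail"
    if last == "~all":
        return "soft fail"
    if last in ("+all", "?all", "all"):
        return "no enforcement"       # +all / ?all effectively authorize any sender
    return "no all mechanism"


def assess(domain, spf_txt, dmarc_txt):
    """Summarize the finding the way the outreach opener needs it."""
    dmarc = dmarc_posture(dmarc_txt)
    return {"domain": domain, "spf": spf_posture(spf_txt), "dmarc": dmarc,
            # Without an enforcing DMARC policy, receivers have no instruction to
            # reject or quarantine mail that fails SPF/DKIM alignment.
            "spoofable": dmarc in ("missing", "monitoring")}


# Constructed sample records (not real domains).
SAMPLES = {
    "clinic.test": ("v=spf1 include:_spf.mailhost.test ~all",
                    "v=DMARC1; p=none; rua=mailto:dmarc@clinic.test"),
    "lawfirm.test": ("v=spf1 mx -all", "v=DMARC1; p=reject; adkim=s; aspf=s"),
    "shop.test": (None, None),
}

if __name__ == "__main__":
    for name, (spf, dmarc) in SAMPLES.items():
        print(assess(name, spf, dmarc))
```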

SSL certificate condition. SSL certificate expiry, weak cipher suites, and mixed-content configurations are externally visible. An expired or soon-to-expire SSL certificate means the organization’s website will generate browser warnings — a visible customer-facing failure that most decision-makers care about immediately. Weak cipher suites are more relevant for compliance-obligated clients: PCI DSS 4.0 has explicit requirements around deprecated TLS versions, and a client running TLS 1.0 or 1.1 on their payment-facing application is out of compliance.

Credential breach exposure. Dark web breach datasets contain email addresses from known data breaches across thousands of services. An executive or employee whose email address appears in breach data has had credentials exposed — potentially including passwords that are being reused on corporate accounts. For compliance-obligated clients, this is direct evidence of the kind of credential exposure that leads to business email compromise, and it is the type of specific, named finding that makes an outreach message feel like intelligence rather than a pitch.

Exposed services and open ports. Shodan and SecurityTrails index publicly visible services and open ports across the internet. An organization with RDP, SMB, or administrative interfaces exposed to the public internet without appropriate access controls is running a configuration that is directly targeted by automated scanning tools within minutes of exposure. For regulated clients, an exposed administrative service is an access control finding that maps directly to CMMC, HIPAA, and NIST CSF requirements. For any client, it is a concrete, specific vulnerability you can reference before any engagement begins.

HTTP security headers. HTTP security header configuration — Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, and others — is visible in any web server response. Missing or misconfigured security headers are relevant to web application compliance requirements under PCI DSS 4.0 and are a standard finding in web application security assessments. For a client who handles payments or sensitive data through a web interface, missing headers are a low-cost, high-visibility finding that demonstrates awareness of their specific environment.

The free security tools page provides purpose-built checks across all of these categories — external vulnerability scan, dark web breach check, SSL analyzer, SPF/DKIM/DMARC checker, DNS security audit, HTTP security headers check, and a security posture scorecard — without requiring any internal access to the prospect’s environment.

What to Say — and What Not to Say

The frame that works: you ran a check, you found something specific, you wanted to share it because it is relevant to the prospect’s situation, and you are offering a short conversation to walk through what you found and what it means. Professional, peer-level, non-threatening.

The frame that does not work: you found a vulnerability, they are at risk, you can fix it if they call you now. This reads as a scare tactic whether it is intended as one or not, and it immediately positions you as someone trying to close a deal rather than someone trying to help. Sophisticated buyers — the ones you want — will not respond to it, and the ones who do will often be the ones most likely to cancel when the urgency wears off.

Specific things to avoid:

  • Do not say “your network has vulnerabilities” — this is vague and sounds like a threat.
  • Do not say “we found serious security issues with your systems” — “serious” is a judgment that belongs after the conversation, not in the opening line.
  • Do not send a long list of findings in the cold message — one specific, relevant finding is more effective than ten findings that feel like a report no one asked for.
  • Do not frame the check as something you do to everybody — frame it as something you did because they are a prospect you are reaching out to. It should feel like a professional courtesy, not a form letter with a mail-merge variable.
  • Do not lead with the worst finding you found — lead with the most relevant one to their compliance or business situation.

What does work:

  • One specific finding, stated in plain English, connected to a business or compliance consequence the prospect recognizes.
  • An offer to walk through the full results — not a demand for a meeting, but an invitation to a conversation that has something concrete to discuss.
  • A short, specific call-to-action: fifteen or twenty minutes, on a named day or two, to walk through the findings together.
  • A tone that reads like a peer sharing information they thought was worth passing along — not a vendor trying to qualify a lead.

Three Outreach Angles That Work in Practice

Angle 1 — Email authentication and business email compromise risk

Best for: Any organization that sends invoices, contracts, or client communications by email. Healthcare practices, legal firms, financial advisors, defense contractors. Universally applicable, high relevance regardless of compliance framework.

The finding: DMARC record is missing or set to p=none (monitoring only, no enforcement). The domain can be spoofed.

The opener: “I ran a quick check on [domain.com]’s email authentication settings before reaching out. Your DMARC record is currently set to monitoring only, which means someone could send email that appears to come from your exact domain — your clients would see it as coming from you with no technical indicator that it is fraudulent. It is a straightforward fix, but I wanted to flag it before reaching out. Happy to walk through the full check if you have fifteen minutes — are you free [day] or [day]?”

Why it works: The prospect immediately recognizes the business consequence — their clients receiving fraudulent invoices that look exactly like theirs. It does not require any security background to understand why that is bad. The fix is concrete and achievable, which prevents the response of “that sounds like a lot of work.” The opening checks — and the offer to share the full results — frame the relationship as one where you are already doing work on their behalf before they have agreed to anything.

Angle 2 — Credential breach exposure

Best for: Organizations where a named executive or a significant number of employees appear in breach datasets. Healthcare, legal, financial — any environment where a compromised credential reaching regulated data is a reportable event.

The finding: One or more email addresses from the domain appear in known breach datasets.

The opener: “I ran a dark web breach check on [company name]’s domain before reaching out — [X] email addresses from your organization appear in known breach datasets. That does not necessarily mean those accounts have been compromised, but it means those credentials have been exposed in some context. For a [healthcare practice / defense contractor / financial firm], that is the kind of finding worth knowing about before an auditor or an insurer asks about it. Happy to share the full results and walk through what they mean — do you have twenty minutes this week?”

Why it works: Naming the count without naming the specific addresses strikes the right balance — it is specific enough to be credible but does not feel like you are publishing their employees’ personal information in a cold email. The compliance angle — an auditor or insurer asking about it — grounds the conversation in external pressure rather than hypothetical risk. The offer to share the full results creates a reason to get on the call.

Angle 3 — Exposed services for compliance-obligated clients

Best for: Defense contractors, manufacturing firms, healthcare IT environments — any organization where externally visible administrative services represent a direct compliance finding rather than just a theoretical risk.

The finding: RDP, SMB, or an administrative console visible on a public-facing IP associated with the organization’s domain.

The opener: “I ran an external scan on [company name]’s public IP range before reaching out — there are a few services visible from the internet that caught my attention, including [service name] on [port], which is the kind of thing that shows up as a direct finding in a CMMC assessment. I did not go beyond what any external party can see, but I wanted to flag it. If you have fifteen minutes, I can walk through the full scan results and what they would look like in a formal compliance review — are you available [day]?”

Why it works: The explicit statement that you did not go beyond what any external party can see is important — it preempts the “how did you access our systems” question that this type of outreach sometimes triggers. Naming the specific service and port is more credible than a vague reference to “issues we found.” The compliance consequence — this shows up in a CMMC assessment — immediately reframes the finding as a business risk rather than a technical detail.

How to Move From a Finding to a Booked Call

The cold message gets a response. Now what?

The goal of the first response is not to sell anything. It is to get to a twenty-minute call where you share the full results, confirm their compliance situation, and determine whether there is a gap you can help close. Everything before that call is setup. Do not try to close anything in email.

When a prospect responds — even if the response is skeptical or asking what you found — the reply has one job: make it easy to get to the call. “Happy to send you the full report — I can also walk through it with you, which makes it easier to ask questions about specific items. Do you have fifteen minutes on [day] at [time], or [alternative]?” Two specific time options, not a link to a calendar. Options are easier to respond to than open-ended scheduling requests.

On the call itself, the structure that moves toward a discovery engagement rather than a dead end has three parts. First, walk through the external findings — share the screen if you can, present the report, let the prospect see exactly what you found and exactly how you found it. This transparency about the process removes any residual concern about how you obtained the data. Second, ask the compliance question: “Are you under any specific compliance obligations — CMMC, HIPAA, cyber insurance requirements — where these findings would be relevant?” The answer tells you the scope and urgency of the engagement. Third, close to next step: “Based on what we found externally, I would want to run a fuller internal assessment to see how this compares to what is happening inside the network. Would you be open to scheduling that?”

The self-assessment is a useful bridge between the external findings conversation and the fuller internal engagement. A prospect who has just seen their external posture score and heard the compliance implications is primed to spend five minutes on the self-assessment — which generates a branded report that covers both external and self-reported internal posture, gives them something concrete to share internally, and gives you a second data point to reference in the follow-up.

The sequence that produces the fastest close — the ad click to verbal agreement in under 24 hours that the Revenue Engine is designed around — works because the prospect has seen evidence before they ever talk to a person. The external findings, the self-assessment report, the compliance implication — by the time they are on a call, the decision to engage is already substantially made. The call is confirmation and scoping, not persuasion.

The 48-Hour Security Revenue Engine walks through the full workflow — how evidence-led outreach, free tools, and a structured follow-up sequence combine to move a cold prospect to signed MRR in under two business days.

The Workflow in Practice: Five Prospects Per Week

Here is what a realistic, sustainable external recon prospecting workflow looks like at the individual account manager level. The goal is not volume for its own sake — it is a repeatable process that produces quality first contacts with specific, evidence-backed openers.

Monday: Identify five target companies in your compliance vertical — defense contractors, healthcare practices, whatever your primary segment is. Pull their domains. Run the external check suite on each: SPF/DKIM/DMARC, SSL, dark web breach, HTTP headers. Takes about twenty minutes total with purpose-built tooling.

Monday–Tuesday: Review the results for each target and identify the single most relevant finding for each one — the finding most likely to resonate based on their industry and probable compliance obligations. Write a personalized opener for each using the frameworks above. Send.

Wednesday: Follow up on any non-responses with the day-two touchpoint referencing a second finding from the check. Keep it to one sentence plus a call to action.

Thursday–Friday: Take any response conversations to calls. For non-responses after two touches, move them to a longer-cycle compliance deadline nurture sequence rather than continuing to cold-message.

At five per week, fifty weeks per year, that is 250 targeted, evidence-backed cold contacts annually — each of which has a specific, documented finding attached to it rather than a generic security pitch. The response rate on specific, finding-anchored outreach is consistently higher than generic security messaging, and the quality of the conversations that result is better because the prospect already knows what you found before they agree to talk.


To see how the full external check suite, self-assessment workflow, and Revenue Engine fit together as a system — and how the platform’s OSINT and external scanning integrates with ongoing client security monitoring — book a 30-minute demo.



Frequently Asked Questions

Is it legal to run external scans on a prospect’s domain before engaging them?

The checks described in this article — DNS record queries, SSL certificate inspection, HTTP header checks, dark web breach database lookups, and passive OSINT through tools like Shodan — all operate on publicly available information. They do not require credentials, do not involve accessing internal systems, and do not exceed what any external party can see about an organization’s public-facing infrastructure. This is fundamentally different from active network scanning that probes internal systems or bypasses access controls. The legal and ethical line is between passive observation of publicly visible information and active intrusion into systems you are not authorized to access. Everything in this article stays firmly on the passive observation side. When in doubt, consult your legal counsel on what is appropriate in your jurisdiction and for your specific tooling.

How do I handle the prospect who asks “how did you get this information?”

Answer directly and without defensiveness: “All of this data is publicly visible — it is what any external party, including a threat actor, can see about your organization without any credentials or special access. We run these checks on every prospect we reach out to as a courtesy — it helps us make sure the conversation is relevant to what you are actually facing.” That answer is transparent, accurate, and reframes the question from “did you do something unauthorized” to “oh, this is information that is visible to everyone.” Most prospects find the latter more concerning than the former.

What if the external check turns up nothing significant?

First, that is relatively rare — most SMB domains have at least one of the common findings. Second, a clean external check is itself a useful data point: it tells you the prospect has done some basic hygiene on their perimeter, which means the more interesting conversation is about whether their internal controls and compliance posture match their external appearance. “Your external posture is cleaner than most companies your size — which usually means the gaps are internal. We have found that externally clean environments often have significant AD or cloud identity issues that are not visible from outside. Would you be open to a conversation about what an internal review would show?” That is a different opener, but it still leads to a qualified conversation.

How do I avoid sounding like a threat actor in my outreach?

Three things: identify yourself and your company clearly in the first sentence, explain the professional context for the check before stating the finding, and offer to share rather than withhold. “We found serious vulnerabilities in your network” sounds threatening because it withholds specifics and implies leverage. “I ran a quick external check before reaching out — [specific finding] came back, which I wanted to flag” sounds like professional due diligence because it is transparent about what you did and why. The distinction is between demonstrating knowledge and implying threat. Everything in the framing guidance in this article is designed to stay on the right side of that line.

Should I send the full report in the cold email or save it for the call?

Save the full report for the call, or offer to send it in exchange for the meeting. Attaching a full scan report to a cold email — especially from an unknown sender — is likely to trigger spam filters, is likely to be ignored if it arrives, and removes the primary incentive for the prospect to get on a call with you. The cold message should reference one specific finding and offer to walk through the rest. “I have the full results if you want to go through them” is a reason to schedule a call. A PDF attachment to an unsolicited email is something someone closes without reading.

How do I scale this without it becoming a copy-paste process that loses the personalization?

The personalization is in the finding, not the prose. The message template can be largely consistent — the opener, the offer, the call to action. What is personalized is the specific finding you lead with, the compliance framework you reference based on their industry, and any other context you have from research (recent contract wins, changes in leadership, new regulatory announcements in their sector). A well-structured template with one personalized finding reference per prospect reads as specific even if the surrounding language is standardized. The goal is not to rewrite every word — it is to ensure that the prospect cannot look at the email and reasonably conclude that it was sent to a thousand people at once.
