BreachScan Outbound Playbook

New Strategy

Breach-led prospecting: Find exposed businesses, reach their MSP

← Back to RiskSense

The Hard Truth: Why Cold Breach Outreach Usually Fails

Before we design the outreach, we need to understand why the obvious approach doesn't work:

What They See

Subject: "Security Alert: Your data found on dark web"

Their immediate thought:

  • • "This is definitely a scam"
  • • "This is a phishing email"
  • • "They're trying to scare me into buying something"
  • • "Delete and block"

Why They Think That

• They get 10 scam emails a day with similar subject lines

• Legitimate security companies don't cold-email

• "We found your data" = classic extortion setup

• They have zero context on who we are

• Trust is literally at zero — worse than zero

The Problem: The more "urgent" and "security-focused" our message, the MORE it looks like the scams they're trained to ignore. We have to approach this completely differently.

Stakeholder Psychology Map

Stakeholder 1: Business Owner / Office Manager

Their Mental State

  • • Busy — 200 emails today
  • • Skeptical — seen it all before
  • • Defensive — "IT handles this"
  • • Anxious — what if it IS real?
  • • Annoyed — another vendor pitch

Their Fears

  • • "Is this extortion?"
  • • "Will I look stupid if I forward this?"
  • • "What if I ignore it and something happens?"
  • • "I don't understand this tech stuff"
  • • "Is this going to cost me money?"

What Would Earn Trust

  • • No ask whatsoever
  • • Easy to verify we're legit
  • • Explanation of why we're doing this
  • • They can ignore it if they want
  • • Feels like a person, not a campaign

Stakeholder 2: Their IT Person / MSP

Their Mental State

  • • Territorial — "who's talking to my client?"
  • • Defensive — "are they saying I missed this?"
  • • Suspicious — "what's the vendor angle?"
  • • Busy — juggling 50 clients
  • • Opportunistic — always looking for upsells

Their Fears

  • • "Client will think I'm not doing my job"
  • • "Is this vendor trying to steal my client?"
  • • "Will this create work for me?"
  • • "Is this data even legit?"
  • • "Am I being set up to look bad?"

What Would Earn Trust

  • • Make them look good, not bad
  • • Give them the tool, not the pitch
  • • No direct client contact (they control it)
  • • Help them upsell, not compete
  • • Respect the relationship

The Step-by-Step Flow

Ultimate Goal: Get MSPs Subscribing to RiskSense

1
Scan Domains
Find breached businesses
2
Call Business
Discover who handles IT
3
Fork
MSP / Internal IT / HR
4
Gift Value
Free report, no pressure
5
Convert
MSP subscribes
Key Insight: You can't skip the phone call. Online research won't reliably tell you who manages their IT. The call IS the discovery — and it's also your first touchpoint to establish trust.

Step 1: Find Breached Businesses

Scan 1,000-2,000 business domains daily with BreachScan. Identify those with breached credentials.

Target Domains

NZ professional services, 20-200 employees

Qualification

Must have actual breached credentials, not just domain exposure

Output

List of breached businesses ready for outreach

Step 2: The Discovery Call

Call the Business — This IS the Discovery

You won't find who manages their IT from LinkedIn or website footers. You have to call and ask.

Opening Script:

"Hi, can I speak to whoever handles your IT?"

What Happens Next

They Give You a Name

"That's John, I'll put you through"

→ You've got your IT contact

They Say It's Outsourced

"We use [MSP Company Name]"

→ Gold — you have the MSP

They Block You

"What's this regarding?"

→ Call back, try HR route

The HR Backup Route

If reception blocks you, call back and ask for HR instead:

"Hi, could I speak to someone in HR? It's about cybersecurity training."

Security training IS an HR concern. This gets you to a decision maker who can either help directly or connect you to whoever handles IT.

Step 3: Fork Based on What You Learn

Path A: They Have an MSP

Best outcome

You now know who manages their IT.

1. Contact the MSP directly

2. Gift them a breach report for their client

3. MSP looks like a hero to their client

4. MSP comes back to us for more

Goal: MSP subscribes to RiskSense so they can do this for all clients

Path B: Internal IT Person

Direct conversation

They have someone in-house who handles IT.

1. "We found your data in a breach"

2. Offer the free report

3. Ask if they work with any IT partners

4. Plant the seed for RiskSense

Goal: Either direct sale, or intro to their MSP contacts

Path C: HR Route

Training angle

You got through via the training angle.

1. "We help with security awareness"

2. "We also found breach data on your company"

3. "Who should I share this with?"

4. Get intro to IT decision maker

Goal: Get to the IT contact or MSP name

Core Principle: Give Value, Ask Nothing, Let Them Come To Us

🎁

Give First

Full report, no strings attached

🚫

No Pressure

No demos, no follow-up calls booked

🚪

Open Door

They reach out when ready

The Psychology: When someone gives you something valuable with no ask, you feel obligated to reciprocate. When they ask for something immediately, you feel manipulated. We're playing the long game — build goodwill, wait for them to come to us.

Path A: Reaching the MSP (After You Have Their Name)

Once you know who manages the business's IT, contact the MSP directly with a gift — not a pitch.

MSP-First Email: "Gift" Positioning

Subject: Breach data for one of your clients (free intel)

Hey [First Name],

I run security research at RiskSense. We scan breach databases to help businesses know when their data is exposed.

I came across a company I believe is one of your clients — [Client Name]. We found [X] employee credentials from their domain in a recent breach dump.

I've attached a report with the details. Figured you'd want to know so you can advise them on password resets, MFA, etc.

No strings attached — just thought it'd be useful for you.

Cheers,
[Your name]
RiskSense | risksense.cloud

P.S. If you want, I can run scans on your other clients too. Free for MSP partners. But no pressure — this report is yours either way.

Why This Works

✓ Makes MSP look good — they get to be the one who tells their client

✓ No ask — report is attached, not gated behind a call

✓ Soft offer — "I can scan your other clients" is buried in P.S.

✓ Easy to verify — they can check risksense.cloud

✓ No pressure — "no strings attached" is explicit

✓ Reciprocity — they feel obligated to at least reply

MSP Response Scenarios

Scenario A: "Thanks, this is helpful"

They appreciated it. Now we nurture.

"Glad it helped! Let me know if you want me to run a few more of your clients through. Takes 30 seconds per domain, and I can send you the reports directly. Cheers."

Goal: Get them to send us more domains → builds habit → they become dependent on us for breach intel.

Scenario B: "Who are you? How did you get this?"

They're suspicious but engaged. Good sign.

"Fair question. We're RiskSense — security awareness for MSPs. We scan public breach databases (same data attackers have access to) and notify businesses proactively. Found [Client] in a recent dump and figured you'd want to know. Happy to jump on a call if you want to verify us, but no pressure."

Goal: Build trust through transparency. Offer call but don't push.

Scenario C: "Can you scan more clients?"

They're hooked. This is the ideal outcome.

"Absolutely. Send me a list of domains and I'll run them through. If you want, I can also show you how we do this — we have a partner portal where you can run scans yourself and generate branded reports. But happy to do it for you in the meantime."

Goal: Get them using us regularly → natural transition to partner program.

Scenario D: No response

They didn't reply. Most won't. That's fine.

Wait 2 weeks. Then: "Hey [Name], just following up — did the breach report for [Client] make it to you? Let me know if you have questions. Also happy to run a few more of your clients if useful."

Goal: Stay top of mind without being pushy. One follow-up only, then move on.

Channel A: Direct to Business (Fallback)

When We Can't Identify the MSP

If we can't find who manages their IT, we go direct. But we have to work much harder to not look like a scam.

Trust-Building Elements Required

🏢
Real Address

Physical NZ business address in signature

🔗
Verifiable Website

risksense.cloud with team photos, about page

📱
Phone Number

Real NZ number they can call

🎁
Full Report Attached

Not gated, not "click here to see"

Subject: [Company Name] - credential exposure check (no action needed)

Hi,

I run a small security research company called RiskSense, based in [City, NZ]. We monitor public breach databases to help businesses know if their data has been exposed.

I came across [Company Name] in a recent scan and found that [X] email addresses from your domain appear in breach records. I've attached a summary showing which accounts are affected.

You don't need to do anything with this email. I'm not selling anything, and there's no follow-up call or meeting. I just thought you'd want to know so you can pass it to whoever handles your IT, if you have someone.

If you're curious about us, we're at risksense.cloud, or you can call me on [phone].

Take care,

[Your full name]
RiskSense
[Physical address], NZ
[Phone number]

Why This Framing Works

  • ✓ "No action needed" in subject line — defuses the scam alarm
  • ✓ "Small company based in [City]" — human, local, verifiable
  • ✓ "I'm not selling anything" — explicitly stated, reduces suspicion
  • ✓ "Pass it to whoever handles your IT" — plants the seed without pushing
  • ✓ Full contact details — we're real, we're reachable, we're accountable

Follow-Up Philosophy

What NOT To Do

  • "Just following up on my email..."
  • "Did you get a chance to review..."
  • "I'd love to schedule a call..."
  • Multiple follow-ups escalating urgency
  • "This is time-sensitive..."

These all scream "desperate salesperson" and confirm their suspicion that we're just here to sell them something.

What TO Do

  • One follow-up max (after 2 weeks)
  • Add more value in follow-up (new info, updated scan)
  • Make it easy to ignore ("No need to reply if not relevant")
  • Be genuinely okay with no response
  • Leave door open without pressure

Our goal is to be remembered positively, so when they DO need security help, they think of us.

The Long Game: Most won't respond. That's fine. We're planting seeds. When they have a security incident, or their cyber insurance asks about training, or their MSP mentions breach monitoring — they'll remember "that company that sent us the free report." That's when they reach out.

Revised Metrics (Realistic)

Stage Weekly Volume Conversion Output
Domains scanned 5,000
Breaches found (~20%) 1,000 20% 1,000 breached businesses
MSP identified (~30%) 300 30% 300 → MSP-first channel
MSP outreach sent 300
MSP responses (~15%) 45 15% 45 MSP conversations
MSPs requesting more scans (~50%) 22 50% 22 engaged MSPs
MSPs becoming partners (~25%) ~25%/month 5-6 new partners/month

Direct Channel (No MSP Found)

700/week → ~3% response → ~20 conversations → mostly "thanks" or forwarded to IT → ~2-3 eventual MSP intros

Combined Monthly Output

~5-8 new MSP partners/month through pure goodwill and value-first approach

Plan B: Give MSPs the Tool (usecure Model)

If Outbound Doesn't Scale: Productize BreachScan

If the vendor-initiated outbound is too labor-intensive or doesn't convert, we pivot to the usecure model: give MSPs BreachScan as a self-serve prospecting tool.

What We'd Build

  • MSP Portal: Enter domains, get instant results
  • Branded Reports: MSP logo, their contact info
  • Email Templates: Ready-to-send outreach
  • Bulk Upload: Scan entire client list at once

Business Model

  • Free tier: 10 scans/month (prospecting hook)
  • Partner tier: Unlimited scans (RiskSense partners only)
  • Bundled: Include with RiskSense subscription
Trigger for Plan B: If after 8 weeks of outbound we're getting <5% MSP response rate, pivot to building the self-serve tool. But try Plan A first — it's more differentiated.

Implementation Actions

Week 1

Build MSP identification workflow

Process to find who manages a company's IT from public sources

Week 1

Create breach report templates

PDF for MSPs, PDF for businesses, both professional and scannable

Week 2

Source 1,000 NZ domains

Professional services, 20-200 employees, ideally with identifiable MSPs

Week 2

Run pilot scans

Validate breach detection rate, refine qualification criteria

Week 3-4

Launch MSP-first outreach

100 MSP outreaches with "gift" positioning, measure response

Week 5-8

Scale and iterate

Refine messaging based on responses, increase volume

Decision: Approve BreachScan Pilot (Revised Approach)

Pilot Investment

  • MSP research + outreach (4 weeks): $6,000
  • Report templates + collateral: $1,000
  • Domain sourcing: $500
  • Total: ~$7,500

Success Criteria (8 weeks)

  • 300+ MSP outreaches sent
  • 40+ MSP responses
  • 15+ MSPs requesting more scans
  • 5+ MSPs becoming partners
Key Shift: We're now leading with the MSP-first "gift" approach, using value and goodwill to build relationships. No hard selling, no urgency tactics. Just be genuinely helpful and let partnerships develop naturally.
Management Recommendation: Approve Pilot
Add to Actions