Email & SaaS services

SALES & TECHNICAL GUIDE — SELECT A PRODUCT TO VIEW THE FULL PLAYBOOK

How these fit together: INKY and SaaS Defense handle threat detection at the email/cloud layer. SaaS Protection handles backup and recovery. SaaS Alerts monitors for insider threats and account compromise. BullPhish ID and Dark Web ID address the human layer — training your clients' people and watching for their exposed credentials.

Email & cloud security

✉️

INKY

INKY Technology

AI-powered email security that stops phishing, BEC, and spoofing — including attacks from legitimate domains that DMARC can't catch.

View guide →

🔔

SaaS Alerts

Datto / Kaseya

Real-time monitoring of M365 and Google Workspace for suspicious user behavior, account takeover, and insider threats.

View guide →

🛡️

SaaS Defense

Datto / Kaseya

Zero-day advanced threat protection for M365 — Exchange, OneDrive, SharePoint, and Teams. Data-independent detection catches what others miss.

View guide →

Backup & recovery

☁️

SaaS Protection

Datto / Kaseya

Automated 3x daily backup for M365 and Google Workspace — mail, Teams, SharePoint, OneDrive, Drive, and Contacts. One-click restore.

View guide →

Human layer — awareness & credential monitoring

🎣

BullPhish ID

ID Agent / Kaseya

Security awareness training and phishing simulation. Turns employees from the weakest link into an active layer of defense.

View guide →

🕵️

Dark Web ID

ID Agent / Kaseya

24/7/365 dark web monitoring for compromised credentials. Alerts you the moment a client's credentials appear in a breach or dark web marketplace.

View guide →

INKY

SALES GUIDE — TALKING POINTS & OBJECTION HANDLING

✉️

INKY

AI-powered email security that detects and blocks phishing, BEC, spoofing, and impersonation — including attacks DMARC and native M365 filters miss entirely.

INKY Technology

NTG context: INKY replaced Graphus in early 2026 and is now NTG's primary email security platform. It's the closest match to Perception Point in capability. DMARC protects against domain spoofing but does not stop display name spoofing from legitimate external domains — INKY covers that gap.

Best-fit clients

Strong fit

Any client on M365 or Google Workspace
Law firms and financial services (BEC exposure)
Clients who have clicked on phishing links before
Executives with high impersonation risk (CEO fraud)
Healthcare clients with PHI in email

Decent fit

SMBs with 10+ email users
Clients relying solely on M365 Defender
Any client processing invoices or wire transfers by email

Talking points & objections

Talking points

Catches what Microsoft misses

M365's built-in Defender is good at catching known threats. INKY uses behavioral AI to catch novel phishing, lookalike domains, and social engineering that Defender lets through — including zero-day attacks.

Stops display name spoofing

An attacker can send email from a legitimate Gmail or Yahoo account impersonating your CEO with their exact display name. DMARC doesn't stop this. INKY does — it flags the mismatch and warns the recipient inline.

Inline warnings, not just blocks

INKY adds visual banners inside suspicious emails — explaining why it's flagged before the user acts. That real-time coaching reduces clicks and builds awareness without separate training overhead.

BEC is the top financial threat

Business email compromise cost businesses over $2.9 billion in 2023 alone (FBI IC3). It's not malware — it's a convincing email asking someone to wire money or change payment details. INKY is specifically built to catch this.

Objection handling

"We already have M365 — doesn't that include email security?"

M365 includes Defender, which catches a lot — but it's signature-based and misses novel attacks. INKY adds a second AI layer that's specifically trained on phishing patterns Defender doesn't see. Think of it as a second set of eyes that never gets tired.

"We have DMARC set up."

DMARC is a domain authentication protocol — it's great at preventing someone from spoofing your exact domain. But it has no power over display name spoofing from a completely different legitimate domain. That's where most BEC attacks live today.

"Our people know not to click on phishing emails."

The attacks that work aren't obvious. Modern phishing looks exactly like a legitimate DocuSign, QuickBooks, or Microsoft notification. Even security-aware people get caught. INKY's inline banners give them a fighting chance in the moment.

"We've never had an email compromise."

Most companies don't know until after the wire transfer clears or the credentials show up on the dark web. The absence of a known incident isn't protection — it's just a gap in visibility.

SaaS Alerts

SALES GUIDE — TALKING POINTS & OBJECTION HANDLING

🔔

SaaS Alerts

Real-time behavioral monitoring for M365 and Google Workspace — detects account takeover, insider threats, and suspicious activity the moment it happens.

Datto / Kaseya

How it fits: INKY and SaaS Defense stop threats at the perimeter. SaaS Alerts watches what happens after — once someone is inside the M365 environment, SaaS Alerts catches the behavior: mass downloads, login from an unusual country, forwarding rules that route mail to external addresses, and more.

Best-fit clients

Strong fit

Law firms and financial services (data exfiltration risk)
Clients with remote or hybrid workforces
Any client post-breach or post-incident
Clients with compliance monitoring requirements
Organizations with frequent staff turnover

Decent fit

SMBs with sensitive client data in M365
Clients who've had disgruntled employee situations
Anyone asking about insider threat protection

Talking points & objections

Talking points

Perimeter tools stop outsiders — this stops insiders

Firewalls, email filters, and EDR are all designed to keep attackers out. SaaS Alerts watches what's happening from inside the M365 environment — by legitimate users whose credentials may be compromised or who are acting maliciously.

Account takeover detection

If a user's password gets compromised, the attacker logs in quietly and starts exfiltrating data or setting up mail forwarding rules. SaaS Alerts catches that behavior in real time — not weeks later during a forensic review.

Automated response

SaaS Alerts can automatically lock down a compromised account, remove malicious forwarding rules, and alert your team — all without waiting for someone to notice and respond manually.

Compliance and audit evidence

For regulated clients, SaaS Alerts provides an activity log that demonstrates active monitoring of cloud environments — exactly what GLBA, HIPAA, and cyber insurance auditors want to see.

Objection handling

"Doesn't M365 already have audit logging?"

M365 logs everything, but the logs don't alert you — they just accumulate. You'd need a full-time analyst watching them to catch anything in real time. SaaS Alerts does that watching for you and fires an alert the moment behavior looks wrong.

"We trust our employees."

This isn't about distrust — it's about compromised accounts. The threat isn't usually a bad employee; it's a good employee whose credentials got stolen and are now being used by someone in another country at 2am. SaaS Alerts catches that scenario.

"We're too small for insider threats to matter."

Account takeover happens at every size. SMBs are actually more vulnerable because there's no dedicated security team watching the logs. That's exactly what this service provides.

"How is this different from what RocketCyber does?"

RocketCyber monitors endpoints and infrastructure. SaaS Alerts is purpose-built for cloud application behavior — specifically M365 and Google Workspace. They complement each other; they don't overlap.

SaaS Protection

SALES GUIDE — TALKING POINTS & OBJECTION HANDLING

☁️

Datto SaaS Protection

Automated 3x daily backup and one-click restore for M365 and Google Workspace — mail, Teams, SharePoint, OneDrive, Drive, Calendar, and Contacts.

Datto / Kaseya

NTG context: SaaS Protection is already deployed across NTG's client base for M365 backup. SaaS Protection+ bundles SaaS Defense on top. The key sales conversation is closing the "Microsoft backs it up" myth — Microsoft's own service agreement states they will delete customer data 90 days after subscription termination, and they explicitly disclaim liability for that deletion.

Opener that works

Cold call / QBR conversation starter

"Is your email backed up? What would happen if someone deleted all their emails and walked out the door?"

Anyone you talk to will say their business email is important — that makes it a no-brainer opener. Follow with: "85% of a company's intellectual property flows through Outlook. Without an independent backup, that data is one accidental deletion away from being unrecoverable." Use industry-specific versions for law firms: "Without backup, losing case files to an accidental deletion could be devastating to an active trial."

Best-fit clients

Strong fit

Every M365 and Google Workspace client — no exceptions
Law firms with client file and email retention requirements
Healthcare with HIPAA data retention obligations
Financial services with email archiving requirements
Any client post-ransomware or accidental deletion incident
Clients with recent employee departures or turnover

Decent fit

Clients who believe M365 handles backup natively
SMBs with no documented retention policy
Clients moving to M365 from on-prem (migration safety net)
M365 renewal conversations — natural upsell moment

Talking points & objections

Talking points

Microsoft says so in writing

Microsoft's own service agreement states: "After the 90-day retention period ends, Microsoft will disable Customer's account and delete the Customer Data. Microsoft has no liability for the deletion of Customer Data." That's their words — not ours. Their documentation actively recommends third-party backup.

OneDrive sync makes data loss worse, not better

Many clients think OneDrive is a backup. It's not — it's a sync tool. If a file is deleted or infected on a local device, that change automatically syncs to OneDrive. The file is deleted or encrypted on both sides simultaneously. Real backup stores an independent copy that sync can't touch.

Native retention limits are dangerously short

Exchange Online recovers deleted data for only 30 days. OneDrive allows 93 days. After those windows close, the data is purged permanently. And recovering within those windows is a cumbersome manual process — not the one-click restore clients expect. Google Drive auto-deletes trashed files after just 30 days.

Departing employees are a hidden risk

When an employee leaves and their account is deleted, their mailbox, files, and Teams history go with it — unless you have a backup. Datto lets you retain that data without keeping an active (and expensive) M365 license. It's both a data protection strategy and a cost savings tool.

47% of data loss is caused by end users

Accidental or malicious deletion by end users accounts for nearly half of all cloud data loss. SaaS vendors can't distinguish intent — they can't reverse what looks like a deliberate user action. You can, with a real backup.

Teams is covered too

Most clients don't realize Teams data is at risk. SaaS Protection backs up public channel content, conversations, and calendar meetings. With Teams now central to how businesses operate, leaving it unprotected is a significant gap.

Objection handling

"Microsoft backs everything up — I pay for M365."

Microsoft maintains uptime and infrastructure — that's what you're paying for. Data protection under their Shared Responsibility Model is explicitly the customer's responsibility. We can show you their service agreement language that says they'll delete your data 90 days after termination with no liability.

"We have version history and recycle bins."

Those are retention features, not backup. Version history doesn't protect against ransomware — ransomware overwrites all versions and syncs the encrypted copies. Recycle bins have short expiry windows. Neither creates an independent copy stored outside Microsoft's infrastructure. That's what backup does.

"We have OneDrive — that's our backup."

OneDrive is a sync tool. If a file is deleted or infected locally, OneDrive syncs that change — meaning both copies are gone or compromised simultaneously. This is a critical misconception. Backup requires an independent copy that sync can't reach.

"We've never lost data before."

Most clients who lose data thought the same thing. A real MSP once deleted a mailbox per a client's request — a departing employee — only to have the client come back months later needing data from that account. Because backup was in place, they recovered it and looked like heroes. Without backup, that conversation ends very differently.

"What happens if a client still refuses?"

Have them sign a declination waiver. Document that you offered the service, explained the risks, and they declined. Datto has a template for this in the partner portal. It protects NTG from liability and often serves as a wake-up call — some clients sign the backup agreement just to avoid signing the waiver.

"What's the difference between SaaS Protection and SaaS Protection+?"

SaaS Protection is backup and recovery. SaaS Protection+ adds SaaS Defense — real-time advanced threat protection across Exchange, OneDrive, SharePoint, and Teams. One product recovers from disasters; the other tries to prevent them. Most clients who need one genuinely need both.

Sales strategy notes

Best time to sell

M365 or Google Workspace renewal conversations. When a client is already thinking about their subscription, adding backup as a line item is a natural extension. Lead with "while we're reviewing your M365 licenses, let's make sure we have backup covered."

Bundle it, don't sell it alone

The most successful MSPs include SaaS Protection automatically in their M365 bundles rather than selling it a la carte. When it's a line item in the bundle, the conversation shifts from "do you want it?" to "here's what's included." Much easier close.

The waiver tactic

If a client won't buy, require them to sign a declination waiver stating they were offered the service and refused. It protects NTG from liability and frequently converts the client — nobody wants to sign a document acknowledging they chose to leave their data unprotected.

SaaS Defense

SALES GUIDE — TALKING POINTS & OBJECTION HANDLING

🛡️

Datto SaaS Defense

Zero-day advanced threat protection for M365 — detects unknown malware, phishing, and BEC across Exchange, OneDrive, SharePoint, and Teams without relying on known threat signatures.

Datto / Kaseya

How it fits: INKY protects the email gateway — what comes in. SaaS Defense protects the M365 environment itself — files, chats, and documents once they're inside. They complement each other. SaaS Defense is also bundled with SaaS Protection in the SaaS Protection+ offering.

Best-fit clients

Strong fit

M365 clients with SharePoint and Teams heavily in use
Law firms and financial services
Clients who have experienced ransomware or malware
Clients with cyber insurance requirements
Any client running SaaS Protection (natural upsell to Protection+)

Decent fit

SMBs collaborating heavily via Teams or SharePoint
Clients sharing files with external partners regularly
Organizations with compliance audit exposure

Talking points & objections

Talking points

Detects threats that have never been seen before

Traditional security tools match against a database of known threats. SaaS Defense analyzes the composition of files and messages — it identifies what a safe document looks like and flags deviations. That means zero-day threats get caught at first encounter, not after the vendor updates their signatures.

Protects beyond email

Most clients think email is the only attack vector. SaaS Defense also scans files in OneDrive, messages in Teams, and documents in SharePoint. Malware that arrives via a Teams chat or a shared link is just as dangerous — and most tools don't catch it there.

Silent detection — no client disruption

SaaS Defense works in the background. Threats are neutralized before users see them. No false-positive flood, no end-user pop-ups, no IT tickets from confused staff.

Bundle value with SaaS Protection

If a client already has SaaS Protection, SaaS Defense is a natural add — and together they become SaaS Protection+, which is the full backup-plus-protection stack in one. One vendor, one dashboard, one billing line.

Teams is a major unprotected attack surface

With millions of daily active Teams users, it's become a primary vector for malware delivery via shared files, external links, and chat messages. SaaS Defense scans Teams content in real time — protecting public channel content, conversations, and files shared through Teams that most security tools never see.

Objection handling

"We already have M365 Defender."

M365 Defender is signature-based — excellent for known threats. SaaS Defense is data-independent and catches zero-day threats Defender misses. They work at different layers and are genuinely complementary, not redundant.

"We use INKY for email security — isn't that enough?"

INKY covers what comes through email. SaaS Defense covers the environment — files shared in Teams or OneDrive, links clicked inside M365, and documents uploaded by external collaborators. Different attack surface, different protection.

"How does this compare to what our AV does?"

Endpoint AV scans files on a device after they land. SaaS Defense operates at the cloud layer — it catches threats inside M365 before they ever reach a device. It protects the collaboration environment itself, which AV doesn't touch.

"Is this the same as SaaS Protection?"

No — SaaS Protection is backup and recovery. SaaS Defense is real-time threat detection. They solve different problems: Protection recovers data after something goes wrong; Defense tries to stop it before it does. Together they're SaaS Protection+.

BullPhish ID

SALES GUIDE — TALKING POINTS & OBJECTION HANDLING

🎣

BullPhish ID

Security awareness training and phishing simulation — video lessons, quizzes, and real-world phishing campaigns that turn employees from the weakest link into an active layer of defense.

ID Agent / Kaseya

Pair with Dark Web ID: BullPhish ID trains people to recognize and resist attacks. Dark Web ID monitors whether their credentials are already compromised. Together they cover both sides of the human risk equation — behavior and exposure.

Best-fit clients

Strong fit

Law firms and financial services with compliance training requirements
Healthcare clients with HIPAA security training mandates
Clients who have experienced a phishing click or incident
Clients with cyber insurance (many now require SAT)
Organizations with frequent new hires or high turnover

Decent fit

Any SMB where humans touch sensitive data
Clients who believe technical controls are enough
Organizations preparing for a compliance audit

Talking points & objections

Talking points

95% of breaches involve human error

Technology alone can't stop a user who's been convinced to hand over credentials or approve a fraudulent wire transfer. Security awareness training builds a human firewall — the one layer that gets better with investment, not worse over time.

Simulated phishing campaigns

BullPhish ID sends realistic phishing simulations to your staff and measures who clicks. The people who do get immediate, contextual training in the moment — turning a failure into a learning event without the embarrassment of a real incident.

Plug-and-play or customized content

Pre-built video lessons and quizzes cover all major security topics — phishing, password hygiene, social engineering, and more. Content can also be customized to your client's industry, brand, and specific risk profile.

Cyber insurance increasingly requires it

Many cyber insurers now ask about security awareness training during underwriting and at renewal. Having a documented, active SAT program can lower premiums and prevent coverage denials after an incident.

Objection handling

"We already do annual security training."

Annual training has almost no measurable impact on behavior — people forget within weeks. BullPhish ID runs ongoing simulations and short, regular lessons that actually change habits over time. It's the difference between a one-time lecture and a consistent coaching program.

"Our employees are smart — they won't fall for phishing."

The campaigns that land are designed to fool smart people. They look exactly like DocuSign, QuickBooks, Microsoft, or an email from the CEO. We've seen technically sophisticated users click. Simulation testing shows you the real risk, not what you assume it is.

"We have email filters — why do we need training too?"

Filters catch what they recognize. Novel attacks, well-crafted BEC, and attacks from legitimate domains get through. When they do, a trained employee is your last line of defense. Both layers are necessary.

"My staff will be annoyed by phishing tests."

Initial resistance is common. But once people understand the tests are meant to protect them — and after they see how realistic the simulations look — most employees become engaged and even competitive about not clicking. The culture shifts quickly.

Dark Web ID

SALES GUIDE — TALKING POINTS & OBJECTION HANDLING

🕵️

Dark Web ID

24/7/365 dark web monitoring that scours breach databases, criminal marketplaces, and dark web forums for your clients' compromised credentials — and alerts you the moment they appear.

ID Agent / Kaseya

Pair with BullPhish ID: Dark Web ID finds credentials that are already out there. BullPhish ID trains people to stop creating new ones. Together they're the complete human-layer package — monitor exposure and reduce future risk simultaneously.

Best-fit clients

Strong fit

Law firms, financial services, healthcare — any regulated client
Clients with cyber insurance (often required at renewal)
Clients who reuse passwords across personal and work accounts
Any client post-breach or post-incident
Organizations with high-value executive targets

Decent fit

SMBs of any size — credential theft doesn't discriminate
Clients who've never had a security assessment
Anyone asking "how do we know if we've been breached?"

Talking points & objections

Talking points

Credentials are being sold right now

Billions of usernames and passwords are actively traded on dark web marketplaces. The average time between a credential being stolen and being used in an attack is measured in hours — not days. Dark Web ID monitors in real time, not in quarterly reports.

You don't know what you don't know

Most businesses have no idea their credentials are compromised until an account gets taken over. Dark Web ID closes that visibility gap — you find out when we find a match, not when the attacker acts on it.

Human + machine intelligence

Dark Web ID combines automated scanning with human analyst intelligence to monitor not just known breach databases but active criminal forums, paste sites, and dark web marketplaces where credentials are actively traded.

Actionable alerts, not just reports

When a match is found, Dark Web ID tells you exactly which credential was found, where it appeared, and what to do — reset the password, force MFA enrollment, or escalate to investigation. It's a response tool, not just a monitoring tool.

Objection handling

"We use MFA — our accounts are protected even if passwords leak."

MFA is critical and you're right that it helps. But compromised credentials are still used in MFA fatigue attacks, SIM swapping, and targeted phishing designed to capture the MFA token too. Knowing which credentials are exposed helps you prioritize who needs extra protection immediately.

"Can't I just use HaveIBeenPwned for free?"

HaveIBeenPwned is a great personal tool — but it only shows you historical public breaches. Dark Web ID monitors active criminal marketplaces and private breach data that never makes it to public databases, plus it alerts you in real time rather than requiring you to check.

"How do you access the dark web without getting us in trouble?"

ID Agent has a dedicated team of analysts who operate in these environments legally and ethically as part of their research. You're not accessing anything — they monitor on your behalf and surface only what's relevant to your domain.

"We require strong passwords and change them regularly."

Password policies control what people set — they can't control what gets stolen. A strong password that's been captured in a breach is just as compromised as a weak one. Dark Web ID catches the theft regardless of password strength.