Expel licensing usage measures counts of Endpoints, Resources, Users, and Emails submitted. This page explains what is included in those counts for each type of MDR product.
The MDR product types listed here are the primary ones where we find counts for determining your usage. There are many more integrations we support.
Endpoints
Expel counts the on-prem endpoints in your environment that have been seen within the past 30 days.
- If you have multiple endpoint security products, we use the one with the highest count (this is because we assume you've installed all of your endpoint products on the same hosts).
- If your environment has one endpoint security product covering some hosts and a different endpoint security product covering other hosts, we work with you to manually arrive at the correct quantity for your environment.
What's Not Counted
We do not count cloud-hosted endpoints (see Cloud Security below), mobile devices, or devices like printers, thermostats, or other things (IoT / OT) with an IP address in the usage data.
More Details
For these products, we count the following (all are of the endpoint resource type):
CrowdStrike | The hosts with a null service provider. |
Microsoft Defender | The machines with a status of "onboarded." |
Palo Alto Networks Cortex | The endpoints. |
SentinelOne | The number of agents that do not have a cloud provider of AWS, GCP, or Azure in SentinelOne. |
VMware Carbon Black Cloud | The sensors. |
VMware Carbon Black EDR | The sensors. |
Cloud
Cloud Security
Expel counts the cloud-hosted endpoints in your environment that have been seen within the past 30 days.
- If you have multiple cloud-hosted endpoint security products, we use the one with the highest count (this is because we assume you've installed all of your endpoint products on the same hosts).
- If your environment has one cloud-hosted endpoint security product covering some hosts and a different cloud-hosted endpoint security product covering other hosts, we work with you to manually arrive at the correct quantity for your environment.
What's Not Counted
We do not count on-prem total endpoints (see Endpoints above), mobile devices, or devices like printers, thermostats, or other things (IoT / OT) with an IP address in the usage data.
Kubernetes
We count the median number of nodes over the past 30 days, across all clusters. Kubernetes services and pods are informational only and are not factored into your usage.
Cloud Infrastructure
Expel counts instances, compute resources, storage resources, serverless resources, and any resources being acted upon by API calls. We count the median data point from the past 30 days, which prevents the data from being skewed by outliers. Note that cloud-hosted endpoints are counted under Cloud Security.
What's Not Counted
We do not count mobile devices or devices like printers, thermostats, or other things (IoT / OT) with an IP address in the usage data.
More Details
For detailed information about a particular cloud product, scroll down or use one of the links below to skip to your desired chart:
AWS
What We're Counting | Resource Type | Description |
EC2 | Compute | The number of running AWS EC2 instances on the account, including any EC2 instances created by other AWS services (like the Amazon Elastic Kubernetes Service). |
Lambda | Compute | The number of unique lambdas grouped by account, region, and lambda name. Lambdas with the same name but different regions or accounts are considered as separate lambdas, because there can be differences in the security configurations and access to services in each region or account. |
S3 | Storage | The number of S3 buckets. |
RDS | Storage | The number of provisioned RDS instances. |
Azure
What We're Counting | Resource Type | Description |
Virtual Machines | Compute | The number of virtual machines and virtual machine scale sets in the subscription. |
Sites | Storage | The number of static sites in the subscription. |
Storage Accounts | Storage | The number of storage accounts and compute disks in the subscription. |
SQL Servers | Storage | The number of SQL virtual machines, SQL servers, and SQL databases in the subscription. |
Functions and App Services | Compute | The number of Functions and App Services in the subscription. |
Google Cloud Platform (GCP)
Identity/SaaS Applications
Expel looks at the Identity Provider (IdP) SaaS application with the highest number of users and uses that user total as the count. If there is no IdP currently connected, we look at the most recent SaaS app with the highest number of users and get our count from there.
Anything that can log in to the SaaS app and leverage its full functionality is considered a user. So your count may include:
- Normal human users
- Shared accounts intended to be used by multiple humans
- Service accounts intended to be used by software
What's Not Counted
We do not count suspended, archived, or administratively disabled users who can't log in.
More Details
For these products, this is how a "user" is defined and counted:
Duo | The user count is the number of users that are not disabled or pending deletion in the organization's Duo account, which we obtain via Duo's API. |
Google Workspace | The user count is the number of users that are not suspended, archived, or deleted in the organization’s Google Workspace account, which we obtain via Google's API. |
Microsoft 365 | The user count is the number of users that can sign in and are categorized as "Members," which we obtain via Microsoft's API. |
Okta | The user count is the number of active users in the organization's Okta account that are not suspended or deprovisioned, which we obtain via Okta's API. |
OneLogin | The user count is the number of active users in the organization's OneLogin account and does not include unactivated or suspended users. We obtain this information via OneLogin's API. |
Phishing
Expel counts using two different methods:
- Counting by Users - We count each user in the customer organization as a unique user toward phishing coverage. The count includes anyone who is able to report suspected phishing emails that then go to Expel for analysis; these may be employees or contractors. If there are too many users in an organization, there may be a monthly threshold limit set on email submissions.
- Number of Email Submissions - We count each individual email that is sent to Expel for analysis by each individual user on a monthly basis. Similar or identical emails that are sent multiple times are counted as separate emails, regardless of whether they are sent by one authorized user or by multiple.
What's Not Counted
We do not count email aliases as separate users.
Vulnerability Prioritization
Expel counts the on-prem total endpoints in your environment as reported by your vulnerability prioritization vendor. We take the most recent number of endpoints, and only count endpoints that have been seen within 30 days.
- If you have multiple vulnerability prioritization security products, we use the one with the highest count (this is because we assume you've installed all of your products on the same hosts).
- If your environment has one vulnerability prioritization security product covering some hosts and a different vulnerability prioritization security product covering other hosts, we work with you to manually arrive at the correct quantity for your environment.
What's Not Counted
We do not count cloud-hosted endpoints, mobile devices, or devices like printers, thermostats, or other things (IoT / OT) with an IP address in the usage data.