Expel licensing usage measures counts of Endpoints, Resources, Users, and Emails submitted. This page explains what is included in those counts for each type of MDR product.

Quick Links

The MDR product types listed here are the primary ones where we find counts for determining your usage. There are many more integrations we support.

Endpoints

Expel counts the on-prem endpoints in your environment that have been seen within the past 30 days.

  • If you have multiple endpoint security products, we use the one with the highest count (this is because we assume you've installed all of your endpoint products on the same hosts).
  • If your environment has one endpoint security product covering some hosts and a different endpoint security product covering other hosts, we work with you to manually arrive at the correct quantity for your environment.


What's Not Counted

We do not count cloud-hosted endpoints (see Cloud Workloads below), mobile devices, or devices like printers, thermostats, or other things (IoT / OT) with an IP address in the usage data.


More Details

For these products, we count the following (all the endpoint resource type):

Crowdstrike

The hosts with a null service provider.

Microsoft Defender The machines with a status of "onboarded."
Palo Alto Networks Cortex The endpoints.
SentinelOne

The number of agents that do not have a cloud provider of AWS, GCP, or Azure in SentinelOne.

VMware Carbon Black Cloud

The sensors.

VMware Carbon Black EDR

The sensors.

Cloud

Cloud Workloads

Expel counts the cloud-hosted endpoints in your environment that have been seen within the past 30 days.

  • If you have multiple cloud-hosted endpoint security products, we use the one with the highest count (this is because we assume you've installed all of your endpoint products on the same hosts).
  • If your environment has one cloud-hosted endpoint security product covering some hosts and a different cloud-hosted endpoint security product covering other hosts, we work with you to manually arrive at the correct quantity for your environment.


What's Not Counted

We do not count on-prem total endpoints (see Endpoints above), mobile devices, or devices like printers, thermostats, or other things (IoT / OT) with an IP address in the usage data.

Kubernetes

We count the median number of nodes over the past 30 days, across all clusters. Kubernetes services and pods are informational only and are not factored into your usage.

Cloud Infrastructure

Expel counts instances, compute resources, storage resources, serverless resources, and any resources being acted upon by API calls. We count the median data point from the past 30 days, which prevents the data from being skewed by outliers. Note that cloud-hosted endpoints are counted under Cloud Workloads.

 

What's Not Counted

We do not count mobile devices or devices like printers, thermostats, or other things (IoT / OT) with an IP address in the usage data.


More Details

For detailed information about a particular cloud product, scroll down or use one of the links below to skip to your desired chart:

AWS

What We're Counting

Resource Type

Description

EC2

Compute

The number of running AWS EC2 instances on the account, including any EC2 instances created by other AWS services (like the Amazon Elastic Kubernetes Service).

Lambda Compute The number of unique lambdas grouped by account, region, and lambda name. Lambdas with the same name but different regions or accounts are considered as separate lambdas, because there can be differences in the security configurations and access to services in each region or account.
S3 Storage The number of S3 buckets.
RDS

Storage

The number of provisioned RDS instances.

Azure

What We're Counting

Resource Type

Description

Virtual Machines

Compute

The number of virtual machines and virtual machine scale sets in the subscription.

Sites Storage The number of static sites the subscription.
Storage Accounts Storage The number of storage accounts and compute disks in the subscription.
SQL Servers

Storage

The number of SQL virtual machines, SQL servers, and SQL databases in the subscription.

Functions and App Services

Compute

The number of Functions and App Services in the subscription.

Google Cloud Platform (GCP)

Identity/SaaS Applications

Expel looks at the Identity Provider (IdP) SaaS application with the highest number of users and uses that user total as the count. If there is no IdP currently connected, we look at the most recent SaaS app with the highest number of users and get our count from there.

Anything that can log in to the SaaS app and leverage its full functionality is considered a user. So your count may include:

  • Normal human users

  • Shared accounts intended to be used by multiple humans

  • Service accounts intended to be used by software


What's Not Counted

We do not count suspended, archived, or administratively disabled users who can't log in.


More Details

For these products, this is how a "user" is defined and counted:

Duo

The user count is the number of users that are not disabled or pending deletion in the organization's Duo account, which we obtain via Duo's API.

Google Workspace The user count is the number of users that are not suspended, archived, or deleted in the organization’s Google Workspace account, which we obtain via Google's API.
Microsoft 365

The user count is the number of users that can sign in and are categorized as "Members," which we obtain via Microsoft's API.

Okta

The user count is the number of active users in the organization's Okta account that are not suspended or deprovisioned, which we obtain via Okta's API.

OneLogin

The user count is the number of active users in the organization's OneLogin account and does not include unactivated or suspended users. We obtain this information via OneLogin's API.

Phishing

Expel counts using two different methods:

  • Counting by Users - We count each user in the customer organization as a unique user toward phishing coverage. The count includes anyone who is able to report suspected phishing emails that then go to Expel for analysis, and may be employees or contractors. If there are too many users in an organization, there may be a monthly threshold limit set on email submissions.
  • Number of Email Submissions - We count each individual email that is sent to Expel for analysis by each individual user on a monthly basis. Similar or identical emails that are sent multiple times are counted as separate emails, regardless of whether they are sent by one authorized user or by multiple.

What's Not Counted

We do not count email aliases as separate users.

Vulnerability Prioritization

Expel counts the on-prem total endpoints in your environment as reported by your vulnerability prioritization vendor. We take the most recent number of endpoints, and only count endpoints that have been seen within 30 days.

  • If you have multiple vulnerability prioritization security products, we use the one with the highest count (this is because we assume you've installed all of your products on the same hosts).
  • If your environment has one vulnerability prioritization security product covering some hosts and a different vulnerability prioritization security product covering other hosts, we work with you to manually arrive at the correct quantity for your environment.

What's Not Counted

We do not count cloud-hosted endpoints, mobile devices or devices like printers, thermostats, or other things (IoT / OT) with an IP address in the usage data.