Alerts arrive client by client — so a bad patch failing across four clients looks like four unrelated tickets. Crosswatch correlates across every client (and every tool, if you run more than one) and warns you while the incident is still small.
Read-only · No agent · Vendor-neutral
Read from your RMM, Intune, or a webhook — the signals your tools already produce. Backups & network gear ride in wherever your RMM or a feed reports them.
Works with data from
…or anything that can POST JSON. Read-only feeds, nothing installed.
The problem
One RMM or several — alerts are filed per client and per ticket, and cross-client patterns are exactly where spreading failures hide.
One failed patch at one client. The same failure at the next client is a different ticket, a different queue, maybe a different tech. Nothing looks worth escalating.
The same failure fingerprint is hitting device after device — but scattered across consoles, it reads as unrelated one-offs.
The pattern only becomes visible once enough devices are down — and by then you're firefighting across every client at once.
How it works
No agent on any endpoint. No RMM credentials held. Crosswatch only ever reads.
For Microsoft Intune & Microsoft 365, connect a native cloud connector — a read-only OAuth app registration, no script and no agent. For everything else, point a webhook at Crosswatch or drop in a 5-line script. Events flow one way.
Patches, agent updates, services, backups, certificates, sign-in failures, network gear, Microsoft 365 — every event is normalized to a failure fingerprint. When the same fingerprint hits multiple devices across multiple clients inside a rolling window, that's not noise — that's an incident forming.
The warning lands in Microsoft Teams and your Crosswatch portal — plain English, the root cause, and an AI remediation that gives you several ways to fix it (via Intune, a PowerShell job, your RMM's patch policy, or on-device), each step-by-step with the exact console path, ready-to-run scripts, and the Microsoft KBs — then copy it straight into your ticket. You approve and run it; Crosswatch never touches a device.
New · AI remediation
The detection is deterministic — tested code, not a model guessing. Only the fix is AI-drafted: grounded in the real Microsoft KB, with several ways to resolve it, and a human always approves and runs it. Crosswatch proposes — your tech decides, and nothing touches a device.
Why Crosswatch
Crosswatch recommends; you act. No write access, no stored RMM credentials — nothing is ever executed on a device.
One brain over every console. Inherited a second RMM in an acquisition? Crosswatch covers both from day one.
The correlation engine is tested code, not an LLM guessing. AI writes the remediation runbooks — never the verdicts.
Webhook or a 5-line script per tool. No agent rollout, no change windows, no procurement saga.
How we're different
Every tool that correlates does it inside one client, or only for security. The space in between — operational failures spreading across your clients — is the one nobody watches.
Every other tool works inside one client or only on security. Crosswatch correlates operational failures across all your clients — and, as more fleets join, across the whole network.
The platform today
Crosswatch is live in production, already correlating real Microsoft Intune fleets through the native connector. Here's what ships right now.
Microsoft Intune & Microsoft 365 connect through a read-only OAuth app — no agent, no script, no credentials stored in clear. It's running on live fleets in production today.
Connect Atera, Datto RMM, Kaseya VSA, ConnectWise and N-able by their own API — self-service, read-only, polled like Intune. Prefer push? Every tool also takes a webhook or 5-line JSON feed.
Emerging incidents post straight to your Teams channel with the recommended action — the team sees the warning where they already work, the moment a cluster forms.
Each workspace gets its own portal — incidents, events, and feed health behind Microsoft 365 single sign-on. Invite your team or a client; everyone sees only their own fleet.
Tune detection per client, switch alerts on or off per workspace, and review a full audit log of every administrative change. Multi-tenant isolation by default.
Opt in and see a bad patch or agent rollout spreading across other fleets before it reaches yours — the leading edge no single console can see. Anonymized: only failure fingerprints + counts are shared, never a client, device or identity.
Every incident ships an AI remediation (multiple methods, scripts, KBs, copy-to-ticket) and a live blast-radius forecast — plus an operations dashboard (MTTR, trends) and a white-label client report you forward to your customer.
Every patch or CVE incident is cross-checked live against Microsoft's security updates (MSRC) and CISA's Known Exploited Vulnerabilities catalog — so you instantly know whether it's just your fleet or a known-bad update the wider world has already flagged. No other layer corroborates an operational failure against the outside world.
Sound familiar?
These are real, public incidents — and what their first hours looked like from inside an IT service desk.
July 2024 · agent update
One faulty security-agent update boot-looped roughly 8.5 million Windows devices worldwide (Microsoft's estimate). For service providers it arrived client by client — a few blue screens here, a few there. The early signature — the same agent version knocking devices offline at more than one client — is exactly the cluster Crosswatch flags.
January 2024 · Windows patch
A Windows security update failed with error 0x80070643 on a huge share of machines. Inside any one ticket queue it looked like scattered, per-client patch errors for days. Cross-client correlation turns that into one incident and one action: pause the rollout ring.
Several times a year · cloud service
When Exchange Online or Teams degrades, every client's users open tickets at once and the desk drowns in duplicates. Grouped as one wave, the answer is one line: it's Microsoft-side — check Service Health, hold the individual tickets.
What catching it early is worth
No invented "customers save 60%" claims — you'd be right not to trust them. A worked example, every number on the table:
Unchecked — a bad patch reaches the whole book
…plus 12 awkward client conversations.
Caught at the first cross-client cluster
…and you're the provider who caught it first.
Your fleet's numbers will differ — that's exactly what the free 7-day pilot measures, on your own data.
Recommended: pause the patch policy in each RMM, then run the generated runbook on affected devices.
Fictional demo workspace — "NorthStar IT"
Live demo
One demo workspace — a fictional MSP ("NorthStar IT") running the same deterministic engine that ships in the product. Watch it catch the incident, then explore the whole platform: blast-radius forecast, AI remediation, analytics and the cross-fleet network watch.
Who it's for
Run one RMM? Crosswatch connects the dots between your clients — the patterns your per-client ticket queues can't show. Run several after an acquisition? It covers every console from day one.
Intune for endpoints, an RMM for servers, a security console on top — three tools, three alert streams, no shared picture. Crosswatch is the layer that connects them.
Free 7-day pilot · read-only · cancel by turning off the feed.
Or write to us directly: info@qaswatechnology.com