Prompt Bank

Pull together a QBR summary for [CLIENT NAME] covering the past 90 days.

Include:
- Total ticket volume, broken down by category (hardware, software, network, user, other)
- SLA compliance rate — how many tickets were resolved within SLA vs breached
- Top 3 recurring issue types with ticket counts
- Any open tickets older than 14 days
- Any open or recent security incidents
- Notable wins or improvements since last QBR

Format as a structured report I can use as talking points in the meeting.

Create a health scorecard for [CLIENT NAME].

Cover:
- Open ticket count by priority (critical, high, medium, low)
- Devices with active alerts or offline status
- Any monitors currently down or in warning state
- Overdue or breached SLA tickets
- Last 7 days of incident activity

Rate the overall health as Green / Amber / Red and explain your reasoning.

Write a one-page executive summary of IT activity for [CLIENT NAME] for [MONTH].

Audience: their CTO/IT director — not technical detail, focus on business impact.

Cover:
- Overall service summary (issues resolved, uptime achieved)
- Any significant incidents and how they were resolved
- Improvements or projects completed this month
- Risks or items requiring client attention
- Recommended next steps or upcoming work

Keep it concise and free of jargon.

Identify the top risk areas for [CLIENT NAME] based on current data.

Look for:
- Recurring ticket categories that suggest a systemic problem
- Devices that are offline, degraded, or overdue for replacement
- Security alerts or incidents in the past 30 days
- SLA breaches or near-breach tickets
- Any expired or expiring warranties, certificates, or licenses if visible

Rank the top 3-5 risks by potential business impact and suggest a mitigation action for each.

Prepare an email security posture summary for [CLIENT NAME] to use in our upcoming QBR.

The audience is their leadership team — keep it business-focused, not technical.

Cover:
- Total threats blocked in the past quarter (phishing, malware, BEC, spam) and what that would have meant if unprotected
- Any threats that got through — how they were detected and resolved
- User risk: what percentage of users are clicking phishing simulations, how has it improved?
- Training completion rate — is the team keeping up with security awareness training?
- Top 3 threat types targeting their organization this quarter
- Any recommended improvements or upcoming threats to be aware of

Frame it as value delivered: "we blocked X attacks this quarter that could have cost you Y." Keep the language accessible for non-technical executives.

Show me all unbilled work for [CLIENT NAME] (or all clients if not specified) that is in a billing-ready status.

Include:
- Ticket number, title, and date closed
- Technician who worked the ticket
- Total hours logged and billable hours
- Contract or billing type (time-and-materials, block hours, managed services)

Group by client if running for all accounts. Flag anything over 30 days old that still hasn't been invoiced.

Pull all time entries for [CLIENT NAME] for [DATE RANGE, e.g. March 2025].

For each entry show:
- Date, technician, and ticket number
- Work description
- Hours logged (regular vs overtime if applicable)
- Billing status

Flag any entries that look unusual: very short entries (under 5 minutes), entries logged long after the work date, or entries without a description.

Check contract compliance for [CLIENT NAME] for this month.

I need to know:
- How many devices are under their managed services contract vs what's actively monitored
- Total hours consumed this month vs their included hours (if on a block hours or capped plan)
- Any out-of-scope work billed separately
- Whether they're approaching overage thresholds

Highlight any discrepancies between what's contracted and what we're delivering.

Give me a summary of all outstanding invoices across all clients, grouped by age.

Show:
- Current (0-30 days)
- Overdue 31-60 days
- Overdue 61-90 days
- Overdue 90+ days

For each bucket, list the client name, invoice number(s), amount outstanding, and invoice date. Flag any clients with invoices over 60 days as a priority for follow-up.

Scan all managed devices and identify machines that are 4 or more years old and likely due for hardware refresh.

Group results by client. For each device include:
- Device name and type (desktop, laptop, server)
- Operating system and version
- Approximate age if visible (from warranty or first-seen date)
- Any recent hardware-related alerts or failures

Summarize by client: total aging devices and estimated replacement opportunity. This will be used to prioritize refresh conversations.

Identify clients who may be at risk of churn based on their recent service experience.

Look for clients with:
- High ticket volume compared to their account size in the last 60 days
- 2 or more SLA breaches in the past 30 days
- Recurring issues of the same type (possible systemic problem we're not resolving)
- Tickets with negative or escalation indicators in the description

Rank the top 5-10 at-risk clients with a brief reason for each. This list will be used for proactive account check-ins.

Look across our client base and identify expansion or upsell opportunities.

Flag clients who:
- Have grown their device count significantly in the past 6 months (potential seat expansion)
- Have frequent security-related tickets but no security add-on services (EDR, backup, etc.)
- Are consistently exceeding their included hours but haven't upgraded their contract
- Have aging infrastructure that we haven't had a hardware refresh conversation with

For each opportunity, briefly explain the gap and suggest the relevant service or conversation.

We've just onboarded [CLIENT NAME]. Give me a full picture of their environment based on what we've discovered so far.

Cover:
- Total device count and types (workstations, servers, network gear)
- Operating systems in use and any that are end-of-life
- Any immediate risks or issues flagged during onboarding
- Current monitoring coverage (what's being monitored vs what we found)
- Gaps compared to our standard managed services baseline

This will be used to prioritize the first 30 days of work and identify quick wins.

Give me a morning standup summary of all open tickets for today.

Group by:
1. Critical and High priority — list each with ticket number, client, summary, and assigned tech
2. Tickets breaching SLA within the next 4 hours
3. Tickets unassigned or with no update in the last 24 hours
4. Total open count by priority tier

Keep it brief — this is for a 10-minute team standup.

Show me all tickets that are at risk of breaching or have already breached their SLA.

Separate into:
- Already breached: ticket number, client, priority, how overdue
- Breaching in the next 2 hours
- Breaching in the next 4 hours

Include the assigned technician for each. Sort by most urgent first. I need this to prioritize the team's next hour.

Find all tickets that are stalled and may need escalation or a nudge.

Look for:
- Open tickets with no technician update in the last 48 hours
- Tickets waiting on client response for more than 5 business days
- Any ticket open for more than 14 days regardless of status
- Escalated tickets that haven't had a senior tech review documented

For each, show ticket number, client, summary, last activity date, and current assignee.

Prepare a shift handoff brief for the incoming team covering everything they need to know right now.

Include:
- All active or acknowledged incidents and their current status
- High and critical priority tickets opened in the last 8 hours
- Any tickets I've been actively working — include where I left off and next steps
- Anything scheduled or expected to fire in the next 4 hours (maintenance windows, monitoring alerts)
- Any client communications that need a follow-up response

Format as a structured handoff document, not a data dump.

I have a call with [CLIENT NAME] in 10 minutes. Give me a quick brief.

Cover:
- Their currently open tickets: count and any critical or high priority ones
- Most recent 3-5 closed tickets and what they were about
- Any patterns or recurring issues I should be aware of
- Any open items they've been waiting on us for
- Anyone at their company I should know about from recent ticket interactions

Keep it to 200 words max — I need this fast.

A user at [CLIENT NAME] has reported a suspicious email. I need to triage it quickly.

User report: [paste the user's description or forwarded email headers]

Steps I need help with:
1. Look up the reported message in our email security platform — is it already classified?
2. Check if other users at this client (or other clients) received the same email
3. Classify it: genuine phishing / spam / safe (false positive)
4. If it's a genuine threat: has anyone clicked or interacted with it?
5. Draft a brief response to the reporting user explaining what we found and what they should do

If the email is confirmed phishing and others received it, automatically suggest escalating to the phishing investigation workflow.

A user at [CLIENT NAME] has requested release of a quarantined email.

User details: [sender address, subject, approximate date received]

Before releasing, help me:
1. Find the quarantined message
2. Review the sender, subject, headers, and any link/attachment analysis
3. Assess whether it's genuinely safe to release (expected sender, legitimate content, no suspicious links)
4. Check if the sender domain has a history of spam or phishing in our system

If safe: release the message and recommend whether to add the sender to the allowlist.
If not safe: explain why to the user and suggest they contact the sender through a different channel to re-send.

Always err on the side of caution — if there's any doubt, don't release.

Give me a full infrastructure health report across all monitored clients.

Group by status:
- Down / offline: list device name, client, type, and how long it's been down
- Degraded / warning: devices with active alerts but still responding
- Unknown / no check-in: devices that haven't reported in over 24 hours
- Healthy: summary count only

For any client with 3 or more devices in warning or down state, flag them as needing immediate attention. Total counts at the top.

Generate a patch compliance report across all managed devices.

Show:
- Devices missing critical or security patches (OS and third-party)
- Count of missing patches per device
- Clients with the worst patch compliance (most missing patches)
- Any devices that haven't had a successful patch scan in the last 7 days

Flag any device missing patches that is also exposed to the internet (server or firewall) as high priority. I need this to prioritize this week's patching run.

We have multiple alerts firing right now. Help me make sense of them.

List all active alerts and incidents, then:
1. Group alerts that are likely related (same client, same time window, same infrastructure layer)
2. Identify the most likely root cause for each group
3. Suggest which alert to investigate first to have the most impact
4. Flag any alerts that look like noise vs genuine service impact

I'm trying to find the actual problem, not chase symptoms.

I'm planning a maintenance window for [DESCRIPTION, e.g. firewall firmware upgrade] at [CLIENT NAME] on [DATE/TIME].

Help me prepare by:
1. Listing all monitors currently associated with systems that will be affected
2. Identifying the on-call engineer on duty during the window
3. Drafting a status page announcement to notify stakeholders (if applicable)
4. Noting any tickets or incidents that are currently open for this client that might be affected

After the window, remind me to: resume all paused monitors, verify everything returns to 'up', and resolve any stale incidents.

Help me write a post-mortem for the incident affecting [SERVICE/CLIENT] that occurred on [DATE].

Structure it as:
1. **Summary**: What happened and what was the business impact (1 paragraph)
2. **Timeline**: Key events from first alert to resolution with timestamps
3. **Root Cause**: What actually caused the incident
4. **Contributing Factors**: What made it worse or delayed detection/resolution
5. **What Went Well**: Things that worked during the response
6. **Action Items**: Specific, assigned tasks to prevent recurrence (include owner and due date)

Keep the tone blameless — we're fixing systems, not blaming people.

Give me a morning email threat briefing covering the last 24 hours across all clients.

Include:
- Total blocked threats by type (phishing, malware, BEC, spam) with counts
- Any threats that were delivered to users (not blocked) — these are highest priority
- New or active campaigns targeting our clients
- Any users who clicked a malicious URL or opened a dangerous attachment
- Clients with unusually high threat volume compared to their baseline

Flag anything that requires immediate action (delivered threats, active BEC attempts, credential phishing). Keep the rest as a summary table.

I need to investigate a phishing email reported by [USER] at [CLIENT NAME].

Known details: [paste subject line, sender, or any other details you have]

Help me:
1. Find the original email and its full headers / metadata
2. Identify all other recipients at this client or across clients who received the same or similar email
3. Check whether any recipients clicked links or opened attachments
4. Determine if any credentials or data may have been compromised
5. Identify the campaign or threat actor if known
6. List every mailbox that still has a copy of the email (for remediation)

End with a recommended remediation: quarantine scope, user notifications needed, and any account lockouts to consider.

Review the current email quarantine queue across all clients.

I need to:
1. See all messages held in quarantine in the last 24 hours, grouped by client
2. Identify any that look like false positives (legitimate business email, newsletters the user opted into, known vendors)
3. Confirm which messages are genuine threats that should remain quarantined or be deleted
4. Flag any quarantine entries that have been waiting more than 48 hours without review (user may be waiting on an important email)

For likely false positives, tell me what action to take (release and allowlist sender/domain). For confirmed threats, confirm deletion. Highlight any patterns that suggest an allowlist or blocklist rule update is needed.

Give me a security awareness training status report across all clients.

Cover:
- Active phishing simulation campaigns: click rates and failure rates per client
- Training completion rates — who is overdue or has outstanding assignments
- Highest-risk users by risk score (frequent clickers, incomplete training)
- Clients with click rates above 10% — these need attention
- Improvement trends: are clients getting better or worse over time?

Flag the top 5 highest-risk users overall so we can have a conversation with their client's IT contact. Include a recommendation for clients with persistently high failure rates (more frequent simulations, mandatory retraining, etc.).

I have a [SEVERITY, e.g. P1 / Critical] incident at [CLIENT NAME]. [SYSTEM OR SERVICE] is down affecting approximately [NUMBER] users.

Use the available tools to do the following right now:

1. Pull all active alerts and monitoring events for [CLIENT NAME] from the last 2 hours — list them chronologically
2. Check for any existing open tickets related to this issue and link them; if none exist, open a P1 ticket with the title "[CLIENT NAME] – [SYSTEM] Outage" and set priority to Critical
3. Identify the on-call engineer currently assigned and their contact details
4. Build a timeline of events starting 2 hours ago: alert fires, ticket opens, tech activity, any config changes or deployments if visible
5. Give me your best current hypothesis for root cause based on what you can see

Format the output as a war room brief — I'm sharing this in a Slack channel right now.

Variation — if you know the affected service:
Replace "[SYSTEM OR SERVICE] is down" with the specific service, e.g. "The VPN concentrator at their main office is unreachable" or "Microsoft 365 Exchange Online is returning 503s for all users."

Generate a post-incident review (PIR) for the incident documented in ticket [TICKET NUMBER] (or the most recent resolved P1/Critical ticket for [CLIENT NAME] if no ticket number is known).

Pull the full ticket history — all notes, time entries, and status changes — and structure the PIR as follows:

**1. Incident Summary**
What happened, what was the business impact, and how long did it last (detection to resolution)?

**2. Timeline**
A bullet-point chronology from first alert/report through to confirmed resolution. Include timestamps.

**3. Root Cause**
What was the actual underlying cause? Be specific — not "server was down" but why it was down.

**4. Contributing Factors**
What made the incident worse or delayed our response? (monitoring gaps, escalation delays, missing runbooks, etc.)

**5. What Went Well**
At least 2-3 things the team did right during the response.

**6. Action Items**
Specific tasks to prevent recurrence or improve response time. For each: description, owner (assign to [YOUR NAME] if unspecified), and a due date 2 weeks from today.

Keep the tone blameless. This document will be shared with the client.

Variation — multi-system incident:
Add a "Scope" section listing all affected systems, services, and user counts before the Timeline.

Draft a client-facing incident communication for [CLIENT NAME] regarding the [SYSTEM/SERVICE] issue that [started at TIME / is currently ongoing / was resolved at TIME].

The audience is their [CTO / IT Director / Executive team] — assume they are not technical. Do not use internal jargon.

The message should:
- Acknowledge the issue and its impact on their business clearly (no minimising)
- State the current status: [investigating / identified and implementing fix / resolved]
- Explain what we know so far in plain language (1-2 sentences max on technical detail)
- Describe what we are doing right now
- Give a realistic next update time: [TIME or "within X hours"]
- End with a direct contact name and number for urgent escalation

Tone: professional, calm, and accountable. We own this — no blaming the vendor unless explicitly directed.

Pull any relevant details from the open ticket for [CLIENT NAME] to populate specifics.

Variation — resolved incident update:
Change the status to resolved and include: actual resolution time, root cause in one sentence, and what we are doing to prevent recurrence.

User [USER EMAIL ADDRESS] at [CLIENT NAME] just triggered a risk alert. I need to determine if this is account compromise.

Use available tools to pull the following:

1. **Sign-in history** — last 7 days of authentication events: location, IP, device, and whether MFA was satisfied. Flag any sign-ins from new countries, anonymous IPs, or unusual times.
2. **MFA changes** — any MFA method additions, removals, or phone number changes in the last 7 days
3. **Email forwarding rules** — check for any inbox forwarding rules created recently, especially to external addresses
4. **Email delegation** — any recently added mailbox delegates
5. **Recent email activity** — any bulk send/delete activity in the last 48 hours
6. **Device compliance** — is their primary device compliant and managed? Any new device registrations?

After pulling the data, give me a verdict:
- **Likely compromised**: list the specific indicators and recommend immediate actions (password reset, MFA re-enrol, session revoke, ticket open)
- **Suspicious but inconclusive**: list what's unusual and what additional steps to take
- **False positive**: explain why

If you assess compromise as likely, draft the first response ticket note I should post.

Variation — no email security tool connected:
Focus on sign-in logs and MFA changes only, and note that email forwarding check requires manual review in M365 admin.

I need to triage a potentially compromised endpoint. Device: [DEVICE NAME or HOSTNAME] at [CLIENT NAME].

Pull every available signal for this device:

1. **EDR alerts** — any active or recent threats, detections, or quarantined files from SentinelOne or equivalent. Include severity and current status.
2. **RMM status** — is the device online? Last check-in time? Any active alerts in the RMM?
3. **Patch status** — is the device current on OS and third-party patches? How many critical patches are missing?
4. **Running processes / script execution** — any recent script runs or remote commands executed on this device (from RMM history)?
5. **Network isolation status** — is the device currently network-isolated? If not, should it be?
6. **Open tickets** — any existing tickets for this device in the last 30 days

After gathering the data:
- Rate the risk: **Critical / High / Medium / Low**
- List the top indicators driving your assessment
- Recommend the immediate next steps (isolate, remediate, monitor, close)
- Draft the internal ticket note to document the triage findings

If the device should be isolated, remind me to get client approval before doing so — unless a critical threat is actively executing.

Variation — server triage:
Add "Check for any scheduled tasks or services added in the last 72 hours" and treat network isolation as a last resort given potential service impact.

I need to fully investigate a reported phishing email at [CLIENT NAME].

Known details:
- Reported by: [USER EMAIL]
- Subject line: [SUBJECT LINE if known]
- Sender address: [SENDER ADDRESS if known]
- Approximate time received: [DATE / TIME if known]

Work through the following investigation steps:

1. **Locate the email** — find it in the email security platform by sender, subject, or time window
2. **Blast radius** — identify every mailbox at [CLIENT NAME] (and across all clients if the platform supports cross-tenant search) that received this email or a variant of it
3. **Interaction check** — for each recipient, determine: did they open it? Click any links? Download an attachment?
4. **Link / attachment analysis** — what do the URLs or files resolve to? Any known malicious indicators?
5. **Credential exposure** — if any user clicked a link to a credential-harvest page, flag them for immediate password reset
6. **Threat intel** — is this part of a known campaign? Any IOCs (sender IP, domain, hash) in threat intel feeds?
7. **Remaining copies** — list every mailbox that still has a copy of the email (for quarantine/deletion)

End with a prioritised remediation checklist:
- [ ] Accounts to lock/reset (list them)
- [ ] Mailboxes to remediate (list them)
- [ ] Allowlist/blocklist rules to create
- [ ] User notifications to send
- [ ] Ticket to open (draft the title and description)

Variation — internal phishing simulation:
If the email turns out to be a KnowBe4 or similar security awareness simulation, note the click rate and flag users who clicked for training follow-up instead of remediation.

Run a documentation audit for [CLIENT NAME] (or all clients if not specified).

Cross-reference the RMM's device inventory against the documentation platform and flag gaps:

1. **Missing runbooks / configurations** — devices or services that are active and monitored in the RMM but have no corresponding configuration record or runbook in IT Glue / Hudu. List: device name, device type, and how long it's been active.

2. **Stale passwords** — any passwords stored in the documentation platform that haven't been rotated in 90 or more days. Include: password title, last rotated date, and associated asset or service.

3. **Undocumented network devices** — switches, firewalls, or APs visible in the RMM that have no documentation entry

4. **Missing contacts** — client contacts in the PSA with no corresponding entry in the documentation platform (gaps in the contact list)

5. **Expired SSL certificates or licenses** — any documented items with an expiry date that has passed or is within 30 days

Produce a prioritised gap list. Rate each gap: **Critical** (passwords, active servers), **High** (network devices, key services), or **Medium** (workstations, nice-to-have docs). Suggest which gaps to close first.

Variation — new client onboarding:
Run this immediately after onboarding discovery is complete to generate the documentation work backlog for the first 30 days.

Generate a runbook for [DEVICE NAME / SERVICE NAME] at [CLIENT NAME].

Pull all available data from the RMM and documentation platform to populate the runbook, then structure it as follows:

**Overview**
- Device / service name, type, and purpose
- Client and physical or logical location
- Criticality: [Mission Critical / Important / Standard] — infer from device type and ticket history if not specified

**Access & Credentials**
- Primary access method (RDP, SSH, web console, etc.)
- Credential references (link to IT Glue / Hudu password entries — do not include actual passwords in the runbook)
- MFA or jump host requirements

**Key Details**
- IP address(es), hostnames, relevant ports
- OS, firmware, or application version
- Licensing or warranty expiry if known

**Monitoring**
- What monitors are configured for this device/service in the RMM?
- What alerts should a tech expect to see, and what do they mean?

**Common Issues & Fixes**
- List up to 5 common issues found in the ticket history for this device (pull from PSA if connected)
- For each: symptom, likely cause, resolution steps

**Maintenance Schedule**
- Patching cadence, restart windows, backup schedule if known

**Escalation Path**
- Who to contact if this device/service fails after hours
- Vendor support details if applicable

After generating, tell me which sections you had to leave blank due to missing data — those are documentation gaps to fill in.

Perform an asset discovery summary for [CLIENT NAME].

I need to understand what's in their environment and what is or isn't documented.

1. **Full device inventory** — pull every device currently reporting into the RMM. For each: name, type (workstation / server / network / other), OS, last seen, and online/offline status.

2. **Documentation coverage** — for each device, check whether a matching record exists in IT Glue / Hudu. Flag devices with no documentation record.

3. **Shadow IT / unexpected devices** — flag any devices that don't match the expected naming convention, have an unknown device type, or appear to have been added recently without a corresponding ticket.

4. **End-of-life OS** — list any devices running an OS that is past Microsoft or Apple's end-of-support date (Windows 10 21H2 and earlier, Windows Server 2012 and earlier, macOS Ventura and earlier).

5. **Unmanaged devices** — if Liongard is connected, check for systems detected during inspector runs that are not in the RMM agent inventory (e.g., network devices with no agent).

Produce:
- A summary table of the full inventory with documentation coverage percentage
- A "needs action" list sorted by risk: EOL devices first, then undocumented servers, then undocumented workstations
- Recommended next steps to close coverage gaps

Variation — post-M&A or site acquisition:
Use this prompt immediately after taking on a new site to generate the baseline discovery report before the first QBR.

Pull all the data I need to prepare a QBR for [CLIENT NAME] covering the period [START DATE] to [END DATE, e.g. "January 1 – March 31 2025"].

From the PSA:
- Total tickets opened and closed in the period
- Ticket breakdown by category (hardware, software, network, user error, security, other)
- SLA compliance rate: % of tickets resolved within SLA, and total breach count
- Average time to first response and average time to resolution
- Top 5 ticket categories by volume
- Open tickets at the end of the period (carryover)
- Any critical or P1 incidents — title, date, and resolution time

From the RMM (if connected):
- Total managed device count at start and end of period (growth?)
- Devices with persistent alerts or recurring issues
- Patch compliance rate at end of period
- Any devices that went offline for more than 4 hours during the period

Formatting:
- Present numbers in a clear table where possible
- Highlight improvements vs the previous period if prior data is available
- Flag any metrics that are worse than industry benchmarks (SLA <95%, patch compliance <90%)

I'll use this raw data to build the QBR deck — just get me the numbers.

Variation — multi-client QBR data:
Run for all clients and sort results by SLA compliance rate ascending (worst performers first) so I can prioritise conversations.

Review all managed services contracts that are due for renewal in the next [TIMEFRAME, e.g. 90 days].

For each contract:
1. **Renewal date and contract value** — current MRR or ARR, renewal date, and auto-renewal status
2. **Device count drift** — compare contracted device count to actual devices currently managed in the RMM. Flag any contracts where we are managing significantly more (or fewer) devices than contracted.
3. **Hours consumption** — for block-hour or capped plans, what was the average monthly consumption vs included hours over the contract term? Are we consistently over or under?
4. **Profitability signals** — which contracts had high ticket volume relative to their revenue? Flag contracts where ticket volume was more than 20% above the portfolio average per device.
5. **Pricing age** — how long since this contract was last repriced? Flag any contracts that haven't had a rate increase in 24+ months.

For each contract that has a flag, suggest a renewal recommendation:
- **Increase MRR**: by how much, and the justification
- **Renegotiate scope**: what to add or remove
- **Renew as-is**: if the contract is well-balanced

Sort by renewal date ascending. I'm using this for my renewal pipeline planning.

Variation — single client:
Run for [CLIENT NAME] only and include full contract history for context.

Identify unused or wasted software licenses for [CLIENT NAME] so we can surface a cost savings opportunity.

Check the following (use connected tools for what's available; note which checks require manual review):

**Microsoft 365**
- Total licensed seats vs active users (users who have signed in within the last 30 days)
- Licenses assigned to terminated or disabled accounts
- Licenses assigned to shared mailboxes or room resources that could be downgraded
- Users on E3/E5 plans who are only using Exchange and Teams (potential downgrade to M365 Business Basic/Standard)
- Any Microsoft add-on licenses (Intune, Defender, PowerBI) with zero recent usage

**Other SaaS / recurring software** (from PSA contract or documentation platform if available):
- Any software licenses that appear in contracts but have no matching active user or device in the RMM
- Renewals coming up for tools that may no longer be in use (flag for client conversation)

**Output format:**
- For each waste category: list the license type, count of wasted seats, estimated monthly savings at current rate
- Total estimated monthly savings if all waste is reclaimed
- Recommended action for each item (remove, downgrade, reassign, or verify with client)

Note: actual savings depend on contract terms — flag any that require vendor negotiation vs immediate self-serve changes.

Variation — run across all clients:
Generate a portfolio-wide license waste report sorted by estimated savings descending. Use this to prioritise client conversations.