A Netspy region is up and running. The Installation manual says to  log in to the Netspy region in this manner:

To log on to the product region, use the following VTAM logon command:
LOGON APPLID(priacbnm) or LOGON APPLID=priacbnm
priacbnm is the name of the primary VTAM ACB application nominated in the NSYNAME parameter value in dsnpref.NMC0.NYPARM(INITPRM).
Note: To set up the security and performance interfaces for a product region, see the Administration Guide.

In our environment, it would be better to log into this from an existing user logged into the system from TSO.
We would like to add Netspy as an option to our existing ISPF menu we have for various vendor products.
Is this possible?

TSO has an API that can be called using REXX and a batch interface, but Netspy does not utilize that API, so there is no way of integrating it into TSO that we are aware of. We recommend contacting IBM in case this has changed.

Netspy is meant to run either as a direct access via TN3270, or through a session manager that uses SNA, such as TPX or SOLVE:Access.

Another option could be to define a separate Telnet port that limits users in ONLY access Netspy. This would require defining the session in the TN3270 Emulator that is in use, for example QWS3270, Attachmate or Host Explorer.
Users would need to know to use that specific definition.