December 5, 2025

What It Really Takes To Build A Good MSSP

Category: Community, Go To Market, Security Market — 7:33 am

Everyone is suddenly looking at MSP and MSSP rollups. Investors, strategics, even VCs. The logic is obvious. Fragmented market, recurring revenue, sticky customer relationships. But the reality is that only a small subset of providers actually operate at a level worth scaling. The difference between an average MSSP and a good one comes down to a few fundamentals.

Start With Focus

Most MSPs never defined who they serve. They grew organically, took whatever customer showed up, and built a toolkit around individual fires rather than a repeatable model. A strong MSSP starts with clarity. Who is the ICP. What problem is being solved. What the operating model looks like for that segment. When this is missing, everything becomes random. Different tools. Different service quality. No leverage.

In practice, the most important segmentation is not the MSP itself, but who the MSP sells to. An MSP serving restaurants or spas has a fundamentally different security maturity, willingness to pay, and regulatory exposure than one serving regional banks, healthcare, or regulated SMBs. Treating them as one market leads to mispriced risk and churn.

Understand the Economics

Many MSPs think software licensing is their main cost. It is not. Labor dominates the model. At ConnectWise, our Service Leadership dataset showed that roughly 20 percent of MSPs were not profitable because they simply did not understand their own cost structure. The best ones hit around 20 to 25 percent EBITDA. They standardize. They price correctly. They run the business with discipline instead of firefighting.

The real margin killer is not the license costs. It is the technician minutes required to install, manage, respond, document, and bill every tool. Every additional product increases operational drag, even if the license is cheap.

Standardized Security Bundles Win

The MSSPs that scale do not let customers choose their own adventure. They define a required stack. If you want to be a customer, you adopt their bundle. This gives consistency, predictability, and actual security outcomes. A typical bundle includes:

• Patch and vulnerability management
• Endpoint protection
• Email security
• Security awareness
• Optional SIEM or MDR depending on the segment

Without standardization, you cannot maintain margins or guarantee service quality. You also make incident response dramatically harder because every environment looks different.

In reality, the bundle is usually sold at a fixed price like $50 to $100 per user per month. Any new security tool must fit inside that number. If it costs $2 to $3 per user, something else must be removed or margin gets cut. This is why getting into the bundle is harder than most vendors expect.

Service Quality Is the Product

SMBs want to be secure. They want minimal disruption. And when something goes wrong, they want a real human who knows what they are doing. Not tier 1 scripts. Not delays during an active incident. Good MSSPs prepare the customer during onboarding. They map critical systems, define escalation paths, understand what can be taken offline, and capture credentials and architecture details. They remove the guesswork from the moment the incident starts.

Billing Needs To Be Simple

One of the fastest ways to lose customers is confusing invoices. Customers want to understand what they pay for. Surprises create distrust. The MSSPs that retain well keep billing predictable, transparent, and boring.

Own the Response, Not Just the Alert

An MDR or MSSP that only notifies customers creates frustration. The provider must take the customer through remediation. For SMBs, response often means restoring operations, identifying the entry point, and closing the gap. If the MSSP cannot do this internally, it must have reliable partners.

How Rollups Actually Create Value

Rollups only work when there is a clear thesis. Some focus on platform unification and a single delivery model. Others focus on professionalizing the business with better hiring, benefits, pricing, and operational rigor. Both paths can work. But they require patience and real operating muscle.

The fastest way to build a defensible platform is often not direct MS(S)P sales but embedding into existing security vendors that already sit in the bundle. Winning a technology alliance with an EDR, MDR, or firewall provider puts you into hundreds of MSPs without forcing each of them to make a new buying decision.

Cross-border rollups in Europe introduce more complexity. Language and local relationships matter. Regulation varies. Centralizing delivery is possible, but customer interaction often stays local. A standardized platform can still work if the ICP is consistent across regions.

The Microsoft Factor

Many SMBs already own security features through M365. Ignoring this leads to bloated stacks and poor pricing. Smart MSSPs align their offering with what customers already have and fill the real gaps.

The Bottom Line

Building a strong MSSP is not mysterious. It requires a defined ICP, a standardized security bundle, disciplined delivery, true incident readiness, transparent billing, and the ability to take customers all the way to resolution. The providers that do these things consistently are the ones worth scaling. Investors often chase the rollup story, but the real value sits inside the boring operational fundamentals that most of the market never gets right.

August 27, 2025

Security Chat 6.0: A Night of Ideas, Innovation, and Community in Zurich

Category: Community — 6:43 am

Yesterday, we brought Security Chat back to Zurich for its sixth edition and it was everything I had hoped for: brilliant talks, a packed room, and the joy of reconnecting with friends old and new. What started back in 2012 as an informal gathering of security enthusiasts has grown into a tradition where community and ideas come together.

This year we had five lightning talks. Each one very different in style, but all equally thought-provoking:


Candid Wüest – Why AI-Powered Malware Won’t Kill You (Yet)

Candid cut through the hype around “AI-driven malware.” He explained the difference between AI-generated malware (just code produced by LLMs) and AI-powered malware (where AI runs inside the malicious code). While there are proof-of-concepts in the wild, protection stacks still hold up. Behavior-based detection and layered defenses remain effective. His takeaway: AI will eventually give attackers new tools, but defenders are not out of the game.


Joshua Rawles – The Global Impact of a Modern Phishing-as-a-Service Operation

Josh gave us an inside look at the booming phishing-as-a-service industry. For as little as $50 a month, criminals can buy turnkey kits that bypass MFA, come with 24/7 “support,” and scale to tens of thousands of victims. His case study on Storm-1167 (“FluorStorm”) showed just how industrialized this has become, with thousands of domains, Telegram bots for real-time stolen credentials, and devastating impact on nonprofits. His message: MFA is necessary but not sufficient; phishing-resistant authentication and faster takedowns are critical.


Barbara Dravec – Drawn to Encrypt: A Visual Trail from OTP to RSA

Barbara brought cryptography to life with a visual storytelling approach, mapping concepts like one-time pads, pseudo-random generators, and RSA to vivid imagery from the natural world (snakes, owls, octopuses, and more). It was a refreshing, creative reminder that explaining security to non-experts requires more than equations. It sometimes requires narratives that people can connect to.


Advije Rizvani – AI on Wall Street: Smart, Fast… and Surprisingly Fragile

Advije, a PhD student in Liechtenstein, showed how machine learning systems that drive algorithmic trading can be tricked with subtle, temporary data manipulations. A single manipulated data point can cause wrong trades, eroding portfolio performance over time. Her research raises a sobering question: in high-stakes financial markets, how do we know whether losses are due to bad luck, bad models… or deliberate attacks?


Elliott – When Cookies Collide: The Overlooked Attack Vector

Elliott closed the night with a deep dive into cookie tossing, a little-known but powerful web attack. By controlling a subdomain, an attacker can “toss” malicious cookies that hijack authentication flows or manipulate transactions on the parent domain. He walked us through real-world cases and defenses, highlighting how a small misconfiguration can open the door to session hijacking and data theft.
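The defensive side of what Elliott described, as an added example that is not from his talk or the original post: when a subdomain plants a cookie with the same name as the parent domain's session cookie, the browser sends both values in one Cookie header, so a server should treat a duplicated security-sensitive cookie as untrusted and issue its own session cookie with the `__Host-` prefix, which browsers refuse to set from a subdomain or with a Domain attribute. Function names and the sample header are constructed for this example.

```javascript
// Added example (not the talk's or the blog's code): server-side handling of
// cookie collisions caused by cookie tossing, plus a shadow-proof Set-Cookie.

// Parse a Cookie request header into name -> array of every value seen,
// preserving order. A naive "first match wins" parser is exactly what a
// tossed cookie exploits, so we keep all values and inspect them.
function parseCookieHeader(header) {
  const out = new Map();
  if (!header) return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (!name) continue;
    if (!out.has(name)) out.set(name, []);
    out.get(name).push(value);
  }
  return out;
}

// Return the value of a security-sensitive cookie only when the header carries
// exactly one value for that name. Zero values means it is absent; two or more
// means a collision (a tossing indicator), and the request should not be
// authenticated from it.
function getUnambiguousCookie(header, name) {
  const values = parseCookieHeader(header).get(name) || [];
  if (values.length !== 1) return null;
  return values[0];
}

// Build a Set-Cookie header for a session cookie a subdomain cannot shadow.
// The __Host- prefix requires Secure, Path=/ and no Domain attribute, so the
// browser binds it to this exact host only.
function buildHostOnlySessionCookie(value) {
  return `__Host-session=${encodeURIComponent(value)}; Secure; Path=/; HttpOnly; SameSite=Lax`;
}

// Constructed sample: the legitimate session cookie plus one tossed from a
// subdomain, both arriving under the same name.
const sampleHeader = 'session=legit-token; session=tossed-token; theme=dark';

console.log(getUnambiguousCookie(sampleHeader, 'session')); // null: collision, do not trust
console.log(getUnambiguousCookie(sampleHeader, 'theme'));   // dark
console.log(buildHostOnlySessionCookie('legit-token'));
```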


More Than Talks—It’s About Community

What I loved most about Security Chat 6.0 wasn’t just the talks, but the variety of voices and the energy in the room. We had people flying in from London, driving hours through traffic, and carving out time to share ideas. We had job seekers and companies hiring. We had old friends, new connections, and plenty of wine and bagel bites to keep conversations flowing.

A big thank you to our sponsor 1Password for supporting the evening, to the speakers for sharing their insights, and to everyone who showed up to make this community vibrant.

As I said on stage: cybersecurity has given me so much over the years. Events like this are my way of giving back by fostering connection, sparking ideas, and reminding us all that innovation doesn’t happen in isolation.

See you at the next Security Chat – whenever and wherever it may be.