Unlocking profit: Packaging cybersecurity services as an MSP

* Recorded live on July 16, 2024.

Watch this webinar for an insightful fireside chat where we discussed best practices for packaging and positioning your cybersecurity solutions.

Whether you’re just entering your cybersecurity journey or reassessing your existing packaging structure, you'll learn thoughtful strategies used by successful managed service providers and practical ways to leverage these strategies today.

You’ll finish this session with a better understanding of:

• Best practices for packaging cybersecurity services
• Tips on positioning
• Strategies for increasing adoption of new cybersecurity services

Building a cybersecurity solution

Any cybersecurity solution out there is trying to do one or more of these things:

• Prevent attacks – Stop bad things from happening in the first place. This is the preventative, proactive side of cybersecurity: stopping the bad guys and preventing threats before they cause harm.
• Stop attacks – When something does happen, this phase is all about stopping it in its tracks to minimize both the spread and the damage.
• Recover from attacks – The final stage is recovery: getting back to business as quickly and smoothly as possible.

At the heart of it, every cybersecurity solution fits into one or more of these buckets. We’re trying to stop the bad guys, limit their damage, and recover if they do get in. And we’ve seen a lot of this recently being described as “left of boom,” where you focus on prevention, and the “right of boom,” where you focus on recovery.

The challenge is taking those three simple buckets and asking: what are all the elements that fit into these core parts of cybersecurity? That’s where you start to see the smorgasbord of tools, technologies, and offerings that make up the modern cybersecurity landscape.

Key tool considerations

The table below aligns with the NIST Cybersecurity Framework, which follows a continuous cycle: identify the problems, protect yourself, detect and respond, and then recover—repeating that loop over time.

As cybersecurity professionals, we know that elements like antivirus, multifactor authentication, EDR, automated response, and incident response planning all contribute to a strong cybersecurity solution. But if we simply listed these out for customers, they might not understand their value.

While we recognize the importance of each layer, it’s our job to understand our audience and translate that technical value into meaningful outcomes. Customers need to know what they’re buying and why they need it. It’s about turning the terms that matter to us into the results that matter to them.

Table stakes cybersecurity

When it comes to tools that are considered table stakes today—a question we get often—the answer is: it depends.

What’s essential for your MSP depends on where your customers are in their cybersecurity journey. If you’re working with a newcomer, start with the basics—like enforcing MFA. If a client isn’t sure where they stand, begin with an assessment to identify their risks and liabilities. As customers mature, the table above outlines what a truly holistic cybersecurity solution should look like. You may need to decide based on each client’s readiness: can you take them from zero to one hundred right away, or is that too big a leap?

A phased approach often works best—start with vulnerability detection, email analysis, EDR, and cloud detection, and then build up to the full suite over time.

The importance of visibility

At the end of the day, the key word is visibility. That’s the message MSPs need to communicate to customers—especially when shifting from “Are you protecting me today?” to “How will you protect me against tomorrow’s threats?”

Your ability to reduce risk directly depends on the visibility your tools provide. If you don’t have coverage across cloud, network, and endpoint, you won’t have visibility in those areas—and that’s an important point to make. By focusing on visibility and closing vulnerabilities before they become problems—the “left of boom” work—you make life easier for both you and your clients in the long run.

You’re not only keeping your client’s environment more secure, you’re guiding them toward a posture that’s easier to maintain. It’s like brushing your teeth before the dentist visit—you prevent the cavity before it starts. The more visibility you have, the better protected everyone is.

Packaging models

Whether you're an MSP just starting out and building your first packages, or you’re a more mature MSP, we get asked two specific questions all the time: How should I package this? and How should I go to market with cybersecurity?

There are many models, but here are four we see most often with our partners. We’ll walk through the pros and cons of each—but keep in mind there’s no single right model. It’s about determining what best fits your MSP’s current stage of maturity and the types of clients you’re supporting.

The good-better-best model

First is the good–better–best (or gold–silver–bronze) model, offering multiple tiers of progressively more comprehensive cybersecurity.

• Good might be standard endpoint protection without proactive vulnerability management or third-party patch management.
• Better would cover all three buckets—cloud, network, and endpoint—bringing prevent, detect, and respond capabilities across the board, focusing on third-party vulnerabilities and increased visibility.
• Best is your premium level, adding things like log retention and compliance frameworks for regulated clients.

Pros: This model is flexible. It allows you to meet a wide range of budgets and needs, appealing to a broader client base. We still see it used often, though many MSPs are paring down to just two tiers—usually “better” and “best.”

Cons: You’re introducing potential risk for your customers and for yourself. Clients in the “good” tier may not have complete coverage. It’s critical to make them aware of those risks, whether through a conversation or by having them sign a waiver.

Keep in mind, when you offer three options, most buyers tend to choose the middle one. Psychologically, we assume the bottom tier isn’t enough, and the top tier is more than we need. So if you want most clients to choose your “best” package, consider adding an “ultra” tier above it. It’s like when you’re buying a car—there’s the sport, premium, and ultra-premium. You might not justify the ultra, so you go one down and still feel like you’re getting great value without paying top dollar.

The all-in model

Next is the all-in model. Given the amount of risk MSPs carry, if something goes wrong, the customer is likely to point to you.

Pros: It’s simple. You offer every client a standard level of protection. To be a customer, they must adopt this minimum standard. You’re being prescriptive and confident in defining what “secure” looks like for your clients.

We’ve seen partners move to this model successfully. For example, one partner previously ran a good–better–best setup and had a client suffer a major breach after opting for a lower tier. We came in to help with incident response, and after that, the MSP standardized on Field Effect for all clients. It was an aggressive move—they lost a few clients during the transition—but ultimately retained just over 90%. The resulting price increase boosted their margins by 120%, while dramatically reducing their own liability.

Cons: You may lose clients when transitioning. A “step change” approach can help—apply the all-in model for new clients, and offer a smaller price bump for existing ones to bring them up to standard. Still, we’re seeing many MSPs move toward this all-or-nothing model due to the risk environment.

Security add-on

The next approach blends the first two: separating your managed services from a security add-on. This model can be very profitable. You keep your managed services as table stakes, then differentiate with security. Often, we see partners offer two security tiers—a “better” and “best”—on top of their base managed services.

For example, you might offer MDR as one add-on and a compliance framework as another. This lets you clearly define and price the value of security separately from your core bundle. It’s also a great way to transition from traditional managed services into a more security-focused offering.

Cons: If clients choose not to add your security option—or skip certain packages—you expose yourself to risk.

A la carte

Finally, there’s the à la carte or resale model.

Pros: It’s simple. You know your cost, you mark it up, and you resell. It’s a straightforward, low-friction model that some MSPs prefer.

Cons: You’re not really selling a complete solution or offering ongoing value. This model doesn’t work well for MSPs managing solutions or MDR deployments, where you’re handling vulnerability management and other labor-intensive tasks.

If you simply mark up the cost of the tools without accounting for your time and effort, you risk running underwater.

Cybersecurity pricing considerations

We can’t tell you exactly what to charge—because you know yourselves and your business best. But what we can help with are the things you should be considering when developing your pricing.

Calculate your expenses

No matter what pricing model you choose, you need a solid grasp of your costs and expenses.

The biggest mistake we see MSPs make is only considering tooling costs when evaluating total costs. You also need to factor in the cost of managing the solution. A few extra dollars up or down on the specific tool might be minimal compared to the actual labor costs or the burden it puts on your business processes.

There’s a tendency to think, “I paid X for this tool; therefore, that’s my cost.” But it’s so much more than that.

Take a holistic view of your costs:

• What are the costs of managing the solution?
• What’s the time and effort to triage and respond to alerts?
• Are the alerts contextualized? Are they integrated?
• Do they walk your team through a path or leave them figuring it out?

Labor cost is a huge factor and can quickly cut into an MSP’s margins. It can also tie up your most expensive or most skilled techs on reactive issues instead of freeing them for project work or revenue-generating tasks.

Ask yourself: does the tool you’re using allow your L1 techs to manage it, or does it require higher-level expertise? Those are important considerations when deciding how to price your services and which tools to use.

Another factor is endpoint versus user pricing. There can be a significant delta here—it’s not a one-to-one. Sometimes we see ratios of 1.25:1, 1.5:1, or even 2:1 users to endpoints. So when you’re comparing vendors, check how they price: by user or by endpoint? Make sure that’s reflected in your own cost model.

Understand technology trends

Keep an eye on technology trends. A tool that’s considered premium today might become a commodity tomorrow, which could impact your pricing. As threat actors evolve and become more sophisticated, cybersecurity solutions also have to evolve—and that can change both your costs and your pricing approach.

Identify your target customer

Identify and learn about your target customer and their needs. You’re really going nowhere fast if you don’t understand who’s interested in your solutions, who’s buying them, and what they’re looking for.

Identify the value

Regardless of your pricing model, you really need to understand from the top level:

• What are your costs?
• What is the value to your customer?

If not purchasing a certain tool could potentially cost them a million dollars after a breach, that’s a high-value item. So you need to understand the outcomes you’re providing and the value of those outcomes.

Analyze the competition

This one’s a favorite for many—and it’s essential. You need to understand who your direct competitors are. If you’re MSP A and your prospect is also looking at MSP B, you need to know what they’re offering.

But one thing that’s often overlooked is the status quo—the “do nothing” option. That’s your competitor too. Doing nothing is often the easiest “buying decision” for a prospect.

So, when identifying your differentiators, make sure you also explain how you’re different from doing nothing—what happens if they don’t take action.

Select pricing model and strategy

Your pricing model answers the question: how are you charging for it? It could be:

• Cost-plus (your cost plus markup)
• Value-based (price by customer value)
• Or a mix of the two (which is common in cybersecurity)

Then you can layer in specific approaches like per-user, fixed, or hourly pricing.

Your pricing strategy, on the other hand, is about how you roll it out to market.

For example, maybe you want to attract early adopters who will become case study opportunities or references later on. You could offer early-adopter pricing—you know your final price point, but you start at a lower rate for a limited time or a limited number of clients. This can build momentum while you establish proof and reputation.

Understand your positioning

Finally, make sure you’ve nailed your positioning. No matter how strong your offering or how well-thought-out your pricing strategy may be, if you can’t clearly articulate why clients should choose you, the rest doesn’t matter.

Positioning is how you connect your pricing and value to your client’s understanding of their needs—and that’s what ultimately drives buying decisions.

Positioning your cybersecurity services

The first part of positioning is really understanding who your audience is. This is key—because almost never does your audience understand (or care about) all the same things that you do.

You may know every feature they need, but your job is to translate those features into things that matter to them.

For example, imagine you’re choosing a barber. The barber might care that they have ultra-sharp trimmers, a built-in vacuum, and LED lights—all great features from their perspective. But as the customer, you just want a fast haircut, to look good in the mirror, and for your partner to love it. The barber knows you don’t care about the specs—they filter the message to focus on what you do care about.

Who is your audience?

We often get asked, “How do I get to know my audience?” The simplest answer: talk to them. But there’s an art to it. Make sure you’re not just asking questions that lead to technical answers like, “Oh yeah, I need an EDR.” What you’re trying to understand goes deeper than cybersecurity requirements.

Ask questions like:

• What are their business goals?
• What challenges do they face beyond cybersecurity?
• How do they measure success?

So yes—talk to your customers, but also ask the right questions. There are entire books on this. If you want to dig deeper, look into buyer persona research. It gives you specific questions to ask—not just to understand your audience, but to gain insight into how they make buying decisions.

What alternates are they looking at and how do you differentiate?

You need to understand not only what your solution provides, but what sets you apart from others like you—or from alternative solutions they might be evaluating.

Again, this all starts with knowing your audience, then clearly communicating the outcomes your solution provides.

What are the outcomes your solution provides?

It’s tempting to fall into feature-based selling—talking about the things that matter to you, but not necessarily to your audience. You’ve probably heard the evolution of this idea:

• Feature selling → benefit selling → outcome selling.

Outcome-based selling is where you want to be. Knowing your customer’s business goals, how they define success, and being able to speak directly to those outcomes is critical.

Then, work backwards. Once you’ve captured their attention with an outcome that resonates, you need proof points—the link between your features, benefits, and outcomes. To make your message land, move from outcome to benefit to feature instead of the other way around.

A great example: imagine I come to you and say, “I have this device—it has hi-fi sound, supports OGG, MP3, WMA, and WAV formats, you can expand the memory with a TF card, and it charges fast.”

You might say, “Cool,” but it doesn’t really connect.

Then Steve Jobs comes along and says, “A thousand songs in your pocket.”

That’s the difference between feature-based messaging and outcome-based storytelling. Jobs captured people’s imagination with something short, simple, and powerful—an outcome that mattered to them. Apply the same thinking to your own positioning. Don’t speak in features that make sense to you but might not resonate with your audience.

How can you make it easy for your audience?

Finally, as you build out your positioning, focus on making it easy for your audience—across the entire journey. Easy to understand what they’re buying, to measure whether it’s working, to purchase, to renew.

Think through every customer touchpoint and ask yourself: How can I make this as simple, clear, and frictionless as possible?

From features to outcomes

We all get excited about industry buzzwords—but let’s not forget that this industry can be confusing, especially for people who’ve never purchased a cybersecurity solution before. Instead of leading with a laundry list like “You’ll get EDR, MDR, cloud detection, threat hunting, SOC, and vulnerability management,” try leading with something more relatable:

“With our security package, we’ll work hand-in-hand with you to prevent, detect, and respond to threats across your entire organization. You’ll get a complete solution that provides 24/7 support and is built for today’s threat landscape.”

Or, for a punchier line that connects the dots, something like:

“Without Field Effect—or without our MDR—in place, I don’t have the visibility required to properly protect you against today’s threats and reduce your organizational risk.”

That ties back to the key point from earlier: how do you lead your clients to this place of understanding? The world changes, and so do technology and threats. It’s important to communicate that you’re only as effective as the tools you have in place. Even if your client is comparing competitive solutions, it’s okay to say: “Those competitors don’t have the same visibility either—unless they have these elements in place.”

It’s okay to be prescriptive. It’s okay to take the role of a trusted advisor—because that’s exactly where your clients expect you to be.

What to look for when evaluating partners

When you’re looking at potential cybersecurity partners, the key word is right there in the title: partner, not vendor. Yes, they’re going to provide cybersecurity—but what else are you getting from them?

Holistic coverage

Holistic coverage is essential. You want to work with a partner who can help you consolidate your tech stack, allowing you to save on tooling costs and drive efficiencies across your operations.

But beware of marketing buzzwords. Imagine walking into a cybersecurity conference—it can feel like everyone under the sun is offering an “MDR.” But what are they really offering? Is it actually MDR? Is it XDR? Or is it just a managed EDR that’s been rebranded as MDR?

We’ve seen vendors claim to offer “cloud monitoring,” but what does that actually mean?

• Are they tying it to the endpoint?
• Are they analyzing behavior?
• Are they monitoring activities like file downloads from SharePoint?
• How mature is that monitoring, and is it all being tied together?

That’s why it’s important to look beyond the SKUs and marketing claims, and actually dig in. Unfortunately, many vendors latch onto the latest buzzwords and “check the box” without delivering real depth.

You need to understand:

• What is the vendor truly taking on your behalf?
• What level of support do they provide?
• Are alerts delivered standalone or consolidated?
• Do their tools integrate with your existing tech stack?

Pricing that fits

Pricing is another major consideration.

Ask yourself:

• What margins are you aiming for?
• Is the offering truly all-in-one?
• Are there hidden costs or add-ons down the road?
• Is there SKU confusion that could cause issues later?

You don’t want to find yourself in a critical situation, reaching out to your vendor only to discover you don’t have the right package for incident response or active response.

Also consider: does their pricing align with how you bill your clients? At Field Effect, for example, we align our pricing model with how MSPs bill their customers. It makes the entire process more seamless and reduces complexity—something every MSP appreciates.

Around-the-clock expertise

Next, consider what level of expertise they bring. Is it truly 24x7 support? Because in cybersecurity, it has to be. Threats don’t take breaks, and neither can your defenses. That full-time coverage isn’t just beneficial for you—it’s also something you can sell as a value-add to your clients.

Marketing and sales support

Finally, look at what your partner provides beyond cybersecurity. Are they helping you sell the service? Do they offer marketing and sales support? For many MSPs—especially those just starting out or transitioning from endpoint protection to MDR—this can make all the difference.

You want a partner who not only delivers effective cybersecurity but also gives you the tools, sales enablement, and marketing resources you need to successfully bring it to market. That’s where the concept of a two-way partnership comes in—one where you’re working together toward shared success.

Getting a true partner with Field Effect

At Field Effect, it’s part of our ethos to truly partner with the MSPs we work with.

From a sales and marketing perspective, you will get access to sales tools that we provide our partners, like a pre-sales attack surface report that’s going to help show your customers their vulnerabilities. We also provide free tools combined with sales enablement and sales engineering support for demos. You’ll have access to go-to-market assets, messaging templates, and a full partner portal stocked with ready-to-use campaigns and webinars.

And we’re always happy to sit down one-on-one to have these kinds of conversations with you directly.

We truly believe in complete visibility—and in offering a solution that’s not weighed down by hidden costs or endless add-ons. Our approach is to deliver a complete, transparent solution that’s simple to implement and easy to manage. That means seamless integration with MSP tools like ConnectWise and Autotask, fitting naturally into your existing processes, and ultimately working together to provide the best possible protection for your clients.

Q&A

Q: Are Field Effect marketing materials currently available with outcome-based messaging?

As a Field Effect partner, you have access to a wide range of marketing materials designed to speak to a less technology-savvy audience—focusing more on the outcomes they’ll get, rather than the technical details. You’ll find “campaigns in a box” tailored to specific industries and problem sets, plus a whole library of resources available on the partner portal to help you build that kind of messaging.

We’re also constantly evolving our own materials. This is where we love working closely with our partners—if your clients care about specific outcomes that we can help communicate from a cybersecurity perspective, we’re always happy to collaborate and build those materials together.

When we onboard you as a partner, we guide your team through two dedicated tracks: a technical track (focused on actually using the product) and a sales and positioning track (focused on outcome-based messaging). Those sessions, combined with the extensive resources in the partner portal, give you everything you need to confidently market and position Field Effect’s solutions.

Q: Can you provide a common MSP stack we should be using—or providing—to our prospects and customers?

It’s going to align closely with many of the items you saw earlier in the Identify, Detect, Respond framework. We list the 15+ tools Field Effect includes in its holistic coverage. We believe you’re not doing yourself any good protecting one area while leaving your windows or doors open in another.

Q: What’s the split between MSPs doing the “good, better, best” model versus the “all-in” model? Is there a trend?

We’re definitely seeing a move away from “good, better, best” to something more prescriptive. Some MSPs have moved fully to the all-in model, especially given the current risk landscape.

What we’re seeing most often now is a bit of “fence-sitting”—either a two-tier model (“better” and “best”) or an all-in model with a compliance add-on. That security add-on approach is trending upward.

But overall, especially after an attack or incident, many MSPs find it’s just not worth the time or risk to maintain multiple tiers. So we’re seeing a shift toward all-in, sometimes with a small step-up option.