How much does it cost to build a SOC?

An internal 24/7 SOC requires minimum 6-8 analysts (3 shifts) plus a SOC manager, SIEM licensing, and infrastructure. Fully-loaded annual cost: $800,000-$2.2M for a minimal operation. White-label SOC-as-a-Service from vendors like Arctic Wolf or Huntress costs $15-45 per endpoint per month wholesale, enabling MSSPs to deliver SOC capability without the capital investment.

What EBITDA multiples do MSSPs trade at?

MSSPs trade at 10-14x EBITDA in 2026, with compliance-specialist MSSPs (HIPAA, CMMC) reaching 12-15x. Entry-level MSSPs ($1.5-5M revenue) typically sell at 6-9x. The premium over generalist MSPs (5-8x) reflects higher switching costs, compliance lock-in, and recurring revenue quality.

What is the LTV:CAC ratio for a typical MSSP?

Well-run MSSPs achieve LTV:CAC ratios of 10:1-20:1, significantly above generalist MSPs (3:1-5:1), due to compliance-driven switching costs, multi-year contracts, and low annual churn (typically 5-8%). CAC ranges from $3,000-8,000 for SMB clients acquired through referral to $15,000-40,000 for enterprise compliance wins.

How many MSSPs exist globally with $100k+ EBITDA?

Approximately 800-1,100 globally. North America leads with 350-450, Europe 180-250, Asia-Pacific 120-180. Southeast Asia specifically has 140-200, with Singapore (60-80) the most mature market.

What are the most common MSSP failure modes?

The six main killers: (1) SOC alert fatigue leading to missed breaches and client loss, (2) underpricing MDR services below actual delivery cost, (3) over-reliance on one compliance vertical, (4) founder-dependent client relationships, (5) tool stack fragmentation preventing scale, and (6) failing a client breach due to inadequate IR capability.

Home How to Sell Your MSP MSP Valuation Who Buys MSPs Should You Sell? For Buyers MSP Wiki Free MSP Valuation →

UNGLIN · MSSP & Cybersecurity M&A

MSSP / Cybersecurity · 2026 · Big Four Depth

MSSP / Cybersecurity Business: Complete 2026 Wiki
SOC Economics · Unit Economics · Deal Mechanics

Q: What is an MSSP?

A Managed Security Service Provider (MSSP) is a company that remotely monitors, detects, and responds to cybersecurity threats on a 24/7 subscription basis, operating a Security Operations Centre (SOC) staffed by security analysts. Unlike a generalist MSP, security is the MSSP's primary service, not an add-on.

Den Unglin May 25, 2026 45+ min read · For founders, investors & acquirers

Executive Summary — President's Office Briefing

The global MSSP market is $43B in 2026, growing at 14–16% CAGR to $137B by 2035. MSSPs command the highest valuation multiples in managed services — 10–14x EBITDA — driven by compliance lock-in, 24/7 SOC capability, and structural scarcity of security talent. A 24/7 SOC costs $800K–$2.2M/year to build internally; white-label alternatives enable entry at $15–45/endpoint/month. Elite MSSPs achieve LTV:CAC of 10:1–20:1. Approximately 800–1,100 MSSPs globally have $100K+ EBITDA. AI is transforming SOC operations — reducing analyst alert load by 60–80% while enabling sub-5-minute mean time to detect. This document covers the full taxonomy, economics, technology stack, compliance, talent, deal mechanics, and failure modes.

Strategic premise: The MSSP market is bifurcating. Compliance-specialist MSSPs with proprietary SOC tooling and vertical depth command 12–15x EBITDA. Generalist "security-flavoured" MSPs with no real SOC are being displaced by AI-native MDR platforms and will trade at 5–7x — or not at all.

1. MSSP Definition & Complete Service Taxonomy

A Managed Security Service Provider (MSSP) is a third-party company that remotely monitors, detects, and responds to cybersecurity threats for client organisations on a 24/7 subscription basis, operating a Security Operations Centre (SOC) staffed by security analysts. Unlike a generalist MSP where security is an add-on, an MSSP's core competency and primary revenue driver is security operations.

MSSP vs MDR vs XDR vs SOC-as-a-Service — The Taxonomy

Term	Definition	Who delivers it	EBITDA multiple
MSSP	Broadest category: 24/7 SOC, firewall mgmt, compliance, vCISO, IR retainer	Dedicated security firm with owned/white-label SOC	10x–14x
MDR (Managed Detection & Response)	Focused subset: threat hunting, active containment, human-led response. Higher value than pure monitoring.	MSSP or specialist MDR vendor (Arctic Wolf, Huntress)	11x–15x
XDR Platform	Technology layer unifying endpoint + network + cloud + identity telemetry. MSSPs use XDR to deliver MDR.	Technology vendors (CrowdStrike, SentinelOne, Microsoft)	n/a (tech, not services)
SOC-as-a-Service	Pure SOC monitoring delivered as a managed service. No broader IT managed services.	Pure-play SOC vendors, white-label suppliers	8x–11x
vCISO	Fractional CISO advisory: security programme, board reporting, compliance oversight	MSSP add-on or standalone advisory firm	8x–11x
Security-flavoured MSP	Generalist MSP with EDR add-on and basic alerting. No real SOC, no 24/7 coverage, no IR capability.	Generalist MSPs claiming MSSP status	5x–7x

Buyer due diligence warning: Approximately 40% of firms that self-identify as "MSSPs" in 2026 do not operate a genuine 24/7 SOC. Buyers verify this through shift logs, analyst headcount, SIEM alert volumes, and MTTD/MTTR data. A security-flavoured MSP without a real SOC trades at MSP multiples, not MSSP multiples.

MSP vs MSSP — The Economic Distinction

Feature	Generalist MSP	MSSP
Primary focus	Uptime, backups, help desk	Threat detection, incident response, compliance
SOC	None or outsourced alerting	24/7 SOC (internal or white-label)
Key staff	Help desk, network admins	Security analysts (L1/L2/L3), threat hunters, IR specialists
Compliance depth	Basic (backup, AV)	HIPAA, PCI DSS, CMMC, SOC 2, ISO 27001 — operational detail
Pricing	$75–$150/user/month	$100–$300/user/month or $15–$60/endpoint/month
Client churn	8–12% annually (SMB)	5–8% annually (compliance-sticky)
EBITDA multiple	5x–8x	10x–14x
Primary churn trigger	Price / service quality	Compliance framework change or major breach at client

2. Global MSSP Market Size & Growth (2026)

$43BMSSP market 2026Up from $31B in 2023

14–16%CAGR 2026–2035Fastest in managed services

$137BProjected 2035Mordor Intelligence

$311BTotal cybersecurity 202666% delivered via channel

The MSSP market is the fastest-growing segment of the managed services industry. Growth is structurally driven by three forces that will not reverse: regulatory proliferation (CMMC, NIS2, EU AI Act), the global cybersecurity talent shortage (estimated 3.5 million unfilled positions in 2026), and the geometric increase in attack surface from cloud adoption and AI-generated threats.

Region	MSSP market 2026	CAGR	Key driver	EBITDA multiple range
North America	~$19.4B (~45%)	13%	HIPAA, CMMC, cyber insurance mandates	10x–15x
Europe	~$10.3B (~24%)	14%	GDPR, NIS2, EU AI Act enforcement	8x–12x
Asia-Pacific	~$8.6B (~20%)	17–20%	Digital transformation, data localisation laws	6x–10x
Middle East & Africa	~$2.6B (~6%)	16%	Vision 2030 (Saudi), UAE cybersecurity strategy	5x–8x
Latin America	~$2.1B (~5%)	12%	LGPD (Brazil), financial sector requirements	4x–7x

Sources: Mordor Intelligence MSSP Market Report 2026; Gartner Security Services Forecast; IDC Cybersecurity Spending Guide 2026.

3. SOC Economics — Build vs Buy vs White-Label

The SOC decision is the most capital-intensive choice an MSSP founder makes. Getting it wrong — building too early or white-labelling the wrong vendor — is the #1 cause of MSSP margin collapse. Here is the complete economic analysis.

Option 1: Build an Internal 24/7 SOC

Cost component	Annual cost (minimal 24/7 SOC)	Notes
SOC analysts (6 FTEs, 3 shifts × 2)	$420,000–$570,000	L1 analysts at $55–75K fully loaded. Cannot run 24/7 with fewer than 6.
SOC Manager / Lead analyst	$110,000–$150,000	Required for quality control and escalation management
SIEM licensing (Splunk / Microsoft Sentinel)	$80,000–$250,000	Scales with data ingestion volume. Splunk = expensive; Sentinel = per-GB
EDR platform (enterprise tier)	$40,000–$120,000	CrowdStrike, SentinelOne, or Microsoft Defender at MSSP/multi-tenant pricing
Infrastructure (SOAR, TIP, ticketing)	$50,000–$120,000	Palo Alto XSOAR, Recorded Future TIP, ServiceNow or Jira
Physical / virtual SOC infrastructure	$30,000–$80,000	Secure workspace, display walls, redundant connectivity
Total annual operating cost	$730,000–$1,290,000	For a minimal, genuine 24/7 SOC. Enterprise SOCs run $3M–$10M+

Break-even analysis: At $150/user/month per client (blended SOC + IT), a minimal internal SOC breaks even at approximately 450–700 users under management. Below this threshold, the unit economics are deeply negative. Most MSSPs under $5M ARR cannot justify an internal SOC on economics alone.

Option 2: White-Label SOC-as-a-Service

White-label SOC eliminates capital investment while enabling MSSP positioning. The margin story is compelling at scale but requires careful vendor selection:

Vendor	Model	Wholesale price	Typical MSP resale	Margin
Arctic Wolf	MDR + Concierge SOC (white-label)	$20–$35/endpoint/month	$45–$75/endpoint/month	40–55%
Huntress	MDR for MSPs (purpose-built)	$3.50–$6/endpoint/month	$12–$20/endpoint/month	55–70%
Secureworks Taegis MDR	Enterprise MDR white-label	$15–$30/endpoint/month	$35–$60/endpoint/month	40–55%
Sophos MDR	MDR with human response	$5–$10/endpoint/month	$18–$30/endpoint/month	45–65%
SentinelOne Vigilance	MDR response layer on Singularity	$4–$8/endpoint/month	$15–$28/endpoint/month	45–65%

White-label risk: When you white-label a SOC, the SOC capability is not yours — it belongs to the vendor. In a sale process, buyers heavily discount white-label-only MSSPs because the "SOC asset" leaves with the contract. Build proprietary runbooks, add your own L1 analyst layer on top, and document your processes as if the SOC were internal. This transforms a white-label arrangement into a defensible proprietary capability.

Option 3: Hybrid Model (Most Common Above $3M ARR)

The optimal model for most growth-stage MSSPs: white-label SOC for 24/7 L1 monitoring + internal L2/L3 analysts for escalations + proprietary compliance and vCISO layer. This achieves the SOC positioning without the full capital cost while building genuine internal IP. Cost: $180,000–$400,000/year (2 internal senior analysts + vendor SOC).

4. Technology Stack Deep-Dive

SIEM Platform Comparison (2026)

Platform	Ownership	Pricing model	Best for	Key risk
Microsoft Sentinel	Microsoft	Per-GB ingested (~$2.46/GB)	Microsoft-heavy environments; cloud-native; broad Azure integration	Costs spike with high log volume; requires Azure expertise
Splunk Enterprise Security	Cisco (acquired 2024)	Per-GB or infrastructure-based ($150K–$500K+/year)	Large enterprise SOCs; complex correlation; rich ecosystem	Very expensive; Cisco ownership creates roadmap uncertainty
IBM QRadar	IBM / Palo Alto (QRadar SIEM divested)	Per-EPS (events per second)	Regulated industries; established enterprise customers	Complex UI; declining market share; acquisition uncertainty
Elastic Security	Elastic (public)	Compute/storage based	Cost-sensitive MSSPs; developer-friendly; flexible ingestion	Requires deep Elasticsearch expertise; less turnkey
LogRhythm / Exabeam	Private (merged 2023)	Per-user or per-EPS	Mid-market MSSPs; UEBA; compliance-focused	Post-merger integration risk; roadmap uncertainty

EDR/XDR Platform Comparison (MSSP/Multi-tenant)

Platform	MSSP/Multi-tenant capability	Wholesale MSSP price	Key strength
CrowdStrike Falcon	Excellent — Falcon Foundry + Horizon MSSP portal	$8–$18/endpoint/month	Best-in-class threat intelligence; fastest detection; AI-native
SentinelOne Singularity	Excellent — multi-tenant console, API-first	$4–$9/endpoint/month	Autonomous AI response; best remediation automation; strong SOAR integration
Microsoft Defender for Business	Good — MDE multi-tenant via GDAP	$3–$6/endpoint/month	Deep M365 integration; included in E5 license; best for Microsoft shops
Palo Alto Cortex XDR	Good — Cortex MSSP programme	$10–$20/endpoint/month	Best network + endpoint correlation; XSOAR integration
Bitdefender GravityZone Ultra	Excellent — purpose-built multi-tenant	$3–$6/endpoint/month	Best price/performance; top AV efficacy; low false positive rate

SOAR & Automation Platforms

Security Orchestration, Automation, and Response (SOAR) is what separates a scalable MSSP from one that drowns in alerts. In 2026, SOAR is the critical investment for MSSPs targeting 1,000+ endpoints:

Palo Alto XSOAR (Cortex) — Market leader. 900+ integrations. Enables fully automated playbooks for common alert types. $50K–$200K/year. Steep learning curve but highest automation ceiling.
Splunk SOAR (formerly Phantom) — Strong if already on Splunk SIEM. Tight integration; drag-and-drop playbook builder. Bundled or separate licensing.
Microsoft Sentinel Automation — Logic Apps-based. Best for Microsoft-only stacks. Near-zero additional cost for existing Sentinel customers.
Rewst — Emerging SOAR specifically for MSP/MSSP workflows. 200+ pre-built playbooks. Lower cost ($1,500–$5,000/month). Best entry-point for MSSPs under $5M ARR.
Torq / Tines — Code-first SOAR. Preferred by security engineers who want maximum flexibility. Per-workflow pricing.

Sources: Gartner Magic Quadrant for SIEM 2025; Forrester Wave EDR 2026; MSSP Alert vendor survey 2025.

5. MSSP Pricing Models — The Complete Spectrum

Pricing model	Structure	Gross margin	Best for	Buyer preference
Per-endpoint (most common)	$15–$60/endpoint/month based on protection tier	55–70%	SMB and mid-market; easy to understand	High — predictable
Per-user all-inclusive	$100–$300/user/month; security stack included	50–65%	Compliance-heavy verticals; simplifies procurement	Very high — clean MRR
Tiered SOC (Bronze/Silver/Gold)	Bronze: monitoring only. Silver: MDR. Gold: MDR + vCISO + IR retainer	45–68%	Any size; drives upsell to Gold	High — shows productisation
Outcome-based / SLA-linked	Priced on MTTD <15 min, breach prevention SLA	60–75%	Enterprise; compliance-critical clients	Premium — emerging
IR retainer (add-on)	$2,000–$15,000/month for on-call IR response	70–80%	Any; high-value recurring	High — pure margin
vCISO advisory (add-on)	$2,500–$8,000/month for 8–20 hrs advisory	75–85%	SMB without full-time CISO	Very high — sticky, high margin
Compliance-as-a-Service (add-on)	$1,500–$6,000/month for GRC management	65–80%	HIPAA, CMMC, SOC 2 verticals	Very high — compliance lock-in

Pricing psychology: The most common MSSP pricing mistake is competing on per-endpoint price. A client choosing between $18/endpoint (you) and $12/endpoint (competitor) is choosing a commodity. Reframe around cost-of-breach ($150K average for SMB) vs. cost-of-prevention ($200/month). An MSSP that can demonstrate a client avoided a breach event creates immediate price insensitivity. Document near-misses — they are your most powerful sales asset.

6. Unit Economics & Financial Modeling

Gross Margin vs EBITDA — The MSSP-Specific Distinction

Metric	Typical MSSP range	What drives it	Why buyers care
Gross Margin	50–68% (varies hugely by SOC model)	White-label SOC = higher gross margin vs. internal SOC (high fixed analyst cost)	Reveals unit-level profitability of each client
EBITDA Margin (reported)	10–22% for most MSSPs	High analyst salaries; SIEM/tool costs; compliance overhead	The multiple basis — but always normalised first
Normalised EBITDA	15–35% (after add-backs)	Founder salary normalisation; one-time hires; IR engagement revenue treated separately	What PE actually prices. Can be 30–50% above reported.

MSSP-specific add-back trap: IR (incident response) engagements can be $50K–$300K one-time revenue events. Sellers often include these in recurring EBITDA. Buyers will exclude them as non-recurring. Know which revenue is genuinely recurring before going to market — misclassifying IR revenue as MRR is the #1 cause of post-LOI price chips in MSSP transactions.

LTV:CAC by MSSP Segment

Segment	Typical CAC	Contract life	Annual MRR/client	LTV (est.)	LTV:CAC
SMB general security (<100 endpoints)	$3,000–$8,000	3 yrs	$18,000–$36,000	$54K–$108K	8:1–15:1
Compliance specialist (HIPAA/CMMC)	$8,000–$20,000	5.5 yrs	$36,000–$96,000	$198K–$528K	15:1–30:1
Mid-market MDR (100–500 endpoints)	$15,000–$40,000	4 yrs	$72,000–$216,000	$288K–$864K	10:1–20:1
Enterprise SOC contract	$40,000–$120,000	3 yrs	$180,000–$600,000	$540K–$1.8M	8:1–15:1
vCISO advisory (add-on)	$500–$2,000	4 yrs	$30,000–$96,000	$120K–$384K	60:1–190:1

Estimates based on UNGLIN analysis of 47 MSSP M&A transactions (2023–2025).

SLA Benchmarks — What Defines a Credible MSSP

KPI	Definition	Industry average	Best-in-class	PE due diligence minimum
MTTD (Mean Time to Detect)	Time from threat occurrence to SOC alert	16–24 hours (industry)	<15 minutes (AI-assisted)	<4 hours documented
MTTR (Mean Time to Respond)	Time from alert to containment action	2–6 hours	<30 minutes (automated response)	<2 hours documented
False Positive Rate	% of alerts that are not genuine threats	45–65% (industry)	<15% (tuned rules + ML)	<30% with trending data
Alert-to-ticket ratio	% of SOC alerts that become billable/actionable tickets	5–15%	<5% (indicates good tuning)	Trend line over 24 months
Uptime / SOC availability	% of time SOC is actively monitored	99.5%	99.95%	99.5% minimum, documented

7. Valuation Multiples for MSSPs (2026)

MSSP type	Revenue range	EBITDA multiple	Revenue multiple	Primary driver
Security-flavoured MSP (no real SOC)	Any	5x–7x	0.6x–0.9x	Treated as MSP, not MSSP
Entry-level MSSP ($1.5–5M)	$1.5M–$5M	6x–9x	0.9x–1.2x	SOC exists but founder-dependent
Scaled MSSP ($5–15M)	$5M–$15M	8x–11x	1.1x–1.4x	24/7 SOC, MDR, multiple compliance certs
Platform-ready MSSP ($15M+)	$15M+	10x–14x	1.2x–1.6x	Proprietary SOC tooling, NRR >110%
CMMC/HIPAA specialist	Any	+20–35% premium	—	Compliance lock-in, very sticky
AI-native MDR platform	$5M+	12x–16x	1.5x–2.0x	Proprietary AI, Zero-Touch SOC, scalability

For the full valuation calculator and deal-specific multiple analysis, see our dedicated MSSP sale guide and MSP valuation multiples guide. This wiki provides the framework; those pages provide the tools.

8. Threat Landscape 2026 — What MSSPs Actually Defend Against

Understanding the threat landscape is not just operational knowledge — it is a sales and valuation asset. MSSPs that can quantify what they have prevented, with documented near-miss evidence, command premium pricing and premium multiples.

Threat category	2026 prevalence	Avg. SMB breach cost	MSSP defence layer
Ransomware	#1 threat; 65% of incidents involve ransomware element	$270K–$1.2M (downtime + recovery + ransom)	EDR + SOC monitoring + immutable backup + IR retainer
Business Email Compromise (BEC)	#1 by financial loss; avg $120K per incident	$120K average	Email security (Proofpoint/Mimecast) + security awareness training
Supply chain attacks	Up 45% YoY; targets MSPs/MSSPs as intermediaries	$500K–$5M (MSP liability)	Zero Trust RMM access + vendor risk management + own security hygiene
AI-generated phishing / deepfakes	Emerging; 340% increase in AI-assisted phishing 2024–2026	Varies; CEO fraud avg $200K	AI anti-phishing (Abnormal Security, IRONSCALES) + training
Cloud misconfiguration	Present in 82% of breaches with cloud component	$1.5M average (AWS/Azure)	CSPM (Wiz, Orca) + cloud posture management
Agentic AI attacks (emerging)	First documented autonomous multi-step attacks 2025; accelerating	Unknown; potentially catastrophic	AI Security Posture Management (AI-SPM); behavioural analytics

Sources: Verizon DBIR 2026; IBM Cost of a Data Breach Report 2025; CrowdStrike Global Threat Report 2026.

9. AI in the SOC — The Transformation Already Happening

AI is not a future consideration for MSSPs — it is a present competitive divide. MSSPs that have integrated AI into SOC operations are achieving fundamentally different economics to those still running manual L1 triage.

Alert triage automation: AI-powered triage (Microsoft Copilot for Security, CrowdStrike Charlotte AI, SentinelOne Purple AI) reduces L1 alert handling time by 60–80%. An analyst who previously handled 40 alerts/shift can now supervise 200+ with AI assistance.
Automated playbook execution: SOAR platforms combined with LLM-powered playbook generation can auto-resolve 35–60% of common alert types (password resets, isolated endpoint, block IP) without human intervention. This directly compresses per-endpoint delivery cost.
Threat hunting at scale: AI-assisted threat hunting (Darktrace, Vectra, Exabeam) identifies anomalous behaviour patterns across thousands of endpoints simultaneously — a task that would require dozens of senior analysts manually.
MTTD compression: Best-in-class AI-augmented SOCs are achieving MTTD under 5 minutes, down from the industry average of 16–24 hours. This is not incremental improvement — it is a different category of protection.
Agentic AI threat actors: By 2027, autonomous AI attack agents will be standard in sophisticated threat actor arsenals. MSSPs must build AI-versus-AI defence capability — static rule-based detection will fail against adaptive AI attackers.

Valuation implication: AI-native MSSPs (where AI handles 70%+ of L1 SOC operations) command 12–16x EBITDA multiples. MSSPs with manual-only SOC operations are capped at 8–10x. The operational investment in AI tooling (<$100K/year for most platforms) generates 2–4x EBITDA multiple improvement — the highest-ROI investment an MSSP can make before a sale.

10. Compliance Landscape — Operational Detail by Framework

Framework	Applies to	MSSP operational obligations	Penalty	Multiple premium
CMMC 2.0 (US defense)	Defense contractors processing CUI	Level 2: 110 NIST 800-171 controls; C3PAO third-party assessment; POA&M management; continuous monitoring evidence; annual affirmation	Loss of DoD contracts; False Claims Act liability	+25–35%
HIPAA (US healthcare)	Covered entities, business associates	Signed BAA; ePHI encryption at rest/transit (AES-256); audit trail 6+ years; risk assessment annually; breach notification 60 days; sub-BAA chains	$100–$50,000/violation; $1.9M/category annually	+15–25%
PCI DSS v4.0	Merchants, service providers, payment processors	CDE network segmentation; quarterly ASV scans; annual penetration test; access logging; WORM log storage; SAQ completion for clients	$5K–$100K/month until compliant; card processing termination	+10–20%
GDPR + EU Data Act	Any org processing EU personal data	Article 28 DPA with all sub-processors; 72-hour breach notification to DPA; data subject rights SLA (30 days); cross-border transfer safeguards (SCCs)	€20M or 4% global revenue	+8–15% (EU specialist)
NIS2 Directive (EU)	Essential and important entities in EU	Incident reporting to national CSIRT within 24h (initial) / 72h (full); supply chain security; board-level cybersecurity responsibility; minimum technical controls	€10M or 2% global revenue	+8–12% (EU specialist)
SOC 2 Type II	SaaS providers, service organisations	Annual audit by licensed CPA firm; Trust Service Criteria implementation; continuous control monitoring; vendor management programme	No statutory penalty; loss of enterprise clients	+10–15%

11. Talent & Organizational Architecture

SOC Analyst Tiers — Roles, Salaries & Certifications

Role	Tier	Base salary (US, 2026)	Key certifications	Primary function
SOC Analyst	L1	$48,000–$65,000	CompTIA Security+, CySA+	Alert triage, initial investigation, escalation
SOC Analyst	L2	$68,000–$90,000	CEH, GCIH, eJPT	Incident investigation, malware analysis, threat correlation
Senior Analyst / Threat Hunter	L3	$90,000–$125,000	OSCP, GCFE, GCFA	Proactive threat hunting, forensics, IR leadership
SOC Manager	Management	$110,000–$150,000	CISSP, CISM	Team management, quality control, client escalations
Security Engineer (SIEM/SOAR)	Engineering	$100,000–$140,000	Splunk/Sentinel certs, GCIA	Platform configuration, detection rule engineering, automation
vCISO / Security Advisor	Advisory	$120,000–$170,000	CISSP, CISM, CRISC	Client security programme, board reporting, compliance oversight
Penetration Tester	Offensive	$95,000–$140,000	OSCP, OSEP, CRTO	Annual pen tests, red team exercises, vulnerability assessment

Source: SANS Salary Survey 2026; ISC² Cybersecurity Workforce Study 2025; UNGLIN compensation normalisation database.

Offshore SOC Model — Economics & Compliance

Cost savings: Philippines L1 SOC analyst (managed service): $14,000–$20,000/year fully loaded vs US $58,000–$72,000. For a 10-seat 24/7 SOC, offshore L1 saves $400,000–$520,000 annually.
Quality control: Offshore L1 triage works well with mature SOAR playbooks. Without documented runbooks, false negative rates increase 3–5×. The runbooks are the offshore SOC's operating manual — writing them first is mandatory.
Compliance constraints: Healthcare (HIPAA) and defense (CMMC) data cannot be processed by offshore staff without explicit contractual safeguards and, for CMMC, US-person requirements for certain data access levels. Many offshore SOC models are unknowingly non-compliant with the verticals they claim to serve.
Hybrid best practice: Offshore L1 (Philippines, India, Eastern Europe) for alert triage + US-based L2/L3 for escalation and client communication. This achieves 60–70% of the cost savings while maintaining quality and compliance.

MSSP Org Structure by Revenue Tier

Under $2M ARR

Founder-SOC

Founder + 2–3 security analysts. White-label SOC. All client relationships personal. vCISO delivered by founder. Valuation risk: maximum. Priority: document SOC runbooks, remove founder from SOC shifts.

$2M–$5M ARR

Early team

SOC Manager (removes founder from shifts). Dedicated L1/L2 analysts. Compliance specialist (HIPAA or CMMC). Account Manager for top clients. Hybrid internal/white-label SOC. EBITDA: 12–18%.

$5M–$12M ARR

Growth stage

Operations Manager. vCISO practice (2–3 fractional CISOs). Penetration testing team. Dedicated compliance practice lead. Sales hire for new logo. Internal SIEM/SOAR engineer. EBITDA: 16–24%.

$12M+ ARR

Platform stage

COO. Threat intelligence function. AI/automation engineer. Offshore L1 SOC team. Board-level governance. Quarterly QoE. Annual pen test of own infrastructure. EBITDA: 20–32%.

12. Vendor Ecosystem & Partner Economics

Vendor	MSSP programme	Wholesale price	Resale margin	Key benefit
CrowdStrike (Falcon)	Falcon Complete MSSP / Foundry	$8–$18/endpoint/month	30–45%	Best brand; fastest threat intel; AI Charlotte integration
SentinelOne	Vigilance MDR / MSSP tier	$4–$9/endpoint/month	40–60%	Autonomous AI response; best SOAR API; strong MDR story
Palo Alto Networks	NextWave MSSP	$10–$22/endpoint/month	30–45%	Full-stack SASE + SOC; Cortex XDR + XSOAR together
Fortinet	MSSP Partner Programme	$5–$14/endpoint/month	35–55%	Firewall + EDR ecosystem; MSSP FortiSIEM; strong SMB pricing
Microsoft (E5 / Defender)	MSSP programme via CSP/GDAP	$4–$8/endpoint/month	35–55%	Included in M365 E5; 85% of SMB on Microsoft; Sentinel + Copilot
Huntress	Huntress for MSPs/MSSPs	$3.50–$6/endpoint/month	50–70%	Human-led threat hunting; best M365 detection; purpose-built for SMB MSSP

13. Competitive Landscape — MSSP Market Leaders 2026

Enterprise tier (1,000+ endpoints, global): Secureworks (Dell spin-off, public), AT&T Cybersecurity (LevelBlue rebranded), Trustwave (Singapore Telecom), IBM Security Services, Accenture Security ($7B+ practice).

Mid-market specialists ($100M–$1B revenue): Arctic Wolf (private, $700M+ ARR, fastest growing), Deepwatch, Netsurion, Ontinue (formerly Open Systems), Critical Start (acquired by private equity 2024).

PE-backed consolidators actively acquiring MSSPs: Thrive (acquired 15+ MSSPs 2022–2025), Ntiva, Trustwave under SingTel, Sievert Larsen, Coretelligent. These platforms pay 8–12x for $2–10M MSSPs as tuck-ins.

AI-native challengers (emerging, 2024–2026): Orca Security (cloud-native), Wiz (CSPM, IPO 2025), Abnormal Security (email AI), Cybereason (AI SOC). These are vendor platforms that MSSPs resell, not direct MSSP competitors — but they are eliminating certain service lines (email security, cloud posture) as standalone products.

14. M&A Activity & Deal Mechanics — MSSP-Specific

180+MSSP acquisitions 2025~40% of all MSP deals

10.2xAvg EV/EBITDA (MSSP)vs 7.4x generalist MSP

35%YoY rise in cross-borderUS buyers in EU/APAC

12–24 moTypical earnout periodTied to client retention

MSSP-Specific Due Diligence Items

Standard MSP due diligence applies (see MSP Wiki Section 19), but MSSPs face additional scrutiny specific to security operations:

SOC shift logs (24 months): Buyers verify the SOC actually operates 24/7 with documented analyst coverage. A SOC that runs 8×5 and claims 24/7 is a deal-breaker discovered on day one of DD.
Incident response history: All IR engagements in the last 5 years — how they were handled, outcomes, and whether clients churned post-incident. A well-documented IR response that retained the client is a positive signal; an undisclosed breach that led to churn is material.
SIEM alert and ticket data (24 months): MTTD, MTTR, false positive rates, alert-to-ticket ratios. These numbers tell buyers more about SOC quality than any certification.
Compliance certification status: SOC 2 Type II audit reports, CMMC assessment status, HIPAA BAA register. All must be current and transferable.
Vendor contract transferability: MSSP-tier agreements with CrowdStrike, SentinelOne, Palo Alto. Many MSSP pricing tiers are non-transferable or require re-qualification. Buyers have been surprised post-close when MSSP-tier pricing reverted to standard.
Insurance coverage for cyber liability: MSSPs carry unique risk as supply chain targets. Buyers require evidence of E&O (errors and omissions) and cyber liability coverage, typically $2M–$10M limits.
MSSP's own security posture: Buyers will conduct a penetration test of the MSSP's own infrastructure as part of DD. An MSSP with poor internal security hygiene is the ultimate red flag.

MSSP-Specific LOI & Deal Structure Considerations

IR revenue treatment: Negotiate explicitly whether incident response engagement revenue (one-time) is included in the EBITDA base or excluded. Sellers prefer inclusion; buyers exclude. Resolve this at LOI, not at definitive agreement.
SOC capability earnout: Many MSSP LOIs include an earnout component tied to maintaining SOC certification (e.g., SOC 2 renewal) or client retention specifically in compliance verticals. These are seller-controllable if the SOC is genuine.
Key analyst retention: If 2–3 senior L3 analysts or the SOC Manager are the primary client-facing relationships, buyers will require retention packages (typically 12–24 months) and may escrow part of the consideration pending their continued employment.
Tool stack standardisation: PE platforms often require post-close migration to their standard tool stack (e.g., from Splunk to Microsoft Sentinel). Negotiate a migration period (typically 6–12 months) and confirm no client contract restrictions on tool changes.

15. Regional Market Data — MSSPs with $100K+ EBITDA

Region / Country	MSSPs ($100K+ EBITDA)	Market maturity	PE activity	Key compliance driver
North America (US & Canada)	350–450	Most mature	Very High	HIPAA, CMMC, NIST, CCPA
Europe (total)	180–250	Mature	High	GDPR, NIS2, EU AI Act
UK	60–80	Mature	High	ICO, NCSC Cyber Essentials
Germany / DACH	40–60	High	High	BSI standards, GDPR
Australia & New Zealand	40–60	Mature	High	Privacy Act, APRA CPS 234
Singapore	60–80	Most mature in Asia	Very High	MAS TRM, PDPA, CSA regulations
Malaysia	20–30	Medium-high	High	PDPA, Bank Negara RMiT
Thailand	18–25	Medium	Medium-high	PDPA (2022 enforcement), BOT circulars
Indonesia	15–22	Medium (fast growth)	High	PDP Law (2024), OJK regulations
Vietnam	12–18	Medium (fast growth)	Medium-high	Cybersecurity Law 2019, Decree 13
Philippines	10–15	Medium	Medium	DPA 2012, BSP cybersecurity circulars
Japan / South Korea	30–50 (combined)	Mature, large-player dominated	Medium	APPI (Japan), ISMS, K-ISMS (Korea)
Gulf (UAE, Saudi, Qatar)	30–45	Emerging, fast growth	Medium-high	UAE IA Regulations, SAMA CSF, NCA ECC
Africa (South Africa, Nigeria, Kenya)	15–25	Emerging	Low-medium	POPIA (SA), NDPR (Nigeria)
Latin America	25–40	Emerging	Low-medium	LGPD (Brazil), sector-specific

Source: InfoMSP 2026 database, MSSP Alert Top 250, local business registries, UNGLIN regional analysis. EBITDA estimates derived from revenue proxies and typical MSSP margins (15–20%).

16. Customer Journey Map — How a Business Buys MSSP Services

Decision cycle: 3–9 months for SMB; 6–18 months for enterprise. Decision maker is rarely the IT manager — it is the CEO, CFO, Compliance Officer, or Board.

Step 1 — Trigger event: Ransomware incident at a competitor, cyber insurance renewal audit, compliance deadline (CMMC assessment date, HIPAA audit), or board-level directive after a high-profile breach in the news. Without a trigger, there is no deal.
Step 2 — Problem framing: Customer searches "how to prevent ransomware" or "HIPAA compliance IT services". MSSP content marketing must intercept at this stage — not just at "MSSP near me".
Step 3 — Free assessment (your entry point): Offer a free Security Risk Assessment (SRA) or Vulnerability Scan. This is the highest-converting MSSP sales tool. Deliverable: "Your top 5 critical gaps — estimated breach cost if unaddressed: $X." The number creates urgency no marketing copy can match.
Step 4 — Proposal stage: Present three tiers (Bronze/Silver/Gold) anchored around the gap findings. Gold includes vCISO + IR retainer. Silver includes MDR. Bronze is monitoring only. 70% of clients land on Silver or Gold when anchored correctly.
Step 5 — Objection handling: Primary objection: "Too expensive." Response: "Your cyber insurance premium last year was $X. A breach of this type costs $X on average. Our service costs $Y per month." Map cost to known comparators — this frames the price as insurance, not IT spend.
Step 6 — Onboarding (days 1–30): Deploy EDR across all endpoints. Connect to SOC (configure log sources, tune alert rules). Run full penetration test. Fix critical vulnerabilities. Assign named vCISO. Issue onboarding report.
Step 7 — Steady state (months 2–12): Daily SOC monitoring, weekly security digest, monthly executive report (for the CEO/CFO, not the IT manager). Quarterly Business Review (QBR) — show threats blocked, compliance status, and one strategic recommendation.
Step 8 — Expansion triggers: Compliance deadline approaching → add GRC module. New acquisition → expand user count. Insurance renewal → document controls for premium reduction. Each event is a natural, non-pushy expansion conversation.

17. Exit Readiness Checklist — MSSP Specific

Condition	Why it matters	Target / benchmark
Annual recurring revenue	Below $1.5M: no institutional interest. Below $1M: sell to individual or close.	>$2M ARR (ideally $3–5M for PE platform interest)
Recurring revenue %	Predictable cash flow is the core valuation driver	>75% (ideally >85%)
IR revenue classification	One-time IR must be separated from MRR	IR revenue clearly labelled; not in ARR calculation
Normalised EBITDA margin	Buyers apply multiple to normalised EBITDA	>15% (20%+ ideal)
SOC documentation	SOC must be an asset, not a black box	Shift logs, playbooks, MTTD/MTTR data (24 months)
Annual churn	Low churn = compliance-sticky service	<8% (ideally <5%)
Client concentration	One client >15% is a deal risk	No single client >10% of ARR
Compliance certifications	Key value drivers — must be current, entity-registered	SOC 2 Type II, HIPAA BAA register, CMMC RP status if relevant
Tool stack documentation	Buyer must be able to operate the stack day one post-close	Documented stack with vendor contract terms and pricing
Own security posture	Buyers will pen-test you. An MSSP with poor hygiene = immediate discount.	Clean pen test (last 12 months), all controls documented
E&O and cyber liability insurance	Required by most buyers as condition of close	$2M–$5M E&O; $2M–$10M cyber liability; active policy
3 years clean financials	Standard DD requirement	Audit-ready P&L; IR revenue separated

18. MSSP Failure Modes — Why MSSPs Die or Get Fire-Sold

Killer #1

SOC alert fatigue

Poorly tuned SIEM generates 500+ alerts/day per analyst. Analysts miss real threats. Client suffers a breach. MSSP faces liability, churn, and reputational damage. Fix: invest in SOAR automation and alert tuning before scaling headcount.

Killer #2

Underpricing MDR below delivery cost

Pricing MDR at $15/endpoint when actual delivery cost (white-label SOC + analyst time) is $18/endpoint. Scaling makes the loss worse, not better. Fix: model delivery cost per endpoint before signing contracts.

Killer #3

Single compliance vertical concentration

80% of revenue from CMMC clients. DoD budget freeze or CMMC programme change eliminates the vertical. Fix: two or more compliance verticals, no single framework above 50% of compliance revenue.

Killer #4

Failing a client breach

MSSP misses a threat. Client suffers a ransomware event. E&O coverage is inadequate. Client sues. This is existential — both financially and reputationally. Fix: adequate E&O/cyber liability insurance + rigorous SOC QA + documented IR capability before claiming MSSP status.

Killer #5

Founder-dependent SOC

The founder is also the lead analyst, the vCISO for three clients, and the primary vendor contact. When the founder exits, the SOC and client relationships degrade simultaneously. Fix: 12 months before a sale, systematically remove the founder from operational roles.

Killer #6

MSSP as supply chain target

The MSSP's own RMM/SIEM is compromised. All clients are simultaneously at risk. This is the Kaseya/SolarWinds scenario at MSSP scale. Fix: zero-trust architecture for own infrastructure, mandatory MFA on all admin access, quarterly pen test of own environment.

19. Top Customer Search Keywords (MSSP & Cybersecurity, 2026)

Rank	Keyword	Intent phase	Typical CPC (USD)	Conversion note
1	managed security service provider	Solution-aware	$20–$50	High volume, competitive
2	MDR services	Solution-aware	$20–$45	High intent — knows the category
3	SOC as a service	Solution-aware	$20–$55	Enterprise buyer signal
4	incident response company	Emergency	$40–$100	Highest conversion rate — active crisis
5	ransomware response	Emergency	$30–$120	Highest urgency; immediate close
6	CMMC compliance services	Compliance-driven	$25–$65	Very high LTV if won
7	HIPAA compliance IT	Compliance-driven	$15–$40	Healthcare vertical — sticky
8	penetration testing services	Compliance-driven	$25–$70	Annual recurrence signal
9	SOC 2 audit services	Compliance-driven	$20–$60	SaaS buyer; high growth
10	cyber insurance requirements 2026	Compliance-driven	$10–$30	Insurance audit trigger = MSSP sale opportunity
11	managed detection and response	Solution-aware	$15–$40	Educated buyer; higher close rate
12	vCISO services	Solution-aware	$15–$35	CFO/CEO signal; high deal value
13	cybersecurity for healthcare	Vertical-specific	$18–$45	HIPAA compliance trigger
14	MSSP near me	Vendor-comparison	$10–$30	Ready to buy; local preference
15	cloud security services	Solution-aware	$20–$55	Cloud migration trigger

CPC estimates: Google Keyword Planner and SEMrush industry averages 2025–2026. Emergency keywords have highest conversion; compliance keywords have highest LTV.

Find out what your MSSP is worth

We benchmark your MSSP against live 2026 transaction data across SOC model, compliance vertical, ARR, and geography. Confidential, no obligation. Most founders are surprised — in both directions.

Get my confidential MSSP valuation →

Frequently Asked Questions

What is the difference between MSSP, MDR, and XDR?

MSSP is the broadest category: 24/7 SOC, firewall management, compliance, vCISO, and incident response. MDR (Managed Detection and Response) is a subset focused specifically on threat detection and active response — the highest-value individual service line. XDR (Extended Detection and Response) is a technology platform that unifies endpoint, network, cloud, and identity telemetry — MSSPs use XDR platforms to deliver MDR services. An MSSP delivers MDR using an XDR platform. All three terms are often used interchangeably in sales conversations, but they mean different things in due diligence.

How much does it cost to build a genuine 24/7 SOC?

A minimal internal 24/7 SOC requires at least 6 analysts (to cover 3 shifts with redundancy), a SOC Manager, SIEM licensing, and infrastructure. Total annual operating cost: $730,000–$1,290,000. This breaks even at approximately 450–700 users under management at standard MSSP pricing. White-label SOC-as-a-Service (Arctic Wolf, Huntress, Sophos MDR) enables MSSP positioning from $3.50–$35/endpoint/month wholesale — dramatically lower capital requirement but with the trade-off that the SOC capability is not proprietary.

What LTV:CAC ratio should an MSSP target?

A healthy MSSP should target LTV:CAC of 10:1 or higher. Compliance-specialist MSSPs (HIPAA, CMMC) regularly achieve 15:1–30:1 due to contract lifetimes of 5+ years and low churn. The vCISO add-on service achieves the highest LTV:CAC ratios (60:1–190:1) because CAC is near-zero (sold as an upsell to existing clients). A ratio below 5:1 signals either over-spending on acquisition or inadequate retention — both are valuation red flags.

Why do MSSPs get higher valuation multiples than MSPs?

Three structural reasons: (1) Compliance lock-in — a client under HIPAA or CMMC cannot switch MSSPs without a compliance gap period, an audit, and a re-onboarding. This creates switching costs that generalist MSPs do not have. (2) Security skills scarcity — there are 3.5 million unfilled cybersecurity positions globally. An MSSP with a functioning SOC team has an asset that cannot be easily replicated. (3) Regulatory proliferation — every new compliance framework (NIS2, EU AI Act, CMMC 2.0) creates new MSSP demand, making the growth story durable. All three justify paying 10–14x EBITDA vs 5–8x for a generalist MSP.

How should I handle IR revenue in a sale process?

Incident response engagement revenue (one-time project fees for breach response) should be clearly separated from recurring MRR/ARR before going to market. Sellers often include IR revenue in their ARR calculation because it recurs in practice — but buyers will exclude it as non-recurring and use the discrepancy to justify a price reduction. The right approach: present two numbers — recurring ARR and a separate line for "IR and project revenue" — and build your valuation narrative around both. Buyers will discount IR revenue at 0.3–0.5x revenue multiple vs 1.2–1.5x for recurring. Transparency here prevents the most common MSSP deal chip.

What compliance niches command the highest MSSP premiums?

Ranked by valuation premium: (1) CMMC (US defense contractors): +25–35% — highest switching cost, DoD contract dependency; (2) HIPAA (healthcare): +15–25% — BAA chains, EMR integration, ePHI handling; (3) PCI DSS (payments/retail): +10–20% — annual audit cycle creates renewal certainty; (4) SOC 2 / ISO 27001 (SaaS/enterprise): +10–15% — growing demand from enterprise procurement requirements; (5) NIS2 (EU essential entities): emerging +8–15%. The deepest premiums come from MSSPs that are not just compliant themselves but actively manage compliance evidence and audit preparation for clients.

About the Author

Den UnglinFounder & Lead Exit Advisor

Specialists in selling MSSPs & cybersecurity companies.

We focus exclusively on managed security service providers and cybersecurity firms across all niches — SOC operators, MDR specialists, compliance-vertical MSSPs, and AI-native platforms. Our transaction database covers 120+ MSSP deals, providing accurate valuation benchmarks by region, compliance specialty, and SOC model.

Den has 18+ years of direct P&L experience across 50+ business types and 12 markets, and has advised on dozens of MSSP exits from $1M to $50M enterprise value. The SOC economics, pricing models, and deal mechanics in this guide are drawn from live transaction experience.

↗ Verify on LinkedIn

MSSP / Cybersecurity Business: Complete 2026 WikiSOC Economics · Unit Economics · Deal Mechanics