Why Most MSPs Lose Money on Cybersecurity (And How to Fix It)
Cybersecurity should be your most profitable service line. For most MSPs, it's their biggest margin killer. Here's why — and the operational fix.

Here's a paradox most MSP owners won't admit publicly.
Cybersecurity is supposed to be the highest-margin service line in their portfolio. Industry surveys show it's the fastest-growing revenue category. Clients want it more than ever. Demand has never been higher.
And yet, most MSPs are losing money on it.
After 28 years in cybersecurity — including running QMasters as an MSSP serving enterprises, banks, and governments — I've seen this pattern over and over. Cybersecurity, done the traditional way, eats MSP margins alive. The MSPs that figure out why are the ones that survive and grow. The ones that don't, slowly bleed out.
Here's exactly what's killing MSP profitability on security — and what to do about it.
Problem 1: Labor Costs Are Eating Everything
This is the silent margin killer.
Cybersecurity isn't IT. The skill set is fundamentally different. To deliver real security services — not the basic checkbox stuff — you need actual security expertise. And that expertise is expensive.
Look at what a real cybersecurity capability requires:
- Security engineers: 80,000 to 120,000 dollars per year each
- SOC analysts: 60,000 to 90,000 dollars per year each, and you need at least 9 to cover 24/7 shifts
- SOC manager: 100,000 to 130,000 dollars per year
- GRC/compliance specialist: 90,000 to 130,000 dollars per year
Total annual headcount cost for a real security operation: 1,000,000 to 1,500,000 dollars or more.
That's just salaries. Add benefits, training, and tooling, and you're looking at 1.5 to 2 million dollars a year in fixed cost before you've served a single client.
For a typical MSP with 20 SMB clients and maybe 1.5 to 3 million in total revenue, that math doesn't work. The labor cost of doing security in-house is bigger than most MSPs' entire profit.
Problem 2: You Can't Hire the Talent Anyway
Even if you could afford it, here's the second reality MSPs hit.
The best cybersecurity talent doesn't go to MSPs. They go to startups, big tech companies, or enterprise SOCs that pay better, offer interesting work, and have prestige.
So even MSPs who try to build a security team end up hiring junior or mid-level talent. People who can run tools but not architect a security strategy. People who can read alerts but not threat-hunt. People who learn on your client's environment.
That talent gap shows up everywhere:
- Tools get misconfigured
- Threats get missed
- Clients lose confidence
- Junior staff burn out and leave
- You start over
This is one reason MSP-delivered security has a reputation problem. It's not because MSPs aren't trying. It's because the structural economics force them to hire under-qualified people.
Problem 3: The Vendor Sprawl Tax
Here's what nobody talks about openly.
To deliver a "complete" cybersecurity offering, MSPs end up running 5 to 10 different tools per client — sometimes more. Each one solves a piece of the puzzle:
- Endpoint detection (EDR)
- Email security
- Backup and disaster recovery
- Web filtering
- Identity and access management
- Vulnerability scanning
- SIEM/log management
- Compliance tooling
- Phishing simulation
- Dark web monitoring
Every one of those is a separate vendor. A separate contract. A separate dashboard. A separate invoice. A separate training requirement.
The license cost is just the visible tip. The real cost is operational:
- Procurement: Negotiating and renewing 5-10 contracts per year
- Accounts payable: Tracking 5-10 invoices monthly per client
- Training: Staff need to learn every tool, and every new hire has to learn them again after turnover
- Integration: Tools that don't talk to each other create blind spots and false positives
- Vendor management: Multiple support relationships, multiple SLAs, multiple roadmaps to track
- Configuration drift: Default settings, no tuning, tools running but not optimized
This is why MSP staff burn out fast. They're not doing security work — they're doing tool management.
Problem 4: Pricing Built on Bad Foundations
Because of the labor and tool costs above, most MSPs end up doing one of two things — both of which kill the business.
Option A: Price too high. They jack up the per-seat cybersecurity price to enterprise-grade levels to cover their costs. SMB clients balk. Deals fall through. The MSP either loses the prospect or capitulates and discounts heavily, killing margin anyway.
Option B: Price too low. They underprice to win deals but their internal cost structure can't support it. They're losing money on every seat, hoping volume will save them. It doesn't. They just lose money faster.
Most MSPs end up oscillating between both — winning deals at thin margins, losing deals at premium prices, and never building a sustainable security practice.
Problem 5: They Don't Know How to Sell It
This one is structural and human.
MSPs are IT people. They're great at uptime, networking, hardware, troubleshooting. They're not security salespeople.
When they sit across from an SMB owner, they default to technical talk: EDR, MFA, SIEM, zero-trust. The SMB owner glazes over. The conversation dies. The MSP walks away thinking "this client doesn't care about security." The truth is the MSP didn't know how to translate security into business value.
Real cybersecurity sales conversations are about:
- Compliance requirements ("you need this to win that enterprise contract")
- Cyber insurance ("your insurer requires this for renewal")
- Business risk ("one in five SMBs that get hit go bankrupt")
- Reputation ("your clients are asking if you're secure")
Most MSPs don't have those conversations. So they don't sell. So their security practice never grows.
How to Fix It
The good news: every one of these problems has a solution. The bad news: the traditional MSP approach can't deliver them. You need a structural change.
Here's what fixing each problem actually looks like:
Fix 1: Eliminate the headcount problem. Instead of hiring 9 SOC analysts, use a platform that includes 24/7 AI-driven monitoring (with optional managed human SOC layered on top). Your existing IT staff handles client relationships. You don't add a single hire. You save 700,000 to 1.2 million dollars per year in avoided headcount costs.
Fix 2: Bypass the talent shortage. You don't need to compete with startups for security engineers. Use a platform built and operated by people who already have that expertise. Their team becomes your team — without the salary costs.
Fix 3: Consolidate the vendor sprawl. Replace 5-10 vendors with one platform. One contract, one invoice, one dashboard, one training path. Your staff stops managing tools and starts delivering services.
Fix 4: Price profitably. With dramatically lower internal costs, you can price competitively for SMB clients (in a range they'll actually pay) and still keep healthy margin. No more pricing whiplash.
Fix 5: Get sales enablement included. Use a platform partner that gives you the talking points, assessment frameworks, compliance angles, and discovery questions to actually close cybersecurity deals. Stop trying to be a security salesperson alone.
The Structural Change After the Fix
Let's run the same MSP — 20 SMB clients, 600 total seats — through the fixed model.
Before (traditional approach):
- Tool licenses for 5-10 vendors per client (compounding costs)
- Security headcount (even partial): hundreds of thousands of dollars annually
- Realistic margin: thin to negative on security services
After (platform-based approach):
- Consolidated platform eliminates vendor sprawl
- No new hires required — existing IT staff delivers
- Cost-to-deliver compresses to a fraction of the traditional model
- Healthy double-digit margin on security services becomes sustainable
That's the difference between a security practice that drains your business and one that funds your growth.
The Mindset Shift
The fundamental change isn't technological. It's operational philosophy.
The old model says: "To do cybersecurity properly, we need to build it ourselves — buy the tools, hire the team, run the SOC."
The new model says: "Cybersecurity is too specialized to build alone. The platform handles what specialists do best. We focus on what only we can do — the client relationship, the trust, the strategic conversation."
MSPs that hold onto the old model are bleeding margin every month and don't realize it. MSPs that embrace the new model are quietly outgrowing them on the same headcount.
What to Do This Week
If you're an MSP owner reading this, take 30 minutes and run the numbers on your own security practice:
- What are you spending on security tool licenses across all clients?
- What portion of your IT staff's time is spent on security tool management vs. client work?
- What's your actual margin on security services after labor and tools are properly allocated?
- How many clients are you turning down because you can't service security demand?
If those numbers don't make you happy, the model is broken — not your business.
Fortress was built for exactly this problem. We give MSPs the platform, the AI-powered monitoring, the optional managed SOC, the compliance automation, and the sales enablement — at MSP-friendly economics that preserve healthy margin on every client you serve.
The cybersecurity market is the fastest-growing revenue category for MSPs. The question isn't whether you should be in it — it's whether the way you're doing it can survive.
---
Menachem Tauman is the founder of Fortress Cyber and a 28-year cybersecurity industry veteran. He previously co-founded QMasters, an MSSP serving enterprises, governments, and banks.

WRITTEN BY
Menachem Tauman, Co-Founder & CEO, Fortress Cyber
Serial entrepreneur with 28+ years of experience in cybersecurity and IT. Former CISO who has advised governments, banks, and Fortune 500 companies. Co-founded QMasters, a successful MSSP (exit x1), and pioneered the "Integrative Cyber Defense" approach. At Fortress, he's building the Channel Enablement OS that transforms how MSPs deliver and monetize cybersecurity.