How Can MSSPs Respond to Vendor Competition?

Daniel Ballmer

Managed security service providers (MSSPs) must confront a worrying trend: More and more cybersecurity solutions vendors are developing—or acquiring—managed services offerings of their own. This places MSSPs in direct competition with the vendors on whose tools they depend.

Large EDR/XDR providers like CrowdStrike, Palo Alto, and Check Point already have managed detection and response (MDR) services. And more large security firms are moving in this direction.

Consider, for example, a few 2024 mergers, acquisitions, and partnerships:

We are reaching an inflection point in the security services market—and in particular, in the relationship between MSSPs and their tool vendors.

As more companies move into the security services space, MSSPs are faced with the prospect that they will one day have to compete with their own vendors…if they aren’t doing so already.

That raises the question: What can service providers do about it?

Four Responses to Vendor Competition

There are four main strategic directions MSSPs can take in the face of increased competition from vendors:

Resolve to outcompete your vendors

One possible response is to tackle the problem head-on. Make it an operational priority to win managed services contracts from clients and prospects by providing superior, white-glove customer service, adding value through your team's unique security expertise, or focusing on a niche market in which large vendors lack the industry knowledge to meet the needs of the clients. For some MSSPs, this may be a viable path forward. But most will be unable to thrive using this strategy alone—and even for MSSPs that do take this approach, it is a decidedly high-risk option.

Build independence with open-source tools

Another alternative is to develop independence from tool vendors/potential competitors by turning to open-source security solutions. We’ve seen MSSPs wield open-source tools to great effect, building profitable security services businesses using little more than open technologies and the skills of their security engineers.

However, a major drawback of open-source/DIY stacks is that these solutions do not scale well as an MSSP grows. Integration challenges and tool management can quickly become a drag on productivity—and tie up your most skilled team members with infrastructure maintenance work when they should be focusing on security operations.

Buy a SecOps bundle or suite

A more promising approach is to purchase a bundle or suite of security operations (SecOps) tools, provided that these tools come from a vendor that isn’t likely to enter the security services market. However, there are some drawbacks here as well.

For one thing, many security bundles on the market, despite calling themselves “unified platforms,” are essentially just a collection of acquired point solutions. Unfortunately, the component parts are, more often than not, poorly integrated. Bundle-style products, therefore, can bring the same kinds of engineering and maintenance challenges one finds with stacks built on open-source solutions.

Secondly, all-in-one suites that attempt to be all things to all teams are problematic, because the quality of individual modules within a suite will vary, and because you often end up purchasing technology you don’t actually use.

Lastly, security bundle and suite vendors tend to operate from a traditional product vendor mindset. They are unlikely to offer you the customizability, flexibility, and transparency you really need. And there is no guarantee (other than promises) that they will not move into the security services space in the future.

Move to a true SecOps platform

A real SecOps platform represents a fundamentally different approach to security infrastructure for MSSPs. In contrast to traditional point products, or security bundles and suites, a SecOps platform offers independence, integration, control, and scalability.

The basic premise of LimaCharlie’s SecOps Cloud Platform (SCP) is that the cloud provider model that has worked so well in the world of IT can also be applied to cybersecurity. Thus, the SCP offers core cybersecurity capabilities as well-integrated, cloud-native primitives in much the same manner as IT public cloud providers like AWS: on-demand, pay-per-use, and API-first.

The core business model of the SCP is that of a pure provider of enterprise-grade security tools and infrastructure, eliminating the possibility that your vendor will one day decide to compete with you.

Controls are based on fundamental DevOps principles and practices such as infrastructure as code (IaC), automation, and multi-tenancy.

The SCP is, above all, focused on the security practitioner, and on giving them the freedom to build what they need to support security operations and integrate with other tools as required.

A move to the SecOps Cloud Platform is not a quick fix. But it represents a sustainable, strategic, and future-proof response to the threat of vendor competition—and one MSSPs can implement gradually and safely.

The LimaCharlie SecOps Cloud Platform for MSSPs

MSSPs that move to a public cloud-like SecOps platform such as the SCP can expect a number of benefits:

Flexibility and customizability: The cloud provider delivery model means you only pay for what you use, and never have to buy something you don’t want. API-first access gives your security engineers the freedom to build whatever they need with the SCP. That freedom extends to other technologies as well. You can use the SCP to integrate third-party tools, open-source solutions, and any source of telemetry into your operations. The SCP’s bidirectional capabilities also allow you to manage third-party security tools—and automate responses across them—from within the platform.

A modern, scalable approach: For MSSPs, there are immediate benefits to working with an engineering-first platform. Multi-tenancy makes it easier to manage numerous clients through a single interface, and simplifies the onboarding of new clients. IaC allows security engineers to make changes at scale, no matter how many endpoints or clients you have. And an on-demand, pay-per-use delivery model means that MSSPs are not constrained by inflexible contracts or monthly minimums. You just use what you want, when you want it, scaling platform usage up or down as business needs dictate.

A step-wise path to adoption: SCP capabilities are delivered on-demand and pay-per-use, enabling gradual, step-by-step adoption. In other words, moving to the SCP is not an all-or-nothing proposition or a wholesale “rip and replace” operation. For example, if you still need telemetry data from a third-party EDR solution, that data can be brought into the SecOps Cloud Platform and integrated into your operations seamlessly, while you use the SCP to support other functions and/or develop custom detection and response capabilities to replace your legacy EDR solution. If you want to test the SCP out with a handful of customers first, you can do that easily and cost-effectively, and then roll it out more widely when you’re ready.

Learning More: Additional Resources for MSSPs

To learn more about what the SecOps Cloud Platform has to offer MSSPs, see:

To experience the SCP for yourself, try it for free or book a demo.