A Smarter Approach to Managing Security Services: The SecOps Cloud Platform (w/ MSSP Alert)

Matt Bromiley, Lead Solutions Engineer at LimaCharlie

Most managed security providers do not fail because their analysts are bad at detection. They fail because the thing underneath the analysts cannot grow as fast as the business needs it to. That is the argument running through this MSSP Alert session with Matt Bromiley, Lead Solutions Engineer at LimaCharlie, who came up through the incident response and managed detection and response world before joining the company a little over two years ago. His case is simple and a little uncomfortable: for an MSSP or MDR, infrastructure is not a competency, it is a liability you have not noticed yet, and the moment it becomes one is usually the moment you can least afford it.

The checkbook used to open too late

Bromiley's instincts come from the IR world, where time was the only currency that mattered. You needed tooling that deployed fast, stayed reliable for the length of an engagement, and was there the second you needed it. What he noticed leaving the MDR space is that managed services inherited that volatility without inheriting the urgency. A provider can be sitting quietly at nine on a Wednesday morning and be in a war room by ten. That, he points out, is not the moment to find out whether you have enough CPU cycles on the database server to handle what is coming.

The old pattern was reactive: nobody opened the checkbook until an incident forced it. The shift he sees, and the one the platform is built to reward, is proactive. Providers now stand up processes and partners ahead of trouble rather than scrambling after it. IR itself moved from an outsourced commodity into a standard escalation path baked into most MDR and MSSP offerings. The problem is that this proactive posture demands an infrastructure that can absorb sudden change on command, and that is exactly what most providers do not have when they need it.

The dilemma is that customers grow too

Bromiley frames the real squeeze as a three-way balance between cost, scalability, and service innovation. Break any one and growth stalls. If the infrastructure cannot scale, the business is capped at whatever customer count it can physically carry. If innovation lags, the provider falls behind both the threat landscape and customer demand. And the demand side is the part he is sharpest on. Customers can read the same threat reports and join the same intelligence communities a provider can, so there is no secret sauce to sell them on. What they want instead is breadth: endpoint, network, identity, and cloud telemetry all watched. The provider has to follow the customer's tech stack rather than asking the customer to shrink to fit it.

He is blunt about why the vendor-defined version of this fails. Providers get locked to a vendor's roadmap, told they can offer identity monitoring only once that vendor finishes integrating some company it acquired. The workaround is to bolt on point solutions until analysts are digging through a sprawl of consoles that barely talk to each other. Growth, in his telling, is not only landing more logos. It is a customer doubling its footprint through an acquisition and expecting you to say yes the same day. An infrastructure that cannot answer that is the thing quietly setting the ceiling on the business.

Build it like a cloud, scope it for security

The platform's answer is to borrow the shape of a cloud provider and aim it squarely at security. When you build an application on a cloud, you assemble the database, DNS, virtualization, and APIs you need, costs come back to the penny, and the same deployment serves one user or a hundred thousand without rework. The SecOps Cloud Platform applies that to security operations: API-first, cloud-native, with the infrastructure handled so a provider can build and scale per customer instead of per limitation.

Two design choices do the structural work. The first is genuine multi-tenancy. Bromiley draws a hard line between real isolation and what he calls superficial multi-tenancy, the kind built on database table tagging where data quietly coalesces under the hood. On LimaCharlie, two customers never share data, which lets a provider stand behind each client's specific data, retention, classification, and residency requirements. That last point has teeth for providers serving regulated markets, with regional deployment available across the US, UK, Europe, India, and Australia. The second choice is scale on demand. New tenants spin up as clean slates, so a provider whose sweet spot is fifteen to twenty endpoints per customer can still absorb a thousand-endpoint contract the day a salesperson lands one, without rolling its own servers or hiring an infrastructure team to catch up.

Pricing follows the same logic. Pay-for-use billing tracks what is actually deployed, scaling up from a thousand endpoints to two thousand and back down again, with no long contract that forces you to pay for a band of capacity you are not using. The numbers are published, so a provider can price a deal in minutes rather than negotiating for months. EDR carries a set monthly price tied to scale, other telemetry is billed by volume measured to the byte, and during an incident, when data ingestion spikes, the customer sets the retention window so they pay for the surge only as long as they need it.

The proof Bromiley offers is two providers who already made this trade. An SMB and mid-market MDR building an agent-centric XDR service went from concept to live deployment in five months, then used to-the-minute pricing to tell customers they were only running twenty of fifty planned endpoints and pass the savings back rather than wait a year to true up. A Texas-based MDR that had outgrown a custom platform built on free and open source software moved its infrastructure over, learned the hard way that open source is not actually free once you are patching vulnerabilities and buying servers, and freed its engineers to return to what the company was actually good at: faster detection and better visualizations. Their onboarding collapsed to a single button click from signed deal to live service, which became its own competitive edge.

That is the through line. The vendor-defined model ties your ability to grow to someone else's integration backlog and contract terms. Treating security infrastructure as a cloud you scale and shape per tenant turns the question of whether you can take on the next customer, or the next telemetry source, into a yes by default. For an MSSP or MDR, that is not a technical preference. It is the difference between a business with a ceiling and one without.