
Navigating the SecOps Cloud Platform Revolution for Service Providers

Eric Capuano, Director of Training and Product Enablement at LimaCharlie

Every service provider eventually has to make a bet about the technology underneath the business, and Eric Capuano, LimaCharlie's Director of Training and Product Enablement, has lost that bet twice. Before LimaCharlie existed he built and ran his own MDR, which meant choosing between the two ways anyone could stand up a service business at the time. One path made him a reseller for a large product vendor. The other had him assembling open source tools into a stack he owned. In this session with co-founder and host Christopher Luft, Capuano makes a quiet but pointed argument: both of those paths fail a provider in the same place, at exactly the moment the business is finally working. The structural problem he keeps circling is not which security tool is best. It is that a service provider's technology choices and its growth tend to pull against each other, and almost everything else in the conversation is a case for decoupling the two.

Both old paths punish you for succeeding

Reselling a vendor's product, Splunk or AlienVault or QRadar, gets you running fast, but it ties your fate to a company whose own incentive is to grow its market. That increasingly means moving into managed services, which puts the vendor in direct competition with the customers you built on its platform. Capuano describes living this: a product vendor reached out to one of his customers offering to cover the same product at a fraction of his price. On the dollars alone the pitch was true. What the customer could not see was that the vendor was offering to manage one product, while a proper MSSP was covering far more than that single tool. Having to explain to a client why you cost more, he notes, is a conversation you would rather never have. You are, in his phrase, feeding your competitor.

The open source path looks like the opposite of that trap, and in the early days it is. The software is free, the initial cost is the lowest possible, and a small provider can make it work. The bill arrives later, as total cost of ownership. No support when something breaks, documentation that may or may not exist, optimization that is entirely do-it-yourself. And the failure is timed cruelly. A stack that comfortably held a thousand managed endpoints starts to strain at five thousand, then ten thousand, and the provider ends up afraid of the wrong thing. Capuano describes the dread directly: a large prospect appears, the kind of growth that should be cause for celebration, and instead the founder is lying awake wondering whether the stack tips over at two in the morning. Both paths, in other words, convert success into risk. Grow with the vendor and you fatten a competitor. Grow on open source and you gamble on infrastructure you are not sure can hold.

The platform argument is really about coupling

What Capuano is selling against is not a particular tool but a particular shape of dependency. He frames the SecOps Cloud Platform the way you would frame AWS or GCP: a collection of building blocks, except the primitives are purpose-built for security operations: log ingestion pipelines, detection and response engines, the ability to run historical threat hunts. You assemble the pieces you need. The deeper point is what that removes. Nobody racks servers in a data center to ship software anymore, and in the same way a provider should not be hand-maintaining databases, log parsers, and ingestion engines. Less time on plumbing, more time bringing the fight closer to the adversary, which is the only thing an MSSP is actually paid for.

The pricing model is the clearest expression of the same idea. Large upstream vendors deal in long contracts with minimum commitments and annual sales thresholds you have to hit or lose the partnership. Onboard a customer with a thousand endpoints and you pre-buy a thousand licenses, locked in for the term, still paying if that customer walks early. So providers over-buy against hypothetical growth just to avoid renegotiating. Usage-based pricing breaks that. You provision what you need and spin it down when you do not, the way you would with EC2. When a customer acquires another company and adds roughly thirty percent more endpoints, you move at their speed; when they shed coverage, you scale back and stop paying. Capuano puts a number on the visibility side too: the endpoint agent carries unlimited telemetry with a year of retention at a flat three dollars per month per endpoint. That matters less as a price than as a behavior change. Providers stop rationing which event logs to ingest to dodge throughput charges, and analysts work with full visibility instead of betting on which sources to leave out.

Scale, then, stops being the thing you fear. Built on GCP with infrastructure as code and auto-scaling, the platform treats fifty endpoints and fifty thousand the same, and provisioning is self-served with no need to call LimaCharlie. The benefit Capuano says people underweight is workflow scale: because the platform is infrastructure as code down to the user level, a provider can automate organization provisioning and tenant configuration through the API, with CI/CD templates that stand up a fully configured new customer in about thirty seconds. Onboarding becomes uniform and repeatable rather than a custom project each time. Consolidation compounds the effect, since a provider mastering one platform no longer has to hire and train subject matter experts across five, six, or ten tools, or maintain detection rules and response actions in each of them separately.

Defending where the business now lives

The session also marks the release of bidirectional functionality, announced by founder and CEO Maxime Lamothe-Brassard at Google Next. LimaCharlie always supported detect-and-respond on its own EDR agent. The new capability extends instantaneous response to the SaaS and cloud sources where there is no agent to install: Microsoft 365, AWS, GitHub, Slack. Capuano's example is the kind of alert no one wants sitting in a queue. A suspicious Microsoft 365 login by the CFO at three in the morning from an unexpected location should not wait for an analyst to wake up. A rule disables the account immediately, and triage happens after the damage is already contained. He draws the contrast deliberately: most platforms treat non-endpoint telemetry as second-class, fine for alerting but dependent on either constant analyst attention or an expensive bolt-on SOAR product to do anything with it. Pushing response down next to the telemetry itself is what cuts mean time to respond on the half of the customer's business that now lives in the cloud.
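The rule Capuano describes, contain first and triage afterwards, is easy to state and easy to get wrong in the details (a failed sign-in is not a compromise; an analyst from a new country at noon warrants a ticket, not an account lockout). The following is an added example written for this summary, not LimaCharlie's rule syntax or API and not code from the session. The sign-in records are constructed and only loosely modelled on Microsoft 365 sign-in log fields; the users, countries, baseline and off-hours window are all assumptions.

```python
"""Constructed example of an automated response rule over SaaS sign-in telemetry.

Not LimaCharlie's rule engine or API. Field names resemble Microsoft 365
sign-in logs but the records, users, countries and thresholds are invented.
"""
import json
from dataclasses import dataclass
from datetime import datetime

# Assumed baseline: countries each user has signed in from before (constructed).
KNOWN_COUNTRIES = {
    "cfo@example.com": {"US"},
    "analyst@example.com": {"US", "CA"},
}
PRIVILEGED_USERS = {"cfo@example.com"}   # assumed high-value accounts
OFF_HOURS = range(0, 6)                  # 00:00-05:59 UTC, an assumed window

# Constructed sample sign-in records, one JSON object per line.
SAMPLE_LINES = [
    '{"userPrincipalName":"CFO@example.com","createdDateTime":"2024-05-02T03:00:00Z","location":{"countryOrRegion":"FR"},"status":{"errorCode":0}}',
    '{"userPrincipalName":"cfo@example.com","createdDateTime":"2024-05-02T03:10:00Z","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}',
    '{"userPrincipalName":"analyst@example.com","createdDateTime":"2024-05-02T14:00:00Z","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}',
    '{"userPrincipalName":"analyst@example.com","createdDateTime":"2024-05-02T10:00:00Z","location":{"countryOrRegion":"CA"},"status":{"errorCode":0}}',
    '{"userPrincipalName":"cfo@example.com","createdDateTime":"2024-05-02T03:05:00Z","location":{"countryOrRegion":"FR"},"status":{"errorCode":50126}}',
]


@dataclass(frozen=True)
class SignIn:
    user: str
    country: str
    ts: datetime
    succeeded: bool


def parse_signin(line: str) -> SignIn:
    """Turn one raw JSON record into a normalised SignIn event."""
    rec = json.loads(line)
    return SignIn(
        user=rec["userPrincipalName"].lower(),
        country=rec["location"]["countryOrRegion"],
        ts=datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")),
        succeeded=rec["status"]["errorCode"] == 0,
    )


def evaluate(ev: SignIn):
    """Return (action, reasons). Actions: 'disable_account', 'alert', 'none'."""
    reasons = []
    if ev.country not in KNOWN_COUNTRIES.get(ev.user, set()):
        reasons.append("unexpected_location")
    if ev.ts.hour in OFF_HOURS:
        reasons.append("off_hours")
    if ev.user in PRIVILEGED_USERS:
        reasons.append("privileged_user")
    if not reasons:
        return "none", ()
    # Contain only a SUCCESSFUL sign-in from an unexpected location that also
    # involves a privileged account or an off-hours time. A failed attempt or
    # a single weak signal goes to the analyst queue instead of locking anyone out.
    if ev.succeeded and "unexpected_location" in reasons and len(reasons) > 1:
        return "disable_account", tuple(reasons)
    return "alert", tuple(reasons)


def respond(lines, disable_fn=None):
    """Run every record through the rule. Returns (disabled users, triage queue).

    disable_fn is the hook where a real deployment would call the identity
    provider; here it is optional so the logic runs offline.
    """
    disabled, triage = [], []
    for line in lines:
        ev = parse_signin(line)
        action, reasons = evaluate(ev)
        if action == "none":
            continue
        if action == "disable_account" and ev.user not in disabled:
            if disable_fn is not None:
                disable_fn(ev.user)
            disabled.append(ev.user)
        # Everything actionable lands in triage, including what was already contained.
        triage.append({"user": ev.user, "action": action,
                       "reasons": reasons, "at": ev.ts.isoformat()})
    return disabled, triage


if __name__ == "__main__":
    who, queue = respond(SAMPLE_LINES, disable_fn=lambda u: print("disabled", u))
    for item in queue:
        print(item)
```

Running it on the constructed records disables the CFO account once (the later failed attempt from the same country does not trigger a second disable) and leaves four items for the analyst to review in the morning, which is the ordering the text argues for.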

That last point is where the whole argument lands for an MDR. Customer environments are hybrid now, and the era when an endpoint agent could defend an entire organization is over. The value of decoupling your technology from a single vendor or a fragile homegrown stack is not philosophical. It is that you can keep saying yes, to a bigger customer, to a more complex hybrid environment, to a customer who doubled overnight, without the part of the business that should be celebrating instead bracing for the stack to fail.

See what agentic SecOps looks like in your environment

LimaCharlie gives MSSPs and MDRs a fully programmable SecOps Cloud Platform, with transparent usage-based pricing, API-first integration across every telemetry source, and the infrastructure to run multi-tenant operations at scale.