MSSP, AI/ML, Identity, SOC, SSO/MFA, Decentralized identity and verifiable credentials, Incident Response

AI Agent Marketplace Signals a Shift in How MSSPs Package Identity Security

Security teams are running into a different kind of problem now. Attacks are showing up through stolen credentials, session cookies, and exposed identities, often without any malware involved. For example, a user session is hijacked through a stolen cookie, bypassing MFA entirely. The attacker accesses internal tools and blends into normal activity, and the worst part is that alerts don’t fire because nothing looks overtly malicious. This has forced a rethink of how security is delivered, especially for MSSPs responsible for monitoring and responding across multiple environments.

SOCRadar’s latest update speaks directly to this. The company has introduced an AI agent marketplace alongside new identity and access intelligence capabilities within its threat intelligence platform, pointing toward a more modular, service-driven way to handle identity risk at scale.

From platforms to modular security workflows

The idea of a marketplace built around AI agents points to a different way of assembling security capabilities. Instead of relying on a bundled platform with fixed features, teams can deploy specific agents for tasks like phishing detection, credential exposure analysis, or dark web monitoring.

That flexibility is starting to reshape how MSSPs package services.

Brian Costello, VP of Global Partnerships at SOCRadar, explained to MSSP Alert, “It shifts MSSPs from selling platform access to selling actual services. Instead of fixed bundles, they can combine agents based on customer needs and offer more tailored, outcome-driven services. This also makes recurring revenue easier as they can charge for continuous monitoring and automated work rather than just a static license. So overall, we’re not selling UI, we’re selling a model shift.”

That shift matters because it aligns more closely with how MSSPs already operate. Customers are not buying tools in isolation. They are buying outcomes - visibility, response, and risk reduction - delivered over time.

Identity is becoming the center of detection and response

The other piece of this announcement is the expansion into identity and access intelligence. The platform now connects external exposure data - like leaked credentials or activity on dark web marketplaces - with internal identity context.

Most tools can tell you that credentials are exposed. The harder part is understanding what that exposure actually means in practice.

Costello puts it this way: “Most platforms stop at showing that credentials are exposed. We focus on why it matters and what to do next. We correlate identity exposures with context like user criticality (for example, executives), exposure type, and potential attack paths. This helps teams avoid low-impact noise and immediately prioritize high-risk identities, reducing investigation time and speeding up response.”

That kind of prioritization is where time gets saved. For MSSPs managing multiple environments, reducing noise and focusing on high-risk identities directly impacts how quickly incidents can be contained.

Automation is moving deeper into analysis, not just detection

Another shift here is how much of the investigative work is being automated. The platform focuses on reconstructing attack paths, analyzing compromised endpoints, and generating risk summaries.

This raises a natural question: Does adding more AI agents increase operational complexity?

According to Costello, the opposite is happening. “The real issue isn’t having multiple agents, it’s having multiple disconnected tools. In traditional setups, each new capability adds another platform and more overhead. With SOCRadar, agents are native to a single platform and work together. You’re not managing tools, you’re orchestrating capabilities. In practice, agents reduce workload by automating monitoring, correlation, and first-level investigation. So it’s more agents, but less manual work.”

For MSSPs, that distinction is important. The constraint is rarely access to tools. It’s analyst time. Automation that reduces investigation effort without adding operational friction is what enables scale.

Execution, not just intelligence

There’s also a broader positioning shift here around how threat intelligence gets used.

Costello frames it in terms of execution: “Platforms like RF or RQ are strong at aggregating intelligence and enabling workflows, but they still rely heavily on analysts to act on that data. Our approach is more execution focused. The AI Agent Marketplace is built around autonomous, outcome-driven tasks; agents continuously monitor, correlate, and take action where needed. From a replication standpoint, it’s less about features and more about architecture and mindset. It’s relatively easy to add ‘agents’ as a feature, but much harder to build a platform around agent-driven operations and service delivery.”

That distinction reflects where the market is heading. Intelligence on its own is no longer enough. The value is increasingly tied to how quickly that intelligence can be turned into action.

Security services are becoming more modular, more focused on identity, and more reliant on automation that actually fits day-to-day operations. The tools are starting to match how MSSPs really work across multiple customers, with limited analyst time, and with pressure to deliver clear outcomes. For MSSPs, the real opportunity is turning these capabilities into repeatable services. That means being clear about what gets monitored all the time, what triggers a response, and how results are shared in a way customers can understand and value.

An In-Depth Guide to AI

Get essential knowledge and practical strategies to use AI to better your security program.
Suparna Chawla Bhasin

Suparna is the Senior Managing Editor for CyberRisk Alliance’s Channel Brands, including MSSP Alert and ChannelE2E. She manages content development, sharpens editorial workflows, and ensures storytelling is tightly aligned with audience needs. With a background in technology, media, and education, she combines strategic insight with creative execution.

You can skip this ad in 5 seconds