
SonicWall’s Michael E. Crean: Avoid these mistakes to boost your MSSP’s valuation

The market has dramatically changed for managed security services providers (MSSPs) over the last several years. Buyers aren’t impressed by providers that simply resell security products. The MSSPs with the highest valuation are focused on two things:

  1. Building mature businesses with predictable recurring revenue
  2. Following financial and operational best practices

One company that has leaned heavily into this model is SonicWall. As a partner and vendor, SonicWall plays a significant role in the MSSP ecosystem by providing advanced security solutions that MSSPs can integrate into their offerings.

7 things MSSPs must avoid to maintain high valuation

Selling products or services is not enough to raise an MSSP’s value. Buyers want to see managed security services with real margins, customers who stick around, and operations that scale without falling apart.

SonicWall Senior Vice President Managed Security Services Michael E. Crean explains where MSSPs often go wrong and what they can do differently.

Mistake 1: Calling product resale ‘managed security’

A lot of MSSPs claim to offer managed security. But take a closer look under the hood, and the revenue is mostly pass-through licenses, hardware refreshes, or lightly managed tools.

That hurts valuation because resale revenue is easier to replace, usually has a lower margin, and is less defensible. Buyers want to see recurring managed security revenue with clear service delivery behind it, not just vendor margin.

The strongest MSSPs can prove:

  • What percentage of revenue is truly recurring security service revenue
  • Gross margin by service line
  • Renewal rates by product and managed service
  • Attach rates for monitoring, reporting, response, or compliance services
  • Whether customers pay for the MSSP’s expertise, not just the tool

Key managed security tip from Crean

“The most successful MSSPs build real enterprise value by documenting everything: onboarding, escalation paths, monitoring processes, customer communication cadence. Their businesses can run without them personally being involved in every conversation. That’s what makes them sellable.”

Mistake 2: Combining security revenue and general IT revenue

Buyers cannot value what they cannot see. If you bury managed firewall, endpoint, MDR, compliance, email security, and incident response all inside one general “managed services” line item, it’s hard to prove the company deserves MSSP-level multiples.

This is especially important for MSPs trying to position themselves as MSSPs. Security revenue must be visible, measurable, and margin-tracked.

The challenge is operational. Many firms do not have clean service-line P&Ls. That creates friction during due diligence and gives buyers a reason to discount the offer. Top MSSPs can prove:

  • How much security revenue is recurring
  • How much is resale versus pass-through
  • How much gross margin each service produces
  • Which services have the highest attach rates
  • Which drive customer expansion
  • Which create the most support burden
  • Which should be priced higher or retired

Key financial tips

“Know your numbers at the customer level, not just your top line or EBITDA. Track your margin per customer, cost to serve per customer, churn rate, MRR growth, gross retention. When you know your numbers at the right level of granularity, you can make real decisions. You can fire the customers who are actually costing you money and identify where you’re underpricing. You can tell your story to an investor with confidence because you actually know what you’re selling.”

Mistake 3: Depending too heavily on the owner or a key stakeholder

Owner dependency is one of the most common valuation drags. If the founder is still the top salesperson, key customer relationship manager, escalation point, and technical decision-maker, buyers see risk. This type of business may lose momentum when the owner exits.

The same is true when one senior engineer or SOC leader holds too much institutional knowledge.

The challenge is that many MSSPs grow through heroics. The founder sells the deals, the senior engineer solves the hard problems, and the operations lead knows where everything lives. That works for growth, but it does not work well for valuation.

A stronger business has second-level leadership, documented processes, delegated client relationships, and a management team that can operate without the founder.

Key operational independence tips

“I lived this. I built Solutions Granted for over two decades. There were moments early on where I was the business. Getting out of that took intentional, deliberate work building process, hiring people and actually letting them make decisions, and getting comfortable with outcomes I didn’t personally control. By the time SonicWall acquired us, we had something that could stand on its own. That matters enormously in due diligence because buyers aren’t buying you, they’re buying the business.”

Mistake 4: Weak customer contracts

Revenue quality matters as much as revenue volume. A $5 million MSSP with month-to-month contracts may be viewed as riskier than a smaller MSSP with multiyear agreements, auto-renewal language, annual price escalators, and clear service terms.

Buyers look closely at:

  • Contract length
  • Auto-renewal language
  • Termination rights
  • Price increase provisions
  • Change-order mechanics
  • SLA penalties
  • Assignment clauses
  • Customer concentration
  • Scope clarity

The challenge is that many MSSPs inherit messy contracts over time. Some customers are on old agreements. Others have custom pricing. Some have handshake arrangements. That makes revenue harder to underwrite and can create painful surprises during due diligence.

Key contract tips

“Multiyear agreements with auto-renewals are the foundation. That alone changes how your revenue looks on paper. Add price escalators, even modest CPI (Consumer Price Index)-based ones. You’re demonstrating that your revenue grows predictably, not just because you hustle. Termination rights matter too. The more difficult it is for a customer to walk away without cost, the more durable your revenue appears.

“Assignment clauses are often overlooked but they are critical. If your contracts don’t transfer cleanly in an acquisition, you have a real problem. A lot of MSSPs find that out at exactly the wrong moment. Investors and acquirers have seen every variation of this. They will read every contract. Make sure yours are telling the right story before someone else tells it for you.”

Mistake 5: Tool sprawl

Many MSSPs carry too many tools. They add separate platforms for MDR, SIEM, vulnerability management, email, firewall management, reporting, and compliance. Over time, the stack becomes expensive and hard to operate.

Tool sprawl hurts valuation because it creates:

  • Lower margins
  • Analyst fatigue
  • Inconsistent delivery
  • Poor reporting
  • Higher training costs
  • Vendor dependency
  • Integration gaps

Buyers prefer MSSPs with a standardized, integrated, scalable stack.

Key tool sprawl tips

“You said yes to every vendor that came along and never rationalized your stack. Now, you have integrations that don’t talk to each other, data that lives in fifteen places and technicians who are expert in nothing because they’ve been asked to be decent at everything. When a buyer sees that, they see risk, high training costs and margin compression from all those vendor contracts.

“The best MSSPs I know treat their stack like a mechanic treats a toolbox. You want the right tools, the ones you actually know how to use and you want them organized so anyone on your team can find what they need. That’s scalable.”

Mistake 6: Underpricing security services

Many MSSPs price security too low because they are afraid of losing customers or because they started as MSPs and carried over MSP pricing habits. This creates two problems:

  1. Margins suffer
  2. Customers may not perceive the value of the service

Buyers notice underpricing because it suggests weak pricing power, poor segmentation, or a lack of confidence in the value proposition.

The challenge is that raising prices requires better packaging, stronger reporting, and clearer executive communication. MSSPs need to show why the service is worth more, not just send a higher invoice.

Key pricing tips

“You justify higher pricing by making the value visible. Monthly health reports. QBRs where you show them what you caught, what you fixed and the risk they’re no longer carrying because of you. Threat data specific to their industry and geography. Not generic data, but relevant numbers.

“When you show a dental practice that 88% of SMB breaches involve ransomware, you can walk them through exactly what you’re doing to make sure they’re not in that statistic. That’s a very different conversation than, ‘We monitor your network.’ One of those conversations gets you a price increase. The other gets you a race to the bottom.”

Mistake 7: Not benchmarking effectively

Many MSSPs operate without a clear understanding of how they compare to peers. That creates a serious valuation problem.

If you do not benchmark, you may not know whether your gross margins are strong, your churn is too high, your pricing is too low, or your service mix is dragging down business value. Buyers, investors, and strategic acquirers will benchmark you. The question is whether you have done it first.

That is why industry reports such as the MSSP Alert Top 250 matter. The Top 250 is not a valuation report, but it does give MSSPs a useful view into what leading security providers look like.

MSSPs should regularly compare themselves against key valuation metrics, including:

  • Recurring revenue
  • Profitability
  • Growth
  • Service mix
  • SOC maturity
  • 24/7 monitoring
  • Managed services breadth
  • Security specialization

For MSSPs that want to grow value, applying for the Top 250 survey is more than a branding opportunity. It forces leadership to gather the same kinds of metrics buyers care about and compare the business against the broader market. That process can highlight where the company is strong, where it is lagging, and what needs to improve before a future transaction.

Industry events can also help. Attending conferences affords MSSP leaders a chance to hear what peers, vendors, and clients are focused on. For example, MSSP Alert Live is an annual event dedicated to managed security, with sessions around packaging, product selection, differentiation, and roadmapping.

Key benchmarking tips

“Investors want to know you understand your market position. Reports like the MSSP Alert 250 give you a framework for that conversation [and] where the gaps are. If you’re number 180 and you want to be in the top 50, now you have something to work toward. That’s not ego, that’s strategy. … Making a list like the MSSP Alert 250 gives you instant credibility.

“When a prospect sees that a credible third party has validated where you stand among your peers, that matters. It becomes part of the story you tell. Being recognized at that level signals that managed security services are not just a side conversation. They are the conversation.”

Parting advice from Michael E. Crean

  1. Learn to say no. Do not take on customers that won’t adhere to basic security requirements, deals that aren’t the right fit, or services the MSSP isn’t good at delivering. Every time you say yes to the wrong thing, you’re saying no to building something real.
  2. Invest in your own people. You can’t build a scalable MSSP on the backs of a few technicians. Document your processes, train your team, and let people make decisions.
  3. Don’t stay in the MSP world too long when you’ve committed to being an MSSP. “Do or do not. There is no try.” The moment you straddle both worlds, you do neither one well. You’ll confuse the market about what you actually are.
  4. Get back to the fundamentals and be relentless. The vast majority of the compromises we’ve investigated trace back to someone not doing the basics. Get the basics right first, then add the sophisticated tooling on top of something that’s actually solid.
  5. Partner strategically. You do not have to be everything. Find the people and organizations that fill your gaps and build trust with them. That’s how you scale without breaking.
  6. Be passionate about what you do. I was a really crappy MSP when I was doing it without passion. When I found my way into security and into the SOC-as-a-service world, everything changed. The best partners I see out there, they care. Customers and investors feel that; the market rewards it.

Jonathan Browning

Jonathan Browning is the executive director of content and engagement for The ChannelPro Network. He has been a leader in the IT channel for close to a decade. He’s an avid fan and early adopter of technology. He believes that the Managed Services industry is the most important driver of economic growth and human innovation in today’s world.
