Managed Security Services

How to Price and Package Your MSSP Services for 2024

One of the biggest topics among MSSP and MSP owners at this time of year as during strategic planning is pricing. How do you price managed security services? Are you using a per device plan? A per user plan with a device allowance? Are you pricing by ingestion? By alerts? What’s in your standard bundle? What are you adding on?

There are so many different ways to set pricing for managed security services, and best practices are always evolving. Add to that the recent economic environment. We have recently come out of a pandemic that disrupted normal economic patterns. Inflation has been high. Interest rates are high. The labor market has been unstable. There’s plenty of uncertainty as we head into 2024.

Joe Morin, CEO of CyFlare, an MSSP 250 company, has recently been on a vision quest to figure out the right formula for pricing MSSP services, and it’s a continuing journey. Morin recently shared some of his thoughts with MSSP Alert during a December webcast, MSSP Pricing and Packaging Strategies for 2024. You can watch the webcast on-demand here.

MSSP Pricing and Packaging: Key Considerations

Meanwhile, here are some of the highlights.

What are the core services MSSPs need to offer? At a basic level MSSPs should be offering the following core services:

  • Assessments
  • SIEM/mXDR and SOC
  • mEDR
  • Vulnerability scanning and reporting

In addition, there are plenty of add on services as well that you could offer your customers to differentiate your services and provide your end-customers with greater value. They include the following:

  • Penetration testing
  • Email security
  • Web security
  • Patch management
  • vCISO services
  • Incident response
  • DLP (data loss prevention)
  • Identity access management / privilege access management
  • Cloud detection and response
  • Zero trust network access / zero trust endpoint

When you are doing the actual pricing of your bundle of services, no one size fits all, according to Morin. For instance, educational end customers have thousands of students who don’t really fit per user pricing the same way staff members would. And technology startup companies may just have 10 users but a massive infrastructure footprint on AWS that they are looking for you to monitor and protect.

Create a Default MSSP Pricing Model

However, Morin recommends creating a default pricing model that you use for most of your clients and then having some some alternatives/exceptions already identified. Morin said that at CyFlare, 95% of clients fit the default model.

When you create those pricing models your goal should be to target gross margins of more than 60%. Tech-enabled MSSPs should be targeting gross margins of more than 70%, he said. Keep in mind that if your customers are resale partners or MSPs, they are expecting their own margins of 35% on this business.

MSSP Services Packaging: Two Styles to Consider

In terms of packaging, Morin said there are two styles to consider. “Bundle and Save” offers financial incentives for adding multiple products and services. Plus, it enables a more strategic relationship, and it makes it harder for the customer to quit you. “A la carte” services allow customers to select a single service to fit an immediate need. Sometimes this kind of sale happens when a customer is working with an MSSP for the first time or has had a bad experience with a previous service provider.

Morin recommends adopting a “Product as a Feature” mindset. That means adding a value-added service in an easy-to-understand bundle option. For instance, you could offer penetration testing for 1-5 IP addresses per year. Thinking this way lets you add and remove those line items easily. It also gives you flexibility on the tools that you use. These kinds of add ons can also dramatically increase average revenue per user, according to Morin.

Morin offers plenty more advice, including some ranges for actual pricing, during the webcast. He also fielded a number of questions from audience members on topics such as IoT pricing, vendor selection, cybersecurity awareness training, some other alternative pricing models, bundled vs. individual services, tips and tricks to determine the prospect’s cybersecurity maturity level, and how to calculate implementation fees.

For more on the topic of MSSP Pricing and Packaging Strategies for 2024, be sure to check out the webinar on-demand.

Got a different perspective on how your MSSP prices its services? We would love to hear how you do it. Please email editorial director, Jessica C. Davis at [email protected].

Jessica C. Davis

Jessica C. Davis is editorial director of CyberRisk Alliance’s channel brands, MSSP Alert, MSSP Alert Live, and ChannelE2E. She has spent a career as a journalist and editor covering the intersection of business and technology including chips, software, the cloud, AI, and cybersecurity. She previously served as editor in chief of Channel Insider and later of MSP Mentor where she was one of the original editors running the MSP 501.