What Does It Mean To Be A ‘True’ MSSP?

Thrive CEO Bill McLaughlin says that while it’s smart for an MSP to transition to an MSSP if they believe they are ready for that type of expansion, it’s concerning to see some providers calling themselves MSSPs without actually managing their customers’ security themselves.

Data Center Programmer Using Digital Laptop Computer, Maintenance IT Specialist. Cloud Computing Server Farm System Administrator Working on Cyber Security for Iaas, saas, paas. Closeup Focus on Hands

For MSPs that are looking to make the wise move of going deeper on cybersecurity services, expanding to become an MSSP is one notable option that many are considering right now.

But to be a “true” MSSP requires a major investment that not all MSPs are going to be positioned to make, according to Bill McLaughlin, CEO of Foxborough, Mass.-based service provider Thrive. The company operates multiple Security Operations Center (SOC) locations worldwide, allowing it to provide 24x7 managed security services to customers.

In 2025, many customers “want somebody who’s got expertise in being able to provide security around their enterprise, have the ability to manage it with a SOC 24 hours a day, 365 days a year,” McLaughlin said.

[RELATED: Staying On The Right Path: Partner Enablement Needs To Be A ‘Continuous Journey’]

Crucially, Thrive does not outsource any of its MSSP work to other providers, and every individual working in its three worldwide SOCs is an employee of the company, he said.

A SOC typically provides managed security services—delivered by a team of security analysts—including threat monitoring and detection as well as response and remediation of cyberattacks.

Such services are increasingly provided across the full spectrum of IT environments and devices used by an organization, in contrast to MDR (managed detection and response) offerings that traditionally focus on detection and response for threats targeting endpoints.

While MSPs are smart to consider moving to becoming an MSSP if they believe they are ready for that type of expansion, it’s concerning to see some providers calling themselves MSSPs without actually managing their customers’ security themselves, according to McLaughlin.

“If you’re going to be a true MSSP, you’ve got to have the technology. And the technology is more than just MDR and EDR [endpoint detection and response],” he said. “It’s a complete framework around various components that are going to address all the different areas within the enterprise—then having the team to be able to respond, manage, react and remediate.”

By contrast, McLaughlin said, many service providers today are signing up with a major MDR provider with the premise that “they will outsource the SOC to [the vendor]—and then they’ll call themselves an MSSP.”

Without a doubt, amid the massive demand for managed security services, “a lot of smaller MSPs are leveraging a third party and outsourcing because they don’t have the financial backing or wherewithal to be able to build out a true SOC,” he said.

The technology to do so is not inexpensive, and neither is the hiring and training of security analysts, McLaughlin said. Ultimately, Thrive has positioned itself to “bring in a top-tier product, to have a top-tier platform, to have it truly integrated—and then have the right talent behind it to provide the services that are required to be a true MSSP,” he said.

For an MSP to provide managed security services the minimum number of seats it should be managing is 5,000, according to Charles Everette, a cybersecurity veteran who was recently named field CISO at Slovakia-based security vendor ESET.

Apart from having a certain scale, it’s also crucial for an MSSP to be taking on clients that already have achieved a level of maturity in their cybersecurity posture, Everette said.

“If you go in and try to provide it to companies that are immature, that don’t have the cybersecurity understanding, you’re not going to be able to manage it properly. And that’s the key thing,” he said. “It’s not just about getting it up and running; it’s [also] about is this the right customer?”

One MSP that undertook the expansion into an MSSP is Milford, Conn.-based Vancord, which opened its own SOC in 2023 and manages roughly 6,000 endpoints, said Lou Ardolino, vice president of client success at Vancord.

While the move to become an MSSP may not make sense for all MSPs, Vancord had the built-in advantage of already having security engineers on staff, Ardolino said.

Notably, a key growth area for the company has been to work with other MSPs and VARs that are not in a position to offer MSSP services themselves by providing its own SOC services to those partners and their end customers, he said.

“They’ll leverage us because they might not be as large of a shop as we are,” Ardolino said, and the MSSP-MSP partnerships have been “very beneficial” for both sides.