ConnectWise CISO: MSP Cybersecurity Readiness Isn’t About ‘Chasing The Latest Zero-Day Anymore’

‘Take a hard look at what you’ve allowed into your environment. ‘Not just what’s exposed externally, but what’s internally trusted: applications, vendors, service accounts. That’s your real attack surface now,’ says ConnectWise CISO Patrick Beggs.

Cybercriminals are increasingly skipping software exploits and going straight after identities, according to a new report.

In its latest 2026 MSP Threat Report, Tampa, Fla.-based vendor ConnectWise warned MSPs that stolen credentials, session tokens, remote access tooling and software supply-chain relationships are now the fastest path to an attack. And at the center of that shift is identity abuse.

“Attackers aren’t always forcing their way in anymore. They’re walking through the front door using identities, tokens and connections that organizations already trust,” ConnectWise CISO Patrick Beggs told CRN in an interview. “And the scary part is, that behavior doesn’t always look abnormal.”

[Related: ConnectWise Exec: AI And Hyperautomation ‘Creating New Business Lines’]

Ransomware groups in 2025 prioritized speed and reliability over innovation, according to the report. Campaigns followed a “scan, steal, encrypt” model, with attackers targeting backup systems early to prevent recovery. In many cases, multi-factor authentication (MFA) protections were bypassed through stolen session tokens or inherited VPN credentials.

Beggs added that these trends significantly change how MSPs should approach security.

“This isn’t about chasing the latest zero-day anymore,” he said. “It’s about understanding what you already trust inside your environment. What applications are connected? What APIs (application programming interface) are active? Who has access to your most critical systems? Most organizations would be surprised at how much overprovisioning exists.”

AI is also accelerating cybercrime, the report stated, by powering more believable phishing, speeding up malware development and letting threat actors automate attacks at a large scale. This is even when traces of AI don’t show up clearly in forensic data. “That’s what makes it dangerous, it lowers the barrier to entry while increasing effectiveness,” he said.

But despite the growth in sophisticated threats, Beggs said many MSPs still struggle with fundamentals: people and processes. He pointed to operational discipline such as identity governance, routine access reviews and documented playbooks as areas where many MSPs still have room to mature.

To help mitigate this, ConnectWise this week launched its new “Modern Threat Protection” approach, a unified, AI-powered framework that improves visibility and response across endpoints, identities and networks.

The offering aims to reduce tool sprawl by integrating managed endpoint detection and response (EDR), security information and event management (SIEM) and email security into a single system, enhanced by AI-driven analysis and backed by a 15-minute response service level agreement.

“Fragmentation creates gaps,” Beggs said. “When your tools don’t talk to each other, attackers can exploit those seams. The goal now is correlation bringing identity, endpoint and network data together so you can see the full picture and act quickly.”

And it starts with mapping trust.

“Take a hard look at what you’ve allowed into your environment,” he said. “Not just what’s exposed externally, but what’s internally trusted: applications, vendors, service accounts. That’s your real attack surface now.”

The latest research reinforces what many MSPs are already seeing in practice, and partners Jason Slagle and Corey Kirkendoll said that shift is undeniable.

“Identity-based attacks have been on the uptick for a while now, and that makes perfect sense,” Slagle, president of Toledo, Ohio-based MSP CNWR Inc., told CRN. “As companies get better at backups and recovery, attackers pivot. Identity is harder to detect, harder to respond to and just as damaging. “Inside the network has always been easier to exploit Once attackers are in, they find the softer targets.

Kirkendoll, CEO of Plano, Texas-based 5K Technical Services, echoed Slagle’s sentiment, adding that MSP priorities must evolve.

“Anything we’ve assumed is safe is now a target,” Kirkendoll told CRN. “Identity-first security is critical. You have to monitor behavior, not just rely on signatures and operate with an assume-compromise mindset.

“It comes down to discipline,” he added. “Clean up access, know your tools and continuously reassess trust.”