MSP Agentic AI
Assessment · 04

How strong is the security you sell?

This rates the security service line you sell to clients — what you can credibly deliver — not your own internal posture. The most common gap isn't capability; it's commercialization: great security, bundled in for free instead of packaged and priced as a renewable line of business.

Take the assessment → How it works

What it measures — the 5 dimensions

You rate each on how it is today (a mirror, not a grade). For every one, the app already holds the “what good looks like” standard you can browse and adopt.

  • Security Stack Depth

    Do you operate the core managed-security controls (EDR, email security, MFA, patching) to a standard — or mostly resell point products?

    What good looks like · A standardized, operated security stack (EDR · email security · MFA · patch/vuln) deployed to a documented baseline across the book.

  • Monitoring & Response

    Is there 24×7 monitoring and incident response — a staffed SOC or outsourced MDR with SIEM — or is detection reactive and best-effort?

    What good looks like · 24×7 SOC/MDR with SIEM/log management and a tested incident-response runbook — alerts are triaged and contained around the clock.

  • Vulnerability & Threat Management

    Do you run vulnerability management, penetration testing, threat hunting, and SOAR — or only patch reactively when something breaks?

    What good looks like · A managed vulnerability program + periodic pen-tests + proactive threat hunting, with SOAR automating containment of known patterns.

  • Compliance & GRC Services

    Can you deliver compliance services — map client controls to frameworks (HIPAA / PCI / CMMC), maintain evidence, and support audits?

    What good looks like · A compliance-as-a-service capability: framework mapping, maintained evidence, and audit support delivered as a billable line.

  • Commercialization

    Is security packaged and priced as a tiered offering (good / better / best), or bundled in for free and sold ad hoc?

    What good looks like · A productized, tiered security offering with its own packaging, pricing, and SLAs — sold and renewed as a distinct line of business.

The 5 maturity levels

Where you land is your headline level; your lowest-rated dimension is the constraint holding you back — you're only as repeatable as your weakest critical area.

  • Level 1 — Resell-only

    You resell security products (AV, maybe EDR) but don't operate them. There's no managed detection or response — security is a line item, not a service you run.

  • Level 2 — Basic Managed Security

    You deploy and manage core controls (EDR, email security, MFA) and patch, but monitoring is reactive and there's no 24×7 response. Coverage varies client to client.

  • Level 3 — Standardized Security Stack

    A defined, standardized security baseline across the book — EDR + email security + MFA + awareness + an IR plan — managed to a documented standard rather than per-client improvisation.

  • Level 4 — SOC/MDR-backed

    24×7 monitoring and response via a staffed SOC or outsourced MDR, with SIEM / log management and a tested incident-response capability. Detection is proactive, not best-effort.

  • Level 5 — Advanced (Threat-Hunting + CaaS)

    Proactive threat hunting, SOAR automation, penetration testing, and compliance-as-a-service (mapping client controls to frameworks with maintained evidence) — a differentiated security practice you lead with.

Why it matters

Security is the fastest-growing line MSPs can sell — and the easiest to under-monetize. If you deploy EDR, manage MFA, and run awareness training but bill it as “included,” you're leaving margin (and a defensible moat) on the table. This shows you where your offering really sits and what it takes to move from resell to a SOC/MDR-backed, packaged practice.

What you get

  • Your headline maturity level across all 5 dimensions.
  • The single constraint holding you back — and the targeted next-steps to lift it, cross-linked to the reference.
  • An evidence check: where your MSP Profile contradicts a high self-rating, the assessment challenges it (it never overwrites your answer).
  • A branded PDF report to download and share with your team.
Take the Security Offering assessment →

See where your MSP stands — in minutes.

No install, free to explore. Pick an assessment and get a tailored read on your gaps and your maturity.

Open the reference →