MSP vs MSSP: Why a Generalist MSP Can't Deliver Real Cybersecurity

Eric Thompson · Apr 24, 2026

Most MSPs are comfortable with the status quo. That's exactly what leads to the cybersecurity disasters we keep getting called in to clean up.

They're running one security tool. We're running seven or eight. Their security line on your invoice is three bucks an endpoint. Ours is sixty. For them, security is one thing on a long list. For us, it's the whole thing. That difference isn't marketing language. It's just what the numbers say once you start looking at them.

Here's what we see when we walk into accounts from generalist MSPs, and why the model doesn't work for real cybersecurity. Not because the providers are bad people. Most of them aren't. The model just isn't built for it.

MSP vs MSSP, Plain English

An MSP, a Managed Service Provider, is an IT company. They run your help desk, patch your computers, deal with email, run backups, and slap an antivirus on top. Security is one line item on a long invoice. For most generalist MSPs, cybersecurity is a bolt-on, not the practice area.

An MSSP, a Managed Security Service Provider, is built around cybersecurity. Layered tools from different vendors. Real human analysts watching alerts around the clock. Threat hunting. Compliance support. Ongoing tenant hardening. Security isn't the side dish. It's the whole business.

So how do you tell which one you've got? Look at the security line on your invoice. If it's three bucks an endpoint, you've got an MSP running antivirus and calling it a security program. If it's in the $40-$60 range, you've got something closer to MSSP-grade. The pricing gap isn't arbitrary. It's just what the layered version actually costs to run.

McNallan sits on the MSSP side of that line now. We weren't always there. Ten years ago we were at three bucks too. The threats moved and so did we.

The Stack: One Tool vs Seven

At peer groups Eric asks people what they use for security. The answers come back: "We use SentinelOne." "We use Defender." He follows up. Okay, what else? And the response is usually confusion. What do you mean, what else?

And right there's the problem.

You can't run cybersecurity on one tool. The generalist model buys one endpoint product and calls it done. That's it, that's the program. We don't run it that way. We've got Huntress for detection, ThreatLocker for application whitelisting, separate products for backup, security awareness training, tenant hardening. Different vendors doing different jobs. The whole point is that when one of them misses something, the next one's there to catch it.

We run seven or eight different things in our stack. When Eric explains this to a new prospect now, he sprinkles it in early. McNallan is cybersecurity-focused. Cybersecurity-heavy. That's a good thing, not a sales line. It means we take it seriously enough to actually invest in the layers no single product gives you.

From the bids I've seen, from the people I've talked to, the companies I've evaluated, I haven't seen anyone that does more than what we do.

Eric Thompson, McNallan Technology Solutions

Somebody might use Huntress. Great. But Huntress and ThreatLocker and immutable backup and training and tenant hardening and the rest of it, all running together? Eric hasn't seen it in a local competitor. That's not a boast. It's just what cyber takes now if you're going to call it a program.

$3 vs $60 on the Invoice

When we bid against other MSPs, we see their security line item. It's almost always around three dollars per endpoint. Ours is sixty.

Eric tells prospects this straight up: if you're paying three bucks an endpoint, that's a red flag. That's what we were at ten years ago. It doesn't buy you a security program today, it buys you an antivirus checkbox.

We're not 20x more expensive because we're gouging anyone. We're 20x more because what we're actually running on the back end is a completely different animal. Multiple products. Multiple vendors. Each one doing one specific job, and somebody on our team has to operate every single one of them. A three-dollar line item is one thing, deployed once, and forgotten about.

For context, the 2025 MSP pricing data has basic managed-security service running $40 to $45 per endpoint, with top-tier MSSPs up to $200. A three-dollar line item isn't a deal. It's a ceiling on what the provider can possibly be doing.

The generalist pitch is usually some version of "we have antivirus, you're covered." We hear it all the time. Eric's reaction to that one: "'Should be' is not a thing in our world."

A Consulting Client Found Out the Hard Way

We do consulting work for a company we don't fully manage yet. The owner hates his current MSP. He'd like to move over but he's stuck. Locked in a contract.

His current MSP's security approach? SentinelOne. One tool.

The client got breached via email.

Look, I'm not saying SentinelOne caused the breach. I'm not even saying Huntress would've caught the exact thing that got through. That's not the point. The point is when you've got one tool and that tool misses something, there's nothing underneath it. No second layer. No human looking at the alerts. No application whitelisting blocking what the engine didn't recognize. That's how a missed alert turns into a phone call about ransomware.

We're planning to layer Huntress on top of what they already have. That's the difference in approach. Not rip and replace on a handshake. Add the layer that's missing so the next miss doesn't become a breach.

What We Find on the Way In

When we onboard one of these accounts, the single biggest pattern is a lack of standards. That sounds vague, so let me make it concrete.

Standards either show up everywhere or they don't show up at all. Backup, hardware, passwords, admin accounts, firewall configs, SharePoint, network, computers. Across the board what we see is out-of-the-box configuration. The tools got bought. They got deployed. Nobody ever went back and actually tightened anything up.

The patterns we see, every time:

  • Hardware that should've been retired two or three years ago. Still running, still in production, still on whatever software stack came with it.
  • Cybersecurity that's bought but half-deployed. License is paid. Agent's on some of the machines. Configuration is whatever shipped out of the box.
  • Backup that doesn't really work. Either it's not running, it's not tuned right, or the retention's too short to recover from anything real.
  • Admin sprawl. One client tenant had about ten Global Admin accounts that shouldn't have existed, including accounts belonging to former employees. One of them was named Superman. The hacker went straight for it.
  • License waste. 30 employees, 50 Microsoft 365 licenses, 20 just sitting there getting billed for nobody. Trivial to clean up, nobody does.
  • SharePoint Wild West. One tenant had over 40 SharePoint sites, different owners, no policy. Eric calls it the Wild West.
  • Security defaults still on. One spot in the admin portal tells you whether the tenant has ever been hardened. If it still says "security defaults," nobody touched it.
  • Security awareness training at 60 to 70%. Not 100%. Not even 90%. Training that 30 to 40% of your people skip isn't really training.
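
As an added illustration (not McNallan's tooling and not code from the original article), the following Python checks a tenant export for four of the patterns in the list above: admin sprawl, license waste, security defaults, and training coverage. The export format, the field names, and the `max_global_admins` value are assumptions, and the sample data is constructed.

```python
# Added example: constructed tenant export; all field names are hypothetical.
SAMPLE_TENANT = {
    "active_employees": ["alice", "bob", "carol", "dan", "erin"],
    "global_admins": ["alice", "bob", "superman", "frank.former", "gina.former"],
    "licenses": {"purchased": 50, "assigned": 30},
    "security_defaults_enabled": True,
    "training_completed": ["alice", "bob", "carol"],
}


def audit_tenant(tenant, max_global_admins=2):
    """Return (check, detail) findings for the onboarding patterns listed above.

    max_global_admins is an assumed policy value; set it to your own standard.
    """
    findings = []
    staff = {name.lower() for name in tenant["active_employees"]}
    admins = [a.lower() for a in tenant["global_admins"]]

    # Admin sprawl: Global Admins that do not map to a current employee
    # (former staff, generic names) and an admin count above policy.
    orphaned = sorted(a for a in admins if a not in staff)
    if orphaned:
        findings.append(("orphaned_global_admins", orphaned))
    if len(admins) > max_global_admins:
        findings.append(("global_admin_count", len(admins)))

    # License waste: seats billed but assigned to nobody.
    lic = tenant["licenses"]
    unused = lic["purchased"] - lic["assigned"]
    if unused > 0:
        findings.append(("unused_licenses", unused))

    # The article's heuristic: security defaults still enabled suggests the
    # tenant was never moved to explicit hardening policies.
    if tenant["security_defaults_enabled"]:
        findings.append(("security_defaults_still_on", True))

    # Training coverage: anyone on the roster who has not completed training.
    done = {n.lower() for n in tenant["training_completed"]}
    missing = sorted(staff - done)
    if missing:
        pct = round(100 * (len(staff) - len(missing)) / len(staff))
        findings.append(("training_incomplete", {"percent": pct, "missing": missing}))
    return findings


if __name__ == "__main__":
    for check, detail in audit_tenant(SAMPLE_TENANT):
        print(f"{check}: {detail}")
```

Cross-referencing the admin list against the current staff roster is what surfaces both the former-employee accounts and generically named ones in a single pass.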

Previous provider wasn't malicious. The model just isn't built to actually defend you. It's built to keep things running, and that's a different job.

The Mindset Underneath All of It

There's a mindset thing under all this too. Worth saying out loud.

Most of the companies we see stuck on a weak security stack aren't stuck because nobody offered them better. They signed a three-year contract and decided that's what they're rolling with. They're not open to even the idea of changing mid-contract. So whatever the provider chose on day one is what they're going to battle with for 36 months.

On the provider side, the same inertia shows up. At peer groups a couple years ago, Eric ran into guys who still had clients on Windows 7, years after everybody else had moved to Windows 10. Are you kidding me? We solved for that like two years ago. The providers weren't evil. They just weren't pushing. Status quo's easier.

That's the real generalist problem. They're not bad people. They're just settled. The check shows up, the tools are deployed, the tickets get closed most days, and nobody's asking whether what was fine in 2022 is still fine today. Cyber doesn't work like that.

The numbers say so too. Per IBM's 2025 Cost of a Data Breach report, the global mean time to identify a breach is 158 days. Another 83 to contain it. 241 days total. Roughly eight months from initial compromise to closure, averaged across the 600 breached organizations IBM surveys every year.

Eric puts it bluntly: doing cyber right is a full-time job. You need people whose actual job is researching, testing, and swapping tools when something better comes along. A generalist MSP doesn't have those people. The math on a three-dollar line item won't pay for them. An MSSP does, because that's what the business is.

What "Layered" Actually Looks Like

We've got clients paying us more for security than they're paying for support. Throws people off the first time they hear it. Then you walk through it: support is one job. Security is seven or eight running in parallel, every one of them a specialist function.

The stack isn't one big tool. It's a chain:

  1. Endpoint detection and response with real human analyst review (Huntress)
  2. Application whitelisting (ThreatLocker). Deny by default, approve what's needed.
  3. Backup with proper retention and immutability. Multiple products. One getting compromised doesn't kill the other ones.
  4. Security awareness training and phishing simulation. Humans are the weakest layer. Train them.
  5. Microsoft 365 tenant hardening and Secure Score management. The platform doesn't harden itself.
  6. Conditional access, MFA enforcement, identity monitoring. Stop the attacker at the door.
  7. Network and perimeter monitoring. See the traffic, not just the endpoints.
  8. Quarterly audits and policy review. This is the part that dies at a generalist MSP.

Take any one of those out and the whole thing weakens. Run one of them by itself and you've got a product, not a program.

This isn't an opinion. Two numbers from 2025 that ought to change how business owners shop for IT:

  • SMBs are attacked roughly four times more than large enterprises, and ransomware shows up in 88% of SMB breaches vs. 39% for big organizations (Verizon 2025 DBIR SMB Snapshot). The threats aren't waiting for enterprise targets.
  • Third-party involvement in breaches doubled in a single year, from 15% to 30% (Verizon 2025 DBIR). That includes MSP-initiated compromises. When attackers hit one MSP, they land in every client that MSP manages.

So What Should You Do With This

If you're working with a generalist MSP and you've made it this far, the question isn't whether your provider's a bad company. Most aren't. It's whether security is actually their job or just a line item they bill while their real attention is somewhere else.

01. Pull up your invoice. Look at the security line.

Three bucks an endpoint? You're paying for antivirus, not a security program. The industry average for managed security sits in the $40+ range. That number alone tells you most of what you need to know.

02. Ask what else is in the stack.

"We have SentinelOne" or "we have Defender" is one tool. A real program has detection, application control, backup, training, tenant hardening, monitoring, all from different vendors. If your provider can't name more than one or two layers, there aren't more than one or two.

03. Don't wait until renewal.

The companies we see breached are almost always the ones who signed a three-year deal and decided not to revisit. Whoever's coming after you doesn't care that you signed a contract last spring.

04. Ask what changed in the last 12 months.

If the answer's "nothing," that's the generalist pattern. Today's threat stack assumes MFA alone isn't enough anymore (adversary-in-the-middle phishing bypasses it), and that RMM tools are a top attacker target. Huntress reported RMM abuse surged 277% year-over-year in 2025, with about 24% of all incidents now involving RMM tooling. If your provider's stack from two years ago hasn't been touched, it's already behind.

Common Questions About MSP vs MSSP

What's the actual difference between an MSP and an MSSP?

An MSP runs your IT, help desk, patching, email, backup, basic antivirus. Security is one line item. An MSSP is built around cybersecurity, with layered tools from different vendors, real human analysts watching alerts around the clock, threat hunting, and compliance support. For an MSP, security is one thing on the list. For an MSSP, it's the whole business.

Do I need an MSSP if I already have an MSP?

If your current MSP runs more than one security tool, has a named SOC or MDR provider behind them, and can show you what they caught last month, you might already have something close to MSSP-grade. If your security line item is under $20 per endpoint, probably not, and what you've got is really antivirus with a label on it.

Can a regular MSP do cybersecurity?

Some can. Most can't at the level modern threats need. A generalist MSP usually runs one or two security tools as part of a broader IT service. Fine for basic hygiene. Not fine for ransomware, AI phishing, token theft, or supply chain attacks. The math on a generalist contract doesn't pay for the research, testing, and layered operation real cybersecurity needs.

Is an MSSP worth it for a small business?

For most companies between 25 and 300 employees, yes. SMBs get attacked roughly four times more than large enterprises, and 88% of SMB breaches involve ransomware. Cyber insurance carriers are now requiring MFA enforcement, EDR, immutable backups, and a documented incident response plan, all of which are MSSP-tier services.

How much does an MSSP cost compared to a regular MSP?

Industry-wide it's about $40 to $45 per endpoint for basic managed security, with top-tier MSSPs up to $200. Generalist MSPs often bundle security at the antivirus tier, around $5 to $15 per endpoint, because that's all they're really paying for. Expect MSSP-grade to cost you 3 to 6 times what your current security line item is. You're getting a different program for it.

Sources & Citations

External claims in this article are drawn from the following primary sources. Statements about McNallan's own clients, pricing, and process come from interviews with Eric Thompson, McNallan Technology Solutions.

Want a real MSP vs MSSP comparison on your stack?

Bring us your current provider's invoice and your 365 admin center. In a short call we'll walk you through what you actually have, layer by layer, in plain language. Minnesota businesses with 25–300 employees.