Executive Summary
A regional managed service provider with 40 small business clients faced increasing demand for security monitoring capabilities. Clients across healthcare, legal, and retail sectors required 24/7 threat detection, incident response, and compliance reporting that the MSP could not deliver with existing resources.
Building an in-house Security Operations Centre would require hiring five analysts for continuous coverage, investing in SIEM infrastructure, and developing detection playbooks. The estimated first-year cost exceeded $300,000 with a 12 to 18 month timeline to full operationalisation.
CyberQuell established a white-label SOC partnership enabling the MSP to launch security services within 30 days. The partnership generated $12,400 in monthly recurring revenue in the first month with zero capital investment, while all client communications and reporting appeared under the MSP's brand.
Partner Environment
The managed service provider operates as a regional IT services company with 15 employees serving 40 small business clients across the Midwestern United States.
Client requirements included:
- 24/7 security monitoring for Microsoft 365 and endpoint environments
- HIPAA compliance reporting for healthcare clients
- PCI-DSS compliance evidence for retail clients
- incident response capabilities for business email compromise and ransomware threats
The MSP had evaluated three options for delivering security services: building an internal SOC, reselling existing MSSP services, or establishing a white-label partnership. Internal development required prohibitive capital investment. Traditional MSSP resale offered margins of 15 to 20 percent with limited brand differentiation.
Partnership Trigger
The engagement was initiated following a security incident at one of the MSP's healthcare clients.
A business email compromise attempt had targeted the client's accounts payable function. The MSP detected the incident through manual log review but lacked the monitoring infrastructure to identify the attack in real time. The client subsequently requested 24/7 security monitoring as a condition of contract renewal.
Additional clients had begun requesting security services following publicised ransomware incidents affecting similar organisations in their industries. The MSP recognised that security capabilities had become a competitive requirement rather than a differentiating offering.
Partnership Timeline
| Week | Phase | Activity |
|---|---|---|
| Week 1 | Onboarding | White-label portal configuration, branding setup, sales training |
| Week 2 | Integration | Azure Lighthouse deployment, log ingestion, detection rule configuration |
| Week 3 | Pilot | 5 pilot clients onboarded, alert tuning, process refinement |
| Week 4 | Launch | Full portfolio rollout, new client acquisition initiated |
Technical Architecture
CyberQuell designed a multi-tenant security operations architecture that maintained client data sovereignty while enabling centralised monitoring.
| Component | Implementation |
|---|---|
| Tenant Access | Azure Lighthouse for delegated multi-tenant management |
| SIEM Platform | Microsoft Sentinel deployed per-client with centralised analytics |
| Log Ingestion | Microsoft 365 audit logs, Defender for Endpoint, Azure AD sign-in events |
| Detection Rules | Custom analytics rules tuned per client environment |
| Analyst Access | Locked-down Cloud PCs with no copy or screenshot capability |
| Data Residency | All client data remains in client tenants; logs streamed, not stored |
Operating Model
The partnership established clear responsibilities between CyberQuell and the MSP.
MSP Responsibilities
- client relationship ownership and service pricing
- first point of contact for client inquiries
- sales and marketing of security services
- contract management and billing
CyberQuell Responsibilities
- 24/7 analyst coverage across L1, L2, and L3 tiers
- SIEM management, detection engineering, and threat intelligence
- incident response and remediation execution
- monthly security reports delivered under MSP branding
Incidents Detected and Contained
During the first six months of operation, the SOC detected and contained 127 security incidents across the client portfolio.
| Incident | Detection | Response Time | Outcome |
|---|---|---|---|
| Business Email Compromise Attempt | Suspicious inbox rule in executive mailbox | 4 minutes | Zero financial loss; attack contained before wire transfer request |
| Ransomware Precursor Activity | Cobalt Strike beacon via Defender for Endpoint | 11 minutes | Single device impacted; no encryption or data exfiltration |
| Credential Stuffing Attack | 2,400 failed logins across 3 tenants in 2 hours | 6 minutes | Zero successful compromises |
Partnership Results
| Metric | 30-Day | 6-Month |
|---|---|---|
| Monthly Recurring Revenue | $12,400 | $34,200 |
| Clients Onboarded | 38 | 43 |
| New Clients Acquired | 3 | 8 |
| Incidents Detected | 18 | 127 |
| Incident Containment Rate | 100% | 100% |
| Analysts Hired | 0 | 0 |
| Capital Investment | $0 | $0 |
Financial Analysis
| Metric | Value |
|---|---|
| 6-Month SOC Revenue | $205,200 |
| Partnership Cost | $82,000 |
| Net Margin | $123,200 (60%) |
| Alternative (In-House SOC First Year) | Loss of $150,000+ |
Key Findings
The partnership demonstrated that MSPs can deliver enterprise-grade security services without internal SOC investment.
Key findings included:
- White-label SOC services achieved margins of 50 to 70 percent compared to 15 to 25 percent for traditional MSSP resale
- Time to revenue was 23 days from partnership initiation to first client billing
- Security services drove new client acquisition, with 3 new clients signed specifically for SOC capabilities
- Client retention remained at 100 percent across the monitored portfolio
- Average incident response time of 8 minutes was faster than typical internal IT teams can achieve
Performance Summary
30-Day Performance
- $12,400 monthly recurring revenue generated
- 38 clients onboarded with zero capital investment
- 3 new clients acquired specifically for SOC capabilities
- 18 security incidents detected and contained at 100% rate
6-Month Performance
- $34,200 monthly recurring revenue
- 43 clients monitored with 100% retention
- 127 security incidents detected and contained
- $123,200 net margin achieved (60%)
Business Impact
The partnership enabled the MSP to transform security from a capability gap into a revenue-generating service line.
The organisation was able to:
- launch SOC services within 30 days without capital investment or hiring
- maintain full brand ownership of security services with clients
- achieve 60 percent margins on security revenue compared to the 15 to 25 percent industry standard
- win new clients specifically seeking managed security capabilities
- retain existing clients with enhanced security posture
Key Lessons
Managed service providers can deliver enterprise security services through partnership models that preserve client relationships and brand identity.
White-label partnerships offer significantly higher margins than traditional MSSP resale arrangements while eliminating brand dilution.
Azure Lighthouse enables secure multi-tenant monitoring while maintaining client data sovereignty.
Security services have become a competitive requirement for MSPs serving regulated industries.
Time to revenue for partnership models is measured in weeks rather than the 12 to 18 months required for internal SOC development.
