
Most MSPs sit on a security revenue base they have not built. The clients are already inside the building, the demand keeps arriving reactively whenever an insurance carrier or auditor forces it, and the practice gets paid less than it could for work it already does. The question is whether your operating model converts that demand into recurring revenue or leaves it on the table.
The conditions favor the practices already holding the relationships. Cybersecurity spending is projected to reach $302.5 billion globally by 2029 at a 14.4% compound annual growth rate, per Forrester. The 2025 State of the vCISO survey found 67% of providers now offer vCISO services, up from 21% a year earlier. With 96% of those providers reporting client demand, outside security leadership has gone mainstream. Your existing book sits inside that demand curve, and the security line typically carries one of the strongest margin profiles in the MSP business.
Most practices are still missing the architecture. Project-based security work, the default for MSPs that have leaned in so far, doesn’t compound: each project ends, needs a fresh sale to replace, and prices against the market floor rather than the relationship ceiling. The MSPs growing fastest build security as a recurring engine from the book they already serve.
Where Your Security Recurring Revenue Is Already Hiding
Run the math on your own book and the pattern holds: in a typical book of 100 active clients, fewer than 20 buy anything beyond baseline managed IT for security. The other 80 pay for support, monitoring, and ticketing while sitting on a posture none of them, you included, could describe in a board meeting. That is a model gap, not a sales gap. The demand and the relationship both exist; what’s missing is the operating model that turns them into recurring revenue.
Many of these clients have a security budget growing under their feet, raised year over year because a carrier, an auditor, or a customer questionnaire forced it. The friction sits between the client paying you for security and you billing them for it, and it is structural rather than relational.
The opportunity is converting the book client by client, each managed IT client moving from “paying you for IT” to “paying you for IT and the security program alongside it.” How that engagement is scoped, priced, and turned into predictable monthly revenue is the architectural question. The three-tier model below is one practical answer.
Why Project-Based Security Work Caps MSP Growth
Project-based revenue caps the practice for four structural reasons, and each compounds the others.
Revenue becomes unpredictable. Quarterly and annual numbers are hard to forecast when every engagement is discrete, which makes hiring, tooling, and partner-program investment riskier than they should be, and lumpy revenue forces the conservative choices that slow expansion.
The practice is always selling. Every completed project opens a pipeline gap to fill before the next utilization cliff, and a practice on project revenue never stops chasing the next deal, the opposite of what most owners want their business to feel like.
Price pressure erodes the advantage. Project work goes out to bid and gets judged line by line, and the relationship you built over years of managed IT delivery doesn’t carry into a standalone proposal sitting next to two other quotes.
And it never compounds. The fifth assessment is worth no more than the first, there’s no monthly base that grows with retention, and the work stays linear with practitioner hours, so the ceiling sits where senior capacity sits.
The proof is in the margins. Project services gross margin across MSPs dropped from 23% to 12.9% between Q4 2023 and Q4 2024, per ConnectWise Service Leadership Index data, as utilization slipped and competition intensified. Project-dependent practices ended that year with materially less profit per hour than the recurring side produced.
Project work still has its place: incident response, M&A diligence, and ad-hoc compliance prep are best priced as projects. But a practice anchored on projects has a ceiling already showing, and the architecture below replaces it with a floor that lifts every year.
A Three-Tier Model for Security Recurring Revenue
The shape that lifts revenue per practitioner is a tier ladder. A service catalog lists what you can sell; a ladder is a progression that lets each engagement migrate up as the client’s maturity and regulatory exposure grow. Each tier carries a defined scope, a typical MRR range, and an upgrade trigger that surfaces inside the program.
| Tier | Scope | MRR per client | What unlocks the next tier |
|---|---|---|---|
| Security Baseline | Annual risk assessment, basic policy review, quarterly check-in, reactive guidance | $500–$1,500 per month | Findings expose gaps that justify ongoing program management |
| Security Program Management | Continuous compliance, risk register, policy lifecycle, IR planning, monthly executive reporting | $2,000–$5,000 per month | New frameworks, scope expansion, vendor risk needs |
| Strategic Advisory | Board-level reporting, multi-framework coverage, M&A diligence, third-party risk program, strategic roadmap | $5,000–$15,000+ per month | Becomes the renewing core, harder to displace than the underlying IT contract |
Pricing ranges synthesize current public benchmarks; Cynomi’s vCISO costs guide gives the line-item view.
Security Baseline is the entry tier: get every client paying something monthly, even $500–$1,500, low enough to absorb inside an annual renewal without a procurement fight. The deliverable is real, an actual risk assessment with prioritized findings, but the scope is bounded so the economics survive at small-account pricing.
Security Program Management is where the practice lives. It runs compliance frameworks, the risk register, policy lifecycle, incident response planning, and leadership reporting on a regular cadence. The work is continuous and priced to match, which is why clients renew without negotiating: the program is load-bearing for their business and replacing it costs more than keeping it. Partners at this tier report an average of $2,500 per month in stacked advisory services on top of licensing.
Strategic Advisory is the premium ceiling, where the relationship turns fiduciary. Board reporting, multi-framework coverage, vendor risk programs, and M&A support surface here, because the client is buying the security leadership their business has outgrown the ability to assemble internally. The MSPs who run this tier credibly already have the methodology and reporting infrastructure in place, which is what makes advisory profitable rather than a loss leader.
The upgrade mechanic is what makes the ladder recur instead of churn. Each tier surfaces findings or conversations that justify the next: a Baseline assessment generates a remediation roadmap that becomes Program Management; a Program Management engagement surfaces a vendor-risk question or a board presentation that becomes Strategic Advisory. The existing book is the pipeline for the higher tiers, and the upgrade conversation arrives inside the program rather than from outside it.
The Portfolio Math Behind Security MRR
The model matters more than the pricing, because the model scales across the portfolio. Pricing tweaks move the margin a few percent; a model change compounds across every client at every tier. Run the architecture across a representative book of 100 clients and the math shifts in ways a bid-price difference never could.
| Security penetration | Tier mix (Baseline / Program / Advisory) | Portfolio MRR | Annualized |
|---|---|---|---|
| 20 of 100 clients | 15 / 5 / 0 | ~$30,000 per month | ~$360,000 |
| 40 of 100 clients | 20 / 15 / 5 | ~$112,500 per month | ~$1,350,000 |
| 60 of 100 clients | 25 / 25 / 10 | ~$212,500 per month | ~$2,550,000 |
Your own book will look different, but the shape of the curve is the point, and the shape is what the model produces independent of pricing.
Two things compound. Retention runs higher than IT-only work, because the security program is harder to unwind than the support contract underneath it and the documentation, risk register, and institutional knowledge all sit with the provider. Mix shift builds on top: each year some Baseline clients move to Program Management and some Program Management clients move to Strategic Advisory, so portfolio MRR grows even when the client count holds flat.
That is why margin tracks better here than elsewhere. Average MSP net margins span 8% to 35% from bottom to top quartile, per a 2025 profitability study, and recurring security work tends to sit toward the upper end of that range. The top quartile runs the same services as everyone else; it just keeps more of the revenue base in recurring tiers and stays disciplined about the annual upgrade conversation. Some partners report 54% revenue growth after restructuring around a tiered program, most of the lift coming from existing clients climbing the ladder rather than new logos.
From Security Assessment to Recurring Revenue
The mechanical question is how the practice gets from where it sits today (project work, a few compliance retainers, the occasional vCISO conversation) to a tiered, predictable book. The four-stage move is consistent across published MSP guidance: use a time-bounded assessment as the entry point, present findings as a business conversation rather than a technical report, propose an ongoing program on a monthly retainer rather than another project, and use reporting to justify renewal while surfacing the next conversation.
The hinge is the second stage. Most MSPs deliver a strong technical assessment and a weak business conversation, handing over a remediation roadmap with no narrative, and the client asks the wrong question: “how much to do all of this once?” The right question, which a well-framed conversation guides them to, is “how would we run this as a program?”
Two habits decide who closes that conversation. Standardization lets one analyst hour serve several clients, because shared assessment methodology, policy libraries, and reporting templates keep the hour productive across the book. Automation is where margins are won or lost, since manual evidence collection, policy drafting, and report assembly are the cost centers that turn 30% margins into 12% inside a year. Both live in the platform layer, not the analyst layer, and both are what make the ladder deliverable at portfolio scale.
Building a Security Practice for the Next Five Years
If you’re building a security practice now, the tailwinds favor you. Carriers increasingly require documented controls before underwriting, and as of January 2026, 19-plus US states have comprehensive privacy laws on the books, per IAPP’s tracker, with more on the calendar. Customer contracts pull SMBs into security questionnaires regardless of whether their owners would have prioritized it, and the demand pattern rewards partners ready to deliver a program, not a project.
The market is shifting toward practices that run security as an ongoing program. The question is whether yours has the architecture to capture that demand or the project habits that leave it for someone else.
The architecture is buildable, and the math works at portfolio scale once the back end is disciplined. Cynomi is the Security Growth Platform built for that shift, with standardized methodology, automated delivery, and portfolio-level revenue intelligence that surfaces the client gaps and unbilled MRR already sitting in your book. The security revenue hiding in your existing portfolio is bigger than the line you bill today, and the ladder above is the path from one to the other.