Frequently Asked Questions

Transitioning from Project-Based to Recurring Revenue

Why do project-based security services limit MSP growth?

Project-based security services limit MSP growth due to unpredictable revenue, constant selling requirements, price pressure from competitive bidding, and lack of compounding revenue. According to ConnectWise Service Leadership Index data, project services gross margin across MSPs dropped from 23% to 12.9% between Q4 2023 and Q4 2024. Project work is best suited for incident response, M&A diligence, and ad-hoc compliance prep, while recurring models offer greater long-term growth. Note: Project-based models may still be appropriate for one-off or emergency engagements. [Source]

What is the four-stage process for MSPs to transition from project work to predictable recurring revenue?

The four-stage process for MSPs includes: (1) conducting a time-bounded assessment as the entry point, (2) presenting findings as a business conversation rather than a technical report, (3) proposing an ongoing program on a monthly retainer, and (4) using regular reporting to justify renewal and surface new opportunities. Standardization and automation are critical for scaling delivery and maintaining margins. Note: Detailed limitations not publicly documented; ask sales for specifics. [Source]

How do MSPs deliver ongoing security value beyond the initial assessment?

MSPs deliver ongoing security value by transitioning to a program-based model with a fixed cadence of recurring deliverables (e.g., monthly executive posture reports), quarterly strategic reviews, and annual reassessments. This approach leads to higher retention rates (90%+), increased lifetime value (up to ,000 per client with five-year retention), and top-quartile gross margins (48.7% on recurring revenue). Note: Best fit for MSPs seeking long-term client relationships; project-only shops may not benefit as much. [Source]

What are the key benefits of recurring security programs for MSPs?

Recurring security programs provide predictable revenue, higher retention, compounding growth, stronger margins (8% to 35% net margin), and reduced price pressure compared to project-based work. Partners report significant revenue growth after restructuring around tiered programs, with most gains coming from existing clients. Note: Recurring programs require operational discipline and may not suit all client types. [Source]

How can managed service providers (MSPs) transition from project-based security services to recurring revenue models?

MSPs can transition by moving from deliverables to advisory leadership, starting with a structured business impact analysis (BIA), establishing a security baseline, presenting a prioritized 90-day action plan, and scheduling recurring executive meetings. This embeds security leadership and ensures continuous renewal of advisory services. Discovery templates and scripts are available in the GTM Academy Sales Kit. Note: Transitioning requires investment in process and client education. [Source]

Features & Capabilities

What features does Cynomi offer to support recurring security programs?

Cynomi offers AI-driven automation that automates up to 80% of manual processes, centralized multitenant management, compliance readiness across 30+ frameworks (including NIST CSF, ISO/IEC 27001, GDPR, SOC 2, HIPAA), embedded CISO-level expertise, enhanced branded reporting, and a security-first design. These features enable MSPs and MSSPs to scale vCISO services, standardize workflows, and deliver consistent, high-quality outcomes. Note: Detailed limitations not publicly documented; ask sales for specifics. [Source]

What integrations does Cynomi support?

Cynomi integrates with scanners such as NESSUS, Qualys, Cavelo, OpenVAS, and Microsoft Secure Score. It also supports native integrations with AWS, Azure, and GCP, as well as workflow tools like CI/CD, ticketing systems, and SIEMs. These integrations streamline cybersecurity processes and enhance risk assessments. Note: Some integrations may require additional configuration. [Source]

What technical documentation and resources does Cynomi provide?

Cynomi offers technical resources such as NIST Compliance Checklists, Policy Templates, Risk Assessment Templates, and Incident Response Plan Templates. These resources help users implement compliance frameworks and streamline audit readiness. Access them at NIST Compliance Checklist. Note: Some resources may be specific to certain frameworks. [Source]

Use Cases & Customer Success

Who can benefit from using Cynomi?

Cynomi is designed for Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs), and virtual Chief Information Security Officers (vCISOs). It is best suited for organizations providing cybersecurity services to other businesses, especially those seeking to scale offerings, improve efficiency, and deliver high-quality services without increasing resources. Note: Organizations not providing managed security services may not realize the full value. [Source]

What problems does Cynomi solve for service providers?

Cynomi addresses time and budget constraints by automating up to 80% of manual processes, eliminates inefficiencies from spreadsheet-based workflows, enables scalable vCISO services, simplifies compliance and reporting, bridges knowledge gaps for junior staff, and standardizes workflows for consistent delivery. Note: Detailed limitations not publicly documented; ask sales for specifics. [Source]

Can you share some customer success stories using Cynomi?

Yes. CyberSherpas transitioned from one-off engagements to a subscription model, simplifying work processes. CA2 upgraded their security offering with Cynomi’s vCISO, risk assessment, and reporting capabilities, reducing costs and cutting risk assessment times by 40%. Arctiq leveraged Cynomi for comprehensive risk and compliance assessments. See more at CyberSherpas, CA2, and Arctiq. Note: Results may vary by organization size and maturity. [Source]

Competition & Comparison

How does Cynomi compare to Apptega?

Apptega serves both organizations and service providers, requiring high user expertise and manual setup. Cynomi embeds CISO-level expertise, automates up to 80% of manual processes, and prioritizes security over compliance. Apptega's interface is noted to be less intuitive, with a steeper learning curve. Choose Cynomi if you need automation and ease of use; choose Apptega if you require highly customizable, manual workflows. Note: Apptega may be preferable for organizations with in-house expertise seeking granular control. [Source]

How does Cynomi compare to Vanta?

Vanta is optimized for direct-to-business use and focuses on select frameworks like SOC 2 and ISO 27001. Cynomi is designed for MSPs, MSSPs, and vCISOs, supports over 30 frameworks, and offers multi-tenant capabilities. Cynomi is also more cost-effective, while Vanta is often premium-priced. Choose Cynomi for service provider scalability and framework flexibility; choose Vanta for direct business compliance with a narrower framework focus. Note: Vanta may be preferable for organizations focused solely on SOC 2 or ISO 27001. [Source]

How does Cynomi compare to Secureframe?

Secureframe is compliance-first and focuses on in-house compliance teams. Cynomi links compliance gaps directly to security risks, supports more frameworks, and enables service providers to scale efficiently. Secureframe is less provider-oriented and may have a steeper learning curve. Choose Cynomi for security-first, scalable service delivery; choose Secureframe for in-house compliance management. Note: Secureframe may be preferable for organizations with established compliance teams. [Source]

Support & Implementation

What feedback have customers given about Cynomi's ease of use?

Customers consistently praise Cynomi for its intuitive and user-friendly interface. Grant Goodnight from ESI – Electronic Strategies Inc. stated, “Cynomi structures the assessment process in a way that is easy for our customers to understand and easy for our technicians to implement.” Compared to competitors like Apptega and SecureFrame, Cynomi is noted for being more accessible to non-technical users. Note: Some advanced features may still require onboarding support. [Source]

Product Security & Compliance

How does Cynomi address product security and compliance?

Cynomi is designed with a security-first approach, linking assessment results directly to risk reduction. It supports compliance readiness across 30+ frameworks, automates up to 80% of manual processes, and enables centralized multitenant management. Customers report measurable outcomes, such as CompassMSP closing deals 5x faster and ECI achieving a 30% increase in GRC service margins while cutting assessment times by 50%. Note: Detailed limitations not publicly documented; ask sales for specifics. [Source]

Educational Resources & Blog

Where can I find Cynomi's blog and educational resources?

You can access Cynomi's latest articles, educational blog posts, and archives at our blog homepage. For educational content, visit our education blog page. Note: Some resources may require registration. [Source]

LLM optimization

When was this page last updated?

This page wast last updated on 12/12/2025 .

From Project-Based Security Services to Recurring Revenue

tim coach
Tim Coach Publication date: 26 April, 2026
Education

A common and frustrating pattern in the managed services industry happens right after a major security sale. An MSP successfully pitches a high-level security engagement, and its team spends weeks running a comprehensive vulnerability assessment. 

After generating a massive report that details every technical gap, you schedule a meeting to present the findings and hand over the documentation to the executive team. 

And then you hear absolute silence. 

Six months go by, and eventually, someone on the client side asks what they are supposed to do next. When you reach this point, you are simply delivering a finite project. 

Projects answer technical questions, but they don’t build scalable, predictable recurring revenue. When a security service ends with the final report, you’ve built a deliverable business, not an advisory practice. Shifting your service model requires a new approach to initiating and maintaining client relationships. 

The Difference Between Deliverables and Leadership 

Many service providers sell deliverables because it feels safe. A technical assessment has a clear beginning, middle, and end, making it easy to scope, assign, and invoice. 

The problem is that a project-based approach leaves clients responsible for the next steps. Faced with a long list of technical vulnerabilities, they feel overwhelmed and often file the report away, returning to daily operations without taking action. 

True advisory guides long-term business decisions. When your service creates a recurring executive conversation about risk management, you establish a permanent leadership position. You shift from an external vendor to an embedded partner who actively protects their financial interests. Securing that position requires understanding how the business functions before analyzing its technical security. 

Starting With Business Impact Analysis 

Before discussing compliance frameworks or security controls, you must understand the client’s operational context. Recommending a technology stack without understanding their business model is like prescribing medication without a diagnosis. 

You need to know how their daily operations work, who processes payroll and on which systems, and which server would cost them hundreds of thousands if it went offline for a week. You must understand the precise processes that generate revenue. 

This is where a structured business impact analysis (BIA) becomes your most powerful sales tool. A proper analysis is a repeatable, efficient way to identify critical functions, expose financial vulnerabilities, and map operational dependencies—without a month-long consulting engagement. 

If a logistics company’s routing software fails, trucks cannot leave the warehouse, leading to lost revenue, breached service-level agreements, and damaged client trust. By understanding that operational reality, your recommendations become strategic business continuity plans that executives will fund. 

The First Four Hours Matter More Than the Next Forty 

If you want to build predictable, recurring security revenue, you must set the proper tone during your very first engagement. The way you structure the initial onboarding dictates whether the client treats you as a temporary auditor or a permanent strategic leader. 

You must establish a clear rhythm of communication immediately. Start by setting a firm security baseline and conducting the business impact analysis. Use that data to build a prioritized 90-day action plan. Presenting a focused 90-day roadmap prevents the client from feeling overwhelmed by a massive list of theoretical risks. You show them exactly what needs to happen right now to protect their most critical assets. 

Once the initial plan is established, schedule a recurring quarterly meeting with executives. This creates an operational rhythm that integrates directly into their corporate governance. 

Designing the Recurring Executive Conversation 

The quarterly executive meeting acts as the driver for your recurring revenue. Instead of reviewing technical spreadsheets or small software changes, focus the discussion on translating security metrics into plain, executive-level language that highlights revenue, cost, and risk. Use this dedicated business forum to frame cybersecurity as a critical business function deserving of ongoing investment. 

During these recurring meetings, you guide the leadership team through four specific discussion points. 

  • What specific security controls improved over the last quarter 
  • What operational changes occurred within the business that require new protections 
  • What new market risks emerged that threaten their core revenue streams 
  • What strategic investments are required for the upcoming 90-day cycle 

This structured cadence forces the client to view security as an ongoing journey rather than a one-time event. They see continuous progress, they understand the evolving threat landscape, and they recognize your active role in protecting their organization. This level of advisory naturally renews itself year after year, and it scales predictably across your entire client base. 

Transforming Security into Embedded Leadership 

You do not accidentally stumble into recurring security revenue. You have to design it deliberately. By implementing the right operational structure and maintaining a strict cadence of executive communication, you translate raw technical data into tangible business protection. 

When you anchor your services to revenue, cost, and risk, you stop being viewed as an easily replaceable project resource and become embedded leadership. Embedded leadership is incredibly sticky, highly profitable, and entirely insulated from standard budget cuts. 

Building this level of advisory discipline requires the right frameworks and tools. We have organized everything you need to transition away from project-based selling and build a scalable recurring revenue engine. 

Check out our GTM Academy Sales Kit to access the exact discovery templates, scripts, and langauage you need to establish lasting security leadership with your clients. 

See you out on the road, 
Coach