A working MSP security stack covers six layers: endpoint detection and response, SIEM, multi-factor authentication, DNS filtering, backup, and vulnerability scanning. Most breaches in managed environments hit gaps between those layers, not the layers themselves. This guide maps each layer to specific MSP security tools (commercial and open source), shows a sample budget split for a 1,000-endpoint book, and flags the controls auditors check against HIPAA, CMMC, and SOC 2.

It's written for MSP owners and CTOs who already know what RMM does and want to see how the security side fits without a sales pitch attached. Where the tools and budgets translate, internal IT teams running their own stacks can use the same map; the layers don't change because the buyer changed.

How to Think About the MSP Security Stack

Layered defense isn't a slogan. It's the only design that survives a single tool failing or a single vendor getting popped. When attackers hit a managed environment, they chain three things: a phishing email or unpatched edge device, a credential-theft step, and lateral movement through privileged tools. Each layer of an MSP security stack exists to break one of those steps, and each layer expects the others to do their job.

Start with the assumption that endpoints will be compromised. EDR catches what AV misses. SIEM captures the trail so you can investigate within minutes rather than days. MFA stops the credential-theft pivot. DNS filtering keeps the initial click from reaching its payload. Backup is the floor: when everything else fails, recovery time is the only metric clients remember. Vulnerability scanning shrinks the surface that everything else has to defend.

A common mistake is stacking three EDR-adjacent tools because each vendor offers a "platform," then leaving DNS filtering and email security to whatever Microsoft 365 ships by default. The result is duplicated detection logic and a wide-open delivery channel. Coverage matters more than depth at any single layer.

Endpoint Detection and Response

EDR is the most consequential line item in a managed security stack. SentinelOne, CrowdStrike Falcon, and Huntress dominate MSP conversations. SentinelOne and CrowdStrike sit in the high-end tier; both ship behavioral detection, automated rollback, and managed threat hunting. Huntress takes a different approach, pairing lightweight agents with a 24/7 SOC that triages alerts and writes incident reports for end-clients.

Defender for Endpoint deserves a mention if your books lean heavy on Microsoft 365 Business Premium or E5. The licensing math sometimes works in your favor since the agent ships with the seat. The catch is multi-tenant management: the partner portal has improved but still trails purpose-built MSP consoles.

For open-source coverage, OSSEC and Wazuh agent-based monitoring give you HIDS-style detection without a per-endpoint fee. Velociraptor handles forensic collection and live response. Neither replaces a paid EDR, but they fill gaps for low-margin clients or for retained forensic capability.

The trap to avoid is choosing EDR by feature checklist instead of by response model. A tool with great detections and no SOC behind it pushes triage onto your tier-2 techs at 2 a.m. That's a hidden labor cost that wipes out the per-endpoint savings.

Per-endpoint pricing for EDR plus managed SOC sits between $5 and $12 in 2026. Huntress lands at the low end, CrowdStrike at the high end, with SentinelOne in the middle. Partner discounts usually run 15% to 25% off list with volume tiers improving from there. Build the cost model on real device counts, not seat counts, since one user with three managed devices is three EDR licenses.

SIEM and Log Management

Wazuh has become the default open-source SIEM in MSP shops. It's free, it scales to thousands of agents on commodity hardware, and the rule library covers compliance frameworks out of the box. The cost is operational: you're running Elasticsearch, Filebeat, and the Wazuh manager yourself, plus tuning rules to suppress false positives.

For MSPs that want SIEM without the ops burden, Blumira, Arctic Wolf, and Perch (now ConnectWise) offer co-managed services. Pricing typically lands between $4 and $12 per endpoint per month depending on log volume and SOC tier. Splunk and Elastic Security exist at the enterprise end if you have a SOC team and need long retention windows.

The unsexy detail that decides everything is log sources. A SIEM with EDR alerts, Windows event logs, firewall logs, and Microsoft 365 audit logs gives you something useful. A SIEM with only EDR alerts is an expensive duplicate of the EDR console. Build the source list before you buy.

Retention is the second budget line nobody scopes correctly. SOC 2 expects 12 months minimum; HIPAA enforces 6 years for audit logs in most interpretations. Hot storage is expensive; cold storage is cheap. Figure out the split before signing.

Multi-Factor Authentication and Identity

MFA is the single highest-ROI control in any MSP security stack. Push-based authenticators (Duo, Microsoft Authenticator, Okta Verify) cover the bulk of cases. FIDO2 hardware keys (YubiKey, Token2) belong on admin accounts, especially the global admin and any RMM or PSA console login.

For Microsoft 365 environments, Conditional Access policies in Entra ID P1 do most of the work: block legacy auth, require MFA on risky sign-ins, restrict admin operations to compliant devices. P2 adds risk-based policies and Privileged Identity Management. The licensing decision usually comes down to whether the client already has Business Premium or needs an add-on.

Don't skip the MFA-bypass paths. Token theft via adversary-in-the-middle phishing kits like Evilginx is the dominant 2025-2026 attack pattern. Phishing-resistant MFA (FIDO2, Windows Hello for Business, certificate-based) is the only durable answer for high-privilege accounts. Push fatigue attacks against tier-1 MFA are still landing too, so number matching should be on by default.

Identity management itself sits one layer above MFA. JumpCloud, Microsoft Entra, and Okta cover SSO, lifecycle, and conditional access. For MSPs running 50 small clients, JumpCloud's pricing model and multi-tenant features tend to win on operations cost.

DNS Filtering and Web Protection

DNS filtering catches the click before it loads. DNSFilter and Cisco Umbrella lead the MSP market; both ship multi-tenant consoles, threat intelligence feeds, and reporting that maps to client-facing reviews. ControlD and NextDNS are gaining traction at the lower end with cleaner pricing and decent multi-site features.

For open-source pilots, Pi-hole and AdGuard Home work for small offices but lack the central management an MSP needs across many clients. They're useful for testing or for tiny accounts; they aren't a fleet solution.

The pairing matters: DNS filtering plus a secure web gateway plus email security is the delivery-channel triangle. Skip any one and the other two compensate at higher cost. Most managed security stack failures we see at the help desk trace back to this triangle being incomplete, not to advanced threats slipping past EDR.

Cloudflare Gateway deserves a separate mention. The Zero Trust tier is cheap, integrates with most identity providers, and gives you a DNS-and-HTTP filter plus tunneling in one console. For MSPs already running Cloudflare DNS, the upsell is straightforward.

Backup and Disaster Recovery

Backup is where MSP security stacks earn their fee or lose the client. Three numbers matter: RPO (how much data you can afford to lose), RTO (how fast you can be operational), and immutability (whether ransomware can reach the backups). Anything that can't show those three for the last 30 days isn't doing the job.

Datto BCDR and Acronis Cyber Protect dominate the SMB MSP market. Datto's image-based backups and rapid spin-up are well-suited for client environments with on-prem servers. Acronis bundles backup, EDR, and patching in one agent, which simplifies the stack at the cost of vendor concentration risk.

Veeam Backup for Microsoft 365 is the de facto choice for SaaS data protection. Microsoft's native retention is not a backup; it's a versioning floor with a 30-day holdback in most plans. Auditors and lawyers know the difference; clients who lose a mailbox find out the hard way.

For Linux servers and self-hosted workloads, BorgBackup, Restic, and Proxmox Backup Server give you immutable, encrypted, deduplicated backups without per-server fees. Pair them with offsite replication and you've covered most non-domain workloads at marginal cost.

Test restores quarterly. A backup that hasn't been restored isn't a backup; it's an assumption. Record the RTO measured in real drill results rather than the vendor's marketing number, and keep the drill artifact (timestamps, screenshots, ticket reference) in the same evidence folder you'll hand to the auditor.
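As an added example (not code from the page or from any backup vendor), a Python script that turns constructed restore-drill records into the three numbers the section names, measured from the drill itself rather than a vendor sheet, and flags any client whose latest drill is older than the 30-day window, misses the RPO or RTO target, or restored from a snapshot that was not immutable. Client names, ticket ids, timestamps, the audit date and the 24h/4h targets are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed drill log for three hypothetical clients; not data from any vendor console.
# snapshot = backup point restored from, start = drill start, usable = workload passed smoke test.
DRILLS = [
    {"client": "acme", "snapshot": "2026-03-09T23:00", "start": "2026-03-10T09:00",
     "usable": "2026-03-10T11:30", "immutable": True, "ticket": "T-1041"},
    {"client": "globex", "snapshot": "2026-03-11T01:00", "start": "2026-03-12T14:00",
     "usable": "2026-03-12T21:15", "immutable": True, "ticket": "T-1058"},
    {"client": "initech", "snapshot": "2026-01-20T23:00", "start": "2026-01-21T08:00",
     "usable": "2026-01-21T09:00", "immutable": False, "ticket": "T-0977"},
]
AS_OF = datetime(2026, 3, 20, 12, 0)  # audit date used for the 30-day window (assumed)

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def evaluate_drills(drills, now, rpo_target_h=24.0, rto_target_h=4.0, window_days=30):
    """Return {client: {rpo_h, rto_h, immutable, ticket, findings}} using only the most
    recent drill per client. A client whose last drill falls outside the evidence
    window gets a finding too: a stale drill is an assumption, not evidence."""
    latest = {}
    for d in drills:
        if d["client"] not in latest or _ts(d["start"]) > _ts(latest[d["client"]]["start"]):
            latest[d["client"]] = d
    report = {}
    for client, d in latest.items():
        start, snap, usable = _ts(d["start"]), _ts(d["snapshot"]), _ts(d["usable"])
        rpo_h = (start - snap).total_seconds() / 3600    # age of the point restored from
        rto_h = (usable - start).total_seconds() / 3600  # measured time back to usable
        findings = []
        if now - start > timedelta(days=window_days):
            findings.append("no drill in last %d days" % window_days)
        if rpo_h > rpo_target_h:
            findings.append("RPO %.1fh exceeds %.0fh target" % (rpo_h, rpo_target_h))
        if rto_h > rto_target_h:
            findings.append("RTO %.1fh exceeds %.0fh target" % (rto_h, rto_target_h))
        if not d["immutable"]:
            findings.append("restored snapshot was not immutable")
        report[client] = {"rpo_h": rpo_h, "rto_h": rto_h, "immutable": d["immutable"],
                          "ticket": d["ticket"], "findings": findings}
    return report

if __name__ == "__main__":
    for client, r in evaluate_drills(DRILLS, AS_OF).items():
        print(client, r["findings"] or "OK", "ticket", r["ticket"])
```

The ticket reference travels with each result so the printed line points back at the drill artifact in the evidence folder.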

Vulnerability Scanning and Patching

Patching is half a security control and half an operations workflow. Action1, NinjaOne Patch Management, and Kaseya VSA handle third-party patching across Windows fleets. Microsoft Intune covers OS and Microsoft 365 apps natively if you're already in that environment. Atera bundles patching with RMM, which works for shops that don't want a separate console.

For vulnerability scanning specifically, Tenable Nessus is the historical default. Qualys VMDR, Rapid7 InsightVM, and Tenable.io cover the cloud-managed end. OpenVAS (now Greenbone) is the open-source option; it's slower and noisier than commercial scanners but free and capable for compliance-style scans.

The workflow that breaks teams is scanning monthly, patching on a different schedule, and reporting on a third schedule. Pick one tool per function and chain them. A vulnerability appears in the scanner; the patch manager addresses it; the report ties to the same CVE list. Anything else creates report fatigue and missed patches.

For SMB clients, scanning quarterly with monthly patching is a defensible baseline. Quarterly external scans plus weekly internal patching, tracked against a 30-day SLA, is what most cyber insurance carriers expect to see in 2026.
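As an added example (not code from the page or from any scanner or patch vendor), a small Python script that does the chaining the section describes: it joins constructed scanner findings to constructed patch-manager records on (host, CVE), measures each against the 30-day SLA, and keys the report by the scanner's own CVE list so reporting is not a third schedule. Hostnames, the placeholder CVE ids, dates and the report date are all assumptions.

```python
from datetime import date

# Constructed sample rows; hostnames and CVE ids are placeholders, not real findings.
SCAN_FINDINGS = [  # one row per (host, CVE) the scanner currently or previously reported
    {"host": "fs01", "cve": "CVE-0000-0001", "first_seen": "2026-02-01"},
    {"host": "ws07", "cve": "CVE-0000-0001", "first_seen": "2026-02-01"},
    {"host": "fs01", "cve": "CVE-0000-0002", "first_seen": "2026-01-10"},
    {"host": "ws07", "cve": "CVE-0000-0003", "first_seen": "2026-03-05"},
]
PATCH_RECORDS = [  # patch-manager export: which host got the fix for which CVE, and when
    {"host": "fs01", "cve": "CVE-0000-0001", "patched": "2026-02-20"},
    {"host": "fs01", "cve": "CVE-0000-0002", "patched": "2026-02-25"},
]
AS_OF = date(2026, 3, 15)  # report date (assumed)

def sla_report(findings, patches, as_of, sla_days=30):
    """Join scanner findings to patch records on (host, cve) and classify each against
    the SLA. Keyed by CVE so the report uses the scanner's own list, not a third one."""
    fixed = {(p["host"], p["cve"]): date.fromisoformat(p["patched"]) for p in patches}
    report = {}
    for f in findings:
        seen = date.fromisoformat(f["first_seen"])
        closed = fixed.get((f["host"], f["cve"]))
        # Age is first_seen -> patch date if fixed, else first_seen -> today (still open).
        age = ((closed or as_of) - seen).days
        if closed is None:
            status = "open_breached" if age > sla_days else "open"
        else:
            status = "patched_late" if age > sla_days else "patched"
        report.setdefault(f["cve"], {}).setdefault(status, []).append(
            {"host": f["host"], "days": age})
    return report

def breach_count(report):
    """Number of (host, CVE) pairs that missed the SLA, whether patched late or still open."""
    return sum(len(v) for cve in report.values()
               for status, v in cve.items() if status in ("open_breached", "patched_late"))

if __name__ == "__main__":
    rep = sla_report(SCAN_FINDINGS, PATCH_RECORDS, AS_OF)
    for cve, statuses in sorted(rep.items()):
        print(cve, statuses)
    print("SLA breaches:", breach_count(rep))
```

Feed it the real scanner and patch-manager exports and the "patched_late" bucket is the number a carrier or auditor will ask about.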

A Sample Stack and Budget Allocation

A 1,000-endpoint book with 50 clients is a useful reference shape. The split below assumes mid-tier commercial tools where it counts and open source where it makes sense.

Layer | Tool example | Cost per endpoint/month | Share of security budget
--- | --- | --- | ---
EDR plus Managed SOC | Huntress | $5 to $7 | 30%
SIEM (co-managed) | Blumira | $4 to $8 | 20%
MFA plus Identity | Duo with Entra P1 | $3 to $6 | 15%
DNS plus Web filtering | DNSFilter | $1 to $2 | 8%
Backup (BCDR plus M365) | Datto with Veeam | $5 to $10 | 18%
Patching plus Vuln scan | Action1 with Nessus | $2 to $4 | 9%

Total runs roughly $20 to $37 per endpoint per month before margin, which sets a floor on what you can charge for a managed security service. Margins below 30% on this stack rarely survive a mid-year price hike from one vendor.

The other lever is consolidation. An MSP stack audit often surfaces $3 to $5 per endpoint of duplicate spend, usually in EDR, RMM-bundled patching, and SaaS backup overlapping with BCDR. Cleaning up those overlaps frees room for the layers most stacks are short on (DNS filtering, email security, vulnerability scanning) without a price increase to clients. For broader procurement work, reducing IT costs covers the contract side.

Compliance Mapping for HIPAA, CMMC, and SOC 2

Auditors don't care about your stack diagram. They care about evidence and control coverage. Map each layer to the framework before you buy.

For HIPAA, the Security Rule requires access controls (MFA, role-based access), audit controls (SIEM with multi-year retention), integrity controls (file integrity monitoring, often via EDR), and contingency plans (backup with documented RTO and RPO). The technical safeguards section reads like an MSP security stack checklist.

CMMC 2.0 Level 2 is where most defense-adjacent SMBs land. The 110 NIST 800-171 controls map closely to the stack: AC family to identity and MFA, AU family to SIEM, IR family to EDR plus SOC, MP and SC families to encryption and DNS controls, and RA plus SI families to vulnerability scanning and patch management.

SOC 2 Type II is the broadest. The Trust Services Criteria (Security, Availability, Confidentiality) map to the same controls but with an emphasis on continuous monitoring evidence: alert logs, ticket trails, change management. Most SOC 2 audit failures we see in MSP-run environments come from missing or inconsistent evidence, not missing controls. Document everything the SIEM alerts on, even non-events; auditors love a quiet log with timestamps.

For MSPs running their own platform, an AI-native all-in-one MSP/IT platform like OpenFrame ships native PSA and pulls security telemetry into one operating layer, which removes some of the cross-tool evidence-gathering pain. It's the affordable, no-lock-in option for shops that want fewer consoles between ticket and audit log.

Frequently Asked Questions

What's the minimum viable MSP security stack for a small client?

EDR with managed SOC, MFA on every account, DNS filtering, and immutable backup. That's four tools and roughly $12 to $18 per endpoint per month. Skip any one and you've left a delivery channel, a credential pivot, or a recovery floor unguarded.

How is open source different from free for an MSP security stack?

Open source means you can read the code, modify it, and self-host without vendor approval. Free can mean free tier, freemium, or community edition with feature gates. Wazuh, OpenVAS, and Velociraptor are open source. Many "free" tools are not, and they often relicense at the worst time.

Which MSP security tools count for cyber insurance applications?

Carriers in 2026 expect MFA on all admin and remote-access accounts, EDR (not just AV) on every endpoint, immutable offline backups, and documented patching SLAs. Some now require phishing-resistant MFA on privileged accounts and a documented incident response plan with stated RTO and RPO targets.

Should an MSP run its own SIEM or buy co-managed?

If you have a tier-2 security analyst and a tuned ruleset, self-hosted Wazuh is cheaper and more flexible. If you don't, a co-managed SIEM (Blumira, Arctic Wolf, Perch) costs more per seat but removes the staffing cost of 24/7 alert triage. The break-even point sits around 2,500 endpoints for most shops.

How does email security fit into the MSP security stack?

Email is a delivery channel, like DNS and the web. Native Microsoft 365 Defender or Google Workspace Security covers the basics; Proofpoint Essentials, Avanan, and Material Security handle advanced phishing and BEC detection above that. Most MSPs underspend here relative to the threat volume.

What's the right way to track MSP security stack ROI?

Three metrics work: incidents prevented (alerts triaged before escalation), incidents contained (mean time to respond), and audit findings (counted, not weighted). Vendor-supplied dashboards rarely show any of these cleanly, which is why most MSPs build a quarterly internal report rather than rely on a single console.

If your stack can't tell those stories on demand, the gap isn't security; it's reporting.

Kristina Shkriabina

Kristina runs content, SEO, and community at Flamingo and OpenMSP. She spent years as a correspondent for Ukraine's Public Broadcasting Company before making the jump to tech. Now she covers MSP stack decisions and strategy. You can connect with her in the OpenMSP community or on LinkedIn.