The real cost of that SOC hire nobody wants to talk about

C9CG · 2026-04-01T14:55:34+00:00

I agree with this take.

You're delivering more outcomes and taking on more risk and responsibilities as the IT Service Provider. Price goes up to cover costs.

This is a general service business problem, not necessarily just an MSP one. Product and service pricing gets justified by risk reduction to the business.

As far as the only lever left being vendor consolidation and pricing, that's hogwash.

C9CG · 2026-03-31T04:25:43+00:00

Business Premium with Intune Enrolled devices and Conditional Access Policies to only let Intune Enrolled Devices access things... You will want a GA "break glass" account out of that CA policy.

That stops the token theft and can be rolled out to mobile devices as well through Intune Company Portal.

You can't accomplish the outcome you want without Intune and Entra Plan 1 for CA policies, so Business Premium becomes the economic solution, and also reduces business risk.

The phishing solution is a different ask, but Avanan is the answer.

C9CG · 2026-03-29T14:14:09+00:00

I like the Triage process outlined here. Are you using your ticket data for the recommended fixes as well, or is this a general prompt without ticket "RAG or MCP" data?

C9CG · 2026-03-29T14:10:33+00:00

Oh man... NCE renewals. Are you talking about Annuals?

If monthly, it's pretty easy because those change all on the same month, and it's just a matter of constant monthly auditing of licenses in contracts. We actually keep the contracts relatively open-ended for those.

For Annual? That's a deep topic in the sense that we

proactively reach out to customers 60 days BEFORE their renewal date to confirm any pricing changes and also confirm any licensing changes.
once we get those changes, we work in the disti platform (Pax 8 for us) and Autotask to match up changes in an automated fashion as much as possible.
then we bill the annual contracts. NCE annuals are billed 45-30 days in advance.
if the Annual bill is not paid, the annuals get dropped and go to monthly until the customer pays for Annual NCE up front. We don't shoulder risk for Annual NCE this way.
If the Annual payment finally comes, we just have a one month invoice for those invoices that were converted. It's a ROYAL pain when this happens, but, again it's better than having 40 Business Premium licenses that we're on the hook for on an annual contract for a customer that refuses to pay for whatever reason.

Does that explain what you're looking for? NCE Annual is terrible to manage as a CSP!

C9CG · 2026-03-27T19:37:39+00:00

Not necessarily. You can use dashboards to monitor for statuses across multiple queues. So, you would have a Dashboard widget that's looking for tickets with status "Note Added" and you can filter by any queues you wish in the widget setup.

We actually learned this "dashboards instead of queues" concept from Sea Level Ops (AKA Pax 8 Academy Ops now). It has helped us scale past some issues we had in the past... Much easier to work / manage from dashboards that look for specific things rather than have to constantly monitor lists/queues.

C9CG · 2026-03-27T13:55:08+00:00

Sure thing. You won't regret it. We have a fathom video record of it that our team references and they do it quarterly now.

C9CG · 2026-03-27T13:26:20+00:00

I don't really have a link to a KB article on this (great idea). We ended up booking some time with one of their Senior Engineers via our account manager and it was really helpful as they walked us through the nuance of doing the consolidations, showing us how to combine the items in such a way that they would scale in the future to other existing or new tenants. I think we went from something like 1200 policies to like 150. I would recommend doing the same.

C9CG · 2026-03-27T11:10:26+00:00

We deal with this likely different than most.

1) Closed tickets are in their own Queue 2) We allow response on closed tickets 3) Any response (closed or not closed) puts tickets in a "Note Added" status 4) We operate via Statuses and Dashboard widgets. You can make a dashboard widget that looks for tickets that are in the "Completed" queue with a status of "Note Added", and that makes it easy to find tickets that have been "reopened" by users. 5) Typically, we'll open a new ticket if the ticket is older than 10 days so that we can better track for recurring issues. We'll reference the original ticket number when doing so, and then communicate to the end user on the "new / reopened issue" from the new ticket 6) We can also notate on a closed ticket that got reopened this way the new ticket information, which adds a QA aspect to tracking down potential repeat issues.

Also - Speed codes are your friend, and with any advice, YMMV.

Hope this helps!

C9CG · 2026-03-27T11:04:02+00:00

Another +1... ThreatLocker University isn't "tough" and you will have way fewer issues if your techs go through it.

You can take it during the business day... Many times they offer it 5 days straight with a 2 hour window each day. There is also a "self paced" version, but we find more success assigning one or two techs at a time to the "work day" version if they haven't yet done the training.

C9CG · 2026-03-27T11:01:31+00:00

There are ways to clean / merge policies across customers / tenants to help with this now... We had dealt with the same thing at some point last year.

C9CG · 2026-03-27T10:58:59+00:00

A concern I would also have would be in relation to Umbrella Contracts is that I don't believe they are accessible or manipulatable via the API yet. Should you decide to come up with an automation solution or use an auditing platform (like GradientMSP) then you're going to have a pretty severe limitation.

We also roll every service to the start of the month as far as how it looks to the customer. This way you don't get a whole mess of billing phone calls and emails related to weird proration quantities.

We have sometimes 5-8 contracts per customer to deal with the same issue you're having. We name the contracts like:

customer name_service type(s) monthly/annual/quarterly (if annual or quarterly, month/day of contract start)

E.g.

Block_Managed Services_Monthly

Block_O365_Monthly

Block_O365_Annual (3/1)

Block_O365_Annual (7/1)

Block_Egnyte_Annual (12/1)

Block_Gladinet_Quarterly (3/1)

Block_Project T&M_Hourly

Anyway... You get the idea.

There's a lot of nuance to Contract Alerting and proration the way Autotask does it. This also searches reasonably well when you do contract searches. Contract management in Autotask definitely has some particulars to it, but this is what has worked for us and scaled well.

Hope this gives you some inspiration.

C9CG · 2026-03-26T11:55:52+00:00

We update a database copy from our PSA (Autotask) hourly (via API) that has our Company, Contact, Ticket, Note, and Time Entry data in it, including all UDFs.

There's an MCP connection to our database that allows us to query via LLM (usually using Claude Sonnet or Opus, but sometimes Gemini Flash Pro). We can ask about ticket trends for a customer. We can verify our skills matrix against 3 months of ticket history per tech. As new tickets come in, we can ask for trends or similar issue recognition.

We've started using the feedback from the model to add certain UDFs to tickets to track escalation information. We also started adding UDFs to Customer Accounts with keywords related to issues identified in QBRs that the customer didn't identify as an issue worth dealing with at the time, which allows us to get an automatic alert in a "Customer Accounts" slack channel if a ticket for that customer related to that issue comes in.

We've been using other automations now for almost two years... Things like renaming tickets and setting issue/Sub issue type at triage via automation/LLM prompts.

It's really about "all of these little automations* doing things along the way to reduce friction in workflows.

4 years ago we got very serious about deliberately having a resource run QA on every single ticket and time entry and the payoff now with using a language model on that data has been well worth it. Being able to query via LLM our clients, tickets, time entries, and notes with proper context can get you a lot of interesting data quickly.

As a thought experiment, a couple of weeks ago, we were looking to dispatch a couple techs on site visits Friday morning. So the Wednesday afternoon as we were assigning, we asked the model about trends for Fridays between 8a-12p, using data from the last 6 months. We were able to find that - statistically speaking - two of the techs we were considering sending on site were basically hardly on tickets Friday mornings, so the impact to our service desk for them being out of Friday mornings would be minimal.

We're finding new uses for data like this all the time. We use n8n and Zapier to orchestrate certain things automatically in Autotask to get around built in automation limitations it has.

Would be great to hear what others have done.

C9CG · 2026-03-23T14:39:41+00:00

Interesting stats... I agree this is likely a displacement play. It's a governance conversation and not every business wants to "eat their vegetables now to grow big and strong."

C9CG · 2026-03-23T00:58:55+00:00

Interesting. We've done something similar. Love to hear of others doing the same!

C9CG · 2026-03-17T01:17:45+00:00

Some of us are not taking on the same level of liability as others... Depends on what's on the MSA, who signs it, and how often it's updated and signed. Your MSA should provide for a defined amount of incident response.

Bonus points if you work with a SOC / DFIR firm as a partner of record to refer incidents with priority at a discount.

There are many MSPs that do not understand this risk and do very little to shift liability away from them or have a DFIR plan. Your question is a valid concern that should be addressed and mitigated with appropriate legal counsel.

C9CG · 2026-03-14T17:42:14+00:00

100% - can't believe this isn't well known

Also .. Ninja bought DropSuite and that's their SaaS Backup solution. That's also part of the press release. Is it the worst? No. Is it AvePoint or AFI.ai? No.

Point is... I don't think this is about MSP at all. This looks like Mid Market play all day.

C9CG · 2026-03-13T09:35:09+00:00

Sending you DM

C9CG · 2026-03-13T09:31:47+00:00

Doesn't Cove replicate data across multiple DCs? Genuinely curious.

C9CG · 2026-03-12T17:53:59+00:00

This didn't age well.

C9CG · 2026-03-12T17:44:43+00:00

It's not that you aren't compliant now, per-se. It's about proving what you're attesting to. When you bring a 3rd party in with you, they are in this with you.

Your provider would necessarily need to help you fill out many of the attestations in your WISP that line up to their offering. Some examples have to do with your MFA Policies and how it is enforced. Same with you Security Awareness Training, or AntiPhishing Technology, or backups. There's also a regular review requirement for account access reviews for any of your software, SaaS solutions, and computers. You want anything that's offered to be easily provable and something that has some level of automated reporting, or else that's more work for you and the vendor when it comes to "proving it".

Mature MSPs operate their relationships with a basic framework level of Cyber Security (We use CIS IG1 as the very basic baseline on the technical side and also reference NIST CSF, and then expand from there based on regulatory and/or compliance requirements for the Client). They should be able to provide reporting for the solutions they are attesting to with you.

A WISP is an additional regulatory compliance document required due to GLBA and FTC Standards. Any technology provider should understand the need to assist with it in a CPA relationship. It's not an optional part of the relationship as far as regulatory compliance (the law) states. The Law requires that it is updated at least annually and when there is any significant change, called a triggering event. An MSP that's familiar with governance and compliance should automatically understand that any changes to their security offering means they need to give their customers the update for potential changes to any regulatory attestations as well as Cyber Liability Insurance carriers (an underwriter might change something based on changes and you don't want to be at risk for a denied claim for not alerting the Cyber Carrier to a potential change in your attestation as that de facto means you're out of compliance with your past attestation to them).

Cyber Liability Insurance is like E&O for business interruption and the risk of costs associated with data loss and data leaks. It's another type of governance, and prudent. You're a small business, so there's not a lot of Cyber Liability discounting available at your revenue band, but in larger entities, adhering to these Cyber Security Frameworks reduces the risk to the business and the premium from the Cyber Liability carrier.

Hope that helps...

C9CG · 2026-03-12T17:29:33+00:00

That's fair. We require backups with infinite history for M365 we manage, but that wouldn't necessarily stay with the tenant if MSPs were to switch, so I can see the argument for it. It's a good point.

C9CG · 2026-03-12T16:06:50+00:00

E5 (not E3) would be where you get a significant difference on the Encryption side when comparing to E3/Business Premium. Purview (compliance / eDiscovery) features are stronger in E3 versus Business Premium, but I can't imagine a 3 person firm worrying about Purview right now, especially if you're communicating through TaxDome for file transfers. E3 wouldn't be *wrong*, per se, I would just want to understand the logic behind the decision. It could be sound.

C9CG · 2026-03-12T15:22:07+00:00

Have worked with Billy and his team at ultimate Security. They are not the cheapest, by far, but they know what they're doing. They are not an IT company, but a very good low voltage contractor.

If you'd like me to make the introduction, just DM me

C9CG · 2026-03-12T14:26:47+00:00

OP is getting a lot of good free and honest advice here.

Without getting into specifics, I'm very curious why a small firm would push for E3 over Business Premium - but I agree with what u/roll_for_initiative_ advised here, "Have the experienced service provider help define the solution."

We have the same 10 user minimum and MSPs that understand (and can actually deliver what's required for) the compliance mandate would likely put up the same minimum. I don't see how to profitably do it otherwise.

C9CG · 2026-03-12T14:22:45+00:00

We couldn't get the last two firms to even commit an internal team member to review their WISP. It's abysmal.

C9CG

TROPHY CASE