Closure Is Finite
What’s changing in security right now is to stop looking for a single new product, and instead look at the repeated evidence that the industry is reorganizing around one hard constraint: defender capacity. Discovery is infinite. Closure is finite. Here’s how the winners will be measured.
Start with Acronis. Acronis rolled out “Acronis MDR by Acronis TRU,” positioned as a 24/7/365 managed detection and response service designed explicitly for MSPs. The key detail isn’t just that it’s MDR — it’s the promise that MSPs can deliver continuous monitoring and rapid incident response without standing up a full security operations center.
Now pair that with what Anthropic is doing on the vulnerability side. VentureBeat reports Anthropic has launched “Project Glasswing,” built around an unreleased model — Claude Mythos Preview — aimed at finding and helping patch serious software vulnerabilities. Anthropic’s headline choice is telling: they say they do not plan to make the model generally available because of its cybersecurity capabilities. That’s the hype headline. But listen to what’s underneath it: the company is framing this as a scale problem, to the point where they’re putting a coalition around it — AWS, Apple, Google, Microsoft, and others — and committing up to one hundred million dollars in usage credits for the effort, plus direct support for open-source security organizations.
And if you want a hard number that shows why this is turning into a capacity problem, here’s one: WatchGuard is citing its Threat Lab research showing a 1,500% surge in new endpoint malware variants. WatchGuard says this is based on its Threat Lab research; note it’s ‘variants,’ not necessarily 1,500% more incidents.
Put those together and the signal is clear: the bottleneck isn’t tooling—it’s defender time.
Close the Gap
Discovery has become cheap, continuous, and increasingly automated — while remediation is still slow, fragile, and human-bounded. When you can generate more “things that might be wrong” than you can safely validate, prioritize, and fix, the system reorganizes around the constraint. Not around the best ideas, not around the most features — around the scarcest operational bandwidth.
That’s what’s sitting underneath the Anthropic Mythos reporting. Business Insider describes a model that Anthropic chose not to release broadly, not because it’s abstractly “powerful,” but because it can accelerate vulnerability work in a way that breaks normal controls. The story includes details about high-severity findings in major operating systems and browsers, and even scenarios where the model was induced to break out of a sandbox and demonstrate the exploit path. If a tool can find and chain vulnerabilities faster than teams can govern the output, the bottleneck isn’t the model—it’s operations: triage, validation, and controlled deployment.
Now connect that to the market reality Jay McBain is describing in his channel ecosystem analysis: most of the IT economy is already delivered through partners, and partners “surround” nearly all of it once you include the services that happen before, during, and after a transaction. That’s not just a statement about distribution. It’s a statement about where the work of turning technology into a stable operating environment actually lives. When the hard part isn’t acquiring a tool but continuously keeping the environment safe, coherent, and current, the value migrates to the layer that can run a repeatable operational process across many customers.
So as vulnerability discovery accelerates — whether by better scanners, better AI, or simply more attack surface — the system’s center of gravity shifts toward packaged operating motions: controlled access, standardized workflows, and managed execution. Not because anyone prefers bureaucracy. Because at a certain scale, the only way to keep up is to turn remediation into an operational discipline that can be delivered reliably, over and over, even when the rate of new risk exceeds the rate of available expert attention.
Govern or Absorb
For MSPs, security stops being judged by what you deploy and starts being judged by what you can close. Remediation throughput is a scoreboard: closure rate, MTTR by severity, and backlog age past SLA. If discovery is infinite but closure is finite, the winner is whoever can prove the closure rate. Example: ‘90% of high-severity vulns patched within 14 days, critical alerts triaged in 15 minutes, and no critical backlog older than 30 days.’
As AI risk gets normalized and business volatility stays high, buyers ask one sharper question: ‘Who’s accountable when this fails?’ That turns into procurement language, contract terms, and board expectations—and for SMBs without security staff, it attaches to the operator already running the environment.
So here’s the fork.
One path is the MSP that becomes the governing layer for automation-driven security: the firm that can translate endless discovery into a disciplined operating program, define what gets fixed when, enforce baselines, manage exceptions, and report outcomes in language a business can understand.
The other path is the MSP that keeps stacking tools, keeps absorbing alerts, keeps eating the edge cases, and quietly becomes the unpaid shock absorber between accelerating threat discovery and slow human remediation.
In this shift, you either become the provider that simplifies and governs the automation layer — or you get trapped absorbing complexity without being paid for it.
Why Do We Care?
Because when discovery is automated and continuous, the scarce resource isn’t tools—it’s the operational capacity to validate, remediate, and prove control. That pushes accountability to the MSP running the environment day to day. And when underwriting demands proof—MFA enforcement, patch SLAs, EDR coverage, backups, incident response testing—the MSP isn’t just delivering IT. You’re producing audit-ready evidence on a schedule. The fork is simple: govern and price remediation throughput deliberately, or absorb accelerating complexity and liability under flat fees.
What to Consider
- Audit every current security contract for remediation language. If your agreements specify what you deploy but not what you remediate or within what timeframe, you have unpriced liability. Fix this before a client’s insurer or attorney does it for you.
- Do not adopt MDR SLA claims from vendor marketing as your client-facing commitments. Establish your own internal benchmarks under real conditions before committing to response windows, addressing the throughput issue explicitly. A vendor claim means nothing if your staffing model can’t support it at 2:00 AM on a Sunday.
- Separate discovery reporting from remediation execution in client communications. Clients who see a flood of vulnerability findings without a corresponding remediation cadence will either panic or disengage. Build a reporting layer that shows rate of closure, not just rate of discovery.
- Begin pricing remediation as a metered or tiered service now, before the market forces the conversation. Define what’s included in base coverage, what triggers a remediation work order, and what constitutes an out-of-scope incident requiring separate engagement.
If this trend continues, MSP security offerings will be re-written into two priced contracts—“continuous discovery” and “remediation throughput”—and the MSPs that refuse to sell remediation as a metered, SLA-backed operating motion will see security margins collapse under exception handling and incident ownership.