Breach, Then Switch
The observable shift starts with four facts showing up at the same time: MSPs are reporting repeated breaches, customers are signaling willingness to switch providers, third-party verification models are emerging, and SMB buyers say security matters even as their own readiness remains weak.
Start with BetaNews, which cites a CyberSmart survey that found 75% of MSPs experienced at least one breach in the past year, and more than half—54%—were breached two or more times, with 32% hit three or more times. In the same reporting, MSPs ranked AI as the top threat they’re facing, and a majority said their customers’ risk increased over the last twelve months. That’s not a theoretical exposure—it’s repeat, measurable incidents inside the provider layer.
Now pair that with new research from WatchGuard, based on a global survey of 842 IT and cybersecurity professionals across 20 countries. WatchGuard’s headline is a paradox: 94% of clients using a dedicated MSP say they feel adequately protected, and yet 58% say they plan to change providers within three years. WatchGuard points to the drivers being rising costs without added value, major security incidents, and slow response times. Whatever “good enough” used to mean, it’s being redefined in the market right now—and buyers are telling us they’ll move.
Then look at how the industry is formalizing proof. IT Channel Oxygen reports on Assurix awarding what it describes as its first MSP trustmark in the UK, built around 64 security and operational controls, with the accreditation designed to be “live evidence” and subject to suspension if standards slip. The founder’s claim is that dozens of providers are already in assessment, and the goal is to scale to 1,500 UK MSPs over five years. Regardless of whether that specific number is achieved, the important observable fact is that third-party verification structures are showing up, and they’re being marketed as buyer-facing credibility.
And finally, MSP Channel Insights pulls in data from a global IDC study of 2,210 SMBs: 52% put cybersecurity and data protection among their top priorities, 60% plan to increase spend, and yet only 13% of micro-businesses describe their approach as proactive. The same coverage notes that half of SMBs reported a breach or attack in the past year, and that 81% say they’re unprepared for AI-related threats.
Those are the signals: more breaches, more switching intent, more formal verification, and buyers saying security matters—while admitting they’re not ready.
SaaS Blind Spot
The mechanism underneath this shift is that security has moved into the messy middle of modern operations—identity, SaaS sprawl, cloud apps, and now AI-connected workflows—and most organizations don’t have a clean, consistent way to see what’s happening across all of it, let alone enforce the same controls everywhere. So the market keeps pushing security toward systems that can impose consistency: one view, one set of policies, one workflow for detection and response, one place to prove what happened.
That’s exactly what WatchGuard is signaling with its acquisition of Perimeters.io and the launch of WatchGuard Cloud Detection and Response, CloudDR. The pitch is not “another tool.” It’s continuous visibility and automated response across more than forty cloud applications—Microsoft 365, Salesforce, HubSpot, even OpenAI—delivered in a multi-tenant service designed for MSP operations. In plain terms, the control problem isn’t at the endpoint anymore. It’s in the cloud application layer, where misconfigurations, identity misuse, and shadow usage hide in plain sight unless someone is stitching the story together.
The same gravitational pull shows up in Omdia’s Cybersecurity MSP Ecosystems Leadership Matrix for 2026. The “champions” Omdia calls out—Acronis, Bitdefender, ESET, SentinelOne, Sophos, WatchGuard—aren’t being rewarded for single features. They’re being rewarded for building ecosystems that assume security is delivered as an outcome through automation, multi-tenant integration, and tight linkage into PSA and RMM operations. That’s the market preference: fewer handoffs, fewer swivel-chair processes, more repeatable execution.
That is the mechanism: evidence becomes valuable only when an outside party makes it economically consequential. That can happen when a customer makes proof part of renewal or procurement, an insurer makes controls part of eligibility or claims review, a trustmark becomes recognized enough to influence selection, or the MSP uses evidence obligations to separate premium managed environments from unsupported risk. Without one of those triggers, Evidence Ops is internal overhead. With one, it becomes a pricing, retention, and liability-management tool.
Prove or Pay
So the consequence is not just more security work. It is a change in where responsibility lands. That is the operator consequence: insurance, AI governance, and cloud application security are all turning evidence into an operational deliverable. If the MSP does not define that deliverable in the service model, the market will define it during renewals, audits, incidents, and claims reviews.
Here’s proof point number one. Huntress and Acrisure are rolling out a cyber insurance program that offers eligible businesses access to cyber or tech E&O coverage with no deductible, and a streamlined application process—specifically tied to organizations using Huntress’s managed endpoint detection and response and identity threat detection. That’s a clean market signal: insurance is increasingly being packaged around the assumption that the provider’s security operations are part of the risk profile. When underwriting starts to ride on whether a certain kind of managed detection and response is in place, you’re no longer just selling “security.” You’re selling something that has to survive an external review of controls, coverage terms, eligibility criteria, and the conditions under which a claim gets paid. In that world, the MSP gets pulled into the question of what was deployed, how it was run, and what proof exists that it was operating as intended.
Proof point number two is NIST moving quickly toward AI cybersecurity guidance, including staged “control overlays” for predictive AI and then agentic AI. The detail that matters here is the direction: guidance that can be turned into checklists, assessments, and “show your work” requirements. Once those overlays exist, the conversation stops being “are we being responsible,” and becomes “which controls are in place, how do we know, and where is the record.”
One path is to become the MSP that simplifies and governs the automation layer—documenting controls, managing identity and permissions, preserving logs, producing audit-ready artifacts, and making security something you can prove. The other path is to keep absorbing complexity as it spills out of cloud apps, AI workflows, and compliance overlays—getting the incident call, getting the blame-adjacent questions, and doing the evidence work anyway, just without scope, contract language, or margin.
Why Do We Care?
Because the bad MSP decision is to treat this as another tool-selection cycle. The structural shift is not that customers need one more security product. It is that customers, insurers, procurement teams, and trust frameworks are beginning to ask whether security can be proven after the fact.
If an MSP misunderstands that, it will keep selling protection while giving away proof. It will absorb evidence requests during renewals, claims reviews, incidents, and audits as unpaid support work. That is where margin leaks, liability expands, and the provider loses control of the security conversation.
The strategic question is whether evidence-backed security becomes a paid operating model or remains a reactive burden hidden inside support.
What to Consider
- Restructure contracts to explicitly scope evidence obligations. Unmanaged SaaS applications, unmanaged identities, and ungoverned AI workflows should carry explicit exclusions, separate line items, or premium-tier requirements. Otherwise, the MSP absorbs post-incident evidence work without contract language, margin, or liability boundaries.
- Treat trustmarks as a 12-to-18-month investment with uncertain payback. Assurix and similar frameworks are worth monitoring for buyer adoption signals — specifically, whether enterprise procurement teams, insurers, or channel buyers start recognizing them. The hidden flaw is that trustmarks only create pricing power if the market understands them. Pursue accreditation only if you have the operational infrastructure to maintain it continuously; a suspended trustmark is worse than no trustmark.
- Stand up an Evidence Ops function — even if it starts as one named owner with defined scope. That owner should be responsible for control mapping, log-retention standards, monthly evidence packs, and post-incident documentation. Without ownership, evidence production stays reactive, inconsistent, and unpriced.
If this trend continues…
MSPs will be selling evidence-backed security tiers within three years. Premium packages will be priced around insurer-recognized controls, monthly evidence packs, and contractual response documentation, while lower-tier customers receive explicit exclusions for unsupported SaaS, unmanaged identities, and ungoverned AI workflows.