
A Quick MSP Guide to Pricing Security—With a Focus on MDR

It’s almost a weekly occurrence where I inevitably receive an email or LinkedIn message from an MSP asking about pricing. And I seem to get this question more frequently whenever we launch a new product. Since launching our newest solution—Adlumin MDR—the pricing question has become almost a daily occurrence. 

Questions like:

  • “We are interested in MDR, but we are not quite comfortable yet on the retail costing model and it’s holding us back a bit from going to market.”
  • “Do you have any material around go-to-market pricing/packaging on MDR?”
  • “My customer is interested in MDR, but I’m not sure how I should be pricing it.”

So given the excitement and the quick adoption of MDR that MSPs are having, I thought it might be helpful to dedicate this month’s blog article to addressing their pricing inquiries. And although I’ll be referencing Adlumin MDR in this article, the guidance being provided can be applied to ANYTHING an MSP might be trying to sell. Because when it comes to figuring out the pricing of any product or solution that an MSP wants to take to market—not just MDR—the first question I always ask is:

Who are you selling to?

Depending on what type of organization you are selling to, it will help to determine what you should be charging for the new product or solution you are introducing.

When looking at the MSP space, there are two distinct customer types that MSPs could be selling to:

  • A Traditional Managed Services Customer
    This is defined as an organization where there is no dedicated, internal IT administrator in-house, so your MSP acts as their outsourced IT department, and therefore assumes 100% responsibility for the care, maintenance, and protection of their network.
  • A Co-managed IT Services Customer
    This is defined as an organization where there IS an IT administrator or IT department in existence within the organization, and so it is that person or that IT department who is then ultimately responsible for the care, maintenance, and protection of the organization’s network—not the MSP. In a co-managed IT services model, the MSP offers to help out and fill a void by taking over the management of one or two key functions or specific components, but not the entire network environment.
     

And this is an important distinction to make, because depending on what type of organization you are targeting, whether there is the presence of an internal IT administrator or not, that will determine what you ultimately will sell them and consequently what you will charge them. 


Pricing for the Traditional Managed Services Customer

Let’s look at the traditional managed services customer first. 

With this type of customer, you wouldn’t price and sell MDR (or EDR, or Backup, etc.) as an individual service, all on its own. Rather, you would include MDR as part of your top-tier layered security program.

In my boot camp, “The Guide to Building Security Programs”, I refer to this package as your Advanced Security Program, and it’s the package that you would offer to any medium- to high-risk organization that resides in a regulated industry that has compliance standards it needs to adhere to.  If the customer you are speaking with is required to demonstrate and prove compliance, then the Advanced Security Program is the package you should be positioning to them, and I generally see that program level start at around US$200-US$275/user/month. But I have also seen it offered as high as US$400/user/month by some MSPs. 

And in my boot camp, I review what the security tech stack generally looks like for this type of program, as it includes a wide variety of other security toolsets, labor, and services beyond just MDR. MDR (or EDR, or Backup, etc.) isn’t sold in a silo when it comes to a traditional managed services customer; these services are bundled together and sold as part of an overall package of security services, because you are accepting the responsibility and the risk that comes from managing and protecting an organization’s network environment. And if you are accepting that risk, then you will need to implement a layered approach with respect to their security, because no single product can provide the required protection coverage from cyber-attacks.

So in this case, MDR is that final layer that gets added to provide deeper visibility, and heightened threat hunting and detection services, as it can help provide a faster mean time to incident detection—thereby providing a faster mean time to response and a faster mean time to remediation for those organizations that can’t tolerate lengthy downtime and where the breach impact needs to be minimized. 

Things Are Different for the Co-managed Customer, Though…

But pricing is looked at differently when you are speaking with a co-managed IT services client. In this type of scenario, it is absolutely appropriate to sell your services in an a la carte format. MDR could be sold separately to an organization, because in the co-managed model you are just helping out by augmenting the in-house IT team and providing a service that your MSP will manage that’s designed to strengthen their overall security posture.

Your MSP is not in charge of the organization’s network like you are for a traditional managed services customer; the internal IT Director is. So in this case, I see MSPs charging a minimum of US$90/user/month, and this generally would include both EDR on the endpoint and MDR as the wrapper service to protect the rest of the network.

If you are interested in learning more about how to build and market a co-managed MDR service, then be sure to register for my upcoming co-managed boot camps where I will go into greater detail on what a program like this would include. 


Designing Your Pricing Schemes

So it is important to recognize who you are selling to so that you can design your pricing schemes correctly, because when done appropriately, it can have a profound impact on your MRR, average deal size, and your overall managed services revenue. 

Let’s use a car analogy to hopefully drive this point home further.

Let’s say there are two dealerships who are selling the same make of car. Dealership #1 only sells the fully loaded model, while Dealership #2, which sells the same make, doesn’t sell just the fully loaded model, but also sells lower-level models as well, as they allow their customers to pick and choose the features they want to pay for.

In most cases, Dealership #1, which sells only the fully loaded model, will generate higher revenues and will grow faster than Dealership #2. And that is because, with practice, it doesn’t take any more effort to close a fully loaded model deal than it does to close a deal for a lower-end model that is missing features. The effort of the salesperson is pretty much the same—assuming the sales acumen and sales talent are there.

So if you are going to spend your time creating a marketing and sales campaign targeted at the traditional managed services customer that focuses on selling just MDR, or EDR, or backup on its own, in a non-bundled way, then you are wasting your sales opportunity. If you are going to go through all of that effort and expense anyway, why not put that time and energy into selling a bundled set of services (like your Advanced Security Program) that provides higher value, improved security coverage, and improved cyber resiliency protection?

This is the difference between making this a technical sale, where you are just reselling a toolset, which offers only minimal levels of profitability, versus turning this into a value-based sales motion, where you can charge higher prices. Because if you are going to engage with a traditional managed services prospect anyway, then you don’t want to waste the opportunity before you. Leverage the opportunity to speak to your customer about your Advanced Security Program and not just a singular product, and benefit from higher contract values and improved MRR, while also working towards reducing and mitigating your risk as their MSP. 

Stefanie Hammond is Head Sales and Marketing Nerd at N‑able. You can follow her on LinkedIn.
