Cybersecurity has become table stakes for MSPs, but many struggle to price add-ons profitably without commoditizing their core value. Getting security pricing right means balancing market demand, your overhead, and client risk tolerance—not just marking up a vendor's license fee by 20%.
Why Security Add-Ons Are Your Margin Play
Most MSPs bundle basic antivirus and firewall management into their standard monthly stack. Security add-ons—advanced threat protection, dark web monitoring, security awareness training, incident response—sit in the premium tier where you actually build margin. A typical MSP on a $500/month managed IT contract operates at 35–45% gross margin; a $150–300/month security stack can hit 50–65% if priced and packaged correctly.
Clients are also more forgiving on security spend because the cost of breach notification, downtime, and regulatory fines is staggering. A ransomware hit costs an average SMB $150,000–$500,000 including recovery. That context makes a $200/month advanced endpoint detection and response (EDR) solution look like a bargain.
Breaking Down Realistic Security Pricing Models
Per-user licensing remains the simplest model for SMBs. EDR tools (CrowdStrike Falcon, Microsoft Defender for Endpoint, Sophos) typically cost $8–$25 per endpoint per month wholesale. You resell at $18–$40 per user monthly, depending on your support level and market positioning. For a 50-user client, that's $900–$2,000 monthly recurring revenue.
Bundled security tiers work better for upselling. Tier 1 ($80–120/month) covers advanced antivirus, web filtering, and basic vulnerability scanning. Tier 2 ($200–300/month) adds EDR, dark web monitoring, and quarterly security assessments. Tier 3 ($400+/month) includes 24/7 threat hunting, managed SIEM, and incident response retainers. Most mid-market clients land in Tier 2.
Managed Security Service Provider (MSSP) partnerships let you white-label or resell SOC services without hiring analysts. Costs range from $1,500–$5,000/month for a managed firewall and intrusion detection setup. Your margin depends on volume: single-client engagements yield 30–40% margin; at scale (10+ clients), you might hit 45–55%.
Pricing by Service Type
- Endpoint Detection & Response (EDR): $15–$35/endpoint/month (your sell price)
- Dark Web Monitoring: $50–$150/month (flat rate, high margin)
- Vulnerability Assessments: $400–$1,200 per assessment (project-based)
- Security Awareness Training: $2–$8 per user/year (massive margins)
- Ransomware Backup Add-Ons: $40–$80/100GB/month
- Managed Firewall/UTM: $200–$600/month
- Incident Response Retainer: $1,500–$3,000/month (retainer + $200–$400/hour overages)
Packaging and Positioning Tips
Avoid itemizing every tool. Customers don't care that you're reselling four different vendors—they care about outcomes. Frame packages around business outcomes: "Tier 2 eliminates 95% of ransomware risk and includes a response retainer" reads better than "EDR + SIEM + backup replication."
Position security as a necessity, not an option. Tie it to compliance (HIPAA, PCI, GDPR) or audit requirements specific to their industry. A healthcare practice needs different language than a law firm, even if the underlying stack is similar.
Start with a risk assessment ($500–$2,000 one-time). Use it to justify which tier they actually need. Many clients will pay for Tier 2 if you show them the specific vulnerabilities in their environment.
Track your vendor costs meticulously. If your wholesale cost jumps, your retail price needs to move within 30–60 days. Margin creep kills cash flow.
Getting Visibility and Leads
Listing your security packages on platforms like Mercoly helps you get found by buyers actively searching for managed security services, win qualified leads faster, and sell add-on packages directly to clients who understand their value. It also positions you alongside competing MSPs, which keeps pricing realistic.
Frequently Asked Questions
Q: Should I include security in my base managed IT price or always sell it separately? A: Separate it. Base contracts create price-per-user anchors; bundling security dilutes perceived value and makes future upsells harder. Keep core IT (patch management, helpdesk, backup) as your foundation and position security as a premium layer.
Q: How do I handle clients who say they already have antivirus from their previous IT vendor? A: Run a 30-day free trial of your preferred EDR solution and generate a threat report. Most legacy solutions catch 60–70% of modern threats; your newer platform will find what they're missing. Tangible proof of incremental value justifies switching and pricing.
Q: What's a realistic sales cycle for security add-ons? A: 4–8 weeks for existing clients (low friction), 8–12 weeks for new prospects. Budget cycles and risk assessment timelines slow deals, so start conversations early and use security assessments as deal accelerators.
Start pricing your security stack this week and test it with your next three renewal conversations.