Why MSSPs Are Hitting a Margin Wall
Ask any MSSP CFO how managed security delivery is performing relative to the rest of the book and you'll usually get the same answer: gross margin is flat or compressing while revenue grows. The growth looks healthy on the top line. The math underneath isn't.
The reason is simple. Traditional managed security delivery scales by adding analyst hours. Every new customer adds alert volume. Every new customer adds SOP variance. Every new customer adds three new tools that need to be reconciled into the ticketing system. The cost per incident climbs even as the unit price per customer is held flat by competitive pressure.
The three forces compressing margin
- Alert volume per customer keeps growing as the threat surface expands. The same alert that took 8 minutes to triage in 2022 takes 12 minutes in 2026 because the context has gotten richer and the false-positive rate has gotten worse.
- Analyst supply is constrained. Senior tier-2 analysts cost more every year and quit faster. Most MSSPs are competing for the same 50,000 people across the entire North American market.
- SOP drift is invisible until it explodes. Two analysts handling the same incident class will quietly diverge over six months. The result is uneven delivery quality, escalation overhead, and eventually a customer who churns because their experience doesn’t match the SLA.
The two paths most MSSPs try
The first path is to outsource the actual delivery to an MDR vendor. The math here looks attractive on a spreadsheet — until you realize you’ve handed your customer’s security relationship to a third party who uses their SOPs, their analysts, their black box. You lose control, you lose margin to them, and the customer relationship is now mediated by a vendor whose interests are not aligned with yours.
The second path is to build it. Hire analysts, write SOPs, deploy a SOAR platform, and pray the math works. It usually doesn’t. Hiring is slow. SOAR build-out takes 6–12 months and never quite finishes. The platform never gets the institutional adoption you need because building it well requires engineering capacity most MSSPs don’t have.
The third path: agentic delivery
What changes the equation is automating the actual analyst work, not just the orchestration around it. AI agents that triage, investigate, enrich, and document. SOPs that execute themselves as Gamebooks rather than living in a Confluence page nobody reads. A control plane that lets one analyst supervise the work of fifty agents across a thousand customer workspaces.
This is the path ContraForce is built for. The unit economics flip: cost per incident drops, throughput per analyst rises, and the same headcount can serve five times as many customers without sacrificing delivery quality. The board stops asking why margin is flat.