What makes a prospect good or bad for your business?
It depends on where your MSP is in its journey. If you are early and building a book of business, you will take on most clients and learn fast. Volume teaches repeatable delivery, exposes gaps in process, and funds the tools you actually need. Just keep the scope clear and price for the time you will spend.
Once you are past that stage, a worthwhile prospect looks different. They fit your operating model, accept your standard stack, and agree to a simple set of controls without debate. They can articulate who owns security decisions and they will sign risk exceptions when they decline a control. They are open to light discovery such as a scan back or DMARC review so you can price against real work. They understand that automation is not optional if they want predictable outcomes.
Qualify on three signals:
- Operational posture: MFA enforced, basic policies in place, and a named security champion who can say yes.
- Architecture fit: Modern cloud email, API-level visibility, and no insistence on legacy detours that break mail flow.
- Accountability in writing: Contracts that assign liability when controls are declined, specify who pays regulatory or privacy fines, and align cyber insurance requirements with the environment.
For an early-stage MSP, the threshold is simple. Take the business if the client pays on time, accepts the scope you present, and agrees to a path toward better hygiene. For a mature MSP, the bar is higher. If a prospect will not accept your minimum stack, will not run basic discovery, or refuses to document liability, the short-term revenue will cost more than it returns.
Not All Revenue is Growth
Every MSP has a logo that looked appealing on the slide and punishing in the P&L. The common thread is predictable: weak email hygiene, no security champion, constant exceptions, and a manual‑only mindset. Leaders pay for that pattern through analyst burnout, noisy tickets, and stalled ARR.
The antidote is a qualification discipline that uses objective signals, AI‑assisted evidence, and contract design to make risk visible before you price it. That aligns with what MSP buyers and influencers actually value: easy integration, automation that reduces fatigue, and tools that scale across tenants.
Take a Scorecard Approach to Every Client
Build a 100-point scorecard across the signals below. Only you can decide how much weight each category or signal carries; that depends on your internal capabilities and know-how.
Treat 65+ as go, 50–64 as conditional with a remediation plan, and below 50 as no‑go.
An Example to Guide Your Scorecard:
| Signal | Quick Check | Evidence to Request | Score Thresholds |
|---|---|---|---|
| EDR coverage | Unified endpoint coverage with central policy and SOC integration. | EDR console coverage report, policy configuration, integration list. | Go: ≥95% covered. Conditional: 70–94%. No-Go: <70%, or unmanaged endpoints mixed in. |
| SIEM logging & retention | Centralized log management with email telemetry integrated. | Data source map, retention policy, sample IRONSCALES connector events. | Go: ≥90 days hot / ≥365 days cold. Conditional: basic audit logging only. No-Go: no centralized logging. |
| Documented processes | Versioned SOPs for email triage, escalation, and the user-reported flow. | SOP index tied to the ITSM, last review date. | Go: current and enforced. Conditional: drafts only. No-Go: none. |
| Security policies | Approved Email, Acceptable Use, Access Control, and Vendor Risk policies. | Policy list with approval dates and employee attestations. | Go: approved within the last 12 months. Conditional: outdated. No-Go: none. |
| Incident Response plan | Tested IR plan with defined roles, comms tree, and carrier coordination steps. | Latest tabletop report, IR playbooks, insurer notification checklist. | Go: tested within the last 12 months. Conditional: untested. No-Go: no plan. |
| Email authentication posture (DMARC) | Clear path from p=none → quarantine → reject within 90 days. | Domain-level DMARC report and enforcement policy. | Go: p=reject. Conditional: p=none (or p=quarantine) with a dated enforcement plan. No-Go: refuses enforcement. |
| Automation posture (SOC/agentic AI) | Comfort with AI-driven, policy-guided remediation integrated with SIEM/SOAR. | Automation policy summary and exception list. | Go: automation enabled. Conditional: monitor-only. No-Go: manual-only. |
| Executive sponsorship & risk acceptance | Named champion with authority and formal exception sign-off. | Org chart showing security ownership and signed risk register. | Go: executive champion. Conditional: partial ownership. No-Go: none. |
| Identity hygiene | MFA enforced for privileged and standard accounts across tenants. | Conditional Access policy export, MFA enforcement report. | Go: org-wide. Conditional: partial. No-Go: none. |
| Security awareness & training (SAT) | Integrated SAT and phishing simulation tied to user risk profile. | Training completion metrics, phishing-simulation results. | Go: program active and tracked. Conditional: partial. No-Go: none. |
Three IRONSCALES Discovery Moves That De-Risk Pricing
Run these before you talk numbers.
- Silent 90-day scan-back
  Surface malicious messages already in mailboxes and quantify the real remediation hours. This makes risk visible and shifts the conversation from opinion to evidence.
- DMARC assessment with an enforcement plan
  Use a wizarded workflow to validate the records, fix SPF lookup problems, and schedule reporting. Commit to an enforcement date and flatten SPF so the record stays under the limit of 10 DNS-querying mechanisms (include, a, mx, ptr, exists and the redirect modifier) that RFC 7208 imposes; a record that exceeds it evaluates to permerror at receivers, which quietly voids the protection. Because a flattened record lists third-party sender ranges literally, it has to be re-flattened whenever those senders change their IPs. This improves deliverability and reduces spoofing risk your team would otherwise eat.
- Automation demonstration
  Show policy-guided remediation with analyst-in-the-loop controls. Your objective: prove that hands-free clustering and quarantine cut incident handling from minutes to seconds, while you retain control.
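The DMARC assessment step validates records, counts SPF lookups and flattens the record. What follows is an added example, not IRONSCALES code and not the wizarded workflow the page describes. It runs against constructed DNS data (the TXT, A and MX dictionaries stand in for live resolution; the mailer-* hostnames are invented and the addresses are documentation ranges) and maps the resulting DMARC policy onto the scorecard row, treating p=quarantine like p=none when a dated plan exists, which is an assumption consistent with the none → quarantine → reject path. The constructed domain also shows the failure mode the step is meant to catch: its original SPF record needs 12 DNS lookups, so receivers would return permerror, while the flattened record needs one.

```python
"""Offline DMARC/SPF discovery check. Added example, not IRONSCALES code.
Maps the DMARC policy to the scorecard row, counts the DNS-querying SPF terms
across the include tree (RFC 7208 section 4.6.4: at most 10, else permerror)
and flattens include/a/mx into literal ip4 terms."""

MAX_LOOKUPS = 10
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}   # plus the redirect= modifier

# Constructed DNS data so the script runs offline (documentation IPs, invented hostnames).
TXT = {
    "example.com": "v=spf1 include:_spf.mailer-a.example include:_spf.mailer-b.example mx -all",
    "_spf.mailer-a.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer-a2.example ~all",
    "_spf.mailer-a2.example": "v=spf1 ip4:198.51.100.0/24 a:relay.mailer-a.example -all",
    "_spf.mailer-b.example": "v=spf1 ip6:2001:db8::/32 include:_spf.mailer-b2.example include:_spf.mailer-b3.example -all",
    "_spf.mailer-b2.example": "v=spf1 include:_spf.mailer-b4.example include:_spf.mailer-b5.example -all",
    "_spf.mailer-b3.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.mailer-b4.example": "v=spf1 a mx -all",
    "_spf.mailer-b5.example": "v=spf1 exists:%{i}.spf.mailer-b5.example ip4:203.0.113.0/25 -all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
A = {"relay.mailer-a.example": ["192.0.2.10"], "_spf.mailer-b4.example": ["203.0.113.200"],
     "mx1.mailer-b4.example": ["203.0.113.201"], "mail.example.com": ["192.0.2.25"]}
MX = {"example.com": ["mail.example.com"], "_spf.mailer-b4.example": ["mx1.mailer-b4.example"]}

def spf_terms(domain):
    """Terms of the domain's SPF record, minus the v=spf1 version tag."""
    parts = TXT.get(domain, "").split()
    if not parts or parts[0] != "v=spf1":
        raise ValueError(f"no SPF record for {domain}")
    return parts[1:]

def parse_term(term):
    """Split a term into (qualifier, name, value); modifiers use '=', mechanisms ':'."""
    qual = "+"
    if term[0] in "+-~?":
        qual, term = term[0], term[1:]
    if "=" in term.split(":", 1)[0]:          # modifier, e.g. redirect=_spf.example
        name, value = term.split("=", 1)
    else:                                     # mechanism, e.g. include:x, ip4:..., mx, all
        name, _, value = term.partition(":")
    return qual, name.lower(), value

def count_lookups(terms, path=()):
    """Count DNS-querying terms, descending into include/redirect targets."""
    n = 0
    for term in terms:
        _, name, value = parse_term(term)
        if name in LOOKUP_MECHS or name == "redirect":
            n += 1
        if name in ("include", "redirect"):
            if value in path:
                raise ValueError(f"include loop via {value}")
            n += count_lookups(spf_terms(value), path + (value,))
    return n

def flatten(domain, nested=False):
    """Rewrite include/a/mx as the ip4 terms they resolve to (AAAA omitted: the constructed
    hosts are IPv4-only). Only '+' terms are hoisted out of an include; a '-ip4:' inside one
    means 'this include does not match', which the parent cannot express, so it is refused."""
    out = []
    for term in spf_terms(domain):
        qual, name, value = parse_term(term)
        prefix = "" if qual == "+" else qual
        if name == "all":
            if not nested:                    # an included record's 'all' never propagates
                out.append(term)
            continue
        if nested and qual != "+":
            raise ValueError(f"cannot hoist {term!r} out of {domain}")
        if name == "include":
            out.extend(flatten(value, nested=True))
        elif name in ("a", "mx"):
            host, _, cidr = value.partition("/")  # bare 'a' / 'mx' means this domain
            hosts = [host or domain] if name == "a" else MX[host or domain]
            suffix = f"/{cidr}" if cidr else ""
            out.extend(f"{prefix}ip4:{ip}{suffix}" for h in hosts for ip in A[h])
        elif name == "redirect":
            raise ValueError("redirect= is counted above but not flattened here")
        else:                                 # ip4/ip6 pass through; ptr/exists stay as lookups
            out.append(term)
    return out

def dmarc_policy(domain):
    """The p= tag of _dmarc.<domain>, or None when no valid DMARC record exists."""
    tags = {}
    for kv in TXT.get(f"_dmarc.{domain}", "").split(";"):
        key, sep, val = kv.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    return tags.get("p") if tags.get("v") == "DMARC1" else None

def score_dmarc(policy, has_dated_plan):
    """Scorecard row: Go at p=reject; Conditional at p=none/quarantine with a dated plan."""
    if policy == "reject":
        return "Go"
    return "Conditional" if policy in ("none", "quarantine") and has_dated_plan else "No-Go"

if __name__ == "__main__":
    orig, flat, policy = spf_terms("example.com"), flatten("example.com"), dmarc_policy("example.com")
    print("DMARC p=%s -> %s" % (policy, score_dmarc(policy, True)))
    print("SPF lookups: %d (permerror above %d)" % (count_lookups(orig), MAX_LOOKUPS))
    print("flattened: v=spf1 %s | lookups: %d" % (" ".join(flat), count_lookups(flat)))
```

The one lookup left after flattening is the exists: mechanism, which depends on the connecting IP through a macro and therefore cannot be reduced to a literal range; a real assessment would surface it to the sender's vendor. The flattened record is also a snapshot: the A and MX data it baked in must be refreshed on a schedule, and a record longer than 255 characters must be split into multiple TXT strings.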
Productize Your Standard Stack
Standardizing this stack lowers ticket volume, shortens MTTR, and improves renewal likelihood by making outcomes consistent across tenants. It also anchors pricing to a defined operating model, which reduces custom work, limits exception handling, and keeps service levels predictable for both your team and the customer.
When selling the IRONSCALES solution, an MSP can lead with inbox-level email security delivered via API and continuous post-delivery scanning, where threats actually live. Layer in agentic SOC automation for autonomous clustering and remediation with adjustable guardrails that demonstrate control, not chaos, to leadership. Round it out with awareness training and simulations that use real inbox attacks to personalize learning, plus managed DMARC with hosted records, auto-flattened SPF, alerting, and executive-ready reporting. Publish a standard stack and stick to it so you can protect margin and set clear expectations.
Contract Constructs That Protect Margin
Make risk and cost allocation explicit in your MSA and SOWs. If a customer declines recommended controls such as DMARC enforcement or automation, document the decision in an exception register with executive signatures, and state that operational costs and fines tied to non-compliance are customer-owned. Align cyber-insurance terms so that if choices reduce insurability or increase premiums, the customer owns the delta, and cap duty to defend to your negligence, not to declined controls.
Add a RACI attachment that names owners for DMARC, automation thresholds, exception approvals, and carrier notifications. This keeps accountability clear, reduces debate during incidents, and provides a contractual basis for remediation timelines, surcharge triggers, and any temporary relaxations of automation while still protecting your margins.
Price Behavior, Not Hope
Tie price to measurable risk and visible workload rather than aspirational roadmaps. Use exception multipliers so each open exception carries a monthly uplift that recedes as controls close. Apply higher multipliers to choices that materially raise exposure, such as declining DMARC enforcement, and track them in the exception register to keep incentives aligned.
Introduce DMARC timeline pricing with two rates: one for achieving enforcement by the agreed date and one if delayed. If a client refuses automation, add a manual-only surcharge tied to actual measured workload. This structure keeps cost proportional to risk, motivates remediation, protects analyst time, and creates a financial incentive to adopt automation instead of relying on hope.
Implementation Checklist (90 Days)
Weeks 1–2
- Publish scorecards and embed them in the CRM/PSA flow.
- Define required evidence artifacts and storage location.
- Draft exception register and RACI attachment.
Weeks 3–6
- Pilot mailbox scan‑backs with two prospects and one existing customer.
- Baseline MTTR and analyst hours; record automation thresholds.
Weeks 7–10
- Roll out DMARC assessments; set domain‑by‑domain enforcement timelines.
- Present standard stack to all new prospects and current customers due for renewal.
Weeks 11–13
- Review outcomes, adjust score thresholds, and codify pricing rules tied to exceptions.
The Takeaway
Growth isn’t just about adding account volume. It’s about adding the right accounts. With phishing volume now measured in billions of messages a day and GenAI fueling new attack variants, MSPs can’t afford to absorb unnecessary risk.
Qualify prospects with data, standardize around automation, and document everything. The clients who value those principles are the ones who will stay longer, pay fairly, and strengthen your business.