What makes a prospect good or bad for your business?
It depends on where your MSP is in its journey. If you are early and building a book of business, you will take on most clients and learn fast. Volume teaches repeatable delivery, exposes gaps in process, and funds the tools you actually need. Just keep the scope clear and price for the time you will spend.
Once you are past that stage, a worthwhile prospect looks different. They fit your operating model, accept your standard stack, and agree to a simple set of controls without debate. They can articulate who owns security decisions and they will sign risk exceptions when they decline a control. They are open to light discovery such as a scan back or DMARC review so you can price against real work. They understand that automation is not optional if they want predictable outcomes.
Qualify on three signals, with the bar set by where your MSP is.
For an early-stage MSP, the threshold is simple: take the business if the client (1) pays on time, (2) accepts the scope you present, and (3) agrees to a path toward better hygiene. For a mature MSP, the bar is higher: if a prospect (1) will not accept your minimum stack, (2) will not run basic discovery, or (3) refuses to document liability, the short-term revenue will cost more than it returns.
Every MSP has a logo that looked appealing on the slide and punishing in the P&L. The common thread is predictable: weak email hygiene, no security champion, constant exceptions, and a manual‑only mindset. Leaders pay for that pattern through analyst burnout, noisy tickets, and stalled ARR.
The antidote is a qualification discipline that uses objective signals, AI‑assisted evidence, and contract design to make risk visible before you price it. That aligns with what MSP buyers and influencers actually value: easy integration, automation that reduces fatigue, and tools that scale across tenants.
Build a 100-point scorecard across the signals that describe the prospect's security posture. Only you can decide how much weight each category or signal carries, depending on your internal capabilities and know-how; just make sure the weights total 100 so the cut-offs below hold.
Treat 65+ as go, 50–64 as conditional with a remediation plan, and below 50 as no-go.
An Example to Guide Your Scorecard:
| Signal | Quick Check | Evidence to Request | Score Thresholds |
|---|---|---|---|
| EDR coverage | Unified endpoint coverage with central policy and SOC integration. | EDR console coverage report, policy configuration, integration list. | Go: ≥95% covered; Conditional: 70–94%; No-Go: <70% or mixed unmanaged |
| SIEM logging & retention | Centralized log management with email telemetry integrated. | Data source map, retention policy, sample IRONSCALES connector events. | Go: ≥90-day hot / ≥365-day cold; Conditional: Basic audit only; No-Go: No centralized logging |
| Documented processes | Versioned SOPs for email triage, escalation, and user-reported flow. | SOP index tied to ITSM, last review date. | Go: Current and enforced; Conditional: Drafts only; No-Go: None |
| Security policies | Approved Email, Acceptable Use, Access Control, Vendor Risk policies. | Policy list with approval dates and employee attestations. | Go: Approved ≤12 months; Conditional: Outdated; No-Go: None |
| Incident Response plan | Tested IR plan with defined roles, comms tree, and carrier coordination steps. | Latest tabletop report, IR playbooks, insurer notification checklist. | Go: Tested ≤12 months; Conditional: Untested; No-Go: No plan |
| Email authentication posture (DMARC) | Clear path from p=none → quarantine → reject within 90 days. | Domain-level DMARC report and enforcement policy. | Go: p=reject; Conditional: p=none with plan; No-Go: Refuses enforcement |
| Automation posture (SOC/Agentic AI) | Comfort with AI-driven, policy-guided remediation integrated with SIEM/SOAR. | Automation policy summary and exception list. | Go: Automation enabled; Conditional: Monitor-only; No-Go: Manual-only |
| Executive sponsorship & risk acceptance | Named champion with authority and formal exception sign-off. | Org chart showing security ownership and signed risk register. | Go: Exec champion; Conditional: Partial ownership; No-Go: None |
| Identity hygiene | MFA enforced for privileged and standard accounts across tenants. | Conditional Access policy export, MFA enforcement report. | Go: Org-wide; Conditional: Partial; No-Go: None |
| Security awareness & training (SAT) | Integrated SAT and phishing simulation tied to user risk profile. | Training completion metrics, phishing-simulation results. | Go: Program active and tracked; Conditional: Partial; No-Go: None |
Run these checks before you talk numbers.
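The DMARC row and the go/conditional/no-go cut-offs are the two parts of the scorecard that can be checked mechanically, so here is an added example (not IRONSCALES code, not part of the original article) that parses a domain's DMARC TXT record, maps it to the table's result, and rolls it into the 100-point score. The table only fixes the thresholds, so everything else is an assumption stated in the code: a go earns full credit for a signal, a conditional half, a no-go none; the ten signals are weighted 10 points each; p=quarantine, pct below 100 and a weaker sp= subdomain policy are treated as "on the path but not at reject" and score conditional; and the nine non-DMARC results are constructed sample data so that the DMARC row is what moves the decision.

```python
"""Score a prospect's DMARC posture and roll it into the 100-point scorecard.

Added example for this article, not IRONSCALES code. Thresholds follow the
scorecard table; credits, weights and the quarantine/pct/sp handling are
assumptions documented inline.
"""
from dataclasses import dataclass
from typing import Optional

GO, CONDITIONAL, NO_GO = "go", "conditional", "no-go"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs.

    Returns {} when the text is not a DMARC record (version tag not v=DMARC1),
    so an SPF record or junk TXT is never mistaken for enforcement.
    """
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def dmarc_posture(record: Optional[str], has_enforcement_plan: bool = False) -> str:
    """Map one domain's DMARC record to the table's result.

    Table rule: p=reject -> go; p=none with a plan -> conditional; refusal
    (here: no record, or p=none with no plan) -> no-go. Assumption on top:
    p=quarantine, pct<100 or a weaker sp= are conditional, not go.
    """
    tags = parse_dmarc(record) if record else {}
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        # Missing record, p=none or an unrecognised value: nothing enforced today.
        return CONDITIONAL if has_enforcement_plan else NO_GO
    if policy == "quarantine":
        return CONDITIONAL
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0  # malformed pct: treat as not fully enforced
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if pct < 100 or subdomain_policy != "reject":
        return CONDITIONAL
    return GO


@dataclass
class Signal:
    name: str
    weight: int  # points this signal carries on the 100-point scorecard
    result: str  # GO, CONDITIONAL or NO_GO from the table's Score Thresholds


# Assumed credit per result; the table fixes thresholds, not point values.
CREDIT = {GO: 1.0, CONDITIONAL: 0.5, NO_GO: 0.0}


def score(signals: list) -> float:
    """Weighted points; weights must total 100 for the cut-offs to hold."""
    if sum(s.weight for s in signals) != 100:
        raise ValueError("signal weights must total 100")
    return sum(s.weight * CREDIT[s.result] for s in signals)


def decision(points: float) -> str:
    """The article's cut-offs: 65+ go, 50-64 conditional, below 50 no-go."""
    if points >= 65:
        return GO
    if points >= 50:
        return CONDITIONAL
    return NO_GO


def example_scorecard(dmarc_record: Optional[str], has_plan: bool = False):
    """Constructed sample prospect: nine fixed results plus a computed DMARC row.

    Equal 10-point weights and the nine fixed results are invented sample data.
    """
    sample = [
        ("EDR coverage", GO),
        ("SIEM logging & retention", CONDITIONAL),
        ("Documented processes", CONDITIONAL),
        ("Security policies", CONDITIONAL),
        ("Incident Response plan", NO_GO),
        ("Automation posture (SOC/Agentic AI)", CONDITIONAL),
        ("Executive sponsorship & risk acceptance", GO),
        ("Identity hygiene", GO),
        ("Security awareness & training (SAT)", CONDITIONAL),
    ]
    signals = [Signal(name, 10, result) for name, result in sample]
    signals.append(Signal("Email authentication posture (DMARC)", 10,
                          dmarc_posture(dmarc_record, has_plan)))
    points = score(signals)
    return points, decision(points)


if __name__ == "__main__":
    # Constructed records for example.com; in practice fetch the TXT record at _dmarc.<domain>.
    for record, plan in [("v=DMARC1; p=reject; rua=mailto:dmarc@example.com", False),
                         ("v=DMARC1; p=none; rua=mailto:dmarc@example.com", True),
                         (None, False)]:
        print(record, "->", example_scorecard(record, plan))
```

With the sample data above the same prospect scores 65 (go) at p=reject, 60 (conditional) at p=none with a written plan, and 55 (conditional) with no record at all, which is the point of pricing DMARC against a dated enforcement timeline rather than a promise.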
Standardizing this stack lowers ticket volume, shortens MTTR, and improves renewal likelihood by making outcomes consistent across tenants. It also anchors pricing to a defined operating model, which reduces custom work, limits exception handling, and keeps service levels predictable for both your team and the customer.
When selling the IRONSCALES solution, an MSP can lead with inbox-level email security delivered via API and continuous post-delivery scanning, where threats actually live. Layer in agentic SOC automation for autonomous clustering and remediation with adjustable guardrails that demonstrate control, not chaos, to leadership. Round it out with awareness training and simulations that use real inbox attacks to personalize learning, plus managed DMARC with hosted records, auto-flattened SPF, alerting, and executive-ready reporting. Publish a standard stack and stick to it so you can protect margin and set clear expectations.
Make risk and cost allocation explicit in your MSA and SOWs. If a customer declines recommended controls such as DMARC enforcement or automation, document the decision in an exception register with executive signatures, and state that operational costs and fines tied to non-compliance are customer-owned. Align cyber-insurance terms so that if choices reduce insurability or increase premiums, the customer owns the delta, and cap duty to defend to your negligence, not to declined controls.
Add a RACI attachment that names owners for DMARC, automation thresholds, exception approvals, and carrier notifications. This keeps accountability clear, reduces debate during incidents, and provides a contractual basis for remediation timelines, surcharge triggers, and any temporary relaxations of automation while still protecting your margins.
Tie price to measurable risk and visible workload rather than aspirational roadmaps. Use exception multipliers so each open exception carries a monthly uplift that recedes as controls close; apply higher multipliers to choices that materially raise exposure like declining DMARC enforcement and track them in the exception register to keep incentives aligned.
Introduce DMARC timeline pricing with two rates: one for achieving enforcement by the agreed date and one if delayed. If a client refuses automation, add a manual-only surcharge tied to actual measured workload. This structure keeps cost proportional to risk, motivates remediation, protects analyst time, and creates a financial incentive to adopt automation instead of relying on hope.
Growth isn’t just about adding account volume. It’s about adding the right accounts. With phishing volumes running to billions of emails a day and GenAI fueling new attack variants, MSPs can’t afford to absorb unnecessary risk.
Qualify prospects with data, standardize around automation, and document everything. The clients who value those principles are the ones who will stay longer, pay fairly, and strengthen your business.