Security Operations Glossary

MSSP - Managed Security Service Provider

A Managed Security Service Provider (MSSP) handles cybersecurity tasks as an external service provider: 24/7 SOC operations, SIEM management, vulnerability management, threat hunting, and incident response. MSSPs enable small and medium-sized businesses to achieve enterprise-level security without maintaining their own SOC team. What distinguishes MDR (Managed Detection & Response) from a classic MSSP is that an MDR provider also actively responds to threats rather than only detecting and reporting them.

Managed Security Service Providers (MSSPs) are the answer to a fundamental challenge: Cybersecurity requires 24/7 operations, specialized expertise, and expensive tools—very few companies can afford a full-fledged in-house SOC team. MSSPs offer these capabilities as a service.

MSSP vs. MDR vs. In-House SOC

In-House SOC:

  • What: A company’s own Security Operations Center with its own staff
  • Costs: Very high; 3–5 full-time analysts = €300,000–500,000/year plus SIEM license, tools, and infrastructure
  • Advantages: Full control, deep organizational expertise
  • Disadvantages: Expensive, difficult to staff, challenging to maintain 24/7
  • Suitable for: Companies > 1,000 employees, critical infrastructure

MSSP (Managed Security Service Provider):

  • What: External SOC operations, monitoring, alerting
  • Costs: 5,000–50,000 EUR/month depending on scope
  • Advantages: 24/7 monitoring, specialized expertise, SLAs
  • Disadvantages: Less organizational context, reactive (alert → follow-up)
  • Suitable for: Companies with 100–1,000 employees without their own SOC

MDR (Managed Detection & Response):

  • What: MSSP + active response (containment, isolation)
  • Cost: 15,000–80,000 EUR/month
  • Advantages: Response even when the CISO is unavailable; threat hunting included
  • Disadvantages: More expensive; active interventions require clear authorization
  • Suitable for: Companies that need rapid incident response

MSSP Core Services:

  • 24/7 SOC Monitoring: Round-the-clock SIEM monitoring, triage (separating false positives from genuine alerts), escalation of critical alerts with immediate customer notification
  • SIEM-as-a-Service: MSSP operates SIEM infrastructure (Splunk, Microsoft Sentinel, IBM QRadar), log ingestion from all sources (firewall, AD, endpoints, cloud); customers often have their own SIEM portal (reports, dashboards)
  • Vulnerability Management: Regular scans, prioritization, reporting; patch SLA tracking: who is responsible for which system?
  • Threat Intelligence Integration: MSSP-owned threat intelligence feeds, IOC matching against customer data
  • Incident Response Retainer: X hours of IR per year included; in the event of an incident, the MSSP IR team responds (remotely or on-site)

Selecting an MSSP

Selection Criteria:

  1. Certifications and credentials: ISO 27001 certified (the MSSP itself holds the certification), SOC 2 Type 2 (particularly relevant for US customers), BSI qualification (for KRITIS-relevant companies), ENISA-compliant (EU requirements); employee certifications: CISSP, CISM, GIAC certifications
  2. Technical capabilities: Which SIEM? (Microsoft Sentinel: cloud-native; Splunk: powerful); in-house threat intelligence or only external feeds?; IR capability: can they actively intervene if necessary?; MDR capability: endpoint isolation, account lockout?
  3. Response times (SLA): Critical alert → escalation: < 15 minutes?; On-site incident response: < 4 hours?; When is a report provided for a critical incident?; Contractual penalty for SLA violation?
  4. Data protection and data residency: Where is the SIEM operated? (Data center in Germany/EU?); Are logs transferred to the U.S.? (Data protection issue!); Has a GDPR-compliant data processing agreement (DPA, German: AVV) been concluded with the MSSP?; MSSP subcontractors: who has access to customer data?
  5. Company References: Customers in similar industries and of similar size, real-world incident response experience (not just theoretical), reference calls with existing customers
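The SLA criteria above (critical alert escalated in under 15 minutes, contractual penalty on violation) are only enforceable if the customer can measure them from the MSSP's own ticket timestamps. The following script is an added example, not code from the original glossary or from any MSSP; the alert records and the SLA thresholds it uses are constructed for illustration, with the 15-minute critical threshold taken from the checklist and the 1-hour threshold for "high" alerts an assumption. It reports, per severity, how many alerts met the escalation SLA, which ones breached it, and treats an alert the MSSP never escalated as a breach rather than silently ignoring it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# SLA escalation thresholds per severity. "critical" mirrors the
# "< 15 minutes" checklist item; "high" is an assumed value for this example.
SLA_ESCALATION = {
    "critical": timedelta(minutes=15),
    "high": timedelta(hours=1),
}


@dataclass
class Alert:
    """One SIEM alert as it would appear in an MSSP ticket export."""
    alert_id: str
    severity: str
    detected: datetime            # time the SIEM raised the alert
    escalated: Optional[datetime]  # time the customer was notified; None = never


# Constructed sample records (not real MSSP data).
SAMPLE_ALERTS = [
    Alert("A-1", "critical", datetime(2024, 3, 1, 2, 0), datetime(2024, 3, 1, 2, 9)),
    Alert("A-2", "critical", datetime(2024, 3, 1, 3, 30), datetime(2024, 3, 1, 4, 5)),
    Alert("A-3", "high", datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 9, 40)),
    Alert("A-4", "critical", datetime(2024, 3, 2, 23, 10), None),
    Alert("A-5", "low", datetime(2024, 3, 3, 8, 0), datetime(2024, 3, 3, 14, 0)),
]


def escalation_delay(alert: Alert) -> Optional[timedelta]:
    """Time between detection and customer notification, or None if never escalated."""
    if alert.escalated is None:
        return None
    return alert.escalated - alert.detected


def check_sla(alerts: List[Alert]) -> Dict[str, dict]:
    """Evaluate each alert against the SLA threshold for its severity.

    Returns a per-severity summary. Severities without a contractual
    threshold are counted under "uncovered" so they are visible, not lost.
    """
    summary: Dict[str, dict] = {}
    for alert in alerts:
        threshold = SLA_ESCALATION.get(alert.severity)
        key = alert.severity if threshold is not None else "uncovered"
        bucket = summary.setdefault(
            key, {"total": 0, "met": 0, "breached": 0, "breached_ids": [], "worst_minutes": 0.0}
        )
        bucket["total"] += 1
        if threshold is None:
            continue
        delay = escalation_delay(alert)
        # A missing escalation is the worst possible outcome: count it as a breach.
        if delay is None or delay > threshold:
            bucket["breached"] += 1
            bucket["breached_ids"].append(alert.alert_id)
        else:
            bucket["met"] += 1
        if delay is not None:
            bucket["worst_minutes"] = max(bucket["worst_minutes"], delay.total_seconds() / 60)
    return summary


def breach_rate(summary: Dict[str, dict], severity: str) -> float:
    """Fraction of covered alerts of a severity that breached the SLA (0.0 if none)."""
    bucket = summary.get(severity)
    if not bucket or bucket["total"] == 0:
        return 0.0
    return bucket["breached"] / bucket["total"]


if __name__ == "__main__":
    result = check_sla(SAMPLE_ALERTS)
    for sev, bucket in result.items():
        print(f"{sev:9s} total={bucket['total']} met={bucket['met']} "
              f"breached={bucket['breached']} ids={bucket['breached_ids']} "
              f"worst={bucket['worst_minutes']:.0f} min")
```

Run against a real ticket export, the breach list is what you bring to the quarterly SLA review and, where the contract provides one, the basis for the penalty clause; the "uncovered" bucket shows which severities the contract leaves without any response commitment.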

Typical MSSP Pricing Models:

  • Per endpoint/asset: X EUR per monitored endpoint/month – scalable and transparent
  • Per log volume (EPS): X EUR per event per second – unpredictable, can become expensive
  • Package prices: Starter 5–15 EUR/endpoint/month (Basic Monitoring), Professional 20–40 EUR/endpoint/month (+ Threat Hunting), Enterprise customized (+ MDR + IR retainer)

Example for a company with 200 employees:

Item                                   Cost/Month
MSSP, 200 endpoints at 25 EUR each     5,000 EUR
SIEM log volume                        2,000 EUR
IR retainer (20h)                      3,000 EUR
Total                                  ~10,000 EUR

Comparison: an internal SOC with 2 full-time analysts + SIEM costs ~250,000+ EUR/year → the MSSP is more cost-effective and provides 24/7 coverage instead of 8/5 coverage.