Insights

The MDR Multiple Tax: What Real Security Depth Adds When You Sell Your MSP

Security-led MSPs sell for 2 to 4 more turns of EBITDA than generalists, and labour-heavy vCISO shops trade at a discount. The build vs buy vs partner math.

By Alexej Pikovsky  ·  Updated

Sell a generalist MSP at the $3M to $10M revenue tier and the market prices you at 5 to 8 times adjusted EBITDA. Sell one with real security depth (MDR, XDR, a SOC that actually detects and responds) and the same advisory data puts the specialist band at 10 to 16 times. CT separately characterizes that premium as roughly 2 to 4 extra turns of EBITDA at this revenue tier, and it is what I call the MDR multiple tax: the discount the market quietly levies on every MSP that sells security as a badge instead of a capability.

I read this from an operator's seat rather than a spreadsheet one. I spent a decade in investment banking and private equity, more than $7bn of transactions and a board seat through a $300M-plus PE exit, and I now run growth for MSPs and cyber firms. So I care less about the headline multiple than about the mechanism that produces it, and about the three ways an owner can actually close the gap before a sale. The baseline bands behind all of this sit in the MSP valuation multiples breakdown, and the buyers doing the paying are covered in private equity firms buying MSPs and private equity in cybersecurity.

One honesty note before the numbers, because it governs everything below. Every multiple in this piece is an advisory-firm synthesis estimate. CT Acquisitions builds these bands by blending disclosed deals, private databases and intermediary commentary. It is not audited transaction data, and boutique MSSP deals are mostly private, so treat the ranges as the shape of the market rather than a quote on your business.

The multiple ladder

Start with where the turns actually sit, because most owners assume security is a single lever that moves you up. It is not. There are three rungs, and one of them moves you down.

CT Acquisitions' MSSP M&A Multiples Report 2026 puts MDR and XDR specialists at 10 to 16 times adjusted EBITDA, generalist MSPs at 5 to 8 times in the $3M to $10M revenue range, and labour-based MSSPs (the vCISO and advisory-heavy shops) at 4 to 7 times, the deepest discount tier on the board. Their separate MSP guide tracks the generalist floor at 3.5 to 5.0 times below $5M of EBITDA, 4.5 to 8.0 times from $5M to $15M, and 11 to 15 times plus once you reach platform scale.

The MSP multiple ladder at the $3M to $10M revenue tier (CT Acquisitions synthesis estimates, 2026)
Business typeMultiple (adj. EBITDA)Where it sits
Labour-heavy MSSP (vCISO, advisory)4 to 7xThe deepest discount tier: revenue is people, not product
Generalist MSP5 to 8xThe baseline everyone starts from
MDR / XDR specialist10 to 16xThe premium: recurring, tooled, defensible security

Read the ladder carefully and the counterintuitive part jumps out. Adding the wrong kind of security is worse than adding none. A generalist that bolts on a vCISO-led advisory practice can slide from the 5-to-8 band down toward 4-to-7, because it has swapped scalable recurring revenue for billable human hours. The premium is not for the word security on your website. It is for a specific shape of revenue.

A cross-check keeps this grounded. Aventis Advisors' IT services multiples land in the same neighbourhood for the generalist tier, and the public-market ceiling from Houlihan Lokey's cybersecurity coverage (high-growth listed cyber names around 15.5 times revenue) is a different animal entirely, a read-through on what the top of the market pays, not a comp for an SMB MSP. The private bands are where you and I live.

Why buyers actually pay the premium

The premium is not sentiment. Buyers pay up for security revenue because of what that revenue does after they own it, and they discount hard the moment it fails their diligence test.

Auxo Capital Advisors puts the mechanism about as plainly as it gets. In their MSSP M&A analysis: "Buyers do not value a label. They value recurring, sticky, standardized, and defensible security revenue." That is the whole premium in one sentence. Recurring means it renews without a resell. Sticky means the client cannot rip it out in a quarter. Standardized means it scales without a custom build per account. Defensible means a competitor cannot undercut it on price alone.

And here is the discount trap, again from Auxo, again verbatim: "MSSP premiums often disappear when security revenue is less recurring than marketed. If a buyer discovers that the security story depends on one-time projects, remediation, tool resale, or custom consulting, it may reclassify revenue and reduce the premium attached to the business."

Reclassify is the word to sit with. A buyer's diligence team takes your security line apart, sorts the recurring managed revenue from the one-time projects and the resold licenses, and reprices each bucket at its true multiple. The badge on the pitch deck does nothing. The revenue underneath it does everything. That same recurring-versus-project distinction runs through the whole exit, which is why it anchors the MSP exit-readiness work long before a buyer shows up.

The three paths: build, partner, buy

If the premium is for real recurring security capability, there are exactly three ways to get one before you sell. Each has a real number attached, and the numbers decide the path more than strategy does.

Build: stand up your own SOC

Building an in-house 24/7 SOC is the most expensive path and the slowest. Blackpoint Cyber puts a minimum viable SOC at roughly $1.2M to $3M a year, with staffing at 65 to 70 percent of that cost, 8 to 12 analysts to cover a single 24/7 seat, analyst salaries of $80K to $120K, and a SOC manager at $140K to $175K. Blackpoint sells MDR, so read their build number as the high end of the argument, but the shape is right and it matches the independent read from Expel ($2M to $2.5M a year) that I broke down in the AI SOC economics piece.

The problem with build is not just the cash. It is that every dollar of SOC payroll lands on your P&L as cost, which lowers the very EBITDA you are trying to multiply, and my read is that the capability is not diligence-grade for a near-term exit; I would not underwrite a build inside a two-year window. Build is for the MSP with scale and time, not the owner eyeing an exit inside two years.

Partner: white-label an MDR

Partnering is the fast path, and for most owners planning an exit 1 to 3 years out it is the right one. You resell a third-party SOC under your own wrap and turn a capability you cannot afford to build into a recurring line you can.

MDR partner pricing, wholesale (per endpoint, per month)
ProviderWholesale rateSourcing
Huntress$2.50 to $3.50Published, best-sourced anchor
Blackpoint$8 to $15Third-party reported, partner-quote only
Todyl, ConnectWise SOCNot publicQuote only, no listed pricing

The cleanest anchor is Huntress, whose MSP partner rate runs $2.50 to $3.50 per endpoint per month. Blackpoint sits higher at a reported $8 to $15 per endpoint, though that is a third-party read of partner quotes rather than a published card. Todyl and ConnectWise SOC do not publish partner pricing at all, so anyone quoting you a firm number for those is guessing. Which tools sit around the MDR layer is mapped in the MSP tool stack.

The diligence catch on partnering is the one Auxo named. Resold, white-labelled MDR can get reclassified as tool resale if the buyer decides the security value lives with your vendor and not with you. You close that gap by owning the client relationship, the response runbook, the tier-3 judgment calls and the renewal, so that what you sell is a managed service with your name on the outcome, not a license with a markup.

Buy: acquire a boutique MSSP

Buying capability outright is the path with the least public data, and that opacity is itself the useful fact. Boutique MSSP deal sizes are almost never disclosed. Barracuda's acquisition of Evo Security went out undisclosed. Worklyn Partners' acquisition of Quadrant Information Security was also undisclosed, though Worklyn's roll-up fund is public at $35M, which frames Worklyn's fund capacity for boutique tuck-ins, though it says nothing about what any single deal cost.

The practical read: because comps are private, buying an MSSP is a negotiation without a public anchor, and you are pricing it off the same recurring-revenue quality test a buyer will later apply to you. If you cannot verify that the target's security revenue is recurring and sticky, you are buying the badge you were trying to avoid, at a premium. The wider field of who acquires in this market sits in who buys MSPs.

Compliance economics

Compliance certifications get sold to MSP owners as a multiple lever. They are not, on their own. They are a gate that lets you sell the revenue that moves the multiple, which is a different thing.

SOC 2 Type II runs $30K to $150K all-in, with most SMBs landing between $30K and $80K, an audit fee of $12K to $100K-plus, and $10K to $40K a year of ongoing maintenance per the recurring-cost breakdowns. CMMC ranges much wider by level: Level 1 at $5K to $15K, Level 2 at $63K to $200K-plus, Level 3 north of $300K, and MSP-delivered CMMC managed security priced at $3K to $25K-plus per month per client.

What compliance actually costs
ProgramCost rangeNote
SOC 2 Type II (total)$30K to $150KMost SMBs $30K to $80K; audit fee $12K to $100K+; maintenance $10K to $40K/yr
CMMC Level 1$5K to $15KBasic safeguarding
CMMC Level 2$63K to $200K+The common contractor requirement
CMMC Level 3$300K+Highest assurance
MSP-delivered CMMC managed security$3K to $25K+/moThe recurring revenue line, per client

Notice which line is the point. The certification costs are one-time or annual overhead. The $3K to $25K per client per month of managed CMMC delivery is the recurring, sticky, defensible revenue a buyer pays a premium for. The cert is the toll you pay to be allowed to sell it.

One nuance that saves real money: an MSP serving defense-contractor clients does not need its own CMMC certification to deliver the service. It needs to operate at the level its clients are required to meet. That distinction, and the land-grab it has opened up, is the whole subject of the MSP CMMC land grab. Chasing your own top-level cert when your clients only need you to run their environment at their level is spending Level 3 money for a Level 1 requirement.

The worked example

Put real numbers on a real business. Take a $2M EBITDA MSP planning an exit in two years. What follows is operator math, my own estimate built off the sourced ranges above, not a quote or an audited figure.

The prize. Moving from the generalist band toward the specialist band is worth 2 to 4 extra turns. Even the conservative 2 turns on $2M of EBITDA is $4M of additional enterprise value at sale. That is the number every path below is competing against.

The build cost. Standing up your own SOC runs $1.2M to $3M a year on Blackpoint's estimate. Take the low end. That $1.2M is a payroll line that reduces your EBITDA while you build, so you are spending down the base you are trying to multiply, and you likely run out of runway before the capability is diligence-grade for a two-year exit. Build does not fit this timeline.

The partner cost. Say the MSP manages 5,000 endpoints across its client base. At Huntress wholesale of $2.50 to $3.50, that is roughly $150K to $210K a year of cost. Mark it up to clients at a normal managed-service margin and it becomes a recurring revenue line that raises EBITDA rather than a payroll line that lowers it. If you keep the relationship, the runbook and the renewal, that revenue passes the recurring-and-sticky test.

The comparison. Partnering adds recurring, marked-up, marginable revenue for low-six-figure annual cost, and it is live in months, not years. Build costs seven figures a year, eats the EBITDA base, and misses the window. Against a $4M-plus prize at exit, the partner path is the only one whose economics and timeline both work for an owner two years out. The one condition attached to all of it is diligence quality: the revenue has to survive a buyer taking it apart line by line.

The demand behind the premium

The premium is not a temporary quirk of one advisory firm's model. It sits on top of a demand shift that shows up in the operators' own numbers.

Kaseya's 2025 global MSP benchmark, drawn from roughly a thousand MSPs, found that "67% of all respondents said security is one of their five fastest-growing revenue categories." Kaseya sells security tooling, so the survey is not neutral, but two thirds of a thousand-MSP sample naming security as a top growth line is a hard signal about where the market is pulling revenue.

On the margin side, the ConnectWise-owned Service Leadership Index reported top-quartile MSPs running about 20.6 percent adjusted EBITDA against an 8.7 percent median in its 2024 data, corroborated in the 2026 release. Read that honestly: it is a top-quartile-versus-median gap driven by operational maturity across the board, not a clean security-attribution figure. Security is one of the levers the best operators pull, not the sole cause of the spread. But the pattern is the same one the multiple ladder rewards. The operators who run tighter, more recurring, more defensible businesses earn both the margin and the multiple, and security-led revenue is one of the cleanest ways to build that shape of business before you sell.

FAQ

How much do 2 to 4 extra turns of EBITDA add on a $2M EBITDA MSP?

Each extra turn is $2M of enterprise value on a $2M EBITDA business, so two turns is $4M and four is $8M. The CT Acquisitions bands put the full generalist-to-specialist gap at 2 to 4 turns at the $3M to $10M revenue tier, so the security premium on a $2M EBITDA MSP is worth roughly $4M to $8M at sale if the security revenue is real. Those are advisory-firm synthesis estimates, not audited comps, so treat them as the shape of the prize.

Is white-label MDR enough to claim real security in diligence, or do buyers see through it?

Buyers see through it when the value lives with the vendor and not with you. Auxo Capital Advisors is explicit that reselling can get reclassified as tool resale, which strips the premium. White-label MDR passes diligence when you own the client relationship, the response runbook, the tier-3 judgment calls and the renewal, so the buyer is acquiring a managed service with your name on the outcome, not a license with a markup. The wrapper is fine. Being only a wrapper is not.

Fastest path from zero: buy, build, or partner?

Partner. Building an in-house SOC costs $1.2M to $3M a year on Blackpoint's estimate and, in my read, is not diligence-grade on a near-term exit timeline. Buying a boutique MSSP is fast but priced without public comps because those deals are mostly undisclosed. Partnering with an MDR at $2.50 to $3.50 per endpoint (Huntress wholesale) turns security into a recurring revenue line in months, which is the only timeline that fits an exit 1 to 3 years out.

Does SOC 2 or CMMC move the multiple by itself?

No. Certifications are a gate, not a lever. SOC 2 Type II ($30K to $150K) and CMMC (Level 2 at $63K to $200K-plus) are the toll you pay to be allowed to sell managed security to clients that require it. What moves the multiple is the recurring revenue the cert unlocks, for example the $3K to $25K-plus per client per month of managed CMMC delivery. Buy the cert for the revenue it gates, not for the badge.

What do buyers ask in diligence to separate real security revenue from resold antivirus?

They sort your security line into buckets and reprice each one. Recurring managed revenue earns the premium. One-time projects, remediation work, tool resale and custom consulting get reclassified down to their true multiple, which is where Auxo says the premium disappears. Expect questions on renewal rates, contract length, whether you or the vendor owns the response, and how much of the revenue survives if a single project pipeline dries up. The test is recurring, sticky, standardized and defensible.

Is acquiring a boutique MSSP worth it, and what do those deals cost?

It can be, but you are negotiating without a public anchor because boutique MSSP deals are almost never disclosed. Barracuda's Evo Security purchase and Worklyn's Quadrant acquisition both went out undisclosed; Worklyn's roll-up fund is public at $35M, which frames the fund's capacity for boutique tuck-ins without saying anything about what any single deal cost. Buying is only worth it if you can verify the target's revenue is recurring and sticky, otherwise you are paying a premium for the badge you were trying to build past.

Does labour-heavy vCISO revenue hurt the multiple versus having no security at all?

Yes, and this is the counterintuitive part. CT Acquisitions puts labour-based MSSPs (vCISO and advisory-heavy) at 4 to 7 times, the deepest discount tier, below the 5 to 8 times generalist baseline. A generalist that adds an advisory-led security practice can slide down the ladder, because it has swapped scalable recurring revenue for billable human hours. The premium rewards product-shaped security revenue. Adding people-shaped security revenue can cost you turns.