Insights

The MSP Tool Stack, Mapped to Where MSPs Actually Spend

A 2026 MSP tool stack map: four software categories, key vendors, funding signals, and where MSPs actually spend across IT, Microsoft management, and security.

By Alexej Pikovsky  ·  Updated

Ask ten MSP owners what they run and you will get ten different answers. Zoom out, though, and the picture is surprisingly consistent. MSP revenue clusters into four kinds of service, and the tools behind each one are a smaller, more predictable set than the noise suggests.

An MSP tool stack is the software layer a managed service provider runs to deliver recurring IT and security services: PSA and RMM at the core, then Microsoft management, backup, identity, endpoint protection, MDR and compliance tooling on top. In practice the stack maps onto four revenue lines, and that is the useful way to read it.

Dawn Capital, a B2B software investor, surveyed 40 MSPs across the US, UK, and Australia and New Zealand, then mapped how their revenue splits across service lines. Four categories carry almost all of it. Worth knowing up front: Dawn invests in this market (it backs Inforcer and Cork, both of which appear below), so read the framing as informed rather than neutral.

The four jobs every MSP stack does

Here is the revenue split Dawn found, biggest slice to smallest. (Funding and valuation figures throughout are from company announcements and trade coverage as of July 2026; the full sourcing note is at the end.)

MSP revenue mix by service line · Dawn Capital MSP Market Study
IT Lifecycle 35%
Advanced infrastructure 26%
Foundational security 19%
Advanced security 16%

That is where the money comes from. Underneath each service line sits a tool stack, and underneath the tools sits a wave of venture and private equity money that is quietly reshaping what those tools cost and who owns them. The rest of this piece walks each category: what it covers, the tools MSPs actually run, and where the capital has landed. That last part matters to you even if you never take an investor meeting, because it is what sets your renewal prices.

Stack acronyms, decoded
AcronymFull termWhere it sits
PSAProfessional services automationTicketing, billing, the MSP's operating system
RMMRemote monitoring and managementThe agent on every client endpoint; core of IT lifecycle
EDR / XDREndpoint / extended detection and responseFoundational to advanced security
MDRManaged detection and responseAdvanced security, sold as a service on top of EDR
SIEMSecurity information and event managementLog analytics behind a SOC offer
SASESecure access service edgeNetwork security delivered from the cloud
MFAMulti-factor authenticationFoundational security; a cyber-insurance requirement

IT Lifecycle: the biggest slice

This is the unglamorous day job: keeping client IT running. Service desk and ticketing, remote monitoring and patching, documentation, backup and disaster recovery, hardware and asset lifecycle, and the distribution layer that supplies the software. It is the largest slice of revenue and the most mature slice of tooling, which is why investors picked their winners here early and mostly stopped writing new checks.

NinjaOne is the outlier: $500M at a $5B valuation, sitting on more than $500M of annual recurring revenue, and now an acquirer in its own right (it bought Dropsuite for SaaS backup).

Everyone else at scale is either private equity or defiantly not. ConnectWise sits inside Thoma Bravo. Kaseya, backed by Insight Partners and TPG, rolled up Datto for $6.2B and now runs Autotask, IT Glue and Datto RMM under one roof. The venture stories that remain are challengers betting the incumbents are bloated and disliked: Atera and SuperOps on all-in-one platforms, and HaloPSA on a bootstrapped, no-private-equity pledge that is itself the pitch.

IT lifecycle tools
ToolWhat it doesBacking
NinjaOneRMM, patching, backupVC · $500M · $5B
ConnectWisePSA, RMM, remote accessPE · Thoma Bravo
Kaseya (VSA, Autotask, Datto, IT Glue)PSA, RMM, backup, docsPE · Insight + TPG
AteraAI-first RMM + PSAVC · $77M
SuperOpsUnified PSA + RMM + AIVC · $54M total
HaloPSAModern PSA and service deskBootstrapped (no-PE pledge)
Hudu / IT GlueDocumentationIndependent / Kaseya-owned
Veeam, DattoBackup and disaster recoveryPE · Insight
ScalePadAsset and warranty lifecyclePE · Integrity Growth
Pax8Software distribution marketplaceVC · $185M · $1.7B

If most of your bill sits here, this is where consolidation pressure and price rises will hit hardest, so it is the first place to lock multi-year pricing at renewal.

Advanced infrastructure: managing Microsoft

The second slice is managing the cloud your clients actually live in, which in practice means Microsoft. Tenant management, Intune, Entra and Purview configuration, Azure and virtual desktops, and the multi-tenant admin that lets you run hundreds of client tenants without losing your mind. Dawn groups this closely with IT lifecycle, so treat the boundary as soft, but the tooling story is distinct enough to stand on its own.

Microsoft supplies the primitives (Intune, Entra, Purview) and a free multi-tenant console in Lighthouse. So the whole investable category is tools that manage and extend Microsoft rather than replace it, and Dawn's own data shows why: MSPs told them they would pay $20 to $80 per tenant per month for a better multi-tenant layer than Lighthouse. That willingness to pay is the wedge.

Nerdio raised a $500M round at a $1B-plus valuation for Azure and M365 provisioning and cost control. Inforcer, which Dawn backs, went from a $19M Series A to a $35M Series B in nine months for multi-tenant M365 policy management. CIPP does much of the same job as open source, and Rewst ($104M raised) automates the repetitive tenant work across the whole stack.

Advanced infrastructure tools
ToolWhat it doesBacking
Microsoft LighthouseMulti-tenant M365 adminMicrosoft-native
Intune, Entra, PurviewDevice, identity, data governanceMicrosoft-native
NerdioAzure, AVD and M365 provisioning and costVC · $500M · $1B+
InforcerMulti-tenant M365 policy managementVC · $35M · Dawn + Meritech
CIPPMulti-tenant M365 managementOpen source (CyberDrain)
CoreViewM365 governance and licensingVC · Insight
RewstAutomation across the tenant stackVC · $104M total

Standardising on Microsoft-native where you can, then paying for one management layer on top, beats stitching together point tools you will later have to rip out.

Foundational security: the baseline

The baseline every client now expects and most cyber insurers now require, the calmest corner of the wider cybersecurity market: endpoint protection, multi-factor authentication and identity, email security, DNS and web filtering, and security awareness training. Dawn flags this layer as growing steadily as security climbs the priority list.

The tooling is a mix of platform giants and channel specialists. Microsoft Defender is the default for a lot of MSPs because it comes bundled with the licences they already sell. SentinelOne and CrowdStrike are the public-company heavyweights.

Huntress built a business worth more than $1.5B specifically by selling managed endpoint detection through MSPs rather than direct, which tells you how much the channel is worth. Most of the rest of the layer has been taken private: KnowBe4 (Vista, $4.6B) for awareness training, Proofpoint (Thoma Bravo) and Mimecast (Permira) for email.

Foundational security tools
ToolWhat it doesBacking
Microsoft DefenderEndpoint and email protectionMicrosoft-native
SentinelOneEndpoint detection (EDR/XDR)Public (NYSE: S)
CrowdStrikeEndpoint detection (EDR/XDR)Public (NASDAQ: CRWD)
HuntressManaged EDR sold through MSPsVC · $150M · $1.5B+
KnowBe4Security awareness trainingPE · Vista · $4.6B
Proofpoint / MimecastEmail securityPE · Thoma Bravo / Permira
Duo (Cisco)Multi-factor authenticationCisco (public)
DNSFilter / Cisco UmbrellaDNS and web filteringVC · Insight / Cisco

This is table stakes you resell, not a differentiator, so buy for reliability and margin rather than features, and expect the bundled Microsoft option to keep eating the standalone ones.

Advanced security: the growth engine

The smallest slice of revenue today and the one everyone is chasing, because it is the fastest-growing and the highest-margin. Dawn scopes it as SOC, XDR and penetration testing; in practice it also covers managed detection and response, SIEM, zero trust, compliance and even cyber warranty. It is also where MSP owners are most frustrated with the incumbents, which is exactly why the money is flooding in.

This is the busiest funding bucket in the whole stack. Arctic Wolf has raised close to $900M for concierge SOC. Blackpoint Cyber ($190M) and Guardz ($56M, with SentinelOne investing strategically) build managed detection specifically for the channel. Todyl ($50M) bundles SASE, SIEM and detection into one platform.

ThreatLocker raised a $60M Series E at roughly $1.2B for zero-trust application allowlisting. Vanta ($150M, valued around $4B) turned compliance into software, and Cork is early on cyber warranty for the small businesses MSPs serve.

Advanced security tools
ToolWhat it doesBacking
Arctic WolfConcierge MDR and SOCVC · ~$900M raised
Blackpoint CyberMDR built for MSPsVC · $190M
GuardzAI-native detection and response for MSPsVC · $56M · SentinelOne
TodylSASE, SIEM and MXDR platformVC · $50M
Microsoft SentinelCloud SIEMMicrosoft-native
ThreatLockerZero-trust application allowlistingVC · $60M · ~$1.2B
vPenTest (Vonahi)Automated penetration testingKaseya-owned
VantaCompliance and GRC automationVC · $150M · ~$4B
CorkCyber warranty for SMBsVC · $6M

This is where to build a real practice rather than resell a checkbox. Whether the margin from AI-driven security lands with you or your vendor is its own unit-economics question. Moving one client from foundational to advanced security is the single fastest way to lift both revenue and margin at the same time.

What this means for your stack

Three things follow directly from the map.

Your tool bill funds the payback. A $5B valuation is a promise to investors, and the promise gets kept out of your subscription line. Expect price increases, aggressive bundling and pressure to consolidate onto platforms. If you can lock multi-year pricing at your next renewal, do it.

The automation vendors will consolidate. A crowded field of AI-technician and automation startups is selling to you right now, and 85% of MSPs told Dawn they are still fighting manual processes, so the demand is real. Most of these vendors will end up inside Rewst or the platform players rather than surviving alone. Bet your operations on the category leaders, and where you experiment with a smaller tool, keep your data portable.

Security is where the stack is heading, and it is also the line buyers pay up for in MSP valuation multiples. It is the smallest revenue slice and the fastest-growing one, the incumbents are the least liked, and it carries the best margins. If you make only one deliberate move on your stack this year, make it moving clients up from foundational to advanced security.

For the investor's-eye view of the same market, I mapped where the venture money actually went and who is now raising to buy MSPs outright in two companion pieces.

FAQ

What are the four categories of MSP tools?

They come from Dawn Capital's MSP revenue mix: IT lifecycle (35%, the largest), advanced infrastructure (26%, mostly managing Microsoft), foundational security (19%, the baseline every client expects), and advanced security (16%, the fastest-growing and highest-margin). Each service line runs on its own tool stack, and each stack has drawn its own wave of venture and private equity money.

Which MSP software companies have raised the most funding?

NinjaOne has raised the most at $500M, valued at $5B. Pax8, the distribution marketplace, sits at a $1.7B valuation. Arctic Wolf has pulled in close to $900M for its SOC, and Nerdio raised a $500M round for Azure and M365 management. On the security side, Huntress ($150M) and Vanta ($150M) lead, with Inforcer at roughly $54M across two rounds.

Are MSP tools getting more expensive?

Yes. Every large valuation is a promise to investors, and that promise gets paid out of your subscription line. A $5B valuation like NinjaOne's has to be recouped from the fees MSPs pay, which means price increases, aggressive bundling, and pressure to consolidate onto platforms. The defensive move is simple: lock multi-year pricing at your next renewal before the increases land.

Should an MSP build its stack on Microsoft?

For most MSPs, yes. Microsoft supplies the primitives across nearly every category (Intune, Entra, Purview, Defender) and even a free multi-tenant console in Lighthouse. The money sits in the layer that manages and extends it, not in replacing it. Standardise on Microsoft-native where you can, then pay for one strong management layer on top rather than stitching together point tools.

What is the difference between foundational and advanced security for an MSP?

Foundational security is the baseline every client expects and most cyber insurers require: endpoint protection, MFA, email security, DNS filtering, and awareness training. You resell it for reliability and margin, not as a differentiator. Advanced security is the higher-margin practice you build: SOC, XDR, managed detection and response, SIEM, zero trust, and compliance. Moving a client from one to the other is the fastest way to lift revenue and margin together.

A note on the numbers

The category split comes from Dawn Capital's MSP market study, which measured revenue mix across service lines for 40 MSPs in the US, UK and ANZ in early 2025. It is a useful frame, though it is an investor's study rather than neutral analyst research, and the percentages are read from the report's own chart. The funding figures trace to company press releases and reputable trade coverage, cross-checked during research. Funding data is self-reported at origin, so treat totals as directionally exact rather than audited.

I keep a running research file with the full breakdown, including investors per round. If you want it, ask me on LinkedIn.