Ask ten MSP owners what they run and you will get ten different answers. Zoom out, though, and the picture is surprisingly consistent. MSP revenue clusters into four kinds of service, and the tools behind each one are a smaller, more predictable set than the noise suggests.
An MSP tool stack is the software layer a managed service provider runs to deliver recurring IT and security services: PSA and RMM at the core, then Microsoft management, backup, identity, endpoint protection, MDR and compliance tooling on top. In practice the stack maps onto four revenue lines, and that is the useful way to read it.
Dawn Capital, a B2B software investor, surveyed 40 MSPs across the US, UK, and Australia and New Zealand, then mapped how their revenue splits across service lines. Four categories carry almost all of it. Worth knowing up front: Dawn invests in this market (it backs Inforcer and Cork, both of which appear below), so read the framing as informed rather than neutral.
The four jobs every MSP stack does
Here is the revenue split Dawn found, biggest slice to smallest. (Funding and valuation figures throughout are from company announcements and trade coverage as of July 2026; the full sourcing note is at the end.)
That is where the money comes from. Underneath each service line sits a tool stack, and underneath the tools sits a wave of venture and private equity money that is quietly reshaping what those tools cost and who owns them. The rest of this piece walks each category: what it covers, the tools MSPs actually run, and where the capital has landed. That last part matters to you even if you never take an investor meeting, because it is what sets your renewal prices.
| Acronym | Full term | Where it sits |
|---|---|---|
| PSA | Professional services automation | Ticketing, billing, the MSP's operating system |
| RMM | Remote monitoring and management | The agent on every client endpoint; core of IT lifecycle |
| EDR / XDR | Endpoint / extended detection and response | Foundational to advanced security |
| MDR | Managed detection and response | Advanced security, sold as a service on top of EDR |
| SIEM | Security information and event management | Log analytics behind a SOC offer |
| SASE | Secure access service edge | Network security delivered from the cloud |
| MFA | Multi-factor authentication | Foundational security; a cyber-insurance requirement |
IT Lifecycle: the biggest slice
This is the unglamorous day job: keeping client IT running. Service desk and ticketing, remote monitoring and patching, documentation, backup and disaster recovery, hardware and asset lifecycle, and the distribution layer that supplies the software. It is the largest slice of revenue and the most mature slice of tooling, which is why investors picked their winners here early and mostly stopped writing new checks.
NinjaOne is the outlier: $500M at a $5B valuation, sitting on more than $500M of annual recurring revenue, and now an acquirer in its own right (it bought Dropsuite for SaaS backup).
Everyone else at scale is either private equity or defiantly not. ConnectWise sits inside Thoma Bravo. Kaseya, backed by Insight Partners and TPG, rolled up Datto for $6.2B and now runs Autotask, IT Glue and Datto RMM under one roof. The venture stories that remain are challengers betting the incumbents are bloated and disliked: Atera and SuperOps on all-in-one platforms, and HaloPSA on a bootstrapped, no-private-equity pledge that is itself the pitch.
| Tool | What it does | Backing |
|---|---|---|
| NinjaOne | RMM, patching, backup | VC · $500M · $5B |
| ConnectWise | PSA, RMM, remote access | PE · Thoma Bravo |
| Kaseya (VSA, Autotask, Datto, IT Glue) | PSA, RMM, backup, docs | PE · Insight + TPG |
| Atera | AI-first RMM + PSA | VC · $77M |
| SuperOps | Unified PSA + RMM + AI | VC · $54M total |
| HaloPSA | Modern PSA and service desk | Bootstrapped (no-PE pledge) |
| Hudu / IT Glue | Documentation | Independent / Kaseya-owned |
| Veeam, Datto | Backup and disaster recovery | PE · Insight |
| ScalePad | Asset and warranty lifecycle | PE · Integrity Growth |
| Pax8 | Software distribution marketplace | VC · $185M · $1.7B |
If most of your bill sits here, this is where consolidation pressure and price rises will hit hardest, so it is the first place to lock multi-year pricing at renewal.
Advanced infrastructure: managing Microsoft
The second slice is managing the cloud your clients actually live in, which in practice means Microsoft. Tenant management, Intune, Entra and Purview configuration, Azure and virtual desktops, and the multi-tenant admin that lets you run hundreds of client tenants without losing your mind. Dawn groups this closely with IT lifecycle, so treat the boundary as soft, but the tooling story is distinct enough to stand on its own.
Microsoft supplies the primitives (Intune, Entra, Purview) and a free multi-tenant console in Lighthouse. So the whole investable category is tools that manage and extend Microsoft rather than replace it, and Dawn's own data shows why: MSPs told them they would pay $20 to $80 per tenant per month for a better multi-tenant layer than Lighthouse. That willingness to pay is the wedge.
Nerdio raised a $500M round at a $1B-plus valuation for Azure and M365 provisioning and cost control. Inforcer, which Dawn backs, went from a $19M Series A to a $35M Series B in nine months for multi-tenant M365 policy management. CIPP does much of the same job as open source, and Rewst ($104M raised) automates the repetitive tenant work across the whole stack.
| Tool | What it does | Backing |
|---|---|---|
| Microsoft Lighthouse | Multi-tenant M365 admin | Microsoft-native |
| Intune, Entra, Purview | Device, identity, data governance | Microsoft-native |
| Nerdio | Azure, AVD and M365 provisioning and cost | VC · $500M · $1B+ |
| Inforcer | Multi-tenant M365 policy management | VC · $35M · Dawn + Meritech |
| CIPP | Multi-tenant M365 management | Open source (CyberDrain) |
| CoreView | M365 governance and licensing | VC · Insight |
| Rewst | Automation across the tenant stack | VC · $104M total |
Standardising on Microsoft-native where you can, then paying for one management layer on top, beats stitching together point tools you will later have to rip out.
Foundational security: the baseline
The baseline every client now expects and most cyber insurers now require, the calmest corner of the wider cybersecurity market: endpoint protection, multi-factor authentication and identity, email security, DNS and web filtering, and security awareness training. Dawn flags this layer as growing steadily as security climbs the priority list.
The tooling is a mix of platform giants and channel specialists. Microsoft Defender is the default for a lot of MSPs because it comes bundled with the licences they already sell. SentinelOne and CrowdStrike are the public-company heavyweights.
Huntress built a business worth more than $1.5B specifically by selling managed endpoint detection through MSPs rather than direct, which tells you how much the channel is worth. Most of the rest of the layer has been taken private: KnowBe4 (Vista, $4.6B) for awareness training, Proofpoint (Thoma Bravo) and Mimecast (Permira) for email.
| Tool | What it does | Backing |
|---|---|---|
| Microsoft Defender | Endpoint and email protection | Microsoft-native |
| SentinelOne | Endpoint detection (EDR/XDR) | Public (NYSE: S) |
| CrowdStrike | Endpoint detection (EDR/XDR) | Public (NASDAQ: CRWD) |
| Huntress | Managed EDR sold through MSPs | VC · $150M · $1.5B+ |
| KnowBe4 | Security awareness training | PE · Vista · $4.6B |
| Proofpoint / Mimecast | Email security | PE · Thoma Bravo / Permira |
| Duo (Cisco) | Multi-factor authentication | Cisco (public) |
| DNSFilter / Cisco Umbrella | DNS and web filtering | VC · Insight / Cisco |
This is table stakes you resell, not a differentiator, so buy for reliability and margin rather than features, and expect the bundled Microsoft option to keep eating the standalone ones.
Advanced security: the growth engine
The smallest slice of revenue today and the one everyone is chasing, because it is the fastest-growing and the highest-margin. Dawn scopes it as SOC, XDR and penetration testing; in practice it also covers managed detection and response, SIEM, zero trust, compliance and even cyber warranty. It is also where MSP owners are most frustrated with the incumbents, which is exactly why the money is flooding in.
This is the busiest funding bucket in the whole stack. Arctic Wolf has raised close to $900M for concierge SOC. Blackpoint Cyber ($190M) and Guardz ($56M, with SentinelOne investing strategically) build managed detection specifically for the channel. Todyl ($50M) bundles SASE, SIEM and detection into one platform.
ThreatLocker raised a $60M Series E at roughly $1.2B for zero-trust application allowlisting. Vanta ($150M, valued around $4B) turned compliance into software, and Cork is early on cyber warranty for the small businesses MSPs serve.
| Tool | What it does | Backing |
|---|---|---|
| Arctic Wolf | Concierge MDR and SOC | VC · ~$900M raised |
| Blackpoint Cyber | MDR built for MSPs | VC · $190M |
| Guardz | AI-native detection and response for MSPs | VC · $56M · SentinelOne |
| Todyl | SASE, SIEM and MXDR platform | VC · $50M |
| Microsoft Sentinel | Cloud SIEM | Microsoft-native |
| ThreatLocker | Zero-trust application allowlisting | VC · $60M · ~$1.2B |
| vPenTest (Vonahi) | Automated penetration testing | Kaseya-owned |
| Vanta | Compliance and GRC automation | VC · $150M · ~$4B |
| Cork | Cyber warranty for SMBs | VC · $6M |
This is where to build a real practice rather than resell a checkbox. Whether the margin from AI-driven security lands with you or your vendor is its own unit-economics question. Moving one client from foundational to advanced security is the single fastest way to lift both revenue and margin at the same time.
What this means for your stack
Three things follow directly from the map.
Your tool bill funds the payback. A $5B valuation is a promise to investors, and the promise gets kept out of your subscription line. Expect price increases, aggressive bundling and pressure to consolidate onto platforms. If you can lock multi-year pricing at your next renewal, do it.
The automation vendors will consolidate. A crowded field of AI-technician and automation startups is selling to you right now, and 85% of MSPs told Dawn they are still fighting manual processes, so the demand is real. Most of these vendors will end up inside Rewst or the platform players rather than surviving alone. Bet your operations on the category leaders, and where you experiment with a smaller tool, keep your data portable.
Security is where the stack is heading, and it is also the line buyers pay up for in MSP valuation multiples. It is the smallest revenue slice and the fastest-growing one, the incumbents are the least liked, and it carries the best margins. If you make only one deliberate move on your stack this year, make it moving clients up from foundational to advanced security.
For the investor's-eye view of the same market, I mapped where the venture money actually went and who is now raising to buy MSPs outright in two companion pieces.
FAQ
They come from Dawn Capital's MSP revenue mix: IT lifecycle (35%, the largest), advanced infrastructure (26%, mostly managing Microsoft), foundational security (19%, the baseline every client expects), and advanced security (16%, the fastest-growing and highest-margin). Each service line runs on its own tool stack, and each stack has drawn its own wave of venture and private equity money.
NinjaOne has raised the most at $500M, valued at $5B. Pax8, the distribution marketplace, sits at a $1.7B valuation. Arctic Wolf has pulled in close to $900M for its SOC, and Nerdio raised a $500M round for Azure and M365 management. On the security side, Huntress ($150M) and Vanta ($150M) lead, with Inforcer at roughly $54M across two rounds.
Yes. Every large valuation is a promise to investors, and that promise gets paid out of your subscription line. A $5B valuation like NinjaOne's has to be recouped from the fees MSPs pay, which means price increases, aggressive bundling, and pressure to consolidate onto platforms. The defensive move is simple: lock multi-year pricing at your next renewal before the increases land.
For most MSPs, yes. Microsoft supplies the primitives across nearly every category (Intune, Entra, Purview, Defender) and even a free multi-tenant console in Lighthouse. The money sits in the layer that manages and extends it, not in replacing it. Standardise on Microsoft-native where you can, then pay for one strong management layer on top rather than stitching together point tools.
Foundational security is the baseline every client expects and most cyber insurers require: endpoint protection, MFA, email security, DNS filtering, and awareness training. You resell it for reliability and margin, not as a differentiator. Advanced security is the higher-margin practice you build: SOC, XDR, managed detection and response, SIEM, zero trust, and compliance. Moving a client from one to the other is the fastest way to lift revenue and margin together.
A note on the numbers
The category split comes from Dawn Capital's MSP market study, which measured revenue mix across service lines for 40 MSPs in the US, UK and ANZ in early 2025. It is a useful frame, though it is an investor's study rather than neutral analyst research, and the percentages are read from the report's own chart. The funding figures trace to company press releases and reputable trade coverage, cross-checked during research. Funding data is self-reported at origin, so treat totals as directionally exact rather than audited.
I keep a running research file with the full breakdown, including investors per round. If you want it, ask me on LinkedIn.