In June 2024, Huntress raised $150M from Kleiner Perkins and Meritech Capital at a valuation north of $1.5B, to sell security tooling to MSPs. In the same rough window, Blackpoint Cyber took $190M from Bain Capital Tech Opportunities and Accel, and Todyl took $50M from Base10 Partners. All of that capital went to companies that arm MSPs with security products to resell.
None of it went to an MSP that decided to build a 24/7 SOC, hire the analysts, buy the SIEM, and rebrand itself as an MSSP. That is not an oversight. It is the capital structure working exactly as designed, and once you see the mechanism you stop expecting it to change.
The short version of why VCs won't fund the MSP-to-MSSP transition: venture capital funds the tools sold to MSPs, private equity buys the MSPs, and the two never cross because one side is priced on revenue multiples and the other on EBITDA multiples. That gap in exit currency is the whole story. I read this from an operator's seat, because I run growth for MSPs and cyber firms and I spend my time on where the margin and the money actually land, not on the marketing. Ross Haleliuk laid out the general structural case for why VC avoids cybersecurity services in a January 2023 essay that predates most of the numbers below. This piece ties it specifically to the MSP-to-MSSP move, pairs it with 2023 to 2026 funding and multiple data, and ends on the one deal that looks like it breaks the rule and actually proves it.
Where the VC money actually goes
Start with the flow of capital, because it is not subtle once you line it up. The venture money in this corner of the market goes to the picks and shovels, the vendors that build security software for MSPs to buy and resell.
Huntress closed its $150M Series D in June 2024, led by Kleiner Perkins and Meritech with Sapphire Ventures following on, at a $1.5B-plus valuation and roughly $100M ARR growing better than 70 percent a year. Blackpoint Cyber raised its $190M growth round in June 2023 to expand a platform built to serve MSP partners. Todyl raised a $50M Series B in March 2024, led by Base10 Partners, with Datto founder Austin McChord joining the advisory board around the raise (I anchor that one on Todyl's own newsroom rather than the wire copy, since the primary release was hard to verify cleanly). Cork, a cyber-warranty company built for the channel, took a $6M seed in 2023 and a follow-on in 2025 that it describes on its own site as undisclosed, the first of several planned tranches.
Zoom out and the pattern holds at the category level. Cybersecurity-wide venture investment hit $13.97B across 392 rounds in 2025, up 47 percent from $9.5B in 2024 and the strongest year since 2022, per Pinpoint Search Group's 2025 Cyber Security Vendor Funding Report, covered by SecurityWeek and Crunchbase News. Early-stage seed and Series A made up 63 percent of round volume. That is a market pouring money into product companies at the formation stage. Almost none of it is going to a services business that already exists and wants capital to hire.
If you want the fuller map of where the tool money landed, I keep a running MSP software funding map, and the firms writing these checks show up in the roster of the most active cybersecurity VCs. The one thing they have in common is a product thesis. None of them has a services mandate.
The structural reason: labor doesn't scale
Haleliuk's essay makes the core case, so credit goes to him for the frame. A services business sells people-hours. Revenue and headcount cost grow together in a straight line, so the margin curve never bends the way a VC needs it to. A software business sells the same code to the next customer at near-zero marginal cost, which is the curve venture math is built around.
Stack three things on top of each other and you get the whole reason venture stays out of MSP-to-MSSP transitions:
Start with the model mismatch. A venture fund lives 5 to 8 years and needs a handful of outsized, non-linear outcomes to return the fund. A services business that grows revenue and cost in lockstep cannot produce that shape no matter how well it is run.
Then the scaling economics. Layer managed services onto a software business and gross margin drags down toward the 40 to 60 percent range, against the 70 to 90 percent a pure product commands. There is no version of a labor-delivered SOC that clears the software bar, because the labor is the product.
And the moats are thin. Any experienced practitioner can start a competing services shop with a laptop and a few certifications. Low barriers to entry mean no durable pricing power, and no durable pricing power means no venture-scale defensibility. I have written more on where an MSP's defensibility actually comes from in the MSP moat framework, and the honest answer is that it is rarely the kind of moat a VC underwrites.
Put those three together and a VC looking at an MSP building a security practice sees a business that scales linearly, margins in the middle, and competes in a low-barrier market. That is a fine business. It is not a venture business.
The margin gap in one table
Margins are where the argument stops being theoretical. Here is the spread, from the software ceiling down to the labor floor.
| Business model | Typical gross margin |
|---|---|
| Pure SaaS | 80 to 85 percent |
| SaaS with meaningful services | 65 to 75 percent |
| MSP / managed services | around 50 to 52 percent |
| General IT services (Accenture, Cognizant class) | 25 to 35 percent |
The SaaS numbers converge across Software Equity Group, Eqvista and CloudZero, and the tell in that table is the row that shows what happens when you bolt managed services onto software: margin slides from the 80s toward 50. The general IT services floor of 25 to 35 percent comes from Eagle Rock CFO, with public comps like Accenture near 32 percent and Cognizant near 29 percent. The MSP-specific figure, an industry average around 52 percent in 2025 with EBITDA margins near 18 percent, comes from MedHaCloud's 2026 roundup of managed-services market data, which is a secondary aggregator rather than a primary research house, so I treat it as directional rather than a hard benchmark to model against.
The point does not depend on the exact decimal. An MSSP built on human delivery lives structurally below the software line, and no amount of good management moves a labor business into software territory. It moves it a few points, not thirty.
The currency mismatch that closes the loop
Here is the mechanical core of the whole thesis, and it is the piece most people miss because they never convert the two multiples into the same unit.
Software companies are valued on revenue. A high-growth security software business raising growth-stage venture is priced at some multiple of ARR. Services businesses, MSSPs included, are valued on EBITDA, some multiple of the actual profit the labor throws off. Those are different currencies, and when you convert one into the other the gap is enormous.
The services multiples come from CT Acquisitions' MSSP and Cybersecurity Services M&A Multiples Report 2026, which is the most current and most granular set I found. These are advisory synthesis estimates rather than audited transaction data, so read them as a well-informed frame, not a printed comp sheet.
| Segment | EBITDA multiple | Revenue-equivalent at realistic margin |
|---|---|---|
| MSP with a security practice bolted on | 6x to 9x | roughly 1.1x to 1.6x |
| Pure-play MSSP | 7x to 10x | roughly 1.3x to 1.8x |
| Platform-scale MDR / XDR specialist | 10x to 16x | roughly 2x to 3.2x |
Now do the conversion out loud, because that is where the argument becomes concrete. A pure-play MSSP at 9x EBITDA, run at a realistic 18 percent margin, is worth about 1.6x revenue. A platform-scale MDR at 16x EBITDA and a 20 percent margin, which is about as good as services economics get, lands near 3.2x revenue. Compare that to a security software company raising or exiting at 8x to 12x revenue on CT Acquisitions' own directly fetched comp set, with a secondary citation via Houlihan Lokey's Cybersecurity Index putting the high-growth median as high as 15.5x revenue (a figure I would treat as indicative rather than audited).
Same ARR base. A 4x to 10x gap in exit currency. That is the mechanical reason a dollar of MSP-to-MSSP transition capital can never return what a dollar into the tool vendor returns. The venture fund is not being short-sighted. It is doing the multiplication, and the multiplication says the transition business exits in the wrong currency at a fraction of the multiple. The buyers who do pay for that EBITDA are private equity, which is why the PE firms buying MSPs and the MSP security exit multiple are the frame an MSP owner should actually plan around.
The counter-examples that prove the rule
Four companies get thrown at this argument as though they break it: Expel, Arctic Wolf, BlueVoyant and Deepwatch. All four raised serious venture or growth capital, and all four wear the MDR or managed-security label. So the naive version of the thesis, that VC never touches security services, is wrong. The sharper version survives every one of them.
Expel raised a $140.3M Series E in November 2021, co-led by CapitalG and Paladin Capital Group, crossing a $1B valuation and later expanding to $288.8M in total funding. Expel sells managed detection and response, but it pitched and priced itself as an automation-forward software platform with analysts on top, not a labor shop. Arctic Wolf has raised close to $900M, including a $150M Series F in 2021 at a $4.3B valuation, and it has sat at that 2021 mark for years without a venture-scale exit, which tells you something on its own. BlueVoyant has raised close to $700M across its rounds, again on a product-plus-services narrative. Deepwatch, whose Series B was led by Goldman Sachs, raised a $180M round in 2023 that combined equity with strategic and credit capital from Springcoast Capital Partners, Splunk Ventures and Vista Credit Partners rather than a clean venture equity check, which is itself a signal that pure venture economics stopped being the right instrument as the business scaled.
The pattern across all four is the same, and it is the whole thesis in one sentence. Every VC-backed "MSSP" is a national-scale, founder-led, product-first company that raised on a software narrative and wrapped services around a proprietary detection or automation layer. Not one is a regional MSP that added a security practice and went looking for venture money to fund the headcount. Different starting point, different company, different capital need. VC will fund 5 to 10 category-defining MDR platforms nationally, each needing $100M-plus and 8 to 10 years, built by founders who started with a software thesis. It will not fund the transition motion an actual MSP attempts, which is to hire SOC analysts, buy a SIEM, and rebrand.
Titan and General Catalyst: the exception that proves it
Then there is the deal that looks like it finally breaks the rule. In September 2025, General Catalyst led a $74M round into Titan, a startup founded by veterans of Google, Vanta, Scale AI, Snap and Waymo, built to buy up MSPs. Its first acquisition was RFA, a New York IT services provider with around 250 employees. On the surface, that is venture capital funding MSP consolidation, the exact thing I just spent 2,000 words saying VC will not do.
Look at the model and it proves the thesis rather than breaking it. Titan is not funding an MSP's organic decision to build a SOC and become an MSSP. It is buying MSPs outright and re-platforming them onto proprietary, in-house AI service-desk automation, with the explicit goal of converting the labor-cost curve into something closer to software economics before any security layer gets added. General Catalyst's Hemant Taneja framed the thesis around companies that already have "existing customers and data," which MSPs do, and the stated ambition is a $100B company, an Accenture or Cognizant equivalent for the SMB channel.
Read that carefully. Titan is VC trying to defeat the exact problem that makes organic MSP-to-MSSP transitions unfundable in their native form: linear labor scaling. The capital is going to a software and AI thesis wrapped around acquired service businesses, the same product-first, services-wrapped pattern as Expel and Arctic Wolf, just pointed at horizontal IT services instead of security specifically. It is the one narrow door through which venture money touches MSP economics, and it works by trying to eliminate the labor curve, not by underwriting it. Nobody at Titan is writing a check for an existing MSP's team to become a SOC. They are writing a check to buy the team and then automate the labor out of it. The economics of that AI-automation bet are the same ones I dug into in AI SOC economics, and they are the only version of this story where the venture math closes.
What this means if you run an MSP
If you own an MSP and you are building a security practice, the read is direct: do not raise venture capital for it, and do not structure the business as though a venture round is the goal. The funding data and the multiple data point the same way. VC money in this space goes to the tools you buy from, not to you, and the underlying margin structure of a services business cannot support the return a venture fund needs.
Underwrite the security line as a private-equity exit from the start. PE is the buyer of record for MSSP economics, paying 6x to 16x EBITDA depending on scale and how much of the business is genuine platform versus headcount. That means the levers that matter are the ones PE pays up for: recurring revenue quality, retention, the share of your delivery that is automated or productized rather than pure labor, and clean, provable numbers. The closer your delivery gets to software economics, the higher up that 6x-to-16x band you land, which is the same dynamic behind the median MSP deal and the sequencing in the MSP exit lifecycle.
My operator read, labeled as judgment rather than data: the MSPs that win the next few years will not be the ones that raise the most capital. They will be the ones that build enough proprietary automation into delivery to climb the EBITDA multiple, then sell into the PE market that actually pays for it, while treating the venture-funded tool vendors as suppliers to negotiate with rather than a model to copy. The capital structure has already sorted who plays which role. Pick yours on purpose.
If you want the pieces that sit next to this one, I mapped where the tool money went in the MSP software funding map, the buyers on the other side of the table in PE firms buying MSPs, and the exit math in the MSP security exit multiple. If you run an MSP or a cyber firm and you want a straight operator read on which side of this structure your business should be built for, that is the work I do, and my inbox is open.
Frequently asked questions
Because an MSP-to-MSSP transition is a labor-scaling problem, not a product problem. Revenue and headcount cost grow together, gross margins land around 40 to 60 percent instead of software's 70 to 90 percent, and exits cap out at single-digit to mid-teens EBITDA multiples instead of the revenue multiples venture funds need to hit fund-return math inside a 5-to-8-year window. Ross Haleliuk laid out the general version of this case in 2023, and the MSP vertical fits it cleanly.
Software is priced on revenue, often 8x to 12x ARR or higher for high-growth names. Services businesses, MSSPs included, are priced on adjusted EBITDA, typically 6x to 16x depending on scale and platform status, which converts to roughly 1.1x to 3.2x revenue at realistic services margins. Same top line, a 4x to 10x gap in exit currency. That gap is the mechanical reason venture capital funds the tools and private equity buys the services businesses.
Blackpoint Cyber raised $190M in 2023 from Bain Capital Tech Opportunities and Accel. Huntress raised a $150M Series D in 2024 at a valuation above $1.5B, led by Kleiner Perkins and Meritech. Todyl raised a $50M Series B in 2024 led by Base10 Partners. All three arm MSPs with security products to resell rather than funding an MSP's own move into managed security.
Yes. Expel, Arctic Wolf, BlueVoyant and Deepwatch have all raised significant venture or growth capital. But all four were built and pitched from day one as proprietary detection or automation software platforms with a services layer on top, sold and priced like product companies. None is an existing regional MSP that added a security practice and raised venture money to fund the headcount. That distinction is the whole thesis.
Titan's model is not funding an existing MSP's organic move into security. It is buying MSPs outright and re-platforming them onto proprietary AI service-desk automation to convert the labor-cost curve into something closer to software economics before any security layer gets added. It is the one narrow door venture capital uses to touch MSP economics, and it works by trying to eliminate the labor-scaling problem, not by underwriting it. Nobody at Titan is writing a check for an existing team to become a SOC.
Per CT Acquisitions' 2026 M&A multiples synthesis, which is an advisory estimate rather than audited transaction data: 7x to 10x EBITDA for pure-play MSSPs, 6x to 9x for an MSP with a security practice bolted on, and 10x to 16x for platform-scale MDR or XDR specialists. The top of that range is reserved for businesses with genuine platform economics, not headcount-driven service delivery.
Plan for private equity. The funding and multiple data both point the same way. PE is the buyer of record for MSSP economics at 6x to 16x EBITDA depending on scale, while venture money in this space goes almost entirely to the tool vendors MSPs buy from. An MSP building a security line should underwrite it as a PE-exit business from the start and build proprietary automation into delivery to climb the multiple, rather than chase a venture round the margin structure cannot support.