Why a channel-only pentest vendor matters more than you think


There is a quiet pattern in the MSP industry that nobody enjoys talking about. An MSP signs a 50-employee accounting firm for managed services. Six months in, the client needs a SOC 2 pentest. The MSP introduces them to a pentest vendor — one of the well-known generalist shops. Pentest happens. Report is delivered. Client and pentest vendor have several hours of direct conversation about findings.

Eight months later, the MSP loses the account. The pentest vendor's parent company also offers managed security services. The client liked working with them. The relationship moved.

This story repeats often enough that we built a different operation specifically to break it.

The structural problem with generalist pentest vendors

Most pentest firms that take MSP referrals operate on a horizontal commercial model. They sell pentesting to whoever pays — direct enterprise, SMB, MSPs, MSSPs, brokers. The pentest is the entry product. The retention move is everything adjacent: managed detection and response, vCISO services, GRC platforms, ongoing security monitoring, compliance advisory.

When a generalist vendor receives an MSP referral, the math is straightforward. The pentest is a $4,000 engagement. The downstream lifetime value of that client across MDR, vCISO, and compliance services is $80,000 to $200,000. Of course they want a direct relationship with your client.

Some vendors have informal “we do not poach” handshakes. Those handshakes hold until they don’t. Account executives change. Founders sell their firms. Sales targets shift. The contractual relationship between your client and the pentest vendor has no clause preventing direct cross-sell, because it never had one to begin with.

What channel-only actually means

Our model inverts this. We sell only through MSPs, MSSPs, vCISOs, GRC firms, and audit shops. We do not have a direct sales motion to end customers. There is no enterprise team. There is no SMB inbound funnel sitting next to the channel funnel waiting to convert your introductions.

The contractual piece matters. Every reseller agreement we sign includes a non-solicitation clause covering both the testing engagement and the client relationship for 24 months after engagement close. Your account executive owns the relationship; we run the test, deliver the report, and step out.

This is enforceable because our entire commercial structure is set up to support it. We do not have other product lines that would benefit from a direct client conversation. We are not running a “land with pentesting, expand into MDR” playbook. The pentest is the product.

How the same operation can serve two markets without conflict

A reasonable question we get from prospective MSP partners: “Don’t your testers also work on direct customer engagements somewhere else?” The answer is yes — the same OSCP- and OSCE-certified operators who run engagements through our channel program also run engagements through a direct-to-client SMB pentesting brand for companies that buy pentesting straight from a vendor. The work is the same. The brands and commercial models are deliberately separate.

Why this matters: when an SMB ends up at the direct brand because they Googled “SOC 2 pentest” and clicked an ad, that customer never enters the channel program’s customer base. There is no shared sales pipeline, no overlapping account list, no risk of an SMB inbound conversation referencing one of your accounts. The direct brand handles direct buyers. The channel brand handles MSP clients. The Chinese wall is structural, not a promise.

What this changes for the MSP

A few practical implications:

Margin model shifts. Reseller pricing on a manual external pentest sits below the direct retail price. The gap is yours to capture, either as additional margin on a fixed client price or as a competitive lever against MSPs who are reselling at retail. On a typical SOC 2 pentest engagement, MSP partners see margin in the 35 to 50 percent range depending on volume and bundling.

Branding is yours. White-labeled reports come out under your firm’s branding — your logo, your color scheme, your contact details on the cover. Findings reference your firm as the engagement coordinator, not ours. Your client sees a pentest delivered by the MSP they already trust, with a third-party attestation footer noting the testing was performed by independent assessors. That is the structure auditors actually want.

Direct delivery support, when you want it. Some MSP partners want the pentest report delivered to their client directly with our team on the call as “the security team.” Others want to deliver the findings themselves and have us available as a silent backstop. Both work. We adapt to the model the partner runs, not the other way around.

Sales enablement that is real. The pre-sale support most pentest vendors offer is a one-page PDF and a Calendly link. Ours includes scoping calls with your prospects under your branding, sample report walkthroughs you can send during the deal, and a 30-minute quote turnaround on signed scopes. The sales motion needs to be fast for MSP environments where the client is comparing quotes from three providers.

The cases where this matters most

Three scenarios where the channel-only commercial model becomes genuinely consequential:

SOC 2 ongoing requirements. A SOC 2 Type II report requires annual pentest evidence. That is a recurring revenue line for whoever holds the relationship. If that pentest vendor has any incentive to deepen the client relationship, you will lose the client over a multi-year horizon.

Industries with intense vendor consolidation pressure. Healthcare, financial services, and government clients increasingly want to consolidate vendors. An MSP that brings in a pentest partner with adjacent service offerings is creating the very consolidation pressure that will dislodge them.

Reseller programs operated by larger MSP brands. If you are a regional MSP operating under a national MSP brand’s reseller program, the parent organization often has its own preferred pentest vendor relationships — and those relationships are often built around vendors who do offer adjacent services. A channel-only alternative gives you a partner the parent brand has no structural conflict with.

What to ask a prospective pentest reseller partner

Three questions that separate channel-only from “channel-friendly”:

  1. Show me your direct sales pipeline. If a vendor has a meaningful direct enterprise or SMB sales pipeline, your client referrals will eventually flow into it. Vendors selling only through partners will tell you so straight up.
  2. What is your contractual non-solicitation language? Look for explicit non-solicit on both the testing engagement and the broader business relationship, with a specific time horizon. Twelve months is the floor; 24 is reasonable. “We do not poach” without a clause is not enforceable.
  3. Who owns the customer relationship in the report? White-labeled reports should reference your brand on every page, not “tested by [pentest vendor]” with your logo as a footnote. Ask for a sample.

The answers to those three questions tell you whether you have a channel-only partner or a channel-tolerant vendor.

If you want to evaluate the program for your client base, our partner intake form opens the conversation. We send sample reports, reseller pricing, and a partner agreement draft within one business day. No demo deck, no SDR follow-up, no enterprise procurement theater.

Author: Connor Cady, Founder, MSP Pentesting

Connor founded MSP Pentesting after working in the pentest industry and seeing a massive gap in the market. MSPs were being forced to choose between overpriced corporate firms or shady, automated scanners that auditors hate. He built this company to solve that "sticker shock" and give the channel a partner that prioritizes their margins and client relationships.
