If you're an MSP still selling endpoint protection and firewall management as your core security offering, I want you to do something. Pull up your P&L. Look at the revenue from those services. Now ask yourself: what happens to that number when your customers realize the attacks aren't coming through the firewall anymore?
ConnectWise released its 2026 MSP Threat Report on March 5. The headline finding is straightforward: attackers have moved away from novel exploits. They're logging in. With real credentials, through real tools, using trusted identities to walk through front doors that MSPs left open.
This isn't a blip. ConnectWise's own incident data suggests the transition is well underway. And it breaks the security model most MSPs were built on.
The math that kills your playbook
Here's the shift, expressed plainly.
The old model: attackers find a vulnerability, write an exploit, deliver it through phishing or a compromised website, and break through your perimeter defenses. Your job as an MSP was to keep the walls up. Patch fast. Block known threats. Monitor for malware signatures.
The new model: attackers steal or buy valid credentials. They authenticate through legitimate VPN interfaces. They use built-in system tools to move laterally. They target backup infrastructure first to eliminate your recovery option. They're inside the network using the same access methods your technicians use every day.
ConnectWise's Cyber Research Unit documented this across real-world incident investigations, customer telemetry, and ransomware leak site monitoring throughout 2025. The report covers North America, Europe, and Asia-Pacific, and the patterns were consistent across regions.
Patrick Beggs, ConnectWise's CISO, put it directly: "The defining theme of 2025 was the abuse of trust. Attackers are exploiting valid credentials, misconfigured VPNs, trusted updates, and even user behavior to gain access."
Translation: the perimeter is not where the fight is happening anymore. The fight is inside, at the identity layer, and most MSPs don't have the tools or the billing model to compete there.
Three findings worth losing sleep over
1. Ransomware groups stopped innovating on encryption and started innovating on access. Groups like Akira developed rapid "scan, steal, encrypt" lifecycles. They hit backup infrastructure first. They bypassed OTP-based multi-factor authentication by exploiting inherited VPN configuration artifacts. They didn't need a sophisticated exploit. They needed a credential and a misconfigured appliance.
2. Software supply chain attacks went downstream. The report documents campaigns like "Shai-Hulud," where attackers compromised npm maintainer accounts and pushed trojanized updates to thousands of downstream environments. Similar attacks hit PyPI, NuGet, RubyGems, and Rust ecosystems. If your clients use software that has dependencies (and they all do), the supply chain is now an attack surface you have to account for.
3. ClickFix attacks turned users into the delivery mechanism. Social engineering evolved from "click this link" to "copy and paste this command into your terminal." It bypasses traditional defenses entirely because the execution happens through a legitimate system utility initiated by the user. Your endpoint protection doesn't trigger because the user ran it themselves.
Each of these findings points in the same direction: the traditional MSP security stack, built around perimeter defense and signature-based detection, wasn't designed to catch these attacks. Not because the tools are bad. Because the attacks increasingly don't touch the perimeter.
The business model problem
This is where it gets uncomfortable.
Most MSPs sell security as a set of products. Endpoint protection. Firewall. Maybe an email filter. The margin comes from deploying these at scale across a customer base. The operational model assumes that security is a product you install and manage.
Identity security doesn't work that way. Privileged access management, behavioral detection, identity governance, SIEM correlation across multi-tenant environments — that's services work, not product deployment. It takes deeper integration, people who actually know what they're looking at, and a pricing model that reflects the labor.
ConnectWise is, predictably, positioning its own platform to fill this gap. They announced PAM, managed EDR, SIEM, and BCDR with immutable backups. That's their sales pitch, and you should evaluate it on its merits. But the underlying diagnosis is correct regardless of which vendor fills it.
The MSP that charges per-seat for endpoint protection and calls it a security practice is running a playbook the threat landscape has moved past. The question is whether you recognized that and adapted, or whether you're going to learn it from a customer's breach notification.
What replaces it
None of this is easy. But here's what has to move.
Retool around identity. Your security practice needs to include privileged access management, conditional access policies, and identity monitoring. Not as add-ons. As the foundation. Every engagement should start with an identity posture assessment.
Price for services, not seats. Identity security and behavioral detection are labor-intensive. If you're trying to fit them into a per-endpoint pricing model, your margins will collapse. Build a security tier that reflects the actual work involved. Customers who balk at the price are customers who will blame you when they get breached.
Assume compromise. The report makes this explicit: reactive security models are no longer sufficient. Your operational assumption should be that credentials are already compromised somewhere in the environment. Build your detection and response processes around that assumption. Immutable backups are no longer optional.
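One way to turn "assume compromise" into a detection rule, as an added example that is not taken from the ConnectWise report: a successful VPN login is not an alert on its own, but a login from a source never seen for that account, followed within minutes by access to backup infrastructure, matches the access pattern described above. The log format, user names, hosts, per-user baseline and 30-minute window are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events; users, hosts and IPs are made up for this example.
LOG = """\
2025-11-02T09:01:12Z vpn_login user=jlee src=198.51.100.7 result=success
2025-11-02T09:05:40Z host_logon user=jlee host=fs01
2025-11-03T02:14:09Z vpn_login user=jlee src=203.0.113.45 result=success
2025-11-03T02:19:31Z host_logon user=jlee host=bkp01
2025-11-03T08:30:00Z vpn_login user=mkhan src=198.51.100.9 result=success
2025-11-03T08:41:00Z host_logon user=mkhan host=bkp01
"""

# Assumed inputs: VPN sources previously seen per user, and hosts tagged as backup assets.
BASELINE = {"jlee": {"198.51.100.7"}, "mkhan": {"198.51.100.9"}}
BACKUP_HOSTS = {"bkp01"}
WINDOW = timedelta(minutes=30)

def parse(line):
    """Split 'timestamp kind key=value ...' into a dict with a parsed timestamp."""
    ts, kind, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["kind"] = kind
    return ev

def find_suspect_sessions(log, baseline, backup_hosts, window=WINDOW):
    """Flag successful VPN logins from an unseen source followed by backup-host access."""
    alerts, pending = [], {}  # pending: user -> (login time, source IP)
    events = sorted(map(parse, log.strip().splitlines()), key=lambda e: e["ts"])
    for ev in events:
        user = ev["user"]
        if ev["kind"] == "vpn_login" and ev["result"] == "success":
            if ev["src"] not in baseline.get(user, set()):
                pending[user] = (ev["ts"], ev["src"])
            else:
                pending.pop(user, None)  # a newer login from a known source supersedes
        elif ev["kind"] == "host_logon" and user in pending:
            start, src = pending[user]
            if ev["host"] in backup_hosts and ev["ts"] - start <= window:
                minutes = (ev["ts"] - start).total_seconds() / 60
                alerts.append({"user": user, "src": src,
                               "host": ev["host"], "minutes": minutes})
                del pending[user]
    return alerts

if __name__ == "__main__":
    for alert in find_suspect_sessions(LOG, BASELINE, BACKUP_HOSTS):
        print(alert)
```

The technician who reaches the same backup host from a known source produces no alert, so the rule keys on the identity anomaly and not on backup access alone.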
Go read the actual report
Read the full ConnectWise threat report. Not the press release, the actual report. Then audit your current security offering against it. Map every finding to your service catalog. Where you have gaps, you have two choices: fill them or stop calling yourself a security provider.
The attackers already made the transition. The MSPs who survive are the ones who make it next.