r/MSSP

▲ 2 r/MSSP+1 crossposts

Built a SOC-as-a-Service stack on Seceon OTM for African SMEs - feedback so far

We run an MSSP out of Nairobi and spent the last year deploying Seceon OTM as our core SIEM/XDR platform for clients who can't afford a traditional 24/7 SOC build-out. Some things that stood out vs. FortiSIEM/Splunk for smaller deployments.

  1. Single-platform correlation (no bolt-on UEBA/SOAR licensing) kept our margins manageable for mid-market clients

  2. Deployment time was meaningfully shorter than a comparable splunk ES rollout

  3. Threat detection is solid out of the box, though tuning for local threat patterns takes real team effort

Curious if others running lean SOC teams have compared Seceon against alternatives- what pushed you one way or the other?

reddit.com
u/JakomAfrica — 1 day ago
▲ 3 r/MSSP

MSSPs getting burned by AI SOC. What's your solution?

I keep seeing complaints about the AI SOC vendors. Complaints like pricing, black-box verdicts, data leaving your control.

Genuine question: if the current tools are bad, where do you land?

  1. Waiting for the vendors to get better
  2. Building/owning something custom in-house
  3. AI has no place in triage, full stop

What's driving your answer?

reddit.com
u/Upbeat_Person5 — 2 days ago
▲ 6 r/MSSP

Looking for overnight SOC work

I have been searching for overnight SOC jobs for a while. Preferably remote. Where is a good place I can look?

reddit.com
u/East-Comfortable-225 — 2 days ago
▲ 3 r/MSSP+2 crossposts

What pros and cons do clients see in MSPs that outsource?

Some of the pros:

  1. They are cheaper.

  2. They provide quick turnaround.

  3. Wider service offering due to more resources.

  4. After hours coverage.

Some of the cons:

  1. Security risks.

  2. Poor quality of support due to cheaper workforce.

  3. Communication difficulty due to language and cultural barriers.

  4. It hurts the local economy.

What are the other factors not mentioned above?

reddit.com
u/1ozu1 — 4 days ago
▲ 15 r/MSSP

Need MSSP Advice

If you were starting over again what is the best advice you could give yourself before you got things rolling?

Also, what are some of the main core services that you guys are selling and what is NOT worth putting energy into?


Starting an MSSP from scratch and would love some expert advice! Thank you!

reddit.com
u/gamingwrites — 7 days ago
▲ 2 r/MSSP+1 crossposts

How are you handling the per-GB tax on cloud-native firewalls/NAT across client estates?

I run a small cloud-firewall/NAT product, and before I get to that (disclosure up front, mods OK'd this post — see the bottom), I genuinely want to compare notes with people operating this at scale across many clients, because the maths gets ugly faster for you than it does for a single tenant.

The thing I keep running into: the cloud-native egress controls are metered per gigabyte, and that meter never stops scaling with the client's traffic.

Rough numbers, US figures, so you can sanity-check against your own invoices:

  • AWS NAT Gateway — ~$0.045/GB processed, plus ~$0.045/hr per gateway.
  • AWS Network Firewall — ~$0.065/GB inspected, plus $0.395/endpoint-hr ($288/mo per AZ), billed per endpoint per AZ, so a 2–3 AZ design multiplies the hourly floor before a single byte moves.
  • Azure Firewall — a per-GB processing charge on top of a per-hour SKU floor (Standard ~$1.25/hr).

For one tenant that's an annoyance. Across an estate it's a structural margin problem, because:

  1. Your managed-service price is fixed, but your cost base floats with the client's traffic. You quote a monthly number; their egress doubles after some launch or batch job; your firewall/NAT line doubles with it and quietly eats the spread.
  2. The per-AZ hourly floors stack before any data moves. Multi-AZ inspection means paying the endpoint-hour several times per client just to be resilient — multiply across N tenants.
  3. It's two meters, not one. Egress filtering and NAT each meter per-GB, so the same gigabyte often gets charged twice on its way out.
  4. You usually can't cleanly pass it through. Clients want a predictable monthly number; a traffic-indexed true-up is painful to explain and worse to forecast.

So the real question for this sub: how are you actually dealing with this? The options I've seen MSSPs take, none free:

  • Eat it as cost of goods — fine until a chatty tenant turns a profitable account unprofitable.
  • Pass it through as a metered line item — honest, but kills the "predictable managed service" pitch and invites bill-shock arguments monthly.
  • Centralise inspection (one shared firewall behind a GWLB / transit hub) to amortise the hourly floors — helps per-hour, does nothing for per-GB, concentrates blast radius.
  • Roll your own on pfSense/OPNsense/VyOS to dodge the meter — kills per-GB cost but you now own patching, HA, config drift and multi-tenant management by hand.
  • Stay on the mega-NGFWs (Palo, Fortinet, Check Point) where MSSP programs and multi-tenancy are mature — but the licensing/complexity is a different pain, and overkill if all you need is egress + NAT.

Genuinely interested in what's working: are you centralising, DIY-ing the NAT/firewall layer, passing per-GB through, and how are you keeping fleet management sane? And for those who've moved off cloud-native — what did the migration actually cost in engineer time?

Disclosure (mods approved this post): I'm the founder of Enforza, which is one of the options above — so take this as "here's what we built and why", not a neutral survey. It's a cloud-managed firewall + secure NAT gateway you run as a normal Linux VM (an NVA) inside the client's own network/account, built on standard Linux network primitives. It does L3/L4/L7 egress filtering (by FQDN/SNI), ingress, east-west and secure source-NAT, and runs as a transparent appliance behind an AWS Gateway Load Balancer if you want centralised inspection without re-architecting routing.

Why it's relevant to this thread: it's priced flat per firewall, no per-GB data-processing charge — so the cost base stops floating with each client's traffic. At modest egress it tends to land 60–80% cheaper than a cloud-native firewall stacked with a NAT gateway — directional, workload-dependent, so run your own numbers, don't trust mine. To be straight about what it does and doesn't:

  • It replaces the firewall/NAT metering — you still pay AWS/Azure for the VM and normal bandwidth. Not a way to dodge your CSP's infra bill.
  • No TLS decryption and no key custody. FQDN/SNI filtering reads the hostname already in the clear (SNI, Host header, DNS).
  • Multi-tenant by default (each client an isolated tenant), whole fleet from one console — GitOps/policy-as-code or UI — with logs to each client's own SIEM, not through us.
  • Small bootstrapped team, but not a weekend project — in production ~3 years. It's the focused egress/NAT/inspection set most cloud teams use, not a full enterprise NGFW suite; I won't pretend it matches Palo/Fortinet feature-for-feature.

Site's in my profile / I'll drop it in a comment if anyone wants it rather than linking in the body. Mostly I'd rather hear how you're solving the per-GB problem today — happy to be told the DIY or centralised route beats what we do for your shape of estate.

reddit.com
u/enforzaGuy — 7 days ago
▲ 1 r/MSSP

End to End discovery for on-prem redources

Hey MSSP folks, I'm a security researcher and work in the same domain. I have recently built a security agent that can map the entire on-prem and hybrid infrastructure including databases, containers and network stack with just one lightweight agent without ever touching the network gear.

If you currently can't determine which of your on-prem or cloud resources are exposed, or can't walk outside-in and inside-out of your enterprise infrastructure i can help bridge that gap.

I've developed the product and am currently looking for an time bound, metric based active pilot. If anyone is facing the same issue, lets get connected and see how i can be of help.

reddit.com
u/Sweaty-Zucchini-996 — 7 days ago
▲ 4 r/MSSP+1 crossposts

AI SOC - real or hype?

AI SOC feels like a distraction at best.

Not because the tech isn't legit, it is. But most SOC environments I scope have half configured log sources, parsers not touched in a year, non existent alert tuning.

You don't have clear enough data for AI to do anything useful. garbage in and garbage out.

Fix your signal quality first then talk about AI.

Anyone actually solving for data quality before bolting on AI? or everyone's skipping to the demo?

reddit.com
u/Interesting_Rule_230 — 12 days ago
▲ 1 r/MSSP

Managing domains across a bunch of clients — the silent failures are what kill me. How do you actually stay on top of this?

I look after domains for a handful of clients and the thing that stresses me out isn't the loud failures — it's the silent ones. The cert that quietly expired on a staging domain nobody checked. The DNS record someone changed and forgot to mention. The SPF that crept past 10 lookups and started soft-failing. A domain that nearly lapsed because the renewal email went to an inbox no one reads.

Right now I'm juggling separate things for each: one tool for SSL expiry, another for blacklist checks, WHOIS for expiry, something else for DMARC reports. Half of them just *tell me there's a problem* and leave me to figure out the fix at 11pm.

So I'm trying to sanity-check how other people handle this before I over-engineer my own setup:

  1. Which of these has actually bitten you — cert expiry, domain expiry, a DNS change you didn't make, DMARC/deliverability, or a blacklist listing? Curious which one *really* hurt.
  2. Do you run a bunch of single-purpose tools, or have you found something that does it all? And honestly — do you *want* one dashboard, or do you prefer best-of-breed and stitching it yourself?
  3. When you get an alert, is "your cert expires in 7 days" enough, or do you wish it told you the exact fix for your DNS provider?
  4. For anyone managing client domains — how do you report "everything's healthy" back to clients without it being a manual chore?

Genuinely after how *you* deal with it.

reddit.com
u/Avinash-DS — 10 days ago
▲ 2 r/MSSP+3 crossposts

Built a free, self-hosted M365 reporting/alerting tool — would value feedback from people who run tenants

We all know the gap: the M365 admin center is fine for daily ops, but it won't proactively tell you when a sign-in looks off, when app secrets are about to expire, when license allocation drifts, or when risky users show up. You end up manually pulling the same Graph reports over and over.

I built an open-source tool called Argus to close that gap, and I'm sharing it here because this is the crowd that actually lives with the problem.

What it does
- Scheduled report jobs (hourly/daily/weekly/cron) across Identity, Security, and Infrastructure — sign-in anomalies, risky users, MFA status, license utilization, app secret expiry, device compliance, and more
- Conditional delivery — it only emails you when something matters (count over a threshold, an anomaly is detected, or data changed since last run), so you're not training yourself to ignore a daily noise report
- Baseline anomaly detection (z-score vs. historical) for catching unusual spikes
- HTML email reports from editable templates, sent from a single least-privilege scoped mailbox

How it's built / why it might fit a managed environment
- Self-hosted, single Docker container. Your tenant data never leaves your infrastructure — no SaaS, no third party
- Connects to Microsoft Graph with least-privilege, app-only permissions (e.g. read-only IdentityRiskyUser.Read.All, AuditLog.Read.All; no broad Mail.Send — Exchange RBAC scoped to one mailbox)
- Credentials are AES-256-GCM encrypted at rest; the only thing in the environment is a master key
- Stack: Bun + Next.js + SQLite + TypeScript. docker compose up and it's running

It's free and open source (not a product, nothing to buy, no signup). I'd genuinely value feedback from people who manage real tenants:
- Does the report catalog cover what you'd actually want alerts on, or what's missing?
- Is the least-privilege permission model what you'd expect before pointing it at a production tenant?
- Would conditional/anomaly-based delivery actually cut noise for you, or do you want everything logged regardless?

Repo: https://github.com/RohiRIK/argus

Happy to answer anything about the architecture or the permission model in the comments.

u/Comfortable_Cat_6207 — 12 days ago
▲ 5 r/MSSP

Cloud security for MSSPs: what are customers actually paying for?

Hello,

I've been spending a lot of time looking at how MSSPs approach cloud security, and one thing I've noticed is that there's no shortage of tools. The harder part seems to be turning those tools into services customers actually value.

I'm building a cloud security platform for MSSPs, and I'm trying to make sure I understand the operational challenges rather than just adding another list of features.

For those of you managing AWS, Azure, or GCP environments:

What has been the biggest challenge in delivering cloud security as a service?

Is it customer demand, operational overhead, alert fatigue, reporting, remediation, or something else entirely?

reddit.com
u/kloudnative — 11 days ago