Most MSPs treat their security stack like a product catalog, but that approach breaks the moment a real threat hits. In this piece, Cybersecurity Technical Fellow Roddy Bergeron breaks down what a security stack for MSPs should actually look like.

Ask any MSP about their security stack, and the answer usually sounds the same: a list of tools. EDR, MFA, DNS filtering. Maybe they’ve added SASE or email protection. On paper, it sounds solid.

But ask one simple follow-up: what happens after your next critical alert? That’s when things get quiet.

Because here’s the truth: A stack is a system designed to move, adapt and protect, without relying on your people to stitch every alert to every response. It isn’t a product lineup. It’s not a budget line item. And having security tools is not the same as having a security stack. If your people are the only glue holding your stack together, you don’t have a stack. You have a liability.

Most MSPs build a stack like they’re assembling IKEA furniture—follow the instructions, bolt on the tools, and hope it holds. The ones who figure out why that’s not enough? They’re the ones not waking up at 2 AM.

Why you’re building the wrong stack

I’m going to be honest: most MSPs think stacking is about protection. Build layers. Block threats. Add another tool when something slips through. Stack it high enough and maybe nothing gets through, right? Except that’s not how security works. And it’s definitely not how operations scale.

What most MSPs miss is simple: their stack isn’t built to move. It’s built to pause.

Your endpoint flags ransomware behavior. What happens next? Does your system isolate the device? Lock the account? Shut down lateral movement? Or does the tool fire an alert, drop it in someone’s inbox, and wait?

That pause—the time between detection and action—is where most MSPs lose control. The tools didn’t fail. The system wasn’t there. Your stack detected something. But it didn’t respond. You did.

This isn’t a product issue. It’s a workflow issue. You’re buying detection and calling it security. But detection without action isn’t security. It’s overhead.

Every tool in your stack should be reducing that pause. When your endpoint detects ransomware, it should isolate itself without waiting. When your identity system spots a breach, conditional access should lock down the account immediately. If a phishing email gets reported, your monitoring system should hunt down every copy and remove it across all mailboxes.

That’s operational security. It’s the difference between a pile of disconnected tools and a real stack.

But building that kind of system isn’t simple. It requires more than just tools—it demands integration, automation, and workflows designed to move at the speed of business. Most MSPs haven’t figured out how to get there. That’s why stacks stay stuck.

Most MSPs aren’t running a security stack. They’re running a notification system…poorly.

And you only notice it when the system waits, and your client pays for it.

The core layers that make your stack move

A real security stack is a set of operational layers designed to act fast, without waiting for human input. The core domains every MSP must cover are:

  • Identity: Not just MFA (though you should). Every login gets vetted continuously. Conditional access and role-based access controls don’t wait for compromise; they block exposure before it happens.
  • Endpoints: Not just deploying EDR. When threat actors hit, the infected device isolates itself automatically, often before your team’s first cup of coffee.
  • Network: Beyond firewalls. Modern networks verify every connection; micro-segmentation and zero-trust models stop attackers from roaming freely inside, limiting the blast radius of an incident.
  • Data: It’s not backups alone. Knowing where sensitive data lives, building data flow diagrams, controlling access tightly and preventing leaks through DLP and cloud posture management are all critical, as is knowing how to recover your data in a timely manner.
  • Email & Collaboration: More than spam filters. Behavioral analysis and automated playbooks catch phishing and pull malicious payloads before users even see them.
  • Monitoring & Response: It’s not about logs piling up. Automated correlation, response, and escalation move incidents fast, so your team focuses only on what needs a human touch.

If your stack can’t answer “what happens next?” for each of these, you have disconnected tools waiting for someone to notice.
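
One way to measure the pause between detection and action and to answer "what happens next?" per domain, as an added example that is not from the original article. The event tuples, incident ids and action labels are constructed for illustration, and treating `email_alert` and `ticket_created` as notification-only is an assumption.

```python
from datetime import datetime

# The six core domains named in the article.
DOMAINS = ["identity", "endpoint", "network", "data", "email", "monitoring"]

# Actions that only tell a human something happened (hypothetical labels).
NOTIFY_ONLY = {"email_alert", "ticket_created"}

# Constructed sample events: (timestamp, incident id, domain, kind, detail).
EVENTS = [
    ("2024-05-01T02:00:00", "INC-1", "endpoint", "detect", "ransomware_behavior"),
    ("2024-05-01T02:00:04", "INC-1", "endpoint", "action", "isolate_device"),
    ("2024-05-01T02:10:00", "INC-2", "identity", "detect", "risky_sign_in"),
    ("2024-05-01T02:10:02", "INC-2", "identity", "action", "email_alert"),
    ("2024-05-01T08:45:00", "INC-2", "identity", "action", "lock_account"),
    ("2024-05-01T03:00:00", "INC-3", "email", "detect", "phish_reported"),
    ("2024-05-01T03:00:05", "INC-3", "email", "action", "ticket_created"),
]


def audit_pause(events):
    """Return {domain: status}: 'no telemetry', 'notify only', or the
    worst-case seconds between a detection and its first containing action."""
    detected, contained = {}, {}
    for ts, inc, domain, kind, detail in sorted(events):  # ISO stamps sort by time
        t = datetime.fromisoformat(ts)
        if kind == "detect":
            detected.setdefault(inc, (domain, t))
        elif kind == "action" and detail not in NOTIFY_ONLY and inc in detected:
            contained.setdefault(inc, t)  # first real response wins
    report = {d: "no telemetry" for d in DOMAINS}
    for inc, (domain, t0) in detected.items():
        if inc not in contained:
            report[domain] = "notify only"  # detection never led to containment
        elif report[domain] != "notify only":
            pause = int((contained[inc] - t0).total_seconds())
            prev = report[domain]
            report[domain] = max(pause, prev) if isinstance(prev, int) else pause
    return report


if __name__ == "__main__":
    for domain, status in audit_pause(EVENTS).items():
        print(f"{domain:<11}{status}")
```

On the sample data, the identity incident is only contained when a person locks the account hours after the alert, and the email incident never gets past a ticket.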

For mature MSPs and MSSPs, the story continues. Once these basics are in place, you layer on additional controls that aren’t must-haves, but game-changers:

  • Human Risk Management platforms: Targeting the weakest link—your users—through ongoing training and behavioral reinforcement.
  • Advanced browser protections: Securing cloud-first workflows where traditional network perimeters no longer apply.

These are enhancements that turn a solid security foundation into a competitive edge.

Written by Roddy Bergeron, Technical Fellow, Cybersecurity @ Sherweb

Roddy Bergeron's career has taken various paths including government auditing, nonprofit work, public/private partnerships with the State of Louisiana, helping build an MSP by building their managed service, managed security, vCISO and compliance programs, and now as the Cybersecurity Technical Fellow with Sherweb. Roddy has obtained many certifications over the years including his MCSE, CCNA:Security, CEH, CCSP, CISSP and CSAP. Our MSP community is extremely important to Roddy and he loves giving back to the community that has helped him out so much over the years. Roddy hopes to continue to help other MSPs succeed and raise the cybersecurity tide for our industry.