Beyond the Perimeter: How MSPs Can Win the Shift to User-Centric Cybersecurity

By Special Guest
Angela Chang, Product Marketing Specialist, Kaseya

The rules of cybersecurity are changing. The accelerated shift toward cloud platforms like Microsoft 365, Google Workspace and Salesforce is redefining security priorities. As businesses embrace a digital-first approach, cybersecurity strategies are transitioning from an on-premises network and endpoint device-centric focus to a user behavior and account-centric focus.

The reason is simple. Cybercriminals are increasingly exploiting user identities and behaviors, rather than just networks or endpoints. In the State of SaaS Security 2024 report, managed service providers (MSPs) revealed that phishing, business email compromise (BEC) and cloud vulnerabilities are the biggest threats their clients face, surpassing even ransomware. These threats target the very tools that organizations rely on for collaboration, productivity and storing sensitive business information.

For MSPs aiming to strengthen their clients’ security postures and stay competitive in the cloud era, success lies in adapting to change, embracing user- and account-centric cloud security models and effectively monetizing them.

Read on to discover why traditional cybersecurity models are no longer enough, how cloud detection and response (CDR), along with SaaS backup, bolster cyber resilience, and how SaaS-onomics — a game-changing approach — helps you better protect your clients while increasing monthly recurring revenue (MRR).

Where old security models fall short

For decades, businesses have depended on traditional cybersecurity models to protect their organizations’ internal networks and devices. These methods were built around the concept of a clearly defined perimeter, such as an office building. Perimeter security operates on the assumption that everything within the network perimeter could be trusted. However, as businesses adopt cloud applications, integrate third-party services and enable end users to access data and applications remotely, the concept of a fixed network boundary is becoming increasingly outdated.

Firewalls

These network security tools were designed to block unauthorized access to internal networks. Firewalls can prevent malicious activities on a network and protect against threats like port scanning and denial of service (DoS). However, they might fall short when it comes to sophisticated attacks, such as social engineering attacks, new malware variants and zero-day exploits. Additionally, they can’t protect against internal threats, such as an employee breaching network security, either intentionally or unintentionally.

EDR

As the name suggests, endpoint detection and response (EDR) is exclusively designed to detect and respond to threats on endpoint devices, such as laptops, desktops, servers and mobile devices. EDR solutions may not provide the necessary visibility into cloud environments, SaaS applications or user activity outside the device, which are critical as organizations move to hybrid and cloud-native infrastructures.

MDR

Managed detection and response (MDR) is a cybersecurity service that delivers real-time threat hunting, 24/7 monitoring and rapid incident response. MDR is ideal for businesses looking to strengthen their security postures without increasing headcount. However, since MDR uses general rules to detect threats, it offers limited customization and context, which may not fit a company with a unique setup. An MDR provider may not fully understand the nature of your business or which systems are most important, potentially missing real threats or sending too many unnecessary alerts.

Both EDR and MDR tools are inherently reactive, often identifying threats only after a compromise has occurred. With cyberthreats evolving rapidly and human error remaining a constant risk, MSPs need a layered approach to cybersecurity to effectively protect end users, their accounts and their data.

The illusion of safety with MFA and Conditional Access

Multifactor authentication (MFA) and Conditional Access policies (CAP) are critical cybersecurity tools for preventing unauthorized access and protecting sensitive data. However, with attackers leveraging sophisticated techniques, such as session token hijacking, MFA fatigue attacks, phishing and social engineering, these defenses alone are no longer enough.

MFA fatigue attacks

Threat actors bombard the targets’ authentication applications with repeated authentication requests, hoping that they will approve one by accident.

With so many SaaS apps in use today, password fatigue has become a growing concern. To make things easier, many users skip traditional logins and sign in using their Microsoft or Google accounts through OAuth. According to the SaaS Application Security Insights 2025 report, 23% of common low-severity events involved IAM (identity and access management) OAuth access.

Insider threats

MFA and CAPs offer strong protection against external attackers; however, they don’t guard against malicious internal activities. For example, a disgruntled employee or compromised insider can still cause harm from inside the trusted environment. Threat actors leveraging social engineering can manipulate internal users to grant access, even if MFA is active.

Token theft

If attackers manage to steal your clients’ session tokens (via malware or Adversary-in-the-Middle (AitM) attacks), they can bypass MFA entirely.

In AitM attacks, cybercriminals intercept communications between a user (sender) and a legitimate service (receiver), such as Microsoft 365 or Google Workspace. By placing themselves between the two, they can steal login credentials, MFA codes and even session cookies when the unsuspecting user enters their credentials. Threat actors can then exploit them to bypass MFA, hijack accounts, exfiltrate data or move laterally within a network. According to the Microsoft Digital Defense Report, token theft surged to an alarming 39,000 incidents per day in 2024.

If you’re relying on Conditional Access policies or a third-party application that claims to provide Zero Trust Network Access (ZTNA) for cloud apps, you’ve built a strong defense around normal user behavior. However, if a phishing email passes through your filters, these policies only ensure that the intended recipient is the one who receives (and ends up clicking) the malicious link.

If the user falls for the attack, they are tricked into providing their credentials on the spoofed site and then the credentials are routed to the real site, where they successfully authenticate. Since the attacker is mimicking normal user behavior, no unusual activity is detected, and MFA or CAPs are not triggered. As a result, the attacker gains access to your data without setting off any alarms.

 

Figure 1: How AitM attacks work

To truly secure your clients’ SaaS environments, your defense strategy must go beyond initial authentication and adopt layered, proactive security measures that consider threats both inside and outside the perimeter.
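As an added illustration of a check that looks past initial authentication (example code written for this article, not taken from any vendor's product), the Python sketch below flags a session that passed MFA in one context and is later used from another network. The log columns, action names and /24 network grouping are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_network

# Constructed sample events, not real logs. Assumed columns:
# timestamp user session_id source_ip user_agent action
SAMPLE_EVENTS = """\
2025-06-02T09:00:05 alice s-1001 192.0.2.10 Edge/125-Windows signin_mfa_ok
2025-06-02T09:01:10 alice s-1001 192.0.2.10 Edge/125-Windows mail_read
2025-06-02T09:03:40 alice s-1001 203.0.113.77 Firefox/115-Linux mail_read
2025-06-02T09:04:02 alice s-1001 203.0.113.77 Firefox/115-Linux inbox_rule_create
2025-06-02T09:05:30 alice s-1001 192.0.2.10 Edge/125-Windows file_open
2025-06-02T10:00:00 bob s-2002 198.51.100.4 Chrome/126-macOS signin_mfa_ok
2025-06-02T13:30:00 bob s-2002 198.51.100.200 Chrome/126-macOS mail_read
2025-06-02T14:00:00 bob s-2002 203.0.113.9 Chrome/126-macOS file_open
"""

@dataclass
class Finding:
    session_id: str
    user: str
    severity: str        # "high": new network and new client; "low": new network only
    first_seen: datetime
    source_ip: str
    actions: list        # what was done from the unfamiliar context

def detect_session_reuse(log_text, prefix=24):
    """Flag sessions used from a network other than the one that passed MFA."""
    baseline = {}   # session_id -> (network, user_agent) seen at MFA sign-in
    findings = {}   # (session_id, network, user_agent) -> Finding
    # ISO 8601 timestamps sort chronologically as plain strings.
    rows = sorted(line.split() for line in log_text.splitlines() if line.strip())
    for ts, user, sid, ip, agent, action in rows:
        ctx = (ip_network(f"{ip}/{prefix}", strict=False), agent)
        if action == "signin_mfa_ok":
            baseline[sid] = ctx          # context that actually completed MFA
            continue
        base = baseline.get(sid)
        if base is None or ctx[0] == base[0]:
            continue                     # unknown session, or same network as sign-in
        severity = "high" if agent != base[1] else "low"
        finding = findings.setdefault((sid,) + ctx, Finding(
            sid, user, severity, datetime.fromisoformat(ts), ip, []))
        finding.actions.append(action)   # keep the activity for triage
    return list(findings.values())

if __name__ == "__main__":
    for f in detect_session_reuse(SAMPLE_EVENTS):
        print(f.severity, f.user, f.session_id, f.source_ip, f.actions)
```

A network change alone is common for roaming users, which is why it is rated "low" here; the combination of a new network and a new client on an already authenticated session is the stronger signal.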

CDR: What it is and why it matters

Cloud detection and response (CDR) is a cybersecurity solution specifically designed to monitor, detect and respond to threats within cloud environments.

CDR solutions continuously monitor and analyze user behaviors, assets, access patterns and application activities across cloud services. They reduce alert fatigue by eliminating false positives and prioritizing threats based on criticality, enabling MSPs and IT teams to identify and respond to threats efficiently.

Here’s how CDR differs from other security tools like SIEM and MDR.

CDR vs. SIEM

Security Information and Event Management (SIEM) focuses on log aggregation, event correlation and alerting across a wide range of sources. However, unlike CDR platforms, SIEM solutions aren’t designed to understand SaaS-specific behaviors, such as suspicious login patterns or unauthorized app connections.

CDR vs. MDR

MDR services focus largely on endpoint threat hunting led by a security operations center, also known as a SOC. They provide 24/7 threat monitoring and protection on laptops, servers and mobile devices. MDR solutions are highly effective at endpoint and network-layer detection; however, they lack deep visibility into SaaS platforms where much of today’s business-critical data resides. CDR solutions, on the other hand, specialize in detecting behavioral anomalies within SaaS environments (e.g., unusual file sharing in Google Drive and unauthorized OAuth grants in Microsoft 365), which MDR solutions aren’t designed to monitor.

In a cloud-first business environment, cybersecurity measures, such as behavioral monitoring, real-time alerting and remediation, and continuous policy enforcement, are critical to detecting and stopping threats like account takeovers, insider risks and unauthorized data access. By understanding normal user behavior and acting instantly on anomalies, MSPs can stay ahead of attackers and ensure their clients’ critical SaaS environments remain secure and compliant.

Better together: SaaS Alerts and Datto SaaS Protection

CDR platforms offer new business opportunities for MSPs by providing real-time threat detection and protection specifically for cloud environments. However, when disasters strike due to a cyberattack or human error, backup and recovery solutions help you quickly restore lost data and keep your clients’ businesses running smoothly. Together, CDR and backup deliver a complete SaaS security and business continuity strategy. That’s where SaaS Alerts and Datto SaaS Protection come in. These industry-leading solutions can help your MSP offer even greater value and resilience to your customers while saving you time.

SaaS Alerts

SaaS Alerts is an automated SaaS security solution that detects advanced threats and instantly takes action to protect your managed SaaS environments. It empowers MSPs to deliver continuous account-centric protection by detecting behavioral anomalies across Microsoft 365, Google Workspace and other SaaS apps. SaaS Alerts automates response policies, alerts MSPs to suspicious user activity and ensures faster, smarter threat detection and response.

Datto SaaS Protection

Datto SaaS Protection is a comprehensive backup and recovery solution for Microsoft 365 and Google Workspace. It combines seamless data protection with integrated advanced threat defense to keep your clients’ cloud environments secure and resilient. Our advanced SaaS backup and recovery solution provides complete, immutable backups and enables effortless data restoration. It protects businesses against accidental or malicious deletion, ransomware attacks and compliance risks while enabling rapid recovery to minimize business disruption and maintain continuity.

SaaS-onomics: A new revenue engine for MSPs

SaaS-onomics is a knowledge-driven approach to boosting MSP revenue through SaaS application security. It helps MSPs monetize SaaS security, user protection and data resilience by offering holistic account protection services.

The following strategies are derived from this approach, enabling MSPs to bundle CDR and SaaS backup into a powerful Security-as-a-Service offering to boost profit margins while enhancing client protection.

  • The add-on model
    Offer CDR and SaaS backup as a mandatory addition to Microsoft 365 or Google Workspace management services. Customers can choose to opt out by signing a "decline services" waiver, shifting responsibility away from your MSP while encouraging adoption. Effectively communicate how these services provide extra protection and peace of mind for a nominal fee each month. You can price the add-on services between $3 and $10 per user/month.
     
  • Cybersecurity bundle
    Package CDR and SaaS backup as part of a full cybersecurity bundle, alongside endpoint protection, email security or dark web monitoring.

    Position it as essential for clients concerned with compliance, ransomware, phishing defense and data integrity. Depending on your service offering, the cybersecurity bundle can be priced between $25 and $40 per user/month.
     
  • All-inclusive model
    All-inclusive service options make it easier for MSP sales teams to pitch to clients and speed up the sales cycle. Fully integrate CDR and SaaS backup into the core managed services package. Roll it into the overall per-user/month fee with no separate line item.

For MSP clients, these models offer a clear, predictable service structure without surprise costs. All-inclusive models offer comprehensive protection in one package, which improves client retention and stickiness.

MSP benefits

By strategically bundling CDR and SaaS backup into a SaaS Security-as-a-Service offering, your MSP can:

  • Gain higher margins with minimal infrastructure overhead
    By bundling CDR and SaaS backup as a value-add to existing Microsoft 365 or Google Workspace services, your MSP can create a new, high-margin revenue stream without investing heavily in additional infrastructure or staff.
     
  • Improve client stickiness through proactive risk management
    Bundling proactive threat detection and response with data protection services strengthens your security posture for clients, reduces churn and deepens your role as a trusted security advisor.
     
  • Differentiate yourself from commodity MSPs
    Offering cloud threat detection and backup as core services can be a competitive differentiator for your MSP as it demonstrates a mature, proactive approach to modern IT management.

Blueprint for MSPs to win

Use the blueprint provided below to gain a competitive edge and win more deals. From identifying potential opportunities to bundling high-value services, this guide shows you exactly how to increase revenue, strengthen client relationships and lead in the cloud-first era.

  1. Assess current SaaS security and backup coverage across clients
    Having clear visibility into gaps and risks across client environments will enable you to make smarter security recommendations and upsell opportunities.
     
  2. Educate clients on modern risks
    Establish your role as a strategic partner by helping clients understand evolving threats like phishing, ransomware and SaaS account takeovers.
     
  3. Bundle CDR and SaaS backup into a managed offering
    As discussed in the section above, by bundling CDR and SaaS backup, your MSP can deliver comprehensive, proactive protection while creating new recurring revenue streams and strengthening client relationships.
     
  4. Automate response playbooks
    Streamline threat detection and response using tools like SaaS Alerts to minimize risk exposure and reduce IT workload.
     
  5. Report outcomes to clients to demonstrate ongoing value
    Leverage powerful reporting tools like SaaS Alerts and Datto Hero Reports to showcase the real-world impact of your services through regular, actionable reporting that reinforces your value as a reliable partner.

The future is user-centric and SaaS-driven

As businesses continue to move critical workloads to the cloud, MSPs have a unique opportunity to lead with a cloud-first, user-focused security model. This modern approach enables MSPs to better protect their clients’ SaaS environments, user accounts and data while expanding their service portfolio.

Thousands of MSPs worldwide trust SaaS Alerts and Datto SaaS Protection to protect their clients and grow their businesses. By partnering with SaaS Alerts and Datto, your MSP can deliver superior protection, ensure rapid recovery, differentiate itself in a competitive market and position its services as a premium offering.

Future-proof your clients and your MSP business. Request a demo of Datto SaaS Protection and SaaS Alerts today and see how you can turn SaaS security into a powerful growth engine.

About the author: Angela Chang is a Product Marketing Specialist at Kaseya, where she oversees the SaaS Backup modules, including Datto SaaS Protection and Spanning. Since joining Kaseya in 2022, Angela has built a strong foundation in client success and business growth — beginning as an Associate Account Manager, advancing to Senior Account Manager of Key Accounts, and ultimately transitioning into Product Marketing. Prior to joining Kaseya, Angela worked as a trusted Personal Banking Associate at TD Bank, where she leveraged her customer-first mindset and financial acumen to help clients meet their personal and business goals. She holds a Bachelor of Commerce in Marketing from the University of British Columbia.




Edited by Erik Linask