Can a managed Zero Trust service pay back an MSP’s investment in under a year?
Yes.
Median MSP payback is nine months.
Profitability variables for zero trust MSPs
A concise set of variables determines profitability for Zero Trust offerings.
These variables include pricing model, onboarding effort, license stacking, recurring operations, and measurable client outcomes.
Those five inputs drive gross margin, payback months, and 36-month return.
The MSP must model them explicitly to make a defensible business case.
Pricing levers that move margins
Per-user versus per-device pricing changes billing dynamics and margins.
One-time onboarding fees, minimum contract terms, and outcome bonuses shift payback windows.
Vendor selection and bundling change license burden and thus alter gross margin.
Onboarding and recurring operations
Onboarding often consumes 20–200 FTE-hours per client depending on maturity and scale.
Recurring operations range from 0.5 to 4 SOC FTEs per 1,000 users when automation is low.
Underestimating these costs commonly erodes projected margins.
Review assumptions after the first three pilot rollouts.
License stacking and vendor choice
Stacking IAM, ZTNA, EDR, and PAM can consume 25–45% of billings unless negotiated.
Choosing platform bundles — for example, Microsoft identity plus integrated EDR — lowers stack cost.
Selecting two to three core vendors simplifies support and reduces agent overhead.
Pricing tiers, ARPU and sample price points
A three-tier model covers most go-to-market approaches.
Use Lite, Standard, and Advanced tiers.
Each tier aligns service scope to ARPU bands and margin targets.
Price onboarding and recurring fees to reach target margins.
Lite tier: basic identity and access
Lite covers MFA, single sign-on, and basic ZTNA policies.
Price band: $6–12 per user per month.
Expected ARR per small client: $6k–18k.
Margin goal: 15–25% when onboarding spreads across clients.
Standard tier
Standard adds EDR, continuous authentication, and policy automation.
Price band: $15–30 per user per month.
Expected ARR per client: $18k–75k.
Margin goal: 20–35% with automated operations.
Advanced tier: full outcome SLAs
Advanced includes SASE, PAM, managed detection, and strict SLAs.
Price band: $35–75 per user per month.
Expected ARR per client: $75k+.
Margin goal: 30–40% when the MSP bundles MDR upsells.
Per-user pricing simplifies billing for remote workforces. Per-device pricing fits when device-to-user ratios exceed 2:1. Examples include manufacturing and retail point-of-sale environments.
Build a reproducible ROI and TCO model
A defensible ROI model uses five inputs.
Those inputs are setup CAPEX, monthly license cost, recurring operational labor, ARR per client, and CAC.
From these inputs the MSP calculates payback months, 36-month IRR, and TCO.
The model must run sensitivity tests across realistic ranges.
Inputs: onboarding CAPEX, monthly license cost, recurring FTE-hours, ARR, CAC, and expected incident reduction percent.
Payback months equals onboarding CAPEX divided by monthly net contribution.
TCO equals CAPEX plus the sum of monthly OPEX.
Example calculation
Example for a 500-user client: ARR $75,000, onboarding CAPEX $25,000, monthly OPEX $3,000, CAC $10,000.
Payback ≈ 9 months.
The 36-month IRR is positive when incident reduction exceeds 15%.
Sensitivity and validation
Run license cost ±30% and onboarding hours ±50% scenarios.
Run incident reduction scenarios from 10 to 40%.
Compare outputs to a gross margin band of 15–40% and CAC payback targets of 6–18 months.
Operational cost drivers that break naive ROI models
The most frequent error at this point is pricing only on vendor license markup.
That ignores the value of managed outcomes.
Onboarding labor and hidden service
Discovery, identity sync, device cleanup, and policy mapping drive onboarding hours.
Expect 20–200 FTE-hours per client depending on estate complexity.
Budgeting fewer hours than required produces schedule slips and margin loss.
Recurring monitoring and maintenance
Policy tuning, SIEM triage, and agent updates create recurring work.
Without automation expect 0.5–4 SOC FTEs per 1,000 users.
Automation can cut that burden by 30–60 percent when applied.
License stacking and agent overhead
Multiple single-purpose agents increase support tickets and patch cycles by an estimated 10–30%.
Vendor consolidation or negotiation for enterprise bundles reduces overhead and improves gross margin.
Validate cost assumptions with at least one pilot client.
SLAs, metrics and contract clauses to protect margin
Profitable Zero Trust contracts specify measurable metrics.
They include onboarding caps, license pass-throughs, and capped penalties.
Contracts must map deliverables to standards such as NIST SP 800-207 and match client compliance needs.
This approach limits unexpected scope creep.
Example SLA metrics and values
Availability for control plane services: 99.9% monthly.
Incident response times: Critical ≤1 hour, High ≤4 hours, Medium ≤24 hours.
Authentication latency target: ≤250 ms at 95th percentile.
Contract clauses that enforce economics
Minimum term: 12–36 months with non-refundable onboarding fees.
License cost pass-through with annual reconciliation prevents margin erosion.
Penalties should be capped at 5–15% of monthly fees and tied to remediation windows.
Compliance addenda and deliverables
Map service components to NIST SP 800-207 controls and to CISA maturity checkpoints.
Charge additional fees for regulatory evidence packages for HIPAA or PCI scopes.
This protects margin where audits increase workload.
Three anonymized MSP case studies with numbers
The data below is anonymized but reflects real project archetypes observed in the field.
Each case shows investment, ARR, margin and payback months.
These examples illustrate why standardization matters.
SMB-focused MSP: standardized stack
Investment: $35,000 professional services and $8,000 tooling.
ARR after 12 months: $120,000 across eight clients.
Gross margin: 28%.
Payback: 10 months.
Standardized stack and onboarding automation enabled fast scale.
Enterprise MSP
Investment: $120,000 initial delivery.
ARR after first year: $360,000.
Gross margin: 35%.
Payback: 16 months.
Higher CAPEX supported an in-house SOC and premium outcome guarantees.
Vertical healthcare MSP
Investment: $85,000 initial delivery.
ARR after first year: $90,000.
Gross margin: 18%.
Payback: 22 months.
HIPAA mapping and bespoke integration raised onboarding labor and reduced early margins.
This analysis does not apply when the MSP is purely a break/fix provider with customers under 20 users. It also does not apply when the MSP acts only as a reseller with no delivery capability. Avoid this approach when customers require bespoke architectures that forbid standardization.
Pricing decision matrix: per-user, per-device, outcome
A simple decision matrix helps pick the right model.
Use user density, device ratio, and willingness to fund SOC CAPEX to choose.
| Model |
Implementation time (weeks) |
Initial CAPEX ($/1,000 users) |
Monthly OPEX per 1,000 users ($) |
ARPU/user/mo ($) |
Gross margin (%) |
Payback (months) |
| Per-user subscription |
2–6 |
5,000–25,000 |
2,000–8,000 |
6–30 |
15–30 |
6–14 |
| Per-device subscription |
3–8 |
7,500–35,000 |
3,000–10,000 |
8–40 |
15–32 |
8–16 |
| Outcome-based (MDR/MSSP) |
6–16 |
25,000–150,000 |
8,000–30,000 |
35–75 |
25–40 |
12–24 |
A practical 36-month comparative example clarifies tradeoffs for a 1,000-user scenario.
- Per-user subscription at $15/user/mo with $15,000 onboarding CAPEX and $4,000 monthly OPEX. Over 36 months revenue $540,000, OPEX $144,000, and gross contribution ≈ $381,000 (after license costs). Payback ≈ 5–8 months depending on license share.
- Per-device subscription at $20/device/mo with device:user ratio 1.5:1. Onboarding CAPEX $22,500 and monthly OPEX $6,000. Over 36 months revenue $720,000, OPEX $216,000, and contribution ≈ $481,500 (after license costs). Higher operations and agent overhead can compress margins.
- Outcome-based (MDR) at $50/user/mo with higher CAPEX $75,000 and monthly OPEX $18,000. Over 36 months revenue $1,800,000, OPEX $648,000, and contribution ≈ $1,077,000 (after license costs). Payback lengthens to 12–24 months and delivery risk rises.
Toggling a 20–40% license-stack surcharge across scenarios quickly shows which model preserves margin under vendor inflation.
Sales playbook and unit economics
Target CAC ranges and payback goals make or break growth.
Successful MSPs target CAC between $6,000 and $18,000 depending on sales motion.
CAC payback targets should not exceed 18 months for most plans.
Acquisition and upsell strategy
Referral-driven SMB deals sit at the lower CAC end.
Enterprise direct sales sit at the higher CAC end.
Bundle PAM, MDR, and compliance services to lift ARPU by 25–60% versus a base package.
Renewal metrics then justify premium pricing.
Renewal metrics to track
Track ARR retention and net revenue retention above 100%.
Aim for time-to-value within 90 days and strong SLA compliance rates.
These metrics prove business value to executive buyers and support upsell conversations.
Frontline sales need concise numeric responses for non-technical executives who control budgets.
- Sample objection scripts:
- Objection: “This is too expensive.” Response: “If you consider a $25K onboarding and $3K monthly operations for a 500-user rollout, our package yields payback in ~9 months and produces positive net contribution over 36 months.”
- Objection: “We already have VPNs/EDR.” Response: “VPNs and point solutions leave lateral risk. Our bundled approach reduces expected incident volume and mean time to contain. We quantify a 15–30% reduction in incident cost in similar clients and translate that into avoided emergency remediations.”
Sales artifacts, SLA template and contract clauses
The MSP needs reusable sales artifacts: proposal language, an SLA table, and contract clauses that lock economics.
Reuse these snippets directly in proposals and in sales enablement.
Sample SLA table
Service: Zero Trust Managed Service
Term: 12–36 months
Availability (control plane): 99.9% monthly
Incident Response: Critical <= 1 hour | High <= 4 hours | Medium <= 24 hours
Authentication latency: <= 250 ms (95th percentile)
Penalty: Credits up to 10% monthly fee, capped at three occurrences per year
Onboarding fee: Non-refundable, charged at signing
License pass-through: Annual reconciliation, customer pays third-party increases
Sample contract clauses
Onboarding and scope: Customer accepts a defined onboarding plan with timeboxes. Any work outside the plan is billable at $X/hour. License pass-through: Third-party licensing costs are passed through at cost plus 0% unless otherwise negotiated. Service credits: Service credits apply per SLA schedule. Total credits capped at 15% of monthly fees. Minimum term and termination: Minimum term 12 months.
Early termination incurs remaining committed fees or a buyout equal to 50% of remaining fees. Compliance support: Additional fees apply for audit evidence packages and regulatory evidence beyond the standard scope.
Negotiating license bundles with major vendors reduces license spend by an estimated 10–25 percent and markedly improves gross margin for the MSP.
Zero Trust profitability flow
Shows inputs, outputs and decision gates for MSP pricing and operations
Inputs: ARR, CAC, onboarding CAPEX, license cost
Processing: automation, SOC capacity, vendor bundling
Outputs: gross margin, payback months, 36-month IRR
For a visual validation, the flow above reflects how discovery data maps to a pricing decision graph used in actual proposals.
Opinion and recommendation paragraph
A pragmatic path works best: build a standardized stack and automate onboarding to under 40 FTE-hours.
Price services so CAC payback stays under 12 months for growth targets.
This works in theory, but in practice it requires strict delivery standards and vendor negotiation.
Without those conditions payback stretches and margins compress.
Start with three pilot clients to validate assumptions before a broader roll-out.
External sources and evidence
NIST published SP 800-207 on Zero Trust Architecture, which provides the control taxonomy for scoping services.
CISA released a Zero Trust Maturity Model, which maps operational checkpoints to deliverables.
The IBM Cost of a Data Breach Report 2023 reported an average breach cost of $4.45 million, useful when quantifying avoided loss.
NIST SP 800-207 (2020) and IBM Cost of a Data Breach Report 2023.
A custom TCO review from sales operations or vendor relations can validate these benchmarks against the MSP's book of business.
Frequently asked zero trust questions
Is ZTNA better than VPN for my clients?
Yes for remote-first and identity-centric deployments: ZTNA reduces lateral movement risk compared with VPN and supports conditional access. For legacy on-premise apps that lack modern authentication, VPN may remain necessary during migration.
What five areas must an MSP cover for zero trust?
Identity, device posture, network segmentation, application and workload protection, and continuous monitoring. NIST SP 800-207 structures these areas and supports scoping and pricing decisions.
How long until a zero trust service pays back?
Typical payback ranges from six to eighteen months, with a median of nine months for mid-market pilots when onboarding is automated and CAC stays within $6k–$18k. Longer paybacks appear when onboarding exceeds 80 FTE-hours.
What hides in naive ROI models?
Underestimating onboarding hours and recurring monitoring labor is the usual culprit. Expect onboarding of 20–200 FTE-hours per client and recurring 0.5–4 SOC FTEs per 1,000 users without automation.
How should MSPs price licenses and pass-throughs?
Pass through third-party license increases with annual reconciliation and include a clear onboarding fee. Negotiate enterprise bundles with vendors to reduce license spend by an estimated 10–25 percent.
When should an MSP avoid offering zero trust?
Avoid if the business is strictly break/fix for customers under 20 users, if there is no delivery capability, or if customers demand bespoke, non-standardizable architectures that block reuse and automation.
How should renewal conversations be framed?
Lead with measured outcomes: ARR retention, time-to-value within 90 days, and documented SLA compliance. Use these metrics to justify price increases and to secure multi-year renewals.