MSP Survey: Vulnerability Management & Compliance Research

We're conducting research to understand how MSPs approach vulnerability management and compliance today. Your candid feedback—including what isn't working—will help us make better decisions. This survey takes approximately 15 minutes. Your responses will directly shape how we prioritize features and support partners in delivering these outcomes.

1. What's your name?

2. What's your company email address?

3. What's your company name?

4. Total endpoints you manage across all clients
- 0–249
- 250–499
- 500–999
- 1,000–1,999
- 2,000–4,999
- 5,000–9,999
- 10,000+

5. Number of managed clients
- 1–24
- 25–49
- 50–99
- 100–199
- 200–499
- 500+

6. MSP employee count
- 1–5
- 6–10
- 11–20
- 21–30
- 31–50
- 51+

7. Approximate annual MSP revenue
- $0–$499k
- $500k–$999k
- $1M–$1.99M
- $2M–$4.99M
- $5M–$9.99M
- $10M+

8. What % of your clients have formal security/compliance requirements today? (Insurance requirements, customer mandates, regulatory obligations, named frameworks, etc.)
- 0–10%
- 11–25%
- 26–50%
- 51–75%
- 76–100%
- Not sure

9. Among clients with formal requirements, which show up in your world? (Select all that apply)
- None / mostly questionnaires (no named framework)
- HIPAA / HITECH
- PCI DSS
- SOC 2 (customer/vendor driven)
- NIST CSF
- NIST 800-171
- CMMC
- CIS Controls
- ISO 27001
- GLBA
- FTC Safeguards Rule
- State privacy/security requirements (e.g., NYDFS 500, CPRA)
- FedRAMP
- Not sure
- Other

10. Which 1–3 are most common across your client base, and why?

11. Do you currently offer vulnerability management or security assessments to clients?
- Yes, as a standardized offering
- Yes, but ad hoc / on request only
- No, but planning to within 12 months
- No, and not planning to

12. Do you currently offer GRC/compliance services to clients?
- Yes, as a standardized offering
- Yes, but ad hoc / on request only
- No, but planning to within 12 months
- No, and not planning to

13. Do you have defined recurring services for any of the following? (Select all that apply)
- Vulnerability management
- Attack surface monitoring (external exposure)
- SaaS posture reviews (M365/Google/etc.)
- Cloud posture reviews (AWS/Azure/GCP)
- GRC/compliance management (policies, evidence, audits, controls)
- vCISO / security advisory
- None of these are standardized offerings today

14. In the past 12 months, approximately how many times have clients asked about each of the following? (Enter a number for each)
Scale: Never | Rarely | Occasionally | Routinely | Constantly
- Vulnerability scanning / "Are we exposed?"
- Cyber insurance questionnaires / renewals
- Proof that controls are in place (MFA, backups, EDR coverage, etc.)
- Named frameworks (CIS/NIST/CMMC/SOC 2/HIPAA/PCI)
- Third-party/vendor risk questions
- "Risk score / posture" reporting (executive view)

15. For the topic that came up most frequently, can you briefly describe a specific client request or conversation?

16. What typically triggers these conversations?
- Cyber insurance renewal/denial
- Client's customer requirement
- Audit / assessment request
- Incident / near miss
- Board/owner request
- Compliance/regulatory change
- Prospect requirement during sales cycle
- MSP initiative (you bring it proactively)
- Peer group / community influence
- Other

17. Importance (next 12–18 months): How important is it to your MSP's growth to deliver…
Scale: Not important to growth MSP | Slightly important | Moderately important | Very important | Critical to growth MSP
- Vulnerability management as a recurring service
- GRC / compliance management as a recurring service
- Attack surface monitoring (external exposure)
- SaaS posture management (M365/Google/etc.)
- Cloud posture management (AWS/Azure/GCP)

18. How well-served do you feel by your current tools/processes in…
Scale: Not at all served by current tools/processes | Slightly served by current tools/processes | Moderately served by current tools/processes | Very served by current tools/processes | Completely served by current tools/processes
- Identifying vulnerabilities/exposures
- Prioritizing what matters most
- Operationalizing remediation (tickets/workflows)
- Executive/client-ready reporting for QBRs
- Framework mapping / audit readiness (evidence)

19. On the spectrum below, where do vulnerability + compliance services fit for your MSP?
- Not a focus area
- Defensive/retain clients
- Revenue growth opportunity
- Major strategic pillar

20. In the next 6 months, how likely are you to…
Scale: Very unlikely | Unlikely | Neutral | Likely | Very likely
- Standardize on a single vulnerability management approach across most clients
- Adopt a dedicated GRC/compliance system (vs spreadsheets/docs) across multiple clients

21. Thinking specifically about Vulnerability Management (scanning, prioritization, remediation workflow, reporting): which tools do you use today?
(Select all that apply)
Scale: Haven't heard of | Haven't looked at | Looked at, but don't use | Used previously, but no longer | Considering | Actively Using
- ConnectSecure
- Nodeware
- Rapid7
- Tenable
- Qualys
- Cynet
- Galactic Advisors
- Cavelo
- Augmentt
- SaaS Alerts
- Kaseya (Network Detective or related)
- Other

22. Which vendor is your primary?

23. For your primary approach, what delivery model do you use most?
- Continuous/always-on
- Scheduled (monthly/quarterly)
- Point-in-time only
- Included informally inside another service
- Not sure

24. When vulnerabilities are found, how are they handled most often? (Select up to 2)
- Manual remediation by MSP team
- Ticketing workflow through PSA
- Client IT/internal owner remediation
- Automated remediation/patching
- We typically report but don't remediate
- Not sure

25. Satisfaction with your Vulnerability Management approach
- Very dissatisfied
- Dissatisfied
- Neutral
- Satisfied
- Very satisfied
- N/A

26. What are the top 3 ways your current approach falls short? (Pick 3)
- Too noisy / too many false positives
- Hard to prioritize what matters
- Too much manual work to operationalize
- Reporting isn't client-ready
- Limited integrations
- Deployment complexity
- Doesn't scale well across clients
- Too expensive / hard to monetize
- Gaps in coverage (assets, SaaS, cloud, external exposure)
- Other

27. What are the top 3 reasons your current approach works well? (Pick 3)
- Ease of deployment
- Accuracy / low noise
- Prioritization/risk scoring
- Reporting (client/QBR-ready)
- Multi-tenant MSP experience
- Remediation workflow
- Integrations (PSA/RMM/etc.)
- Price / economics
- Vendor support
- Other

28. Thinking specifically about GRC / compliance management (policies, evidence, audits, controls, framework mapping): which tools/processes do you use today?
(Select all that apply)
Scale: Haven't heard of | Haven't looked at | Looked at, but don't use | Used previously, but no longer | Considering | Actively using
- Apptega
- Kaseya Compliance Manager
- ControlMap
- Drata
- Vanta
- Secureframe
- Tugboat Logic
- Spreadsheet/docs only
- None / not currently offered
- Other

29. Which one is your primary GRC/compliance tool/approach today?

30. What are you primarily using your GRC approach for today? (Select all that apply)
Scale: Never | Sometimes | Usually | Always
- Policy management
- Framework mapping / controls
- Evidence collection & audit readiness
- Risk register / risk assessments
- Vendor risk management
- Client-facing reporting / QBRs
- Internal MSP compliance only
- Not sure

31. Satisfaction with your GRC/compliance approach
- Very dissatisfied
- Dissatisfied
- Neutral
- Satisfied
- Very satisfied
- N/A

32. Top 3 ways your current GRC approach falls short
- Too much manual effort
- Not MSP-friendly / not multi-tenant
- Difficult to maintain ongoing evidence
- Reporting isn't client-ready
- Limited framework coverage
- Doesn't connect well to technical findings (vulnerabilities/posture)
- Too expensive / hard to monetize

33. Top 3 reasons your current GRC approach works well (Pick 3)
- Easy to operationalize
- Framework coverage/mapping
- Evidence collection & audit readiness
- Client-ready reporting
- Multi-tenant MSP workflow
- Integrations
- Price / economics
- Vendor support
- Other

G) Platform Expectations

34. If a single platform combined vulnerability management with GRC/compliance, how interested would you be?
- Not interested
- Slightly interested
- Moderately interested
- Very interested
- Extremely interested

35. What integrations would be essential for you? (Select all that apply)
- PSA (ConnectWise, Autotask, Halo, etc.)
- RMM (Datto, NinjaRMM, ConnectWise, etc.)
- Microsoft 365 / Entra ID
- Google Workspace
- AWS / Azure / GCP
- EDR (SentinelOne, CrowdStrike, etc.)
- SIEM / SOC platform
- Backup / BDR
- Other

36. If you were in charge of product development and could design the ideal solution for your MSP to deliver vulnerability + risk/compliance services, what would it do?

37. What prevents you from having that ideal solution today? (Pick up to 3)
- Nothing, my current approach meets my needs
- Too expensive
- Too complex to deploy/support
- Not MSP-friendly / multi-tenant gaps
- Doesn't fit how we run operations (PSA/RMM workflow)
- Reporting isn't client-ready
- Too noisy / low confidence results
- Doesn't help drive remediation follow-through
- Clients won't pay consistently
- Contract/vendor friction
- Other

38. How do you prefer to monetize vulnerability/risk/compliance services?
(Select all that apply)
- Included inside managed services agreement (bundled)
- Add-on package (tier upgrade)
- Standalone per-endpoint service
- Project + recurring monitoring
- vCISO retainer

39. Which statement is closest to how you price these services?
- Price primarily based on outcomes/value; tool costs are secondary
- Price based on tool cost + a target service markup
- Prefer to minimize resale economics and focus on service margin
- Not sure / varies by client

40. For a recurring Vulnerability Management service (including reporting and prioritization), what monthly price per endpoint would you consider…
- So inexpensive you'd question quality: $_____ per endpoint/month
- A good value: $_____ per endpoint/month
- Expensive, but would consider: $_____ per endpoint/month
- Too expensive to consider: $_____ per endpoint/month

41. Any additional thoughts or comments you'd like to share related to vulnerability management, compliance/GRC, or how MSPs deliver these services?

42. Would you be open to a 20-minute follow-up conversation?
- Yes
- No

43. What's a good phone number?