Why Security Providers Like Third Wave Matter More Than Ever
By Patrick Hayes, CxO & Field CISO
The ConnectWise 2025 MSP Threat Report makes a difficult reality impossible to ignore. Managed Service Providers (MSPs) are no longer just supporting the IT ecosystem. They have become high-value targets within it.
Threat actors have learned that compromising a single MSP can grant access to dozens or even hundreds of downstream businesses. This approach is quieter, cheaper, and more scalable than attacking large enterprises directly. Over the past two years, attackers have leaned heavily into this strategy, with increasing levels of coordination and technical sophistication.
In this environment, the difference between a traditional MSP and a security provider like Third Wave is not marginal. It determines whether risk is contained or multiplied.
MSPs Have Become a Central Point of Failure
The report outlines several structural reasons MSPs attract sustained attacker interest. They operate privileged remote access tools, manage shared infrastructure across many customers, and often lack the dedicated security depth of large enterprises. A single successful intrusion can cascade across multiple client environments.
This concentration of risk explains why 78% of MSPs surveyed believe a serious cyberattack could put them out of business. It also explains why threat actors are aggressively targeting MSP tooling, edge devices, and remote management platforms.
Whether intentionally or not, MSPs now function as critical infrastructure for the SMB economy.
Traditional IT Management No Longer Meets the Threat
Many MSPs were built to deliver availability, efficiency, and cost control. They were not designed to operate under constant pressure from ransomware affiliates, data extortion groups, and attackers equipped with tools to evade modern defenses.
The report documents a clear shift in attacker behavior. Ransomware groups increasingly steal data without encrypting systems. Edge devices are exploited at scale. EDR bypass techniques are now common. Social engineering methods, such as ClickFix, avoid file downloads entirely and rely on native system tools.
In this threat landscape, backups alone do not provide meaningful protection. Endpoint detection alone does not provide visibility. Patch management performed on a delayed schedule creates systemic risk rather than operational convenience.
Effective defense now depends on security architecture, operational rigor, and continuous monitoring. These are the foundations of security providers.
Remote Access Tools Are High-Impact Attack Surfaces
The ScreenConnect vulnerabilities highlighted in the report illustrate the stakes clearly. The flaws were severe, widely exploitable, and present in tools with extensive privileges inside customer environments. While cloud instances were remediated quickly, unpatched on-premises systems remained exposed and were actively exploited.
Remote access platforms are no longer neutral productivity tools. They are primary attack surfaces. When patching lags or visibility is incomplete, compromise spreads rapidly across customers.
Providers like Third Wave operate with this assumption in mind. Patch cycles are aggressive. Remote access paths are hardened and monitored continuously. Tool abuse is treated as a leading indicator of compromise rather than an afterthought.
Edge Security Determines Containment or Cascade
The report recorded more than 84,000 alerts related to edge device vulnerabilities across MSP-managed environments in a single year. VPNs, firewalls, and secure gateways were frequent points of entry. Many of the exploited vulnerabilities were disclosed within the same year.
This reality demands constant attention rather than one-time configuration. Zero-day exposure and misconfiguration are unavoidable over time. Once attackers gain access at the edge, lateral movement into customer networks becomes trivial.
Security providers build their services around continuous edge monitoring and rapid response because they understand how quickly localized failures become supply-chain incidents.
Attackers Now Disable Defenses Before Acting
One of the most concerning findings in the report is the routine use of tools designed to disable endpoint detection systems before payload deployment. Techniques such as bring-your-own-vulnerable-driver (BYOVD) attacks and kernel-level exploits are no longer exceptional. They are part of standard attacker playbooks.
Any security program that assumes endpoint tools will always be present and functional is operating under outdated assumptions.
Providers like Third Wave design layered detection models that combine endpoint data with network telemetry, tamper protection, centralized logging, and zero-trust principles. Security is treated as an operational system rather than a collection of products.
MSP Security Determines Client Security
The report makes an uncomfortable but necessary point. An MSP’s security posture directly shapes the security posture of every client it supports.
Patch management cannot be deprioritized. Incident response planning must account for multi-tenant impact. Security tooling must be monitored continuously and evaluated for resilience against evasion.
This is where security providers distinguish themselves. They do not simply deliver IT services. They actively reduce aggregate risk across their customer base.
The Takeaway
Organizations that rely on MSPs should treat MSP compromise as a primary risk rather than a secondary vendor concern. Due diligence must extend beyond certifications and into operational realities such as patch cadence, detection strategy, and response readiness.
Security responsibilities must be clearly defined and enforced. The relationship between client and MSP now resembles the trust model applied to cloud infrastructure providers.
Attackers focus on MSPs because the approach is effective. That reality will not change.
Providers that endure will be those that recognize their role as critical infrastructure, design their operations with failure in mind, and invest accordingly. Security providers like Third Wave represent this model in practice.
Everything else simply expands the attack surface.