Managed security service providers (MSSPs) are a vital part of the cybersecurity ecosystem, often serving as the first, and sometimes the only, line of defense across multiple clients. Their role is also growing in importance, largely due to the persistent global skills shortage. However, new benchmarking data reveals blind spots that could limit their strategic value.
Hack The Box’s Global Cyber Skills Benchmark 2025 analyzed nearly 800 teams and more than 4,500 participants worldwide. While MSSP teams performed strongly in OSINT (64.5%) and forensics (62.8%), they lagged in preventive and offensive disciplines such as secure coding (18.7%), web security (21.1%), and adversary emulation.
The results, which were mapped to the MITRE ATT&CK framework, show a clear imbalance. Although MSSPs are great at detection and response, they are falling short in prevention and protection. Detection is obviously an essential skill, but it’s reactive only. As adversaries exploit AI automation, supply-chain vulnerabilities, and custom exploits, MSSPs risk the need to be more than reactive responders; they need to become active defenders of an organization’s resilience.
Scale vs depth
The MSSP operating model generally includes standardised tooling, multitenant platforms, and is built for speed and efficiency, but it lacks depth. The problem is that detection scales easily, while prevention needs context-specific expertise and secure engineering fluency. When it comes to prevention tools, they alone can’t compensate for missing skills. And that’s why capability, not tooling, is now the main differentiator for an MSSP.
Continuous Threat Exposure Management (CTEM), a concept introduced by Gartner, is a useful framework for proving resilience. CTEM reframes the narrative from “How fast can we detect?” to “How much risk did we actually remove?” It scopes attack surfaces, simulates threats, validates controls, and measures improvement.
For MSSPs, embedding CTEM helps to turn technical skills into business value. It will provide proof that cybersecurity investments are actually reducing risk exposure and by how much.
Skills as a differentiator
To close the gap between detection and prevention, MSSPs should start with data-driven workforce benchmarking. This will help ensure money spent on professional skills development delivers genuine operational impact.
Generic training won’t help. MSSPs need role-based learning paths aligned to core functions, such as SOC analyst, threat hunter, red team operator, and secure developer. Short, verifiable micro-credentials are also important to support continuous improvement.
The focus isn’t just about training. It is about implementing carefully planned upskilling and having the ability to prove capability to clients and boards alike.
MSSPs should also consider building industry-aligned capability pods, where there are specialised teams focused on vertical threat landscapes. A finance pod might prioritize blockchain and application security; energy and manufacturing pods could focus on ICS and OT defence; retail pods might tackle supply chain and web application threats.
These pods deepen contextual understanding of threats and help to strengthen protection. To avoid siloing skills, pod governance should include a process to ensure structured knowledge transfer and continuous feedback loops.
Offensive emulation and AI risk
Offensive emulation is one of the weakest areas for many MSSPs, with the benchmarking figures showing Pwn/exploitation solve rates averaging just 9.8%. Regular red teaming exercises and adversary emulation training will help improve and validate defences under real-world conditions and feed directly into CTEM metrics, turning simulations into proactive indicators of resilience.
MSSPs are early adopters of AI-assisted tooling, with solve rates in the benchmarking averaging 38.3%, which is above the global mean. But AI without a secure engineering discipline is a double-edged sword because it has the potential to accelerate vulnerabilities faster than they can be fixed.
To mitigate this, MSSPs must reinforce secure-by-design skills and integrate AI governance checklists into development and automation pipelines.
Speaking the boardroom language
Traditional SOC metrics like MTTD (Mean Time to Detect) or MTTR (Mean Time to Respond) do not accurately reflect investment value. Executives want to see measures of exposure reduction, such as fewer exploitable weaknesses, faster patching, and tangible improvements in secure coding proficiency.
By combining skills benchmarking with CTEM, MSSPs get the ability to communicate actual progress. For example: “Secure coding proficiency up 20%, with a 25% reduction in client-side web vulnerabilities.” That’s the kind of language that needs to be used in the boardroom to translate technical performance upskilling into trust in the MSSP’s business.
SME hybrid working requires a rethink when it comes to network design
Inside the SME tech revolution: The quiet role of the channel in driving real change
Why digital resilience now belongs in the channel boardroom
Beyond the handshake: Building a purpose-built partner economy that solves customer problems
Why trust not tech will decide the channel’s future
How the partnership model can transform the channel
How SMBs can DIY their IT implementation and support
What the fragmentation of UC means for the channel
