Vulnerability management is one of the most in-demand services MSSPs offer, and one of the hardest to scale profitably. Running VM for 30 clients with a team of eight analysts requires architectural and operational discipline that most MSSP platforms were not originally built to provide.
This guide covers the structural decisions that separate MSSPs that struggle with VM margin from those that run it efficiently at scale: multi-tenant architecture, client isolation, workflow automation, commercial packaging, and regulatory reporting.
The multi-tenant architecture imperative
The foundational requirement for any MSSP delivering VM is true multi-tenancy: each client's data, assets, findings, and reports must be fully isolated at the data layer, not just in the UI. This is not just good practice; it is a contractual and regulatory requirement for most MSSP clients, especially those in financial services or healthcare.
The practical implication is that running per-client instances of a single-tenant tool (separate Tenable.io accounts, separate Qualys subscriptions) creates a management overhead that destroys margin. True multi-tenant VM platforms allow one analyst team to operate across all client environments from a single pane, with zero risk of cross-client data leakage.
Key architectural decisions for MSSP VM
Scanner deployment model
Structuring the analyst team for scale
The most common MSSP VM scaling failure is linear headcount growth: as the client base doubles, analyst headcount doubles. Sustainable MSSP VM operations use a tiered model that separates tooling from analysis from client engagement.
Tier 1: Automation layer (covers unlimited clients)
Scanner scheduling, finding ingestion, deduplication, contextual risk re-scoring as CTI evolves, and SLA alerting are fully automated. No analyst time is required for routine operations.

Tier 2: Triage analyst (1 analyst per 15–20 clients)
Reviews exceptions, validates risk-accepted items, and handles edge cases that automation flags. Shared across clients, not per-client.

Tier 3: Client engagement (1 vCSO per 8–12 clients)
Delivers monthly or quarterly vulnerability briefings, interprets risk posture trends, handles escalations, and produces board-level reports.
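The Tier 1 automation duties above, as an added Python example that is not Centraleyezer's or the page's own code: ingestion with deduplication on (asset, CVE), a one-band re-score when CTI reports a CVE as exploited, and SLA-breach detection against the re-scored severity. The scan rows, SLA day values, and CVE ids are constructed placeholders.

```python
from datetime import date

# Constructed sample: raw output from two weekly scans of one client tenant.
RAW_SCAN_RESULTS = [
    {"scanned": "2024-01-01", "asset": "web-01", "cve": "CVE-PLACEHOLDER-1", "severity": "high"},
    {"scanned": "2024-01-08", "asset": "web-01", "cve": "CVE-PLACEHOLDER-1", "severity": "high"},
    {"scanned": "2024-01-08", "asset": "db-01", "cve": "CVE-PLACEHOLDER-2", "severity": "medium"},
]
# Assumed remediation SLA in days per severity band; the page states no specific values.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
BANDS = ["low", "medium", "high", "critical"]


def ingest(raw):
    """Deduplicate on (asset, cve): one open finding per pair, first_seen = earliest scan."""
    findings = {}
    for r in raw:
        key = (r["asset"], r["cve"])
        f = findings.get(key)
        if f is None:
            findings[key] = {"asset": r["asset"], "cve": r["cve"], "severity": r["severity"],
                             "first_seen": r["scanned"], "last_seen": r["scanned"]}
        else:
            # ISO dates compare correctly as strings.
            f["first_seen"] = min(f["first_seen"], r["scanned"])
            f["last_seen"] = max(f["last_seen"], r["scanned"])
            f["severity"] = r["severity"]  # keep the scanner's latest view
    return list(findings.values())


def rescore(findings, exploited_cves):
    """Contextual re-scoring as CTI evolves: an exploited CVE moves up one band (in place)."""
    for f in findings:
        if f["cve"] in exploited_cves:
            f["severity"] = BANDS[min(BANDS.index(f["severity"]) + 1, len(BANDS) - 1)]
    return findings


def sla_breaches(findings, today_iso):
    """Return (asset, cve, age_days) for findings older than the SLA of their current band."""
    today = date.fromisoformat(today_iso)
    breaches = []
    for f in findings:
        age = (today - date.fromisoformat(f["first_seen"])).days
        if age > SLA_DAYS[f["severity"]]:
            breaches.append((f["asset"], f["cve"], age))
    return breaches
```

The re-score is what turns a within-SLA "high" into an overdue "critical" without any analyst touching the ticket, which is the point of putting this work in Tier 1.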
Commercial packaging: how to price MSSP VM profitably
MSSP VM services typically fail commercially for one of two reasons: under-pricing (treating scanning as a commodity add-on) or over-delivering on non-billable work (creating custom reports for every client every month). A sustainable packaging model anchors on client asset count and reporting tier, not hours.
Foundation (up to 250 assets; priced per asset/month)
- Monthly scanning
- Risk-prioritised dashboard
- SLA tracking
- Compliance evidence pack (NIS2 / ISO 27001)

Professional (250–1,000 assets; priced per asset/month)
- Continuous scanning
- Everything in Foundation
- Monthly risk briefing (1 hr)
- Remediation workflow integration
- Custom SLA tiers

Enterprise (1,000+ assets; custom contract)
- Everything in Professional
- Quarterly vCSO engagement
- Board-level risk reporting
- Threat intelligence integration
- Multi-site / segmented networks
NIS2 and DORA as MSSP sales drivers
NIS2 and DORA have created a demand surge for MSSP VM services among mid-market clients who lack the internal capability to build compliant programmes themselves. MSSPs that can credibly offer a "NIS2-ready vulnerability management service", with documented SLAs, automated evidence collection, and the audit trail supervisors expect, command a material price premium over commodity scanning providers.
The Centraleyezer MSSP platform is purpose-built for this model: true multi-tenancy, per-client vulnerability reports (Executive, CISO, Technical), white-label dashboard capability, and the regulatory evidence mapping to NIS2, DORA, ISO 27001, and PCI-DSS that clients hand to their auditors. The platform supports the compliance work; the framework reports themselves remain owned by the client.
Common questions
How does Centraleyezer handle client data isolation?
Each client tenant has fully isolated data at the database level. Analysts access client environments through role-based permission sets; there is no way for a query or report to include data from another tenant.
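One way to make "isolated at the data layer, not just the UI" concrete, covering both the multi-tenancy section and this answer, as an added Python example that is not Centraleyezer's code: the analyst's permission set and the tenant predicate are enforced in the single query path every report uses, so no report can include another tenant's rows. The tenant names, findings, CVE placeholders, and the permission model are constructed assumptions.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample: findings for two client tenants held in one shared table.
SAMPLE_FINDINGS = [
    ("acme", "web-01", "CVE-PLACEHOLDER-1", "high"),
    ("acme", "db-01", "CVE-PLACEHOLDER-2", "critical"),
    ("globex", "web-01", "CVE-PLACEHOLDER-1", "high"),
]


@dataclass(frozen=True)
class AnalystSession:
    """Role-based permission set: the tenants this analyst may read (assumed model)."""
    analyst: str
    tenants: frozenset


class TenantScopeError(PermissionError):
    """Raised when a session asks for a tenant outside its permission set."""


class FindingsRepo:
    """Every read goes through _scoped(), which puts the tenant predicate in the SQL itself."""

    def __init__(self, rows=SAMPLE_FINDINGS):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE findings (tenant_id TEXT NOT NULL, asset TEXT, "
                        "cve TEXT, severity TEXT)")
        self.db.executemany("INSERT INTO findings VALUES (?, ?, ?, ?)", rows)

    def _scoped(self, session, tenant_id, columns, suffix=""):
        # Permission check and tenant filter live in one place; callers cannot omit them.
        # `columns` and `suffix` are internal constants, never user input.
        if tenant_id not in session.tenants:
            raise TenantScopeError(f"{session.analyst} is not permitted on tenant {tenant_id}")
        sql = f"SELECT {columns} FROM findings WHERE tenant_id = ? {suffix}"
        return self.db.execute(sql, (tenant_id,)).fetchall()

    def findings(self, session, tenant_id):
        """Technical-report view: one dict per finding, for this tenant only."""
        rows = self._scoped(session, tenant_id, "asset, cve, severity")
        return [{"asset": a, "cve": c, "severity": s} for a, c, s in rows]

    def severity_report(self, session, tenant_id):
        """Executive-report view: counts per severity, scoped the same way."""
        rows = self._scoped(session, tenant_id, "severity, COUNT(*)", "GROUP BY severity")
        return dict(rows)
```

A shared Tier 2 analyst sees each tenant separately and never both at once; an analyst whose permission set omits a tenant gets an error rather than an empty or mixed result.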
Can we white-label the Centraleyezer platform?
Yes. MSSP partners can deploy a white-labelled version with custom branding, custom domain, and client-facing portals that carry the MSSP's identity rather than Centraleyezer branding.
What scanner integrations are supported for multi-tenant deployments?
Centraleyezer ingests from Tenable.io, Tenable.sc, Qualys VMDR, Rapid7 InsightVM, OpenVAS/Greenbone, Wiz, and others via API. Per-client scanner credentials are managed securely within the platform.
How do we handle clients with no existing scanner?
Centraleyezer can deploy its own lightweight scanning capability to client environments, or recommend and provision an appropriate scanner as part of the onboarding. No existing scanner is required.