Skip to main content

Stop Bundling Security Into the MSP Stack: Lessons from Dura Cyber's Fortify Program

Nick Ross4 min read

TL;DR

  • Burying security inside a generic MSP bundle creates mismatched client expectations and forces the MSP to silently absorb rising security costs.
  • Dura Cyber's Fortify program moves clients through four stages: identity protection, device management, data exfiltration safeguards, and sensitive data protection.
  • Many MSPs already carry $30 to $35 per user in stack costs; modern AI-era security programs commonly land around $60 to $65 per user.
  • Two plain-language questions about AI data exposure open more security deals than any fear pitch.
  • Partners running packaged security programs commonly report an additional $30 to $50 per seat across their base.

Adding another product to the all-in bundle has never made an MSP more profitable. Margins shrink, clients stay unaware of their actual risk, and the MSP stays stuck in reactive mode.

We sat down with Mike Hughes (opens in new tab), CEO of Dura Cyber (opens in new tab), to unpack how their Fortify program takes a different path. Four threads run through the conversation: restarting the security dialogue through AI and data risk, packaging security as its own managed service, standardizing on Microsoft 365 where it counts, and proving measurable risk reduction clients can see.

The client experience beats the tool list

Mike's framing of the core mistake:

"MSPs aren't really selling products—they're selling experience. And the experience gets better when you engage the business about risk."

The unlock is leading with the business problem, data exposure, AI misuse, identity and device gaps, rather than the product lineup.

And there is no better business problem to open with than AI, because employees are pasting company data into AI tools right now. That fact alone creates a non-technical entry point. Two starter questions for the CEO or CFO:

  • "Are you okay with company data being uploaded to public AI systems?"
  • "Do you want any employee device to be able to sync company data without controls?"

Most leaders say no. That "no" opens the door to a structured security path, not a fear pitch.

Inside Fortify: the F1 to F4 journey

Dura Cyber's Fortify flow meets clients where they are and moves them forward with low friction:

  1. F1: Identity, email, and credential protection. MFA and Conditional Access baselines, privileged access, user hygiene. Immediate wins against the number one attack vector: people.
  2. F2: Device management and security. See which devices connect, tame BYOD, apply basic protections. Low impact, rapid deployment, and clients feel the progress.
  3. F3: Data exfiltration safeguards. Show leaders what employees actually do with data: sharing, links, oversharing. The conversation shifts from abstract risk to visible behavior.
  4. F4: Sensitive data protection. Locate sensitive data, reduce oversharing, establish protected zones, and build the confidence needed for responsible AI adoption.

Why it works: it is measurable. Secure Score movement, progress against CIS Controls implementation groups (IG1 and IG2), and platform reports make the improvement obvious even when the controls themselves live under the hood.

Why security needs its own line on the invoice

When security hides inside the generic MSP bundle, two bad things happen at once. Clients assume "it's all included," which creates dangerous mismatched expectations. And the MSP silently absorbs growing security costs as the threat landscape evolves.

The fix is structural. Split the offering into:

  • MSP Core: operations and support
  • Security: identity, devices, data governance, monitoring
  • Data/AI Governance: controls, enablement, adoption

When clients see distinct lines, the question becomes "Why aren't we on the security package?" and the contract gets cleaner and more defensible.

On pricing, Mike is direct. Many MSPs with basic or standard stacks already sit near $30 to $35 per user in input costs. For modern protections that address AI-era risks, he commonly sees total programs land around $60 to $65 per user, varying by size and scope. If a client cannot jump there today, phase it: start with F1 and F2, add the rest over time.

Standardize the stack where it matters

Dura Cyber is Microsoft-centric by design:

  • Microsoft 365 Business Premium as the baseline
  • Defender for Endpoint as standard
  • Intune as "the new Group Policy" for consistent enforcement

Does Microsoft cover everything? No. You will still fill MDR and backup gaps and add specialty tools. But consolidation shrinks swivel-chair overhead, gives you one incident pane of glass when it counts, and makes the story simpler for clients.

The three objections, answered

  • "We didn't budget for this." Meet them where they are. Start with no-regrets moves on existing licenses (F1/F2), then phase in.
  • "We thought this was included." Clear packaging eliminates the assumption. Show the difference between MSP Core and Security.
  • "We'll wait until later." Visibility changes minds. When leaders see the oversharing and identity gaps in their own data, velocity increases.

What the numbers look like

Dura Cyber's partners commonly report:

  • An additional $30 to $50 per seat of revenue across the client base
  • Fewer reactive tickets as baselines harden
  • Faster executive buy-in, driven by data-backed visibility and a clear roadmap

A five-step start for this week

  1. Email five clients with the two AI data exposure questions above.
  2. Offer a 60-minute "AI & Data Risk Check-In" that ends with an F1/F2 quick action plan.
  3. Package the program into MSP Core, Security, and Data/AI Governance, each with clear outcomes and metrics.
  4. Standardize your baseline: Microsoft 365 Business Premium, Defender, Intune. Close the remaining gaps with a short, opinionated list.
  5. Measure and show progress with Secure Score, CIS IG1/IG2 movement, and platform reports.

Interested in the Fortify program itself? Mike takes notes at mike.hughes@duracyber.tech.

For the measurement layer, platforms like CloudCapsule visualize controls, movement against frameworks, and executive-friendly summaries, built for the recurring security QBR and gap analysis against CIS and NIST.

CloudCapsule security report showing control status and framework progress for client reporting

Frequently asked questions

How should an MSP respond when a client says security was supposed to be included?

With clearer packaging. Split the offering into MSP Core, Security, and Data/AI Governance lines so clients see exactly what each covers. Once the lines are distinct, the question flips to why they are not on the security package yet.

What if a client has no budget for a full security program?

Phase it. Start with no-regrets moves on licenses the client already owns, the F1 and F2 stages, then add data exfiltration and sensitive data protection over time as visibility builds the case.

Make the progress visible

Fortify works because clients can see risk reduction quarter over quarter. CloudCapsule turns 250+ Microsoft 365 controls into client-ready reports and framework gap analyses against CIS and NIST, built for the recurring security QBR.

Book a demo
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading