18 min read · By Aerie Team

The Essential Security Stack for UK MSPs in 2026

A practical guide to building a defensible security programme for UK MSPs: EDR, SIEM, BDR, MFA, email security, DNS filtering, with real pricing examples.

Tags: security, msp, uk-msps, cyber-essentials, rmm

Cybersecurity has moved from a nice-to-have to a business-critical expectation. Your clients ask about it. Insurance companies require it. Regulators (FCA, ICO) increasingly mandate it. Yet many UK MSPs still struggle to justify the cost or complexity of a comprehensive security stack.

This guide breaks down the essential tools every MSP should offer or understand in 2026. We'll cover:

  1. What each tool does and why it matters
  2. What to look for when evaluating options
  3. How they fit together (and how Aerie fits into this picture)
  4. Real-world budget examples for small and growing MSPs

By the end, you'll know what you need, where to start, and how to build a defensible security programme without breaking the budget.


The Security Stack Essentials

1. EDR (Endpoint Detection & Response)

What it is: Endpoint Detection & Response (EDR) is a technology that monitors devices in real-time for signs of compromise, malware, unusual behaviour, or active attacks. Unlike traditional antivirus (which focuses on known malware signatures), EDR watches what software is doing on a device—even if it's never been seen before.

Why MSPs need it:

  • Insurance requirement: Most cyber insurance policies now require EDR or equivalent monitoring
  • Breach response: When a device is compromised, EDR provides detailed forensic data (what happened, where it went, what it touched)
  • Compliance: Clients in regulated sectors (finance, healthcare, law) often require EDR as a control
  • Ransomware detection: EDR catches file encryption and suspicious encryption tools before they spread

What to look for:

  • Real-time monitoring (not batch processing overnight)
  • Behaviour analysis (catches unknown threats, not just known malware)
  • Incident response support (vendor provides forensics and guidance)
  • Integration with your RMM (so alerts appear alongside device health)
  • Affordable for small deployments (not enterprise-only pricing)
  • Cloud-hosted console (minimal on-premises infrastructure)

Popular options for UK MSPs:

  • Microsoft Defender for Endpoint (integrated with Microsoft 365; good for Windows-heavy MSPs)
  • CrowdStrike Falcon (industry standard; excellent detection; premium pricing)
  • Sophos Intercept X (good all-rounder; strong on ransomware)
  • SentinelOne (strong behavioural AI; growing UK MSP partner programme)
  • Bitdefender GravityZone (flexible licensing; strong SMB focus)

Budget range: £3–15 per device per month (enterprise) to £0.50–5 per device (SMB-focused tools)

Real-world impact: EDR detects 70–80% of intrusions in their early stages. Without it, a breach often goes undetected for weeks or months, multiplying damage and incident response costs.


2. SIEM (Security Information and Event Management)

What it is: A SIEM collects and analyses security logs from all your infrastructure—devices, servers, firewalls, cloud applications, etc. It looks for patterns, correlations, and indicators of compromise across your entire environment.

Why MSPs need it:

  • Visibility across the stack: EDR sees endpoints, but SIEM sees everything (servers, databases, cloud access, network traffic)
  • Breach investigation: When an incident occurs, SIEM provides a complete timeline of what happened across all systems
  • Compliance logging: Regulations like GDPR, PCI-DSS, and ISO 27001 require audit trails; SIEM centralises this
  • Threat hunting: Your security team (or your vendor) can proactively search for suspicious patterns

What to look for:

  • Easy log ingestion (supports your tech stack without custom scripting)
  • Intelligent correlation (detects multi-step attack patterns, not just individual anomalies)
  • Pre-built use cases (looks for common attack patterns out-of-the-box)
  • Long retention (60–90 days minimum; 1 year for compliance)
  • Reasonable cost for SMB deployments (not just enterprise-scale pricing)
  • Integration with EDR and your RMM
  • Cloud-hosted option (reduces operational burden)

Popular options for UK MSPs:

  • Microsoft Sentinel (cost-effective if you're on Microsoft 365; integrates tightly with Azure, Defender)
  • Splunk (gold standard; very expensive but powerful)
  • Elastic (open-source core; cost-effective if you can manage infrastructure)
  • Datadog (SaaS-friendly; good for cloud-heavy MSPs)
  • Wazuh (open-source, lower cost; good for budget-conscious MSPs)

Budget range: £1,000–5,000 per month (small MSP managing 5–10 customers) to £10,000+ (larger deployments)

Real-world impact: SIEM provides evidence for breach investigations, reduces mean-time-to-detect (MTTD) from weeks to hours, and demonstrates security hygiene to regulators and auditors.
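The "intelligent correlation" item above is the part of a SIEM that is hardest to picture from a feature list, so here is a small illustration of it in Python. This is an added example, not Aerie's or any SIEM vendor's code: it runs two multi-step rules over a handful of constructed log events from three sources (an auth log, a DNS filter and an EDR), assuming the events have already been normalised into one schema, which is what a SIEM's ingestion layer does before rules run. Rule 1 fires on repeated failed logons followed by a success from the same IP; rule 2 fires when an EDR alert lands on a host that hit a malware-category DNS block shortly before. Neither pattern is visible from a single event.

```python
"""Toy SIEM-style correlation: two multi-step rules run over constructed log events.

Added example, not Aerie's or any SIEM vendor's code. It assumes the logs have
already been normalised into a common schema (source, ts, host, ...), which is
the job of a SIEM's ingestion layer before any correlation rule runs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events from three sources (auth, DNS filter, EDR). Not real data.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T09:00:05", "source": "auth", "host": "VPN-GW", "user": "jsmith", "src_ip": "203.0.113.9", "outcome": "failure"},
    {"ts": "2026-03-02T09:00:20", "source": "auth", "host": "VPN-GW", "user": "jsmith", "src_ip": "203.0.113.9", "outcome": "failure"},
    {"ts": "2026-03-02T09:00:35", "source": "auth", "host": "VPN-GW", "user": "jsmith", "src_ip": "203.0.113.9", "outcome": "failure"},
    {"ts": "2026-03-02T09:00:50", "source": "auth", "host": "VPN-GW", "user": "jsmith", "src_ip": "203.0.113.9", "outcome": "failure"},
    {"ts": "2026-03-02T09:01:05", "source": "auth", "host": "VPN-GW", "user": "jsmith", "src_ip": "203.0.113.9", "outcome": "failure"},
    {"ts": "2026-03-02T09:01:30", "source": "auth", "host": "VPN-GW", "user": "jsmith", "src_ip": "203.0.113.9", "outcome": "success"},
    {"ts": "2026-03-02T09:05:00", "source": "auth", "host": "VPN-GW", "user": "akhan", "src_ip": "198.51.100.4", "outcome": "failure"},
    {"ts": "2026-03-02T09:05:30", "source": "auth", "host": "VPN-GW", "user": "akhan", "src_ip": "198.51.100.4", "outcome": "success"},
    {"ts": "2026-03-02T09:12:40", "source": "dns", "host": "WS-017", "domain": "c2-beacon.example", "action": "blocked", "category": "malware"},
    {"ts": "2026-03-02T09:13:10", "source": "edr", "host": "WS-017", "alert": "suspicious_powershell", "severity": "medium"},
    {"ts": "2026-03-02T10:40:00", "source": "edr", "host": "WS-022", "alert": "suspicious_powershell", "severity": "medium"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def rule_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Rule 1: >= threshold failed logons from one source IP, then a success inside the window.

    One failed logon is noise; a run of failures followed by a success from the same IP
    is the multi-step pattern a per-event alert would miss.
    """
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
    alerts = []
    for ev in sorted((e for e in events if e["source"] == "auth"), key=_ts):
        now, q = _ts(ev), failures[ev["src_ip"]]
        while q and now - q[0] > window:  # expire failures that fell out of the window
            q.popleft()
        if ev["outcome"] == "failure":
            q.append(now)
        elif ev["outcome"] == "success" and len(q) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "severity": "high",
                           "src_ip": ev["src_ip"], "user": ev["user"], "host": ev["host"],
                           "ts": ev["ts"], "failures_before_success": len(q)})
            q.clear()
    return alerts


def rule_blocked_c2_then_edr(events, window=timedelta(minutes=15)):
    """Rule 2: an EDR alert on a host that hit a malware-category DNS block just before.

    Cross-source correlation: each event alone is medium severity; together they say
    the host is probably running something that tried to beacon out.
    """
    blocked = defaultdict(list)  # host -> timestamps of malware-category DNS blocks
    for ev in events:
        if ev["source"] == "dns" and ev["action"] == "blocked" and ev.get("category") == "malware":
            blocked[ev["host"]].append(_ts(ev))
    alerts = []
    for ev in events:
        if ev["source"] != "edr":
            continue
        now = _ts(ev)
        prior = [b for b in blocked[ev["host"]] if timedelta(0) <= now - b <= window]
        if prior:
            alerts.append({"rule": "blocked_c2_then_edr", "severity": "high", "host": ev["host"],
                           "edr_alert": ev["alert"], "ts": ev["ts"], "dns_blocks": len(prior)})
    return alerts


def run_rules(events):
    """Run every rule and return the combined alert list (what a SIEM would raise tickets for)."""
    return rule_bruteforce_then_success(events) + rule_blocked_c2_then_edr(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the rules raise exactly two alerts: the brute force against `jsmith` (the single failure from the second IP stays below the threshold) and the WS-017 host, whose EDR alert is upgraded to high because of the preceding DNS block. The WS-022 alert has no DNS context and is left at its original severity. The thresholds and windows are the tuning knobs a SIEM exposes; the page's point about retention applies here too, since rule 2 can only look back as far as the DNS logs are kept.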


3. Backup and Disaster Recovery (BDR)

What it is: A BDR solution creates recoverable copies of your clients' critical data and systems. It covers both planned recovery (migration, upgrades) and unplanned recovery (ransomware, hardware failure, accidental deletion).

Why MSPs need it:

  • Ransomware recovery: Most ransomware attacks are recovered from backups rather than by paying the ransom (which is illegal in many jurisdictions anyway)
  • Business continuity: When a system fails, BDR enables recovery in minutes or hours, not days
  • Client contracts: Clients expect "backup included" in managed services; it's table stakes now
  • Revenue driver: Backup is a low-cost, high-value add-on service

What to look for:

  • Ransomware detection (identifies encrypted backups before they're stored)
  • 3-2-1 backup rule (3 copies, 2 media types, 1 offsite)
  • Point-in-time recovery (restore to any minute, not just daily snapshots)
  • Immutable backups (backups can't be deleted or encrypted, even if attacker has credentials)
  • Granular recovery (recover a single file, a VM, a database, or everything)
  • Fast recovery time (measured in hours, not days)
  • Affordable for SMB scale (should cost £5–20 per device per month, not enterprise-only)

Popular options for UK MSPs:

  • Veeam (industry standard; excellent for VM-heavy environments)
  • Datto (strong on appliances and ransomware detection; good SMB support)
  • Barracuda (cost-effective; strong ransomware features)
  • Nakivo (budget-friendly; reliable)
  • Commvault (enterprise-grade; premium pricing)

Budget range: £5–30 per device per month (depends on retention, frequency, and recovery speed)

Real-world impact: Without BDR, a ransomware attack can cost £10,000–£100,000+ in recovery labour and downtime. BDR typically costs £200–500 per year per device; the ROI is obvious.


4. MFA (Multi-Factor Authentication)

What it is: MFA requires users to prove their identity with two or more factors: something you know (a password), something you have (a phone), or something you are (a biometric). Without MFA, compromising a password is enough to gain full account access.

Why MSPs need it:

  • 90% of breaches start with compromised credentials (stolen password, credential reuse, phishing)
  • Insurance requirement: Cyber insurers increasingly demand MFA for all remote access accounts
  • Compliance mandate: Regulators (FCA, ICO) require MFA for financial and regulated systems
  • Cyber Essentials: MFA is a supporting control under the Access Control requirement — clients pursuing Cyber Essentials certification will need this in place
  • Easy win: MFA is relatively cheap and reduces breach risk dramatically

What to look for:

  • Support for multiple factors (authenticator apps, hardware keys, SMS as fallback only)
  • Self-service account recovery (users can regain access if they lose their MFA device)
  • Integration with your cloud and on-premises systems (Microsoft Entra ID, SSO, etc.)
  • Fallback options (for lost security keys, etc.)
  • User experience (shouldn't make access painfully slow)
  • Conditional access policies (MFA triggered only when high-risk, not every login)

Popular options for UK MSPs:

  • Microsoft Entra ID (Azure AD) with conditional access (free if clients are Microsoft 365 subscribers)
  • Okta (enterprise SSO and MFA; premium pricing)
  • Duo (Cisco's MFA; strong UX)
  • Authelia (open-source, self-hosted; budget option)
  • Ping Identity (enterprise SSO; premium)

Budget range: Often free (if using Microsoft Entra ID with existing subscriptions) to £2–5 per user per month for premium solutions

Real-world impact: MFA reduces account compromise risk by 99.9%. It's the single best investment an MSP can recommend to clients.


5. Email Security

What it is: Email security tools inspect, filter, and protect email at the gateway (before it reaches clients' mailboxes). They block phishing, malware, spam, and enforce authentication standards (SPF, DKIM, DMARC).

Why MSPs need it:

  • Email is the attack vector: 85% of breaches start with email (phishing, malware attachment, compromised account)
  • Client expectation: Clients expect spam and phishing blocked automatically
  • Compliance: Email audit trails and retention are regulatory requirements
  • User safety: Email security education tools (sandboxing, detonation) train users to avoid malicious emails

What to look for:

  • Real-time URL and attachment inspection (sandboxing)
  • Phishing detection (including advanced attacks, not just known phishing)
  • Impersonation protection (prevents fake-from attacks, lookalike domains)
  • User reporting tools (easy buttons to report phishing and suspicious emails)
  • DLP (Data Loss Prevention) (prevents sensitive data being emailed to external addresses)
  • Integration with your email platform (Microsoft 365, Google Workspace, etc.)
  • Post-breach email retrieval (delete phishing emails from all mailboxes at once)

Popular options for UK MSPs:

  • Microsoft Defender for Office 365 (integrated if clients use Microsoft 365; good value)
  • Proofpoint (industry standard; premium pricing; strong detection)
  • Mimecast (good for Microsoft environments; strong archival)
  • Sophos Email (cost-effective all-rounder)
  • Abnormal Security (AI-driven detection; premium)

Budget range: £1–10 per user per month depending on features

Real-world impact: Email security stops 99% of phishing and malware attachments before they reach users, dramatically reducing breach risk and support overhead.
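The "authentication standards (SPF, DKIM, DMARC)" mentioned above are worth seeing in action, because the point that matters for impersonation protection is alignment, not just a passing SPF or DKIM check. The following is an added example in Python, not the code of any product listed here. It takes the Authentication-Results header a gateway has already written plus the sender domain's DMARC record as a plain string (no DNS lookup; the records and headers are constructed), and returns the DMARC verdict and disposition. The organisational-domain check is a last-two-labels simplification, an assumption here; real implementations use the Public Suffix List. Note what DMARC does and does not catch: the spoofed case below (visible From claims example.com, mail actually sent from an unrelated domain) is rejected, but a genuine lookalike domain with its own valid SPF and DKIM would pass, which is why the checklist lists lookalike protection separately.

```python
"""DMARC evaluation of a received message's SPF/DKIM results.

Added example, not the code of any email security product. Inputs are constructed:
no DNS lookup is performed, the DMARC record is passed in as a string. The
organisational-domain logic is a last-two-labels simplification (assumption);
real implementations use the Public Suffix List.
"""
import re

# Matches e.g. "spf=pass ... smtp.mailfrom=bounce.example.com" or "dkim=pass header.d=example.com"
AUTH_RESULT_RE = re.compile(
    r"\b(spf|dkim)=(\w+)[^;]*?(?:smtp\.mailfrom|header\.d)=([\w.-]+)", re.IGNORECASE)


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into its tags, applying the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")    # policy: none | quarantine | reject
    tags.setdefault("adkim", "r")   # DKIM alignment: r(elaxed) | s(trict)
    tags.setdefault("aspf", "r")    # SPF alignment
    return tags


def parse_auth_results(header):
    """Extract (result, domain) for spf and dkim from an Authentication-Results header."""
    return {mech.lower(): (result.lower(), domain.lower())
            for mech, result, domain in AUTH_RESULT_RE.findall(header)}


def org_domain(domain):
    # Simplification (assumption): organisational domain = last two labels.
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_message(from_domain, auth_results_header, dmarc_txt):
    """Return the DMARC verdict and the disposition the receiving gateway should apply."""
    policy = parse_dmarc_record(dmarc_txt)
    results = parse_auth_results(auth_results_header)
    spf_result, spf_domain = results.get("spf", ("none", ""))
    dkim_result, dkim_domain = results.get("dkim", ("none", ""))
    # DMARC passes only if an authenticated identifier also ALIGNS with the visible From domain.
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    disposition = "deliver" if passed else {"quarantine": "quarantine", "reject": "reject"}.get(policy["p"], "deliver")
    return {"dmarc": "pass" if passed else "fail", "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "disposition": disposition}


# Constructed sample inputs (not real records or headers).
DMARC_EXAMPLE_COM = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
LEGIT_HEADER = ("mx.example.net; spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce.example.com; "
                "dkim=pass header.d=example.com header.s=sel1")
# Fake-From: visible From says example.com, but SPF only passes for an unrelated sending domain.
SPOOFED_HEADER = "mx.example.net; spf=pass smtp.mailfrom=bulk-mailer.example; dkim=none"

if __name__ == "__main__":
    print(evaluate_message("example.com", LEGIT_HEADER, DMARC_EXAMPLE_COM))
    print(evaluate_message("example.com", SPOOFED_HEADER, DMARC_EXAMPLE_COM))
```

The legitimate message passes on both identifiers (SPF relaxed-aligned via the bounce subdomain, DKIM strictly aligned). The spoofed message has a passing SPF result, which is what a signature-only check would see, yet fails DMARC because nothing aligns with the From domain, and the `p=reject` policy turns that into a reject. When a client's record says `p=none`, the same failure is still delivered, which is the reason gateways and MSPs push clients to move to quarantine or reject once their legitimate sending sources are all signing.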


6. DNS Filtering

What it is: DNS filtering intercepts domain name lookups and blocks requests to known malicious, adult, or unwanted sites. It's a first-line defence against malware, ransomware, phishing, and inappropriate content.

Why MSPs need it:

  • Blocks malware at the source: Malware communicates with command-and-control (C2) servers; DNS filtering stops these connections
  • Blocks ransomware families: Known ransomware domains are blocked before encryption begins
  • Cost-effective: DNS filtering is cheaper than EDR or backup, but catches many attacks early
  • Compliance: Some regulations require content filtering and malware prevention
  • Invisible to users: DNS filtering works silently (users don't notice it, unlike web proxies)

What to look for:

  • Cloud-hosted DNS service (no on-premises infrastructure needed)
  • Real-time threat intelligence (new malware and phishing sites blocked rapidly)
  • Phishing detection (not just known malware)
  • Ransomware family detection (blocks C2 communication)
  • Category-based filtering (blocks adult, gambling, etc. without blocking legitimate sites)
  • Logging (shows what sites were blocked, useful for incident response)
  • Low false positive rate (shouldn't block legitimate sites)
  • Easy deployment (DHCP, GPO, or agent-based)

Popular options for UK MSPs:

  • Cloudflare (excellent, fast, cost-effective)
  • Quad9 (non-profit, excellent, free or low-cost)
  • Cisco Umbrella (integration with Cisco tools; premium)
  • OpenDNS (Cisco acquisition; good feature set)
  • NextDNS (privacy-focused; cost-effective)

Budget range: £0 (Quad9 is free) to £3–5 per user per month for premium solutions

Real-world impact: DNS filtering is the first step in a layered security strategy. It catches malware and ransomware C2 connections before they get far, often at the cost of a single licensing line per client.
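To make the "what to look for" list above concrete, here is the decision logic of a DNS filter in Python: an added example, not the code of any of the services listed. It assumes a constructed threat-intelligence feed of domain-to-category entries and per-client policies, and it shows the three behaviours the checklist asks for: category-based blocking per client, a parent-domain match so subdomains of a listed name are caught, an allowlist for handling false positives, and a structured log line per query that incident response can summarise afterwards.

```python
"""Minimal DNS filter decision logic with per-client policy and IR-friendly logging.

Added example, not the code of any DNS filtering product. The blocklist and the
client policies are constructed sample data; a real service pulls a continuously
updated threat-intelligence feed and answers the actual DNS query.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed threat-intel feed: domain -> category. Not real indicators.
BLOCKLIST = {
    "c2-beacon.example": "malware",
    "login-m1crosoft-support.example": "phishing",
    "lucky-bets.example": "gambling",
}


@dataclass
class ClientPolicy:
    name: str
    blocked_categories: set
    allowlist: set = field(default_factory=set)  # names exempted to handle false positives


def match_blocklist(qname, blocklist=BLOCKLIST):
    """Return (matched_domain, category) for the name or any parent domain, else (None, None).

    Checking parents means 'cdn.c2-beacon.example' is caught by the 'c2-beacon.example' entry.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate, blocklist[candidate]
    return None, None


class DnsFilter:
    def __init__(self, policy, blocklist=BLOCKLIST):
        self.policy = policy
        self.blocklist = blocklist
        self.log = []  # one structured line per query; blocked lines are what IR reads first

    def decide(self, client_ip, qname, ts=None):
        """Return 'block' or 'allow' for one query and record the decision."""
        ts = ts or datetime.now(timezone.utc)
        name = qname.lower().rstrip(".")
        matched, category = match_blocklist(name, self.blocklist)
        if name in self.policy.allowlist or matched in self.policy.allowlist:
            action, reason = "allow", "allowlist"
        elif category in self.policy.blocked_categories:
            action, reason = "block", category
        elif category:
            action, reason = "allow", "category-permitted"
        else:
            action, reason = "allow", "no-match"
        self.log.append(
            f"{ts.isoformat()} client={self.policy.name} src={client_ip} qname={name} "
            f"action={action} reason={reason} match={matched or '-'}"
        )
        return action

    def blocked_by_source(self):
        """IR summary: which internal IPs hit blocked names, and how many times."""
        counts = {}
        for line in self.log:
            fields = dict(kv.split("=", 1) for kv in line.split()[1:])
            if fields["action"] == "block":
                counts[fields["src"]] = counts.get(fields["src"], 0) + 1
        return counts


if __name__ == "__main__":
    law_firm = DnsFilter(ClientPolicy("acme-law", {"malware", "phishing", "gambling"},
                                      allowlist={"lucky-bets.example"}))
    for query in ("c2-beacon.example", "cdn.c2-beacon.example", "www.lucky-bets.example"):
        print(query, "->", law_firm.decide("10.1.2.3", query))
    print(*law_firm.log, sep="\n")
    print(law_firm.blocked_by_source())
```

Two policies with the same feed give different answers for the same name: a client that blocks the gambling category still resolves `lucky-bets.example` if it has been allowlisted after a false-positive report, while a client that never blocked that category resolves it with reason `category-permitted`. The log line carries the source IP, which is the field that lets you go from "something on this client's network tried to reach a C2 domain" to the specific device that needs the EDR investigation.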


Cyber Essentials: Your Baseline Foundation

Before building the full security stack, UK MSPs should understand Cyber Essentials — the UK government's baseline cybersecurity certification scheme run by the NCSC.

Cyber Essentials covers five technical controls:

  1. Firewalls — boundary firewalls and internet gateways
  2. Secure configuration — hardening devices and software
  3. User access control — limiting who can access what
  4. Malware protection — preventing malicious code from running
  5. Patch management — keeping software up to date

Why it matters for MSPs:

  • UK public sector contracts increasingly require Cyber Essentials Plus certification
  • Many enterprise clients mandate it for their supply chain
  • It maps directly to your stack: EDR covers malware protection, MFA supports access control, patch management is a core RMM function

Your MSP should hold Cyber Essentials Plus certification itself — and offer it as a managed service to clients. It's a natural upsell from your existing RMM and security stack.


How These Tools Fit Together

A modern MSP security stack isn't about buying six disconnected tools. It's about layered defence:

┌─────────────────────────────────────────────┐
│      Email Security (first touch)           │
│      Block phishing before mailbox          │
└────────────────┬────────────────────────────┘
                 ↓
┌─────────────────────────────────────────────┐
│      DNS Filtering (first line of defence)  │
│      Block malware C2 at the DNS level      │
└────────────────┬────────────────────────────┘
                 ↓
┌─────────────────────────────────────────────┐
│      EDR (endpoint protection)              │
│      Catch malware that got through         │
└────────────────┬────────────────────────────┘
                 ↓
┌─────────────────────────────────────────────┐
│      SIEM (threat detection)                │
│      Correlate events across systems        │
└────────────────┬────────────────────────────┘
                 ↓
┌─────────────────────────────────────────────┐
│      BDR (recovery capability)              │
│      Recover from ransomware, data loss     │
└────────────────┬────────────────────────────┘
                 ↓
┌─────────────────────────────────────────────┐
│      MFA (identity protection)              │
│      Prevent account compromise             │
└─────────────────────────────────────────────┘

Ideal deployment for a typical UK MSP:

  1. Email security (gateway-level)
  2. DNS filtering (network-level)
  3. MFA (identity-level; deploy first, cheapest impact)
  4. EDR (endpoint-level; most important post-compromise tool)
  5. BDR (data-level; mandatory for ransomware recovery)
  6. SIEM (correlation-level; last to deploy, most operational overhead)

Real-World Budget Examples

Example 1: Solo Tech or Small MSP (1–5 Clients, 10–20 Devices)

Goal: Offer basic security, cover insurance requirements

Tool             Approach                                              Cost/Month
Email Security   Microsoft Defender for Office 365 (if 365 clients)    £2–5 per user
DNS Filtering    Quad9 (free) or Cloudflare (£2/user)                  £0–20
MFA              Entra ID (free with 365)                              £0
EDR              Microsoft Defender for Endpoint                       £2–4 per device
BDR              Datto or Veeam (budget tier)                          £10–15 per device
SIEM             Skip for now (use Defender logs)                      £0
Total (10 devices)                                                     £200–250/month
Margin per client (assuming £300/month/client security)                £200–300/month

Recommendation for this tier:

  • Start with email + DNS + MFA (cheapest, highest impact)
  • Add EDR and BDR once you have 20+ devices under management
  • Skip SIEM until you have 50+ devices and dedicated security staff

Example 2: Growing MSP (10–20 Clients, 100+ Devices)

Goal: Offer comprehensive security, meet insurance and compliance requirements

Tool             Approach                                              Cost/Month
Email Security   Proofpoint or Sophos                                  £3–7 per user
DNS Filtering    Cloudflare or Cisco Umbrella                          £2–5 per user
MFA              Entra ID (free) + hardware keys                       £0–30
EDR              CrowdStrike or Sophos Intercept X                     £5–12 per device
BDR              Veeam or Datto                                        £10–20 per device
SIEM             Microsoft Sentinel (50 GB/day)                        £500–2,000
Total (100 devices, 300 users)                                         £2,500–4,000/month
Margin per client (assuming £500–800/month/client)                     £2,000–3,000/month

Recommendation for this tier:

  • Implement all six tools
  • Focus on integration (SIEM should correlate EDR, email, and DNS logs)
  • Build playbooks for common incidents (ransomware alert → isolate device, notify client)
  • Offer tiered security packages (baseline = EDR + BDR + MFA; premium = add SIEM)

Example 3: Established MSP (30+ Clients, 500+ Devices)

Goal: Offer advanced security services, incident response, threat hunting

Tool             Approach                                              Cost/Month
Email Security   Proofpoint + user training                            £5–10 per user
DNS Filtering    Cisco Umbrella + advanced analytics                   £3–8 per user
MFA              Entra ID + Okta (multi-cloud)                         £50–100
EDR              CrowdStrike or Palo Alto Cortex                       £8–15 per device
BDR              Veeam Enterprise or Datto enterprise                  £15–30 per device
SIEM             Splunk or Elastic (1 TB/day)                          £5,000–15,000
Total (500 devices, 1,500 users)                                       £15,000–25,000/month
Margin per client (assuming £1,500–2,500/month/client)                 £10,000–15,000/month

Recommendation for this tier:

  • Offer managed security services (MSS) as premium service tier
  • Hire or partner with security operations centre (SOC) for SIEM monitoring
  • Offer threat hunting and incident response services
  • Use SIEM data to guide security recommendations (e.g., "your top 10 risks")

How Aerie Fits Into Your Security Stack

Aerie OS is not a security tool, but it orchestrates your security programme:

1. RMM as the Hub

Aerie's RMM agent collects security events (EDR alerts, patching status, MFA configuration) and routes them to your ticketing system automatically. Instead of monitoring six separate vendor dashboards, alerts appear in one place.

2. Security Workflows Automated

Example: "If EDR detects suspicious activity AND it's a VIP client, automatically:

  • Create urgent ticket
  • Notify security team via Slack
  • Isolate device (with user approval)
  • Notify client of incident
  • Schedule callback within 30 minutes"

Aerie's ReactFlow automation handles this. Without it, you're manually clicking through six vendor portals.

3. Ticketing as the Audit Trail

All security incidents, detections, and responses are logged in Aerie's ticketing system. This creates a complete audit trail for compliance (GDPR, ISO 27001, Cyber Essentials) without requiring additional SIEM infrastructure.

4. Client Visibility

Aerie's client portal lets clients see their security posture: EDR detection count, patch compliance, MFA status. This transparency improves client satisfaction and drives upselling.

5. Revenue Integration

Aerie's CRM lets you tie security services to client contracts and revenue. You can see:

  • Which clients have EDR active (expansion opportunity)
  • Which are at risk due to missing MFA (at-risk client)
  • Revenue generated per security service

The Starting Point: Phased Implementation

Month 1–2: Foundation

  • Email security (critical)
  • DNS filtering (quick win)
  • MFA (high impact, low cost)

Month 3–4: Detection

  • EDR (essential post-compromise)

Month 5–6: Recovery

  • BDR (mandatory for ransomware)

Month 7–12: Visibility

  • SIEM (if you have 50+ devices and dedicated security resource)

Cost to start: £200–500/month for a small MSP
Time to first security breach prevention: Weeks (email + DNS catches most attacks)
ROI: First breach prevented pays for the security stack 10x over


FAQ: Building Your Security Stack

Q: Which tool should we start with?

A: Email security first. 85% of breaches start with email. Email security is cheap (£2–5 per user), easy to deploy, and has immediate impact.

Order: Email > MFA > DNS > EDR > BDR > SIEM


Q: Should we pursue Cyber Essentials certification?

A: Yes — for your MSP itself, and as a managed service for clients.

Cyber Essentials Plus is the benchmark for UK public sector procurement. Many enterprise clients now mandate it for their supply chain. Your security stack already delivers most of what Cyber Essentials requires — certification turns that into a marketable credential.

See our Cyber Essentials guide for the full certification process.


Q: Can we use free tools to reduce cost?

A: Yes, with caveats.

Good free options:

  • Quad9 (DNS filtering; excellent)
  • Entra ID MFA (if clients use Microsoft 365)
  • Wazuh (SIEM; requires infrastructure management)

Not recommended as free:

  • EDR (paid tools are significantly better)
  • BDR (backups are too critical for budget options)
  • Email security (too many evasion techniques)

Recommendation: Use free tools for network and identity layers (DNS, MFA), invest in EDR and BDR.


Q: How do we sell security to cost-conscious clients?

A: Frame it as insurance, not expense.

Talking points:

  • "A ransomware incident costs £20,000–£100,000 to recover from. Our security stack costs £200–500/month. That's insurance."
  • "Your cyber insurance likely requires EDR and MFA. We can cover this for £X/month."
  • "Your competitors probably have security; your clients expect it."
  • "Security is table stakes now, like backup and antivirus."

Packaging: Offer tiered packages:

  • Basic security: Email + DNS + MFA (£200–300/month)
  • Advanced security: Basic + EDR + BDR (£500–700/month)
  • Premium security: Advanced + SIEM + threat hunting (£1,500–2,500/month)

Most clients pick Advanced; it's the best value.


Q: How do we monitor and manage all these tools?

A: That's where a unified RMM platform like Aerie becomes essential.

Instead of:

  • Logging into EDR vendor dashboard for alerts
  • Checking email security logs
  • Reviewing SIEM correlations
  • Tracking backup completion

You have one ticketing system where all security events appear, all automated workflows run, and all audit trails live.


Conclusion

A modern UK MSP security stack isn't optional anymore—it's essential. Your insurance, your clients, and the regulators all expect it.

Starting is simple:

  1. Email security (this month)
  2. MFA (this month)
  3. DNS filtering (this month)
  4. EDR (next month)
  5. BDR (following month)

Total cost to start: £200–500/month. Total revenue potential: £1,500–5,000+/month.

The only bad decision is not starting. Cyber threats are accelerating. Every month you delay is a month your clients are exposed.


Next Steps

  1. Audit your current security posture – What do you have? What are you missing?
  2. Evaluate email security options – Start here (highest impact, lowest cost)
  3. Plan your 6-month rollout – What tools in what order?
  4. Calculate ROI – How much will security services add to your MRR?
  5. Train your team – Make sure technicians understand why each tool matters

Ready to build a comprehensive security programme? We can help with planning, implementation, and ongoing management. Talk to our team.
