Magic Quadrant for Managed Security Services, Worldwide

Magic Quadrant for Managed Security Services, Worldwide


Published: 27 February 2018 ID: G00325535




Security and risk management leaders interested in managed security services for threat detection, security technology management and compliance concerns should use this Magic Quadrant to help identify and evaluate providers with the ability to deliver services globally.

Market Definition/Description

Gartner defines managed security services (MSSs) as “the remote monitoring of security events and security-related data sources, or the management of IT security technology along with security event monitoring, delivered via shared services from remote security operations centers (SOCs), not through personnel on-site nor remote services delivered on a one-one basis to a single customer.”

Managed security service providers’ (MSSPs’) portfolios typically include the following services:

  • Security event monitoring only, or security event monitoring along with device/agent monitoring and management, primarily in the following categories:
    • Firewalls
    • Network-based threat detection technologies, such as network intrusion detection/prevention systems (IDPS)
    • Multifunction firewalls, or unified threat management (UTM) technology
    • Security gateways for messaging or web traffic
    • Web application firewalls
    • Endpoint protection platforms (EPPs), host intrusion detection/prevention systems (HIDS/HIPS) and endpoint detection and response (EDR)
  • Security analysis and reporting of events collected from IT infrastructure and application logs
  • Reporting for service management, regulatory compliance requirements and threat detection purposes
  • Management and monitoring, or monitoring only of advanced threat defense technologies, or the provision of those capabilities as a service
  • Vulnerability scanning delivered as a service
  • Management and monitoring of customer-deployed security information and event management (SIEM) technologies
  • Incident response services (both remote and on-site)

Services, such as the ones listed below, may also be part of MSS offerings, but are not common across all providers:

  • Distributed denial of service (DDoS) protection
  • Advanced threat intelligence services (e.g., dark web monitoring)
  • Secure messaging gateways, secure web gateways and web application firewalls delivered “as a service”
  • Managed vulnerability management (e.g., end-to-end management that includes scanning, prioritization and patching on behalf of the customer)
  • Identity and access management

This Magic Quadrant evaluation primarily focuses on the services for monitored, and managed and monitored, network security devices, host-based agents, and log event analysis and reporting services for other sources required by the buyer. These functions make up the core of MSS procurements.

There are no vendors appearing in the Visionaries quadrant of this Magic Quadrant. MSS is a mature market with a core set of services that appear in most MSS engagements.

Magic Quadrant

Figure 1. Magic Quadrant for Managed Security Services, Worldwide

Research image courtesy of Gartner, Inc.

Source: Gartner (February 2018)

Vendor Strengths and Cautions


AT&T is a global telecommunications and IT services provider that offers a range of security device management and monitoring services for large enterprises, midsize businesses and governments. Headquartered in the U.S. (Dallas), and with regional offices in the U.K. (London) and Hong Kong, AT&T delivers services from five 24/7 SOCs (one Europe-based, one Asia/Pacific-based and three U.S.-based) and three SOCs operating local business hours (one in the Asia/Pacific region, one in Brazil and another in Europe). Customers served by an SOC operating local business hours and seeking after-hours support are routed to a 24/7 location with local language support. AT&T Threat Manager is its security event monitoring and management service, which is priced by events per day (EPD). Threat correlation and analysis is performed via the AT&T Threat Intellect platform, which leverages both commercial SIEM technologies and big data technologies and analytics, and is delivered to customers as part of AT&T’s Threat Management and Intelligence solutions. Device management is available through discrete managed security offerings for network security, data and application security, and mobile and endpoint security. Device management and workflow is handled through the AT&T Business Center portal, which also provides access to the Threat Manager view. The vendor offers threat intelligence via the AT&T Internet Protect service. AT&T supports in-country/customer premises data management in all regions, and can use local partners for device management to meet data residency requirements.

AT&T should be considered by organizations with a preference for services to be sourced from a single supplier, particularly managed network services and IT infrastructure security controls that need to be deployed, managed and monitored across the customer’s environment (both on-premises and cloud services) and the provider’s environment.

  • AT&T provides a wide scope of security-focused managed and monitoring services, with a strength in network-based security solutions. The security portfolio complements its managed network infrastructure and service offerings.
  • AT&T provides an integrated business portal where customers can access a variety of services, including accessing the Threat Manager portal along with portals for device management and vulnerability management services. The Threat Manager portal provides a strong user experience for both analysts and management personas, including customized dashboards, a risk trend feature and case management.
  • AT&T has moderate visibility with Gartner clients considering discrete MSSs.
  • AT&T provides support for Amazon Web Services (AWS) environment monitoring, but lacks support for Microsoft Azure and a limited set of SaaS providers (e.g., Office 365, Box and Salesforce are supported). Cloud access security broker (CASB) support is limited to SkyHigh Networks. Buyers should confirm support for their preferred SaaS vendors and other CASB vendors.
  • Customers wanting to leverage advanced threat detection technologies should confirm AT&T’s ability to monitor, and manage, preferred solutions as required, through either standard or custom delivery. AT&T has introduced a network-based forensic service that is only available to U.S. customers at this time due to data privacy restrictions. Customers outside the U.S. that are interested in this service should confirm future availability.
  • AT&T’s MSS business is most visible in the North American market, with lower visibility in Europe and little in the Asia/Pacific market. Buyers requiring a strong presence in the Asia/Pacific region should closely evaluate AT&T’s coverage there.


Atos is a global IT, digital service and software company with headquarters near Paris and regional offices in the U.S. (Purchase, New York) and Singapore. In addition to the vendor’s MSSs under the Cyber Security Services business, Atos provides a wide range of consulting, system integration, managed IT services and other offerings. Atos’ MSSs are delivered through a network of 14 24/7 SOCs (three in the U.K., six in continental Europe, two in the U.S., two in India and one in Malaysia). Atos recently acquired Anthelio Healthcare Solutions, providing capabilities in the Internet of Things (IoT)/OT space for managing privacy and compliance risks in the North American market. Atos provides threat intelligence and vulnerability notifications to customers using tools and services from partners like McAfee and Tripwire. Atos offers incident response and remediation activities as part of its core services in the form of forensic analysis and custom malware analysis, as well as offering optional threat hunting services and EDR leveraging CrowdStrike, for example. Advanced threat detection and monitoring services are available as part of Atos’ Prescriptive Security SOC offering, which leverages Atos’ proprietary big data analytics solution (Atos Codex) as well as technologies like user and entity behavior analytics (UEBA). In addition, IT/OT/IoT SOC services are developed and delivered together with Siemens.

Atos’ existing IT services customers and European-headquartered organizations with global coverage requirements that want a provider that can deliver end-to-end security management and monitoring services should consider the vendor for MSSs.

  • Customers requiring advanced analytics capabilities can opt for Atos’ flexible options leveraging Atos Codex, leading UEBA technologies or both.
  • Atos has a range of experience in securing transformational digital business projects within large enterprises, driven by its wider range of IT services engagements.
  • Atos supports customers that require end-to-end security management, monitoring and response, and offers standardized and customized solutions.
  • Atos partners with leading security technology vendors in areas such as network traffic analytics, endpoint protection, EDR, DDoS mitigation and encryption.
  • Atos Codex is currently only available to customers that opt for a dedicated McAfee SIEM platform. Atos indicates that adding Codex to the shared platform is on its roadmap. Customers that plan to leverage their shared SIEM platform and want advanced analytics capabilities should confirm availability.
  • Atos’ MSS portal is oriented toward reporting and dashboards to communicate information to customers, and provides limited support for bidirectional customer interaction.
  • Atos can monitor SaaS vendors supported within the McAfee Enterprise Security Manager (ESM) solution. Buyers should confirm support for monitoring of their preferred SaaS vendors and CASB solutions.
  • Atos is rarely mentioned by Gartner clients interested in stand-alone MSS engagements.

BAE Systems

BAE Systems, headquartered in Farnborough, U.K., offers a range of products and services in areas such as national defense, financial services and cybersecurity to industry and governments. The MSS group is headquartered in Guildford, U.K., with key offices in New York City, Dubai, Singapore and Sydney. Its offerings include Security Event Monitoring (SEM), Complete Security Monitoring (CSM), Managed Detection and Response (MDR), and Security Device Management (SDM). Services are delivered using five 24/7 SOCs — one in the U.K., three in the U.S. and one in the Philippines. Data residency requirements are typically met by retaining data locally and in geospecific cloud infrastructure. In the Asia/Pacific region, a local partner delivers services and cloud storage is not yet available. The BAE analytics platform uses a combination of commercial SIEM technologies and a big data and analytics, Hadoop-based platform. BAE supports common IaaS and security-as-a-service vendors such as Amazon CloudFront, AWS CloudTrail,, Cisco ScanSafe and Proofpoint. On-site and remote incident and breach response services are available via retainer.

BAE Systems has a customer base in EMEA of large enterprise businesses, primarily leveraging its CSM and MDR services, and a large small or midsize business (SMB) customer base in North America, primarily leveraging its NSM and SDM services. The vendor delivers its MSS offering using a combination of proprietary and commercial solutions, depending on the customer’s region and based on data privacy or residency requirements.

Companies in the financial services, legal, healthcare, media, critical infrastructure and defense markets that need a range of security monitoring, device management and advanced threat defense solutions should consider BAE Systems.

  • Advanced detection capabilities are supported by proprietary BAE Systems technology with its passive Network Probe Sensor and EDR agent. Customers that have not deployed commercial technologies for these functions can have these capabilities provided as a service.
  • BAE Systems’ MSS is augmented by a range of incident response services, including response and threat containment capabilities that are built into the MSS relationship, retainer-based response contracts, and incident response program development services.
  • Customer marks on BAE Systems’ threat detection capabilities are above average.
  • Most BAE Systems customers are in North America, with a small number in the Europe and Asia/Pacific regions. In the Asia/Pacific region, a partner delivers services for customers that require local data storage. Prospective customers with data residence or service delivery requirements specific to the Asia/Pacific region should validate the availability of services from BAE Systems.
  • The MSS portal offers limited reporting capabilities and management of vulnerability scans comparted to those of leading competitors. Threat intelligence is provided through a separate portal.
  • SaaS monitoring is limited to Office 365. There are no MSS integrations with CASB solutions. BAE Systems indicates that support for CASB vendors is on its roadmap.


BT is headquartered in London with key offices globally, including London, Hong Kong and Dallas. BT has six European SOCs and four Asia/Pacific region SOCs providing 24/7 service, with an additional four non-24/7 SOCs worldwide. BT provides a range of telecommunications, cloud-enabled hosting, cloud brokering and integration, and collaboration services, in addition to managed security services. BT’s MSS offerings have been under the BT Security brand name since 1Q17. BT Security’s MSS portfolio includes a range of offerings primarily within the Managed Security Services and Security Intelligence portfolios. Security Intelligence includes services such as Security Log Management (SLM), Security Threat Monitoring (STM), Cyber Security and Security Threat Intelligence. Technology management is under Managed Security Services and includes managed firewalls, DDoS, web, email, PKI and cloud security. Additional offerings include Security Vulnerability Scanning (SVS) for managed vulnerability scanning and Managed SIEM for McAfee ESM, LogRhythm and IBM QRadar customers. BT’s strategy for managed security services is evolving to emphasize its Managed SIEM and Cyber Security Platform offerings for existing BT customers and global enterprise buyers that require more one-to-one-oriented services, as opposed to delivery using a shared analytics platform that this research primarily assesses. BT has two separate portals for security technology management (Security Hub) and monitoring services (Security Threat Monitoring), which BT has been revamping over the last 12 months. Consulting services are available to meet a variety of customer demands. Incident response support, available as a retainer, is delivered in partnership with FireEye-Mandiant and other firms. BT can meet requirements for data residency with in-region/in-country service provision and citizenship requirements for SOC staff.

Global enterprises seeking global MSS capabilities to satisfy complex security requirements should consider BT.

  • BT can support customers that require integrated cloud services (hosting and/or brokering) and MSSs, especially security threat monitoring.
  • BT has many partnerships with security technology and service vendors that are leveraged to provide broad support for device management, as well as threat monitoring services. Customers requiring custom solutions will also benefit from these partnerships.
  • Customers give BT above-average marks for overall service satisfaction.
  • BT’s efforts to upgrade its portal have resulted in incremental improvements, with further enhancements planned. Customer self-service options in these portals for basic functions, like account management, ticket ownership and management, and interacting with SOC staff, are very limited compared to competitors.
  • BT’s own big data technology and advanced analytics capabilities are currently limited to buyers purchasing its Cyber Security Platform (CSP), which can be delivered as a stand-alone on-premises or hosted solution. BT indicates elements of CSP are on the roadmap to be extended to other BT Security services, such as STM.
  • BT has low visibility with Gartner clients for stand-alone MSS deals. MSSs are commonly bundled with larger networking, cloud services and cybersecurity (e.g., on-premises SOC build-outs) initiatives with BT.


Capgemini, with headquarters in Paris and regional offices located in North America, Europe and the Asia/Pacific region, provides MSS as part of its Cybersecurity Services business. Capgemini delivers services from seven 24/7 SOCs located in India (Mumbai and Bangalore), and regional SOCs in Luxembourg; Toulouse, France; Madrid; and Inverness, Scotland, for customers with data residency and sovereignty requirements. There is one non-24/7 SOC in India. Capgemini provides a variety of MSSs. Log management and security event monitoring are supported via its shared QRadar SIEM solution, with flexible options for dedicated QRadar instances. Support for five SIEM solutions (Huntsman Enterprise SIEM, Micro Focus ArcSight, McAfee ESM, RSA NetWitness and Splunk) based on customer preference or for customers wanting management of their existing SIEM tool. Customer access to services is via the MSS Portal, which provides a basic dashboard, case management and reporting-oriented interface to the services provided to customers. Capgemini provides a tiered service approach (Bronze, Silver and Gold) to MSS buyers based on level of services and support required. Additional services include management and monitoring for vulnerability scanners, firewalls, endpoint protection, NIDS/NIPS, web application firewalls (WAFs), CASB, and data loss prevention. Additional services are available that cover consulting and advisory, identity and access management, and DDoS, among others.

MSS buyers looking for flexible options for SIEM tools and a wide portfolio of device management and security monitoring services, as well as existing Capgemini customers, should consider Capgemini for MSS.

  • Capgemini offers support for a wide variety of SIEM solutions, as well as other security technologies.
  • Capgemini leverages its own threat intelligence network for gathering intelligence to complement third-party commercial sources, which is utilized by its SOC and visible to customers.
  • There is local and regional data residency and sovereignty support for European customers via dedicated local SOCs and data centers.
  • Capgemini offers specific consulting and security monitoring services tailored to customers with ICS/SCADA and IoT environments.
  • Capgemini’s portal lags competitors as its focus is on service visibility, management and reporting. Features like log searching and compliance reporting are not yet supported. Capgemini is actively adding enhancements to the portal, and has recently introduced support for multifactor authentication, a chat function with SOC staff and the ability to import vulnerability scanner data.
  • North American and Australian customers requiring that services be delivered domestically should confirm plans for future expansion of SOCs in those regions.
  • Capgemini has limited visibility with Gartner clients for MSS-specific deals. Capgemini’s MSS deals are often included as part of end-to-end cybersecurity outsourcing or digital transformation initiatives.


CenturyLink is based in Monroe, Louisiana, and has regional offices in Singapore and London. On 1 November 2017, CenturyLink completed the acquisition of Level 3 Communications, expanding its global presence and security service portfolio. CenturyLink provides telecommunications and public and private cloud services, in addition to MSSs. MSS can be acquired as a stand-alone service or as an add-on to other CenturyLink services. With the acquisition of Level 3, CenturyLink now has more than five 24/7 SOCs operating on four continents, including North America, Europe (London), Asia/Pacific (Singapore) and Latin America (Buenos Aires, Argentina, and Sao Paulo, Brazil). There are dedicated North American and U.K. SOCs to support national government contracts. CenturyLink provides a full scope of monitoring and management activities across a broad spectrum of security platforms, including next-gen firewalls, UTM systems, network and host IPS, WAF, VPN, EPP, email and web security, vulnerability scanning, threat intelligence services (from both legacy CenturyLink and Level 3), and advanced threat-oriented capabilities (e.g., network customer traffic analyzed against threat intelligence and advanced analytics for behavioral anomalies). CenturyLink uses a combination of proprietary implementations of big data platforms and other tools (such as from its previous acquisition of Cognilytics) and commercial products to collect, store and analyze customer log data and manage workflow. There are several service tiers available, from basic endpoint security management to advanced threat-oriented capabilities. Incident response, including on-site breach response services, is available with a retainer fee. Some data residency and staff citizenship requirements can be met with in-region SOCs and data storage. The pricing model for MSS depends on the services taken and includes set monthly recurring or usage-based fees; for example, threat monitoring is based on GB-per-day data.

Existing network services, infrastructure as a service (IaaS) and cloud service customers, as well as organizations with global service requirements, should consider CenturyLink for MSSs.

  • The MSS portal, which continues to see ongoing enhancements, provides fine-grained role mapping and access for users, and provides easy-to-use report creation and customization features.
  • CenturyLink offers several options for storing customer log data ranging from customer premises to regional CenturyLink data centers to commercial or CenturyLink cloud infrastructure.
  • CenturyLink’s expansion of its global SOC presence, which also increased with the acquisition of Level 3, now offers customers a local presence in four continents.
  • Customers give CenturyLink good marks for the ability to detect threats, and would generally recommend the service to other buyers.
  • All managed services are available across the globe, except for services leveraging EDR and endpoint forensic tools, which may be limited to specific tools depending on the customer’s geography. Advanced threat detection and forensics capability based on packet capture and analysis is not yet available, but is planned for 2018. Organizations seeking support for these tools, particularly use of EDR tools outside of the U.S., should validate timing and support availability with CenturyLink.
  • CenturyLink has made enhancements to its portal over the last 12 months, but the portal still has limited features for capturing and using assets and their business value, and does not currently support integrations to enable managing vulnerability scans or viewing scan results.
  • CenturyLink has low visibility with Gartner clients for stand-alone MSS deals. CenturyLink’s current focus is selling MSSs to existing enterprise customers, although it does sell discrete MSSs to non-CenturyLink customers.

DXC Technology

DXC Technology, a newly formed entity as the result of the merger of CSC and Hewlett Packard Enterprise’s (HPE’s) Enterprise Services business, is headquartered in Tysons, Virginia. The merger formally concluded in March 2017. The vendor has 16 SOCs across the Americas, EMEA and the Asia/Pacific region. DXC offers a range of security implementation and consulting services other than MSSs for enterprise and government customers. In addition to security monitoring and device management, DXC does offer additional standard managed services like managed SIEM, managed EDR, vulnerability assessment and DDoS protection, among others. The vendor differs from many other MSSPs in that it offers a range of managed services around identity and access management, such as Identity Management as a Service and Privileged Account Management. As an MSS provider, DXC is currently in a state of consolidation and change, in terms of both the technology platforms used for MSS delivery and new services that the provider is planning to introduce.

Customers requiring globally delivered MSS, especially those looking for a partner that also offers additional IT and security services, should consider DXC for MSSs.

  • DXC has a large revenue and incumbent base of security service customers, and has the ability to support large enterprise engagements across geographies.
  • DXC has a large partner network for security technologies and a strong portfolio of supported technologies, in addition to an extensive set of security-related service offerings.
  • DXC can support customers with hybrid cloud environments that require security monitoring and management services.
  • Postmerger of HPE’s Enterprise Services business and CSC, DXC still continues to support two separate portals for its MSS customers. Several key portal elements are in a basic stage or still in the process of being introduced to the customer portals (asset management, multilanguage support, reporting, etc.). A focus on log storage and search capabilities using big data technologies is currently being deployed globally.
  • Due to the merger, DXC has 16 SOCs across the world today, with a stated intention to consolidate the number of SOCs with the same local areas. Customers and prospects should carefully investigate the impact of this planned consolidation on the delivery of their service.
  • DXC, particularly as a new brand, rarely shows up on Gartner client shortlists for pure-play MSS deals.


Fujitsu is headquartered in Tokyo, with key offices in London; Munich; Lisbon; Richardson, Texas; and Sunnyvale, California. Fujitsu has a large operational presence in Europe and Japan, with 24/7 SOCs in Japan (nine total), Australia, Singapore, India, Germany, the U.K., Finland and the U.S. Fujitsu’s security portal is primarily based on its underlying delivery platform based on LogRhythm’s SIEM solution. Fujitsu has an in-house Cyber Threat Intelligence (CTI) capability, which leverages a range of commercial and open-source feeds and partnerships with third parties, that underpins the threat analytics and detection capabilities within its MSSs. The CTI capability is also delivered as a stand-alone offering. Incident response support and consultancy is available as a retainer. Advanced threat detection capabilities for endpoint and networks, as well as sandboxing, leverage technology from partners such as FireEye, Check Point Software Technologies, McAfee, Symantec and others. Malware analysis is available on a range of commercial and open-source toolsets, and forensic analysis is delivered via Fujitsu consulting and partners as needed.

Buyers, including existing Fujitsu IT services customers, should consider Fujitsu for MSSs if they are looking for a provider that offers flexibility for service delivery, or if they already have IT services that can be easily integrated and would benefit from security enhancements.

  • Fujitsu provides managed services across a wide portfolio of technologies, including firewalls, UTM, endpoint protection and encryption, IDS/IPS, WAFs, VPN and remote access services, email security, data loss prevention, and identity and access management, in addition to its CTI, threat analytics and advanced threat detection offerings.
  • Fujitsu’s reach in the Asia/Pacific region and Europe is strong.
  • Fujitsu leverages leading SIEM technologies to deliver its security event monitoring and threat analytics and detection capabilities.
  • Fujitsu’s technology integrations, partnerships and service delivery methodology for MSS are less mature compared to competing vendors.
  • Fujitsu’s security portal is based purely on access to its LogRhythm platform. Service management functionality, including ticket management, customer communications and management dashboards, lags behind competitors.
  • Fujitsu has very low visibility with Gartner clients looking for discrete MSSs.

HCL Technologies

HCL Technologies is a global IT services provider that offers a range of IT and security services aimed at buyers, primarily through broad-scope IT outsourcing engagements. HCL is headquartered in Noida, India (with regional headquarters in London and Sunnyvale, California). MSS is a part of HCL’s Cybersecurity and GRC services provided via six 24/7 MSS SOCs worldwide (four in India, and one each in Europe and the U.S.). MSS is delivered using commercially available SIEM technologies (IBM QRadar, Micro Focus ArcSight, RSA NetWitness and Splunk), chosen in consultation with the customer. SIEM solutions are leveraged for log collection and management, and real-time security event monitoring and analysis. HCL also offers dedicated managed SIEM options. The vendor provides managed EDR, with multiple technology options available to customers, in addition to threat hunting services. SecIntAl is HCL’s branding for its big-data-based security analytics and threat intelligence capability that underpins the analytics for its threat monitoring services.

HCL’s portal provides a single dashboard-oriented interface across all supported SIEM tools, vulnerability management, endpoint management and CMDB services. Dedicated views in the portal support both analysts and leader personas. HCL supports a variety of third-party security technologies. In addition to firewalls, IDPSs and secure web gateways (SWGs), it also supports a variety of solutions like EDR, CASB, network traffic analysis (NTA) and vulnerability management. Related services, like incident and breach response, are provided by select partners.

Organizations engaged in IT outsourcing and technology transformation projects, buyers looking for providers to use their preferred SIEM tool and broad-based support for security technologies, and existing HCL Technologies customers should consider HCL for MSSs.

  • MSS customers can leverage HCL’s support for security technologies across a wide range of markets for product procurement, implementation and management. HCL’s MSS delivery approach is customizable to customers’ requirements and existing security technology solutions.
  • HCL offers a lot of flexibility for buyers with broad and complex security monitoring and management requirements across on-premises, SaaS, IaaS and PaaS environments.
  • Customers generally give HCL above-average marks across acquisition, implementation and overall services.
  • HCL Technologies’ portal is mainly focused only on service visibility through predefined dashboards and reports. Search functionality has been enhanced in the last 12 months, but is limited to 30 days of online data by default.
  • Customers looking for a turnkey security event monitoring service leveraging a shared delivery platform (e.g., no preference for an SIEM solution or bringing their own SIEM tool) should confirm with the vendor which SIEM solution will be used for the service and whether it meets buyers’ requirements and supports existing technologies (security and IT log event sources).
  • HCL Technologies is rarely mentioned in Gartner client inquiries for discrete MSSs as most HCL customers procure MSSs in conjunction with other outsourcing initiatives.


IBM is headquartered in Armonk, New York, with MSS offices in the U.S. (Atlanta and Cambridge, Massachusetts); London; Brussels; and Hortolandia, Brazil. IBM offers a broad range of MSSs, security consulting and incident response, either as stand-alone offerings or as part of larger IT services and outsourcing engagements. MSSs are delivered from five 24/7 SOCs, called X-Force Command Centers: one in the U.S.; one in San Jose, Costa Rica; one in Hortolandia, Brazil; one in Tokyo and one in Wroclaw, Poland. IBM has three additional non-24/7 SOCs in India, Belgium and the U.S. IBM uses its QRadar SIEM solution to deliver unified monitoring across MSS, regardless of the location of the QRadar platform — shared multitenant, on-premises or as a service. There are four MSS tiers available, ranging from basic endpoint security to highly customized services. IBM’s advanced analytics and targeted attack detection capabilities for the network and hosts include support for customer-deployed products, IBM products (e.g., QRadar modules) and strategic partner solutions (e.g., Carbon Black for IBM Security’s Managed Detection and Response service). Threat intelligence and incident response services, as well as security consulting services, are available. Support for data residency requirements is available through European Commission Model Clauses contract language, local data centers in the customer’s region supported by EU staff out of the Poland SOC, and use of on-premises QRadar SIEM or using SIEM as a service hosted within IBM Cloud within region.

Large enterprises with global service delivery requirements looking for flexible security event monitoring technology options, and those with strategic relationships with IBM, should consider IBM for MSSs.

  • IBM’s “QRadar Anywhere” approach provides flexible options for IBM QRadar SIEM customers that require managed SIEM options. Customers can migrate from the shared MSS platform to co-managed on-premises or QRadar on Cloud, or vice versa, as strategies evolve.
  • IBM MSS delivery is supported by a range of strong threat intelligence partners, including IBM’s X-Force Security Research, third-party commercial sources and data collected via the vendor’s in-house incident response services.
  • IBM has moderate visibility with Gartner clients considering MSSs. IBM’s visibility for co-managed SIEM opportunities, however, is growing in favor of discrete MSSs.
  • Customers report the IBM sales process is uneven in its ability to engage with them effectively, such as the lack of responses to RFPs. Customers also report mixed satisfaction with IBM’s delivery of MSS services. Marks are lower than competitors in areas like overall service capabilities and overall experience.
  • Buyers should carefully analyze the technology approach recommended to deliver MSSs (e.g., shared or dedicated QRadar, whether on-premises or hosted) to ensure that the approach is compatible with their IT environments, architectures and requirements.
  • IBM offers a managed EDR service that is used for real-time threat detection and threat hunting purposes, but it has little visibility with buyers.


NTT brings together the MSS-specific resources and delivery platforms of NTT Com Security, Solutionary, Dimension Data, NTT Communications, NTT DATA and technology from the NTT Innovation Institute. NTT Security has been established as the specialized security company of the NTT Group. NTT is headquartered in Tokyo, with regional headquarters for North America, Europe and the Asia/Pacific region. NTT offers a broad range of security professional services and integration and incident response services. NTT Security has 17 24/7 MSS SOCs globally: six in the Asia/Pacific region, five in Europe and six in North America. In 2017, NTT progressed toward integrating its three separate platforms used for delivering MSS. Its new operating model is similar in nature to a channel-based approach in that NTT Security doesn’t directly sell services, instead relying on its group companies, which have varying levels of coverage and support in the different geographies. NTT is actively migrating North American and Japan customers to its new Global Managed Security Services Platform (GMSSP), while EMEA and remaining Asia/Pacific region customers continue to use the existing WideAngle and ArcSight ESM-based platforms. NTT Security MSSs are sold via the NTT Group companies of Dimension Data, NTT Communications and NTT DATA.

Customers of NTT operating companies, and enterprises seeking a large global provider, should consider NTT for MSSs.

  • NTT can bundle MSS with a wide range of security service offerings and delivery options, including broader telecommunications and IT infrastructure service offerings.
  • NTT has the ability to serve a wide range of industries/verticals across geographies due to the NTT Group companies’ global presence.
  • The new NTT Security portal (GMSSP) has a good range of roles available, with some customization and self-service capabilities available to customers. Integrations with NTT Group companies and customers to the GMSSP are supported via a RESTful API.
  • NTT has moderate visibility with Gartner clients looking for discrete MSSs.
  • NTT Security has moved its security sales team to the NTT Group companies while the delivery of the service happens through NTT Security, which is a separate group. This may create misalignment between the sales/marketing and product management/engineering functions, and may create confusion for customers that wish to purchase MSS from NTT Security.
  • Many of NTT’s EMEA and Asia/Pacific region customers are still on their older portals and delivery platforms. MSS customers should get clarity from their NTT Group company provider regarding plans to migrate to the new portal without affecting service continuity and while maintaining service features.
  • While there is a managed EDR offering with Carbon Black, FireEye and CounterTack, NTT is behind some of its competitors in introducing advanced threat-detection-oriented services relative to threat hunting and network monitoring.

Orange Business Services

Orange Business Services (Orange), headquartered in Paris and with regional offices in a wide variety of locations across the Asia/Pacific region, North America and Europe, offers a broad range of telecommunications and cloud-based IT infrastructure services, security consulting services, and MSSs. Orange’s MSSs are delivered using commercial and proprietary technologies for log management, event correlation and advanced threat detection, as well as some wider integrations with open-source big data technologies. Security Event Intelligence is the service offering for 24/7 threat detection and response. Threat intelligence is centered around malicious IP/URL/domain names curated by Orange collected from a large number of public and private feeds and sources, discoveries made on the Orange Internet backbone, and intelligence from Orange’s in-house CERT team. Services are delivered from seven SOCs (three located in Europe, one in India, one in Malaysia, and one each in Mauritius and Egypt). All SOCs are 24/7 except for the European and Malaysia SOCs, which use a “follow the sun” model. Data residency requirements are addressed on a case-by-case basis, with a majority of non-European clients being serviced from the India and Egypt SOCs.

Orange’s network and infrastructure service customers and multinational organizations, especially those with a European and Asia/Pacific business focus, seeking network-security-focused MSSs should consider Orange Business Services.

  • Orange is experienced in integrating and operating global networking and IT services with MSS.
  • Security device management services are a strong focus for the vendor.
  • Orange has a good understanding of regulatory frameworks around data privacy and residency, and caters to many different standards, especially in the European region, with a focus on France.
  • Orange customers give above-average marks for vendor and service capability satisfaction.
  • The Orange MSS portal has less self-service functionality and usability than many of its competitors, and lags behind in granular user access and control, and reporting abilities. Orange has added enhanced portal functionality over the past 12 months, focusing on search and visualization capabilities.
  • Orange has less mature capabilities in providing advanced attack analytics as part of its MSS, with a focus on sandboxing and malware analysis rather than network or endpoint-based detection approaches.
  • Orange has limited market visibility with Gartner clients for discrete MSSs.


Secureworks offers a range of MSSs and other security-specific services to customers globally. Corporate headquarters are located in Atlanta, with offices in London, Edinburgh, Sydney and Tokyo. Services are delivered from three 24/7 SOCs in the U.S. (Atlanta; Chicago; and Providence, Rhode Island); one 24/7 SOC in Edinburgh, Scotland; and one 24/7 SOC in Kawasaki, Japan. The SOCs are supported by a center of excellence in Romania that is focused on customer device management and new service innovation. MSS delivery is through Secureworks’ proprietary Counter Threat Appliance (CTA) and Counter Threat Platform (CTP), which leverages a shared big data platform and advanced analytics capabilities. Customer access to services is via the Secureworks Client Portal. A range of commercial log sources from customer-deployed technologies are supported, in addition to leveraging commercial and proprietary tools for managed network and host-based threat monitoring. Host and network-based advanced threat detection are provided through Secureworks’ Advanced Endpoint Threat Detection (AETD) service (via its proprietary Red Cloak agent or Carbon Black) and its Advanced Malware Protection and Detection (AMPD; in partnership with Lastline) service. The Secureworks Counter Threat Unit research team provides threat research and threat intelligence, malware analysis, and analytics support to the provider’s SOCs. Additional services, such as vulnerability scanning (both customer- or Secureworks-managed) and advanced threat intelligence services are also available to buyers.

Midsize, enterprise and government organizations seeking an established MSS that leverages a consistent, shared delivery approach with a global presence, and a security-focused set of offerings, should, consider Secureworks.

  • Advanced threat detection services are available for endpoint, whether leveraging the proprietary Red Cloak agent or Carbon Black, via the AETD service, which includes the ability to isolate hosts (either by the customer or by Secureworks’ SOC). Customers leveraging Secureworks iSensor in IPS mode, or via Secureworks managed firewalls, can self-initiate blocking for threats detected by the SOC.
  • Native support for IaaS monitoring in AWS and Azure is available, and includes capabilities for network and web app vulnerability management, which supports buyers requiring visibility and security monitoring in public cloud environments.
  • Secureworks offers an incident response retainer that is popular with buyers, which provides proactive as well as remote and on-site reactive response services.
  • Secureworks is highly visible with Gartner clients, and is frequently included in competitive MSS deals by North America-based midsize and enterprise buyers. It also has good visibility with U.K. buyers.
  • Gartner customers give positive feedback for Secureworks’ MSS offerings.
  • Secureworks lacks visibility with buyers in continental Europe and the Asia/Pacific region for MSSs.
  • Customers requiring raw event log retention (e.g., for compliance reporting and incident investigation purposes beyond 90 days) can opt for Secureworks’ on-premises log management offering (LogVault).
  • Monitoring for Office 365 and Salesforce is supported, but support for other popular SaaS solutions like Box, Dropbox and Workday are not yet available. There is no CASB option available.
  • Basic response services are available to AETD and device management customers, but other response services like forensics support, including malware analysis and threat hunting, require adding premium services.


Symantec is headquartered in Mountain View, California, and has six SOCs: one each in the U.S., the U.K. and Japan, and three in the Asia/Pacific region (India, Australia and Singapore). The SOCs operate on a follow-the-sun model to provide 24/7 support. Customers are assigned to a primary SOC in their region along with a global team of analysts aligned to their specific industry vertical. Symantec’s Cyber Security Services offerings include security monitoring and management, including hosted log retention, security intelligence, incident response services and security skills development services. Symantec has a broad portfolio of security technology solutions. Recent acquisitions include Outlier Security (EDR), Skycure (mobile device protection), and Fireglass (isolation technology). Symantec’s MSS SOC technology platform is based on self-developed technology. Customer event and log data are analyzed by Symantec’s global SOCs and retained in the North American data center. Symantec meets data residency requirements through contractual arrangements and the EU Standard Model Clause. Symantec MSS supports advanced threat detection via integrations with its own solutions as well as third-party products for network monitoring and forensics capabilities, and for payload analysis. MSS monitoring of EDR and forensics tools is offered for Symantec and third-party products. Incident and breach response services are available on retainer or on an ad hoc basis to buyers looking for a single provider for MSSs and response services. Monitoring capabilities are available for popular SaaS, IaaS and public cloud services. Pricing for MSS is offered in two models: based on a per-device/event source cost or on an enterprisewide license that provides unlimited monitoring up to a set limit of event sources (aka nodes).

Enterprises seeking an established MSSP with a global presence should consider Symantec.

  • Symantec has a well-established threat intelligence capability via its DeepSight services.
  • Symantec’s MSS portal offers granular role definitions and strong support for tracking and managing incident workflow.
  • The enterprisewide pricing model offers larger customers flexibility in bringing security event sources into scope for monitoring, and avoids change orders to add event sources beneath the agreed-on total for monitoring.
  • MSS customers indicate that Symantec is effective in detecting and helping to respond to advanced threats and targeted attacks.
  • Symantec has good visibility for MSS among Gartner customers.
  • Symantec primarily focuses on security monitoring now and directly offers limited device management services, primarily for IDPS, and not for other security controls. Prospective customers seeking device management services in addition to monitoring must anticipate working with Symantec partners.
  • Current integrations with vulnerability scanning products do not enable MSS customers to schedule or run scans via Symantec’s MSS portal. Customers can view scan results in the portal.
  • Symantec’s MDR-type advanced threat detection offerings, one network-based and the other host-based, are in the limited pilot/early adopter phase. Buyers interested in using one of these services will need to validate when they are available in their geography.


Trustwave, a stand-alone business within Singtel Group Enterprise, is based in Chicago, with regional headquarters in London, Sao Paulo and Sydney. Trustwave has several partnerships with regional telecommunications and service providers (e.g., Rogers Communications in Canada, Optus in Australia, Globe Telecom in the Philippines and TIS in Japan) around the globe to provide MSSs to those partners’ customer bases. Trustwave has nine 24/7 SOCs around the globe — three in North America, two in Europe (Warsaw and London), and four in the Asia/Pacific region (Manila, Philippines; Singapore; Sydney; and Tokyo). In the case of its telecom partners, the 24/7 SOCs are operated by Trustwave, some of which are in colocated facilities with the partners. Trustwave has a large portfolio of security technologies — including SIEM, UTM, network access control, application security, WAF and anti-malware — and builds MSSs around those, as well as support for a variety of third-party security products. Threat intelligence and incident response services are provided in-house from the Trustwave SpiderLabs team. Trustwave offers a managed EDR service leveraging Carbon Black and CounterTack as partners. Midmarket and small enterprise organizations, especially those with PCI DSS compliance requirements, make up the majority of Trustwave customers; however, the vendor has increased its focus on large enterprise buyers.

Telecommunications customers that have formed strategic partnerships with Trustwave, as well as companies in the retail, hospitality, healthcare and banking vertical industries, should consider Trustwave for MSSs. Trustwave is a good option for customers that need both products and services from a single provider, as the vendor has several competitive security software- and hardware-based platforms.

  • Trustwave supports a large client base that spans small and midsize enterprises, as well as larger global organizations.
  • Trustwave has expanded its global footprint through strategic partnerships with communications service providers across the Asia/Pacific region and North America, implementing a customer- and vertical-centric delivery model across the newly established SOCs.
  • The vendor’s SpiderLabs’ security research, penetration testing activities and incident response teams provide threat intelligence that enhances the value of the MSSs both through integration of the threat intelligence data directly into monitoring workflow and the SpiderLabs’ analysts serving as a higher tier of skills for advanced triage.
  • Trustwave has moderate visibility with Gartner clients looking to purchase MSSs.
  • Trustwave is planning to release an update to its MSS portal. Customers coming on board should ensure that they are getting the new portal, and that they review the rollout plan and features for that portal to ensure that it does not affect their service continuity.
  • As Trustwave continues to add support for third-party security technologies, customers should validate when and to what extent the security products they have deployed will be fully supported by Trustwave MSSs.
  • Direct support for Office 365 and Salesforce is supported via APIs; however, support for other popular SaaS vendors requires the use of a CASB solution. Trustwave claims that support for other SaaS vendors is available via API integrations, but it requires sufficient lead time (up to 45 days) for development and implementation.


Verizon is a telecommunications company headquartered in Basking Ridge, New Jersey, with regional offices in Reading, U.K., and Singapore, which offers MSSs and security consulting services. Verizon uses a global network of SOCs, with three SOCs in the U.S., four in the Asia/Pacific region (India and Australia), and two in Europe (Luxembourg and Germany). Verizon’s Unified Security Portal (USP) provides single portal access across all services and capabilities for customers. Verizon’s MSS platform includes log management capabilities allowing clients to search, index and store logs using technology based on Elasticsearch. A mix of proprietary and commercial technology including Splunk is used to analyze security data, which is ingested via Verizon’s proprietary Log Event Collector (LEC). Verizon uses regional SOCs and data retention to meet requirements for local data storage and analysis. Network Threat Advanced Analytics, which was added as a service in 2017, is available to both customers on the Verizon backbone network and also through NetFlow analysis capabilities deployed on a customer’s site. Malware analysis and network and endpoint forensics are available to buyers. Remote and on-site support for incident and breach response is provided via the Threat Intel and Response Service.

Enterprises, including existing Verizon network customers, should consider Verizon if they require well-established global or region-specific MSSs.

  • Verizon’s investment in reporting, communications features and data visualization enables clients to fully manage, interpret and investigate their security incidents within Verizon’s Unified Security Portal.
  • Netskope and Cisco Cloudlock, two leading CASB solutions, are currently supported by Verizon. Buyers with SaaS monitoring requirements should confirm support for their preferred CASB vendor.
  • Verizon has moderate visibility with Gartner clients for MSSs.
  • Verizon’s pricing model, specifically for the MSS Analytics service, is based on the data volume of log event and other data sources sent per day, measured in GB per day (management of security devices is still priced on a per-device basis). Buyers considering Verizon services should carefully analyze how much event and data volume they currently generate, and may generate, over time, to properly scope the service costs.
  • Vulnerability management in Verizon’s Unified Security Portal lags behind many competing MSSPs. Buyers should validate how Verizon integrates and leverages the data from their preferred vulnerability management solution.
  • Verizon lags behind competitors in its managed EDR service offerings. Leading EPP vendors are supported, but EDR-specific technologies are not yet supported.


Wipro provides a variety of MSSs, including security threat monitoring, infrastructure security operations and technology management, vulnerability management, incident response, identity and access management, and security consulting services. Wipro is headquartered in Bangalore, India, with offices in London, New York, New Jersey and elsewhere around the globe. MSSs are delivered from 14 24/7 SOCs, with eight in India (Bangalore, Pune, Chennai, Mysore, Bhubaneswar, Kochi, Noida and Gurgaon), two in Europe (Amsterdam and Meerbush, Germany), and four in North America (Houston, Dallas, Phoenix and Edmonton, Canada). Wipro offers security event monitoring via its multitenant ServiceNXT platform, or Wipro can support customers that bring their own SIEM solution or require a specific, dedicated SIEM tool. Wipro currently supports six SIEM platforms. Customers access the Wipro MSSs through the Cyber Defense Center (CDC) portal, which provides a single landing page for accessing services used by customers. Wipro has a broad portfolio of technology partnerships available to buyers. Flexible options are also available to meet local or regional data residency requirements and regulations.

Buyers across Europe, the Americas and the Asia/Pacific region considering MSS as part of broader IT outsourcing activities, and enterprises seeking flexible options for managing a range of security controls, including SIEM tools, across a variety of IT environments, should consider Wipro.

  • Wipro makes newer technologies such as EDR, NTA and SOAR available to buyers and customers (as well as for use internally for service delivery where applicable). Wipro made additional strategic investments in 2017 (Demisto) to complement existing investments (Vectra and IntSights). Wipro plans to introduce services leveraging breach and attack simulation, as well as deception solutions, in the future.
  • Wipro has extensive partnerships across a range of security technologies that it can implement, and manage, and can use those tools on behalf of buyers to meet their specific or customized requirements.
  • Wipro’s MSS delivery approach is highly customizable to customers’ requirements and existing technology solutions.
  • Wipro customers report positive feedback for the vendor’s overall services and experience, but the feedback for the onboarding process is less positive.
  • Wipro is in the process of moving its primary delivery model to a shared, multitenant platform, instead of leveraging customer-specific SIEM tools as its default delivery model. That transition to the shared model is still a work in progress and delivery models still lean toward per-customer-specified SIEM solutions. Buyers preferring to leverage a shared delivery platform should evaluate the architecture and implementation to ensure that it is fit for their purposes and requirements.
  • Wipro has made many improvements to its CDC portal over the past 12 months toward usability and centralization of access to services, but it still lacks the features available in many competing MSS portals.
  • Wipro has low visibility with Gartner clients’ shortlists for stand-alone MSS deals.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.


Capgemini, DXC Technology and Fujitsu were added.


CSC and HPE Enterprise Services were dropped, as they merged under DXC Technology.

Inclusion and Exclusion Criteria

As a remote service, MSS can be delivered to and from any location with sufficient connectivity. MSSPs that have operations in one geographic region can support customers in other regions. Gartner sees a distinct preference among customers seeking MSSs to first consider MSSPs with a presence in their country or region (e.g., North America, Europe and the Asia/Pacific region). For global enterprises, that includes a presence in multiple regions where the enterprises operate, in order to provide more local support. Local presence enables the MSSP’s ability to keep some data in specific regions, as well as to provide local business hours and access to advanced support, staffing requirements (such as specific citizenship) and local language support, among other capabilities. In addition, compliance with data residency and privacy regulations can be addressed in many cases with local operations centers.

This Magic Quadrant includes MSSPs that have met thresholds for scale (expressed as devices supported and customers) and presence (SOCs) in multiple regions, as well as a threshold for MSS revenue.

The criteria include a threshold for the number of firewalls or network-based IDPS devices under monitoring or management, and a threshold for the number of MSS customers — both distributed across multiple regions. We note that many providers, in addition to MSSs, offer other service delivery options (such as local staff augmentation) and related services, like building SOCs at a customer’s premises, which may be supported remotely by the MSSP’s SOC. However, these are not evaluated within this research. Also excluded from this analysis are service providers that offer MSSs only as a component of another service offering (such as bandwidth or hosting), and vendors that provide MSSs only for their own technologies, not for third-party technologies.

Inclusion Criteria

Vendors must:

  • Have services to remotely monitor and/or manage firewalls and UTM systems, IDPS devices from multiple vendors via discrete service offerings, and shared-service delivery resources.
  • Have firewalls/IDPS devices under remote management or monitoring for external customers that meet a minimum threshold described below.
  • Have customers, as well as monitored firewalls and IDPS devices, across multiple geographies that meet a minimum threshold described below. The thresholds for customers and devices have increased from the prior Magic Quadrant to reflect market growth.
  • Have MSS revenue of $50 million or more in 2016. The threshold for revenue has increased from the prior Magic Quadrant.
  • Have a SOC presence in multiple geographic regions.
  • Have reference accounts that are relevant to Gartner clients in the appropriate geographic regions.
  • Be service providers that Gartner determines to be significant vendors in the market because of their market presence or service innovation.

Inclusion thresholds for firewalls/IDPS devices under MSSs are 389 in the Asia/Pacific region, 2,473 in Europe, 3,709 in North America and 45 in the rest of the world (ROW). MSSPs must meet the thresholds in one of the following combinations:

  • Asia/Pacific and Europe
  • North America and the ROW
  • Asia/Pacific and North America
  • Europe and North America

Inclusion thresholds for MSS clients are 75 in the Asia/Pacific region, 118 in Europe, 355 in North America and 19 in the ROW. MSSPs must meet the thresholds in one of the following combinations:

  • Asia/Pacific and Europe
  • North America and the ROW
  • Asia/Pacific and North America
  • Europe and North America

Exclusion Criteria

Vendors that have:

  • Service offerings that are available only to end users that buy other non-MSSs
  • Services that monitor or manage only the service provider’s own technology
  • Services delivered by service provider resources dedicated to a single customer
  • Services that fail to meet the inclusion criteria

Evaluation Criteria

Ability to Execute

Product/Service refers to the service capabilities in areas such as information and log management; security event management; threat detection, monitoring and alerting; incident management and response; workflow; reporting; and service levels.

Overall Viability (Business Unit, Financial, Strategy, Organization) includes an assessment of the organization’s overall financial health, as well as the financial and practical success of the business unit. Includes the likelihood of the organization to continue to offer and invest in the product as well as the product position in the current portfolio.

Sales Execution/Pricing evaluates the service provider’s success in the MSSP market and its capabilities in presales activities. This also includes MSS revenue, pricing and the overall effectiveness of the sales channel. The level of interest from Gartner clients is also considered.

Market Responsiveness/Record evaluates the match of the MSS offering to the functional requirements stated by buyers at time of acquisition. It also evaluates the MSSP’s track record in delivering new functions when the market needs them.

Marketing Execution is an evaluation of the service provider’s ability to effectively communicate the value and competitive differentiation of its MSS offering to its target buyer.

Customer Experience evaluates the service delivery to customers. The evaluation includes ease of deployment, the quality and effectiveness of monitoring and alerting, and reporting and problem resolution. This criterion is assessed by surveys of vendor-provided reference customers, Gartner’s Peer Insights solution as well as by feedback from Gartner clients that are using an MSSP’s services, or have completed competitive evaluations of the MSSP’s offerings.

Operations covers the MSSP’s service delivery resources, such as infrastructure, staffing and operations reviews, or certifications.

Table 1.   Ability to Execute Evaluation Criteria

Evaluation Criteria


Product or Service


Overall Viability


Sales Execution/Pricing


Market Responsiveness/Record


Marketing Execution


Customer Experience




Source: Gartner (February 2018)

Completeness of Vision

Market Understanding involves the MSSP’s ability to understand buyers’ needs and to translate them into services. MSSPs that show the highest degree of market understanding are adapting to customer requirements for specific functional areas and service delivery options. MSSPs with market-leading vision are investing in expertise and technology to monitor and analyze the external threat environment to better understand the sources, motives, targets and methods of attackers.

They are using that insight to improve the effectiveness of their MSS. They are also developing and introducing services that support large-scale data collection; advanced analytics, including statistical and behavioral functions; and monitoring of new data sources, such as endpoint, network and user to include in analysis. The goal of these capabilities is to more effectively find and respond to attacks, both broad-based and advanced targeted-type attacks.

Marketing Strategy evaluates clear, differentiated messaging consistently communicated internally, and externalized through social media, advertising, customer programs and positioning statements, and is tailored to the specific client drivers and market conditions in the MSS market.

Sales Strategy evaluates the strategy for selling that uses the appropriate networks, including direct and indirect sales, marketing, service, and communication, as well as partners that extend the scope and depth of market reach, expertise, technologies, services and their customer base.

Offering (Product) Strategy evaluates the provider’s approach to product development and delivery that emphasizes functionality and delivery options as they map to current and emerging requirements for MSSs. Development plans are also evaluated.

Vertical/Industry Strategy evaluates the strategy to direct resources (sales, product and development), skills and products to meet the specific needs of individual market segments, including verticals.

Innovation refers to the service provider’s strategy and ability to develop new MSS capabilities and delivery models to uniquely meet critical customer requirements. Examples include the capabilities described in Market Understanding.

Geographic Strategy addresses the vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries, as appropriate for that geography and market.

Table 2.   Completeness of Vision Evaluation Criteria

Evaluation Criteria


Market Understanding


Marketing Strategy


Sales Strategy


Offering (Product) Strategy


Business Model

Not Rated

Vertical/Industry Strategy




Geographic Strategy


Source: Gartner (February 2018)

Quadrant Descriptions


Each of the service providers in the Leaders quadrant has significant mind share among organizations looking to buy MSSs as a discrete offering. These providers typically receive positive reports on service and performance from Gartner clients. MSSPs in the Leaders quadrant are typically appropriate options for enterprises requiring comprehensive portal-based access for interfacing with the service (e.g., responding to alerts, incident management, workflow, reporting, asset and access management, and managing other procured services, like vulnerability management) along with interaction with the MSSP for analyst expertise and advice.


In the Challengers quadrant, Gartner customers are more likely to encounter MSSs that are offered as components of an IT or network service provider’s (NSP’s) other telecommunications, outsourcing or consulting services. Although an MSS is not a leading service offering for this type of vendor, MSSs in these markets tend to have a strong Ability to Execute and offer buyers capabilities when procuring services from a single provider aligns with the organizations’ IT strategy.


Companies in the Visionaries quadrant have demonstrated the ability to turn a strong focus on managed security into high-quality service offerings for the MSS market. These service providers are often strong contenders for enterprises that require access to and support for “cutting edge” technology, flexible service delivery options and strong customer service. MSSPs in the Visionaries quadrant have less market coverage and fewer resources or service options compared with vendors in the Leaders quadrant.

Niche Players

Niche Players are characterized by service offerings that are available primarily in specific market segments, or primarily as part of other service offerings. These service providers often tailor MSS offerings to specific requirements of the markets they serve. This quadrant is also characterized by providers that are newer, or have expanded beyond local and regional markets, to the global MSS market, and are maturing their delivery capabilities and offerings.


Prospective MSS buyers with threat management use cases should highly weight MSSPs’ threat research, security intelligence and threat detection capabilities.

Prospective MSS users should require a proof of concept (POC), or a demonstration of MSS offerings, to validate ease of use, effectiveness and value. Current MSS customers should leverage POCs for new offerings from their existing MSSP before purchasing.

Current and prospective MSS users should validate MSSPs’ services to address advanced attacks via network behavior, network forensics, payload analysis, endpoint behavior and endpoint forensics, or consider MDR providers that specialize in such attack detection capabilities.

Global coverage matters to global enterprises. The MSS market includes a wide range of providers available only in a single region or country. If your organization is not global and wants good local support and presence, then carefully evaluate a global MSSPs ability to “look local.”

Market Overview

The MSS market is a mature one, offering buyers a variety of options from a diverse set of providers that generally align to a core focus. MSS is provided by pure-play security providers, IT system integrators and outsourcers, and network services providers. Buyers leverage MSSPs to address requirements that include 24/7 monitoring and threat detection, security technology management, and meeting a variety of compliance requirements. The preferred approach is to leverage a shared-service model where resources and support are remotely delivered by the provider. These may be complemented by related drivers, such as access to deeper or broader security expertise than is available in-house given the industry concern about the lack of available security resources and expertise, and the ability to retain those resources, or the need to redirect existing internal resources to other higher-value security functions inside the organization. Gartner clients interested in MSSs are increasingly looking for providers with effective threat detection capabilities that can detect both broad-based as well as advanced threats, and offer incident response services that may extend all the way through to the containment and remediation of a threat, either remotely or through physical on-site support.

This Magic Quadrant reflects the requirements of customers with service needs in multiple geographic regions. MSSPs included in the evaluation meet the minimum thresholds for MSS delivery in two or more regions via in-region SOCs. MSSPs with a multiregional presence typically have a sufficient understanding of region-specific customer requirements, as well as sufficient service delivery capabilities that can scale to support global service delivery. Customers with a mix of global delivery requirements and local regulatory requirements related to, for example, data privacy, may require customized services.

MSSPs that do not meet the criteria for inclusion in this Magic Quadrant may still deliver high-quality services within a continental or geographic region or regions. When considering MSSs, Gartner customers should develop evaluation criteria that meet their specific requirements, and take geography (language, local resources, etc.) into account, where applicable.

Market trends, which are discussed in more detail below, include:

  • Moving beyond monitoring of only network-based security technologies, particularly the network perimeter, with increasing focus on the endpoint (e.g., managed EDR services)
  • Increasing movement toward more customized outcomes for buyers
  • Buyer demand for capabilities to monitoring popular SaaS applications, and public cloud services providers and IaaS

The MSS market is growing at a healthy double-digit rate — in 2016, the market grew 10% to reach $9.4 billion in revenue (see“Market Share Analysis: Managed Security Services, Worldwide, 2016” ), and Gartner expects this growth rate to be in the 15% to 17% range for 2017. The MSS market constitutes approximately 60% of the overall security outsourcing market that will generate $18.7 billion revenue in 2017, growing at a CAGR of 11% through 2021. It is important to view MSS in the context of broader security outsourcing, because large enterprises are increasingly looking for hybrid engagements that include a mix of shared and dedicated service delivery components.

Demand for MSSs, from enterprises and midsize organizations, is driven primarily by a variety of factors:

  • Security staffing challenges and budget shortages: Gartner sees organizations of all sizes and geographies continuing to be challenged to attract and afford the appropriate security and risk management staff (see “Adapt Your Traditional Staffing Practices for Cybersecurity” ). Also, in an increasingly hostile external threat environment (see “How to Respond to the 2018 Threat Landscape” ), Gartner security and risk management leaders continue to report a lack of sufficient funding and increasing budget pressures that affect their security monitoring and operations capabilities.
  • Midsize enterprise adoption of detection and response capabilities: Midsize organizations are embracing detection and response capabilities to complement their investments in preventive security controls. These organizations are also impacted by the increasing scarcity (or affordability) of security operations talent. These organizations are looking for MSSPs to act as extensions of their security staff, instead of adding security head count. MSSPs can provide these services on a 24/7 basis, allowing customers to devote their often scarce internal security resources to higher-value activities.
  • Customized requirements: There is an increasing segmentation of the MSS market between providers that focus on a shared-service approach where offerings are homogenously applied across customers with minimal, if any, room for customization. These are generally the purview of the pure-play MSSPs. The IT outsourcers (ITOs) and NSPs that have MSS offerings are increasingly focused on providing customized solutions to larger enterprises in order to meet very specific requirements. These typically revolve around support for a wide range of security technologies, especially more “learn forward” technologies that the organization has already, or plans to, deploy, but lacks the expertise and skills to run and use those tools. The increasing demand for SOC build-outs in specific regions (e.g., Middle East and India) is also fueling the demand for customized services where MSS capabilities may be leveraged, like providing remote, out-of-business-hours support to complement the on-site provider’s staff manning the provider-run, customer-specific SOC.
  • First-time/early-cycle MSS customers: The MSS market is still attracting buyers. In both mature and emerging regions, there are organizations that are in their first cycle of building out threat detection and response capabilities. MSS forms a critical part of this because these organizations typically have low organizational competency in security and operate using lean security teams, and are therefore looking for opportunities to outsource security event monitoring, alerting and response. These “first cycle” MSS adopters are driving significant growth for the market.
  • Evolving compliance reporting requirements: Requirements such as GDPR (see “GDPR Clarity: 19 Frequently Asked Questions Answered” ) as well as corporate governance policies, are directly driving stronger requirements for threat monitoring, identification and incident response capabilities. As formal compliance regimes become more stringent or more pervasive, organizations are turning to external service providers to address the need to meet compliance requirements.
  • Expansion of security event monitoring into new domains: As organizations adopt cloud services (e.g., SaaS and IaaS predominantly), concerns about the lack of visibility into these environments from a security and risk management perspective are increasing. Customers considering MSS for security services are asking about MSSP capabilities for monitoring these environments.

MSS customers and buyers continue to express dissatisfaction with MSS providers, although they represent the minority. Some of the common reasons for customers switching MSSPs or opting for another delivery model include a lack of perceived value versus the costs for MSSs, providers that fail to detect threats or generate a high-level of false positives, and poor quality of service delivery and support during critical incidents. In particular, security and risk management leaders have increasing expectations that their MSSP will act as extensions of their security capabilities or teams to provide incident investigation and response support. These organizations are not resourced to consume just Tier 1 security operations capabilities where they only receive notifications of an incident and are expected to perform their own incident triage and investigation. That may be appropriate for large enterprises with adequately resourced security teams that want, and can, maintain responsibilities for incident triage, investigation and response.

Alternatives to using an MSSP include:

  • Managed detection and response services: Organizations have been increasingly looking for threat-detection-oriented service providers that offer more turnkey monitoring services coupled with higher-touch services. MDR service providers (see “Market Guide for Managed Detection and Response Services” ) are gaining increasing attention with buyers, particularly in the midsize and smaller enterprises. However, adoption by larger enterprises to augment existing capabilities, especially for advanced threat detection, is also occurring. Many MSSPs have introduced MDR-like services that are turnkey offerings using dedicated technology providers as premium services, but these are primarily focused on advanced threat detection use cases, usually via managed EDR or threat hunting. The use of network technologies for MDR-type services is starting to emerge. Gartner anticipates this trend to continue as MSSPs race to compete with the MDR providers.
  • Remote co-management of a customers’ SIEM solution: Increasingly, buyers across the midsize and larger enterprises are purchasing SIEM solutions, but looking for specific service providers to assist. Services available to the buyer range from engineering, tuning and performance monitoring of the customer’s SIEM tool, whether it’s on-premises, hosted by a provider or SaaS SIEM (see “Selecting and Deploying SaaS SIEM for Security Monitoring” ), all the way to complete management and 24/7 monitoring and alerting (in effect being an MSS to the customer, just using the customer’s technology). Buyers purchase their own SIEM tools for a variety of reasons (see “How and When to Use Co-managed Security Information and Event Management” ). In response to this trend, MSSPs are increasingly adding co-managed SIEM support for two to three SIEM solutions.
  • Organizations building their own, dedicated SOCs: Organizations decide to build and operate their own SOCs because they:
    • Desire more control over their detection and response technologies (either driven internally or due to regulatory requirements)
    • Require better access to their own data (for threat investigations or compliance purposes)
    • Have unique or specialized use cases or environments where more customized correlation/analytics is required (e.g., OT security monitoring requirements).
    • May be unaware of the concept of shared MSS, particularly because providers do not offer it to them. This is particularly true in emerging markets.
  • To adapt to these requirements, MSSPs are adding or expanding customized services to customers for SOC build-outs (see“How to Plan, Design, Operate and Evolve a SOC” ).

Challenges to using an MSSP include:

  • Ability to deliver “integrated” incident response: MSS buyers should be aware when considering these services as most MSSPs still have limitations and barriers between the basic triage and customer notification of a potential incident, and specific incident response activities, such as collecting suspect binaries and performing analysis, which is then used to ascertain the type of threat, sophistication, attribution and scope of distribution inside an organization. Many MSSPs have incident response retainers that are required to be purchased by a customer in order to have access to these types of technical incident response functions and experts.
  • Data residency and other privacy requirements: Regulatory requirements regarding movement of and access to specific types of data may limit the scope of monitoring enterprises entrusted to MSSPs. For example, GDPR may drive more stringent requirements for MSSPs depending on the geography in which the MSS buyer operates.
  • Change in strategy to reduce outsourcing: At the enterprise level or within the security organization, a change in strategy (sometimes driven by changes in leadership) regarding the use of external services can mean that MSSs are not considered effective options.
  • Lack of customization: By definition, MSSs are meant to be standardized in terms of device management, analytics/correlation rules, and reporting and notifications. Customers that want more customization of their security operations may find that some MSSPs may be less than ideal for them if they focus on delivering shared services with little to no customization.

MSSP Landscape

The basic makeup of the MSSP vendor space has not changed fundamentally as the market is mature. There are three major types of MSSPs. Overlap between these types occurs in the market, but MSSPs tends to fall into one of the categories.

  • Pure plays: These are generally smaller, privately held MSSPs that are completely focused on security services. Most of these MSSPs tend to serve a local market or region, but not all regions around the world. New pure-play security service providers often focus on specific vertical markets (e.g., legal, healthcare providers, energy and utilities) or regulatory requirements, or advanced threat detection technologies (e.g., managed EDR services). Gartner expects existing MSSPs and other IT services firms to acquire pure-play service providers that offer threat-detection-oriented services and advanced threat detection capabilities, especially those in the MDR space.
  • NSPs: These are network bandwidth and connectivity providers that manage and monitor network security products. They often provide remote monitoring, premises-based technologies and cloud-based services through their internet connections. Buyers that consume managed telecommunications services tend to include MSS when available as firewalls and other network-based security technologies can be a core component of the outsourcing deals.
  • ITOs/system integrators/business process outsourcers: These are IT services providers that typically manage security devices as part of large outsourcing or system integrations initiatives, where it makes sense for buyers to consume MSS as part of broad infrastructure management and monitoring deals.

In addition to the above common types of MSSPs, security consulting providers and some product vendors are emerging entrants offering MSSs. Security consulting has realized that MSS and ongoing security operations contracts are more of a profitable, predictable and faster-growing revenue stream than one-off consulting projects. Many of these consultants are more active in dedicated SOC staffing services than MSS, but this is still a category of providers to watch. Also worth noting is that many IT outsourcers with security consulting businesses are also becoming more active as MSSPs, through either acquisitions or the organic build-out of capabilities.

Some product vendors such as Cisco, CrowdStrike, F-Secure, FireEye and Rapid7 (among others) also offer MSS and/or MDR services. The primary motivation for these technology vendors in entering this market has been to increase their recurring revenue by attaching more annuity-based services to one-time product sales. Also, for new product areas in security (like EDR), offering managed services allows customers to better utilize the underlying technology product (because it can be more complex and time-consuming than anticipated once fully deployed) and helps them overcome skills shortages associated with newer security technology areas. However, product vendors are still very much a niche play in the broader MSS market.

MSS Portfolio

The services that are core to MSS offerings involve vendor-agnostic monitoring and management of core security technologies, with a focus on:

  • Firewalls and next-generation firewalls (NGFs)
  • Network IDPSs and next-generation IDPS
  • Multifunction firewalls/UTMs
  • SWGs and URL filters
  • EPPs

MSSPs also tend to support a broad scope of security and non-security-type data sources for security event monitoring. The event sources may include network devices (e.g., VPN devices, routers and switches), logs from user directory services (e.g., Active Directory), and host OS logs and application-specific logs. In the past couple of years, MSSPs have introduced services to manage and monitor both proprietary and commercial technologies designed to detect and protect against advanced threats. These services analyze payloads to detect malicious software and monitor activity and behavior of network traffic (e.g., network traffic analysis [NTA] tools) and endpoints (e.g., EDR agents). In addition to monitoring, many MSSPs have management services for those technologies (usually under their “MDR services”).

MSSPs may also provide cloud or SaaS-based services, including:

  • Vulnerability scanning
  • Network-based firewall/IDP
  • Web filtering/SWG
  • CASB
  • Email security
  • DDoS mitigation

Among organizations that have deployed a SIEM solution, Gartner sees increasing interest in services to monitor or run the SIEM. MSSPs continue to add offerings to support customer-deployed SIEM to accommodate these customers, either in a more customized model or until the customer can be transitioned off their SIEM tool and onto the MSSP’s delivery platform.

Incident Response Services

Most MSSPs offer incident response capabilities to assist customers with investigation and remediation activities. Gartner clients, in light of significant breaches in the news over the last 12 months, are interested in adding retainers for digital forensics and incident response (DFIR) services. MSS customers generally look to their provider for these services in many cases. These activities are available as proactive- and reactive-oriented services, delivered primarily remotely, but on-site as needed. These services are typically available on a consulting basis, and can be purchased as needed, or via a retainer for a set number of hours, with service-level commitments for response time for both remote and on-site support. Prospective customers should confirm with MSSP candidates how much response support is available within the context of the standard monitoring services, and when engaging the incident response retainer is required (for example, does the customer have to authorize use of the hours, or is it preagreed how the MSSP can use those hours?). SLAs are also commonly provided for both remote and on-site support. Customers should confirm the SLAs provided and penalties if SLAs are missed. If the MSSP offers packaged or prepaid retainer hours for incident response activities, then customers should confirm if those hours are available for other security services if they are not needed for incident response (e.g., through proactive services).

Threat Intelligence Capabilities and Services

Requirements for how MSSs leverage threat intelligence, and what premium threat intelligence services are available, appear on Gartner clients’ RFPs with increasing frequency. Buyers are specifically interested in how MSSPs are leveraging threat intelligence (e.g., to improve the prioritization and context around detected incidents). Additionally, rather than procuring advanced or customer-specific threat intelligences services from a third party, MSS buyers are looking first at the capabilities of the MSSP, through subscription-based services. Several MSSPs have dedicated security and threat-oriented research teams to improve their visibility of the threat landscape — that is, the identities, motives, targets, and tactics, techniques, and procedures of external attackers. These services feed their MSS capabilities, but also tend to be resold as advanced threat intelligence offerings, such as customer-specific dark web monitoring services. Those that do not have their own threat research groups often use a mix of one or more third-party threat intelligence providers along with open-source threat intelligence. MSSPs are increasing their support for common threat intelligence description and sharing formats, such as Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII). In the last 12 months, a few MSSPs have also introduced threat intelligence platforms as part of their overall delivery platforms (see “Market Guide for Security Threat Intelligence Products and Services” ). As their use and the maturity of these tools increase, Gartner expects to see improved capabilities for customers to securely share and allow the MSS to consume provided threat intelligence. Buyers with requirements for this level of sharing should confirm with prospective MSSPs if they already have this capability, and if not, where it is in their roadmap.

MSS Delivery

Managed Service Portal Functionality

Buyers should apply significant focus to methods of communication with their provider, as this enables measurable recognition of value received. A key way to orchestrate efficient two-way recorded dialogue between outsourced security professionals and internal teams is through a fully featured portal. Any portal should provide multirole and granular access control, and dashboards with information preconfigured and adaptable to fit many different roles and functions within your organization, including those within senior risk management. Fully interactive incident ticketing with features for handover and resolution tracking provide buyers with a method not only to improve the service that the provider is operating through enrichment and semantic learning, but also to track and manage ROI in an area visible to both parties. Important features of provider portals also include the ability to search through security data and carry out threat hunting through fast and intuitive interfaces as well as seamless cross-service and function integrations with other security services and information, such as vulnerability scanning outputs and threat intelligence indicators.

Buyers should consider the quality and functionality of the provider portal to be a high-priority element in their decision to procure any MSS, as this becomes the outlet and store for all content that the service produces and is measured by.

Security Operations Centers

All MSSPs leverage SOCs as the physical locations to deliver 24/7 services. MSSPs use different patterns for service delivery, usually either from a SOC operating round-the-clock, using a follow-the-sun approach with operation during local business hours seven days per week, or for resiliency as needed, or a hybrid of these two models. Each has its strengths and weaknesses. For example, technically a SOC in one region can support a customer in another; however, there are potentially significant roadblocks in the form of language, time zones and regulations that need to be considered. On the other hand, better service may be achieved when the MSSP uses a follow-the-sun model which can alleviate SOC analyst quality issues that arise when analysts have to work nights and weekends (see “How to Plan, Design, Operate and Evolve a SOC” ). MSS buyers need to carefully evaluate the SOC locations and operating models used by MSSPs to ensure they will meet their requirements.

Threat Detection and Advanced Analytics Capabilities

Many MSSPs claim capabilities to assist their customers in addressing advanced attacks, in addition to their abilities to detect common, broad-based threats. These capabilities may be visible as discrete service offerings or options, or as features embedded in existing offerings. They may include, for example:

  • Correlation of events with threat intelligence that can provide attribution (e.g., to a broad-based malware family versus known hacking group)
  • Analysis of activity patterns (across an MSS customer base as well as within the customer environment) to identify outliers, exceptions or deviations from baselines in security events, network traffic, or the activity of users or entities on the network
  • Analysis of user behavior to identify anomalies from normal behavior across environments (on-premises, cloud) — this is an emerging area that is currently supported by very few MSSPs

The adoption of big data technologies like Hadoop, Elasticsearch and NoSQL is permeating MSS. This makes sense as MSSPs have historically had to deal with “big data problems” — a large volume, velocity and variety of log event and other data. These technologies are being used to help MSSPs better manage and analyze the large amounts and various types of data acquired from their customers, and to make it more accessible (e.g., via real-time search as opposed to scheduled search jobs) and for longer periods of time than what has been previously available. However, the time horizon to search over those logs continues to stay relatively stable, with 90 days of online data being the norm and data older than that being relegated to warm or offline storage. The adoption of big data technologies is also fueling a drive to improve threat detection capabilities through advanced analytics; however, it’s still early days.

As big data technologies are being adopted, advanced analytics are being used in back-end systems to complement traditional real-time security event correlation and monitoring capabilities. Batch-oriented analytics that can be run over much larger datasets covering weeks or months of data, commonly using machine-learning-based approaches, are being employed. Gartner recommends that customers ask for specific information and evidence where advanced analytics is being used as a means of differentiating and comparing service offerings across providers. Most MSSPs claim that the customer won’t be able to determine, based on the alerts they are notified with, whether the event was detected using standard methods, such as correlation or threat intelligence matches, or if it was via a more advanced method (e.g., anomalous activity detected using a supervised machine learning approach). Buyers should also ask about how a provider leverages advanced analytics methods. For example, is the capability through a commercially available technology that is managed by the provider, or has the provider actually invested in R&D to customize and tune a commercial (or proprietary) analytics technology?

Monitoring Beyond On-Premises Customer Environments

SaaS visibility is top of mind with Gartner clients interested in MSS, with IaaS second. Use of popular SaaS like Office 365, Salesforce, Box and Workday are driving the demand. MSSPs are slowly adding support, via partnerships, for CASBs to provide SaaS security monitoring, but few Gartner clients report interest in this approach. Most clients are expecting native API-based approaches to be used as part of the core security event monitoring capabilities. The approach is mixed across MSSPs. Some claim support for APIs, others rely on the use of a CASB solution and a few offer both, depending on the level of event monitoring required by the buyer.

Most MSSPs have focused on the monitoring of assets located in public cloud services, such as AWS and Azure, by leveraging a mix of external security controls deployed in the public cloud and native API-based security integrations (e.g., AWS CloudTrail). Support for Azure has increased over the past 12 months, but AWS is still the most supported environment. Few MSSPs have support for IaaS security products like cloud workload protection platforms (see “Market Guide for Cloud Workload Protection Platforms” ).

There is another dimension to cloud security, and that is security services delivered from the cloud (e.g., security as a service). Some MSSPs support established security-as-a-service technologies (e.g., SWGs and secure email gateways [SEGs]). For example, many of the pure-play providers with their own technology portfolios, and NSPs through partnerships with cloud-based SWG providers, offer management and monitoring services for those deployment modes.

Pricing Models

There are several pricing models used by MSSPs, leading to confusion among buyers as to which approach is most appropriate and making it difficult to compare pricing across competing providers. A majority of MSSPs offer a pricing model based on the type and size of the security technology to be monitored and/or managed for customer-owned security technologies, devices and other log sources. Log collection is typically priced by the number and types of sources, or by the number of events per time period (device count pricing includes implicit expectations of event volumes). There is often a clear distinction between technology that is monitored in real time and subject to alerting SLAs, and technology that is not — that is, where logs are collected and subject to reporting or querying, but not to real-time correlation and analyst review.

Alternative models are also being seen in the market. Gartner expects to see new pricing models introduced as a competitive advantage, and to reduce the complexity and friction with selling MSSs:

  • Data volume or velocity: Providers, especially those using a commercial SIEM solution as part of their delivery platform, are pricing MSSs based on the average volume of data collected over a time period (such as gigabytes per day) or the velocity of data sent to the MSS for analysis (usually measured as log events sent per second or daily). This model allows customers to pay based on the actual amount of data provided to the service provider for analysis, rather than the number or type of data sources. This is not a dominant model in the market. Issues with this model include a lack of control over the amount of data being generated (e.g., during a DDoS attack) and that not all data provides equal benefits, but customers pay the same rate for data collected and analyzed (e.g., web proxy versus DNS events).
  • Per log event source pricing: This pricing model is based on the total number of sources sending data to the MSSP. In this model, all data sources, regardless of how much log and event data they generate, are treated equally. This is sometimes provided as an enterprisewide license model too.
  • Per incident: In this approach, customers are charged based on the number of incidents that are detected and number of alerts notified.
  • Per user or asset: This approach is based on the number of users or assets inside an organization, and based on analytics activities (such as running specific algorithms against a volume of data).

Device management pricing is typically based on the number of configuration changes to be performed within a period of time. This model offers a fairly straightforward means for potential customers to determine the cost of a service and allows comparison across potential providers. A potential issue with this model is that, where customers have high-capacity event sources that are underutilized, they pay for the potential capacity, rather than actual usage of those devices.

Service-Level Agreements

Gartner clients need to be aware of the SLAs offered by MSSPs, as they are a continuing source of misunderstanding by buyers and differences exist across providers. SLAs are commonly offered for monitoring and managed services. Usually, a vendor segregates the SLAs into three to five response levels measured against a specific severity (e.g., urgent, high, medium, low). In many cases, the monitoring and response severities are aligned to managed device SLAs too.

MSS buyers need to confirm the tiers and associated SLAs for the services they plan to buy. Many MSSPs offer various tiers of service at different price points with varying SLAs (e.g., more expensive service will have shorter response times). MSS buyers should confirm the options available with the providers and evaluate which tier they are being quoted, and whether fewer tiers of service might be acceptable given the trade-offs between risks and costs. SLA rightsizing is a critical part of getting the most value from an MSSP. It is also important to confirm how the SLA is measured and calculated. For example, does the clock on an SLA start when the incident is detected by an automated system, when the incident is picked up from a queue of unassigned events by an analyst, or from the time an analyst has established that there is an incident worth notifying the customer about?

Most MSSPs offer standard SLAs; however, some negotiate SLAs on a customer-by-customer basis, while a few others still negotiate custom SLAs for each customer. MSS buyers consuming these services as part of broader IT outsourcing contracts need to be doubly cautious about defining the right SLAs. Gartner has observed several risk areas in such engagements — from providers carrying forward generic SLAs to weak service definitions to poor reimbursements and remediation. Finally, MSS buyers need to confirm whether a provider offers any reimbursements for missed SLAs. Some MSSPs offer credits against future payments for missed SLAs, but this is not common practice across the industry. These can scale to become more severe for multiple occasions of SLA noncompliance. However, there is usually a limit for how many credits can be provided, such as not exceeding a certain percentage of the total monthly or annual charges. Also, sometimes there are earn-back provisions that forgive remedies based on improved performance by the MSSP. It is important to note that, in most cases, it is the customer’s responsibility to notify the service provider of any proposed SLA violation within a set time period of the date on which the proposed violation occurred. At a minimum, the provider should have capabilities for performing a root cause analysis and offering root cause elimination as part of its SLA conformance.

MSSP Market Activity in 2017

The global MSSP market in 2017 was stable. CSC and HPE Enterprise Services formally merged as DXC Technology in April 2017.

MSSPs Not Evaluated in the Magic Quadrant

Not included in this Magic Quadrant analysis are smaller, region-, country-level and local-area MSS providers, which can include small pure plays and larger providers that do not have enough MSS business in multiple regions to meet the inclusion criteria (although they may be a good choice for buyers that don’t require a global footprint and would prefer a more “local” provider). Also excluded from this analysis are service providers that provide MSSs only for their own technologies, and that do not deliver services for third-party commercial technology (for example, MDR service providers). Providers with security services that are sold and delivered primarily with infrastructure outsourcing, staff augmentation or account-dedicated resources are also not included in this Magic Quadrant.


  • Gartner customer inquiries and information sharing related to MSSPs
  • Analyst interactions with Gartner customers via inquiries and meetings
  • Survey of MSSPs
  • Survey of MSS reference customers
  • Gartner Peer Insights

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability: Viability includes an assessment of the overall organization’s financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization’s portfolio of products.

Sales Execution/Pricing: The vendor’s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.

Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor’s history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This “mind share” can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers’ wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers’ wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor’s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.

Business Model: The soundness and logic of the vendor’s underlying business proposition.

Vertical/Industry Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s