Expanding cybersecurity services as a Managed Service Provider (MSP) or Managed Security Service Provider (MSSP) requires more than strong technical capabilities. Providers also need a sustainable business approach that can deliver clear and measurable value to clients while supporting growth at scale.
One approach gaining attention across the cybersecurity industry is risk-based security management. When implemented effectively, this model can strengthen trust with customers, create opportunities to offer additional services, and establish stable recurring revenue streams. However, maintaining such a strategy consistently requires structured workflows and the right supporting technologies.
To help providers adopt this approach, a new resource titled “The MSP Growth Guide: How MSPs Use AI-Powered Risk Management to Scale Their Cybersecurity Business” outlines how organizations can transition toward scalable cybersecurity services centered on risk management. The guide provides insights into the operational difficulties many MSPs encounter, offers recommendations from industry experts, and explains how AI-driven risk management platforms can help build a more scalable and profitable service model.
Why Risk-Focused Security Enables Service Expansion
Many MSPs already deliver essential cybersecurity capabilities such as endpoint protection, regulatory compliance assistance, and other defensive tools. While these services remain critical, they are often delivered as separate engagements rather than as part of a unified strategy. As a result, the long-term strategic value of these services may remain limited, and opportunities to generate consistent recurring revenue may be reduced.
Adopting a risk-centered cybersecurity framework can shift this dynamic. Instead of addressing isolated technical issues, providers evaluate the complete threat environment facing a client organization. Security risks are then prioritized according to their potential impact on business operations.
This broader perspective allows MSPs to move away from reactive fixes and instead deliver continuous, proactive security management.
Organizations that implement this risk-first model can gain several advantages:
• Security teams can detect and address threats before they escalate into damaging incidents.
• Defensive measures can be continuously updated as the cyber threat landscape evolves.
• Critical assets, daily operations, and organizational reputation can be protected even when compliance regulations do not explicitly require certain safeguards.
Another major benefit is alignment with modern cybersecurity frameworks. Many current standards require companies to conduct formal and ongoing risk evaluations. By integrating risk management into their core service offerings, MSPs can position themselves to pursue higher-value contracts and offer additional services driven by regulatory compliance requirements.
Common Obstacles That Limit Risk Management Services
Although risk-focused security delivers substantial value, MSPs often encounter operational barriers that make these services difficult to scale or demonstrate clearly to clients.
Several recurring challenges affect service delivery and growth:
Manual assessment processes
Traditional risk evaluations often rely heavily on manual work. This approach can consume a vast majority of time, introduce inconsistencies, and make it difficult to expand services efficiently.
Lack of actionable remediation plans
Risk reports sometimes underline security weaknesses but fail to outline clear steps for resolving them. Without defined guidance, clients may struggle to understand how to address the issues that have been identified.
Complex regulatory alignment
Organizations frequently need to comply with multiple cybersecurity standards and regulatory frameworks. Managing these requirements manually can create inefficiencies and inconsistencies.
Limited business context in security reports
Many security assessments are written in highly technical language. As a result, business leaders and non-technical stakeholders may find it difficult to interpret the results or understand the real impact on their organization.
Shortage of specialized cybersecurity professionals
Skilled risk management experts remain in high demand across the industry, making it difficult for service providers to recruit and retain qualified personnel.
Third-party risk visibility gaps
Many cybersecurity platforms focus only on internal infrastructure and overlook risks introduced by external vendors and service providers.
These challenges can make it difficult for MSPs to transform risk management into a scalable and profitable cybersecurity offering.
How AI-Powered Platforms Help Address These Barriers
To overcome these operational difficulties, many providers are turning to artificial intelligence-driven risk management tools.
AI-based platforms can automate large portions of the risk management process. Tasks that previously required extensive manual effort, such as risk assessment, prioritization, and reporting, can be completed more quickly and consistently.
These systems are designed to streamline the entire risk management lifecycle while incorporating advanced security expertise into service delivery.
What Modern Risk Management Platforms Should Deliver
A well-designed AI-enabled risk management solution should do more than simply detect potential threats. It should also accelerate service delivery and support business growth for service providers.
Organizations adopting these platforms can expect several operational benefits:
• Faster onboarding and service deployment through automated and easy-to-use risk assessment tools
• More efficient compliance management supported by built-in mappings to cybersecurity frameworks and continuous monitoring capabilities
• Clearer reporting that presents cybersecurity risks in language business leaders can understand
• Demonstrable return on investment by reducing manual workloads and enabling more efficient service delivery
• Additional revenue opportunities by identifying new cybersecurity services clients may require based on their risk profile
Key Capabilities to Evaluate When Selecting a Platform
Selecting the right technology platform is critical for service providers that want to scale cybersecurity operations effectively.
Several capabilities are considered essential in modern risk management tools:
Automated risk assessment systems
Automation allows providers to generate assessment results within days rather than months, while minimizing human error and ensuring consistent outcomes.
Dynamic risk registers and visual risk mapping
Visualization tools such as heatmaps help security teams quickly identify which risks pose the greatest threat and should be addressed first.
Action-oriented remediation planning
Effective platforms convert risk findings into structured and prioritized tasks aligned with both compliance obligations and business objectives.
Customizable risk tolerance frameworks
Organizations can adapt risk scoring models to match each client’s specific operational priorities and appetite for risk.
The MSP Growth Guide provides additional details on the features providers should consider when evaluating potential solutions.
Building Long-Term Strategic Value with AI-Driven Risk Management
For MSPs and MSSPs seeking to expand their cybersecurity practices, AI-powered risk management offers a way to deliver consistent value while improving operational efficiency.
By automating risk assessments, prioritizing security issues based on business impact, and standardizing reporting processes, these platforms enable providers to deliver reliable cybersecurity services to a growing client base.
The guide “The MSP Growth Guide: How MSPs Use AI-Powered Risk Management to Scale Their Cybersecurity Business” explains how service providers can integrate AI-driven risk management into their offerings to support long-term growth.
Organizations interested in strengthening customer relationships, expanding cybersecurity services, and building a competitive advantage may benefit from adopting risk-focused security strategies supported by AI-enabled platforms.
Cisco Talos researchers said that the hacker is related to the Tropic Trooper and FamousSparrow hacker groups, but it is tracked as a different activity cluster.
According to the experts, UAT-9244 shares the same victim profile as Salt Typhoon, but they are failing to find a link between the two security clusters.
The experts found that the campaign used three previously unknown malware families: PeerTime, a Linux backdoor that employs BitTorrent; TernDoor, a Windows backdoor; and BruteEntry, a brute-force scanner that makes proxy infrastructure (ORBs).
TernDoor is installed via DLL side-loading through the authentic executable wsprint.exe to deploy malicious code from BugSplatRc64.dll, which decodes and runs the final payload in memory (inserted inside msiexec.exe).
The malware consists of a WSPrint.sys, an embedded Windows driver, which is used for terminating, suspending, and resuming processes.
Persistence is gained through Windows Registry modifications and scheduled tasks, which also hide the scheduled task. Besides this, TernDoor runs commands through a remote shell, executes arbitrary processes, collects system data, reads/writes files, and self-deletes.
PeerTime is an ELF Linux backdoor that attacks various architectures (MIPS, ARM, AARCH, PPC), hinting that it was made to attack a wide range of embedded systems and network devices.
Cisco Talos found the variants for PeerTime. The first variant is written in C/C++, and the second is based on Rust. The experts also found a Simplified Chinese debug string inside the instrumentor binary, which may be its source. The payload is decoded and installed in memory, and its process is renamed to look real.
Lastly, there is BruteEntry, which consists of a brute-forcing component and a Go-based instrumentor binary. Its function is to transform compromised devices into Operational Relay Boxes (ORBs), which are scanning nodes.
The attacker brute-forces SSH, PostgreSQL, and Tomcat by using workstations running BruteEntry to search for new targets. The C2 receives the results of the login attempt along with the task status and notes.
Cisco Systems has confirmed that attackers are actively exploiting two security flaws affecting its Catalyst SD-WAN Manager platform, previously known as SD-WAN vManage. The company disclosed that both weaknesses are currently being abused in real-world attacks.
The vulnerabilities are tracked as CVE-2026-20122 and CVE-2026-20128, each presenting different security risks for organizations operating Cisco’s software-defined networking infrastructure.
The first flaw, CVE-2026-20122, carries a CVSS score of 7.1 and is described as an arbitrary file overwrite vulnerability. If successfully exploited, a remote attacker with authenticated access could overwrite files stored on the system’s local file structure. Exploitation requires the attacker to already possess valid read-only credentials with API access on the affected device.
The second vulnerability, CVE-2026-20128, has a CVSS score of 5.5 and involves an information disclosure issue. This flaw could allow an authenticated local user to escalate privileges and obtain Data Collection Agent (DCA) user permissions on a targeted system. To exploit the vulnerability, the attacker must already have legitimate vManage credentials.
Cisco released fixes for these issues late last month. The patches also addressed additional vulnerabilities identified as CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133.
The company provided updates across multiple software releases. Systems running versions earlier than 20.9.1 should migrate to a patched release. Fixes are available in the following versions:
According to Cisco’s Product Security Incident Response Team, the company became aware in March 2026 that CVE-2026-20122 and CVE-2026-20128 were being actively exploited. Cisco did not disclose how widespread the attacks are or who may be responsible.
Additional insights were shared by researchers at watchTowr. Ryan Dewhurst, the firm’s head of proactive threat intelligence, reported that the company observed exploitation attempts originating from numerous unique IP addresses. Investigators also identified attackers deploying web shells, malicious scripts that allow remote command execution on compromised systems.
Dewhurst noted that the most significant surge in attack activity occurred on March 4, with attempts recorded across multiple global regions. Systems located in the United States experienced slightly higher levels of activity than other areas.
He also warned that exploitation attempts are likely to continue as additional threat actors begin targeting the vulnerabilities. Because both opportunistic and coordinated attacks appear to be occurring, Dewhurst said any exposed system should be treated as potentially compromised until proven otherwise.
Security experts emphasize that SD-WAN management platforms function as centralized control hubs for enterprise networks. As a result, vulnerabilities affecting these systems can carry heightened risk because they may allow attackers to manipulate network configurations or maintain persistent access across multiple connected sites.
In response to the ongoing attacks, Cisco advises organizations to update affected systems immediately and implement additional security precautions. Recommended actions include restricting administrative access from untrusted networks, placing devices behind properly configured firewalls, disabling the HTTP interface for the Catalyst SD-WAN Manager administrator portal, turning off unused services such as HTTP or FTP, changing default administrator passwords, and monitoring system logs for suspicious activity.
The disclosure follows a separate advisory issued a week earlier in which Cisco reported that another flaw affecting Catalyst SD-WAN Controller and SD-WAN Manager — CVE-2026-20127, rated 10.0 on the CVSS scale had been exploited by a sophisticated threat actor identified as UAT-8616 to establish persistent access within high-value organizations.
This week the company also released updates addressing two additional maximum-severity vulnerabilities in Secure Firewall Management Center. The flaws, tracked as CVE-2026-20079 and CVE-2026-20131, could allow an unauthenticated remote attacker to bypass authentication protections and execute arbitrary Java code with root-level privileges on affected systems.
The operation starts with an email sent from an address hosted on ukr[.]net, a famous Ukrainian provider earlier exploited by the Russia based hacking group APT28 in older campaigns.
Experts at ClearSky have termed the malware “BadPaw.” The campaign starts when a receiver opens a link pretending to host a ZIP archive. Instead of starting a direct download, the target is redirected to a domain that installs a tracking pixel, letting the threat actor to verify engagement. Another redirect sends the ZIP file.
The archive pretends to consist of a standard HTML file, but ClearSky experts revealed that it is actually an HTA app in hiding. When deployed, the file shows a fake document related to a Ukrainian government border crossing request, where malicious processes are launched in the background.
Before starting, the malware verifies a Windows Registry key to set the system's installation date. If the OS is older than ten days, deployment stops, an attack tactic that escapes sandbox traps used by threat analysts.
If all the conditions are fulfilled, the malware looks for the original ZIP file and retrieves extra components. The malware builds its persistence via a scheduled task that runs a VBS script which deploys steganography to steal hidden executable code from an image file.
Only nine antivirus engines could spot the payload at the time of study.
After activation within a particular parameter, BadPaw links to a C2 server.
The following process happens:
Getting a numeric result from the /getcalendar endpoint.
Gaining access to a landing page called "Telemetry UP!” through /eventmanager.
Downloading the ASCII-encoded payload information installed within HTML.
In the end, the decrypted data launches a backdoor called "MeowMeowProgram[.]exe," which offers file system control and remote shell access.
Four protective layers are included in the MeowMeow backdoor: runtime parameter constraints, obfuscation of the.NET Reactor, sandbox detection, and monitoring for forensic tools like Wireshark, Procmon, Ollydbg, and Fiddler.
Incorrect execution results in a benign graphical user interface with a picture of a cat. The "MeowMeow" button only displays a harmless message when it is clicked.
According to a report published by Radware, 149 separate DDoS attack claims were documented between February 28 and March 2, 2026. These incidents targeted 110 distinct organizations spanning 16 countries. Twelve different groups participated in the activity. Three of them, Keymous+, DieNet, and NoName057(16), were responsible for 74.6 percent of the total claims. Radware further noted that Keymous+ and DieNet alone accounted for nearly 70 percent of activity during that period.
The earliest attack in this wave was attributed to Hider Nex, also known as the Tunisian Maskers Cyber Force, on February 28. Information shared by Orange Cyberdefense describes Hider Nex as a Tunisian hacktivist collective aligned with pro-Palestinian causes. The group reportedly employs a dual strategy that combines service disruption with data theft and public leaks to amplify political messaging. Researchers trace its emergence to mid-2025.
Geographically, 107 of the 149 DDoS claims were directed at organizations in the Middle East, where government bodies and public infrastructure entities were disproportionately affected. Europe accounted for 22.8 percent of the global targeting during the same timeframe. By sector, government institutions represented 47.8 percent of all affected entities worldwide. Financial services followed at 11.9 percent, while telecommunications organizations accounted for 6.7 percent.
Within the Middle East, three countries experienced the highest concentration of reported activity. Kuwait accounted for 28 percent of regional attack claims, Israel represented 27.1 percent, and Jordan comprised 21.5 percent, according to Radware’s analysis.
Threat intelligence from Flashpoint, Palo Alto Networks Unit 42, and Radware identified additional groups engaged in disruptive campaigns, including Nation of Saviors, Conquerors Electronic Army, Sylhet Gang, 313 Team, Handala Hack, APT Iran, Cyber Islamic Resistance, Dark Storm Team, FAD Team, Evil Markhors, and PalachPro.
The cyber activity extended beyond DDoS operations. Pro-Russian hacktivist collectives Cardinal and Russian Legion publicly claimed breaches of Israeli military networks, including the Iron Dome missile defense system. These assertions have not been independently verified.
Separate threat reporting identified an active SMS-based phishing operation distributing a counterfeit version of Israel’s Home Front Command RedAlert mobile application. Victims were reportedly persuaded to install a malicious Android package disguised as a wartime update. Once installed, the application displayed a functional alert interface while covertly deploying surveillance and data-exfiltration capabilities.
Flashpoint also reported that Iran’s Islamic Revolutionary Guard Corps targeted energy and digital infrastructure sectors in the Middle East, including Saudi Aramco and an Amazon Web Services data center in the United Arab Emirates. Analysts assessed that the intent was to impose broader economic pressure in response to military losses.
Researchers at Check Point observed that Cotton Sandstorm, also known as Haywire Kitten, revived a previous online identity called Altoufan Team and claimed responsibility for website compromises in Bahrain. The firm described the activity as reactive and warned of the likelihood of further involvement across the region.
Data from Nozomi Networks shows that the Iranian state-linked group UNC1549, also tracked as GalaxyGato, Nimbus Manticore, and Subtle Snail, ranked as the fourth most active threat actor in the second half of 2025. Its campaigns focused on defense, aerospace, telecommunications, and government entities in support of national strategic objectives.
Economic signals have also reflected the instability. Major Iranian cryptocurrency exchanges remain operational but have introduced adjustments such as batching or temporarily suspending withdrawals and issuing advisories about potential connectivity disruptions. Ari Redbord, Global Head of Policy at TRM Labs, stated that the situation does not yet indicate large-scale capital flight, but rather market volatility managed under connectivity constraints and regulatory intervention. He noted that Iran has long relied in part on cryptocurrency infrastructure to circumvent sanctions, and current conditions represent a real-time stress test of that system.
Despite heightened online activity, Sophos reported observing an increase in hacktivist operations without a corresponding escalation in confirmed impact. The firm cited DDoS attacks, website defacements, and unverified compromise claims attributed largely to pro-Iran personas, including Handala Hack and APT Iran.
The National Cyber Security Centre has warned organizations of elevated Iranian cyber risk and advised strengthening defenses against DDoS campaigns, phishing activity, and threats targeting industrial control systems.
Cynthia Kaiser of Halcyon, formerly Deputy Assistant Director of the Federal Bureau of Investigation’s Cyber Division, stated that Iran has historically used cyber operations to retaliate against perceived political provocations and has increasingly incorporated ransomware into its playbook. She added that Tehran’s tolerance of private cybercriminal actors provides strategic options when responding to geopolitical events.
SentinelOne assessed with high confidence that organizations in Israel, the United States, and allied nations are likely to face direct or indirect targeting, particularly across government, critical infrastructure, defense, financial services, academic, and media sectors.
Nozomi Networks further emphasized that Iranian threat actors have a history of blending espionage, disruption, and psychological operations to achieve strategic objectives. During periods of instability, such campaigns often intensify and extend beyond immediate conflict zones.
To mitigate risk amid the ongoing conflict, security experts recommend continuous monitoring aligned with elevated threat conditions, updating threat intelligence signatures, minimizing external exposure, conducting comprehensive reviews of connected assets, enforcing strict segmentation between information technology and operational technology networks, and isolating Internet-of-Things devices.
Adam Meyers, head of Counter Adversary Operations at CrowdStrike, noted that Iranian cyber actors have historically synchronized digital campaigns with broader strategic goals. He added that these adversaries have evolved beyond traditional network intrusions, expanding into cloud and identity-focused operations capable of operating rapidly across hybrid enterprise environments with greater scale and impact.
As tensions persist, analysts caution that cyberspace is likely to remain an active parallel arena of confrontation, requiring sustained vigilance from organizations across affected and allied regions.