Your MSSP is selling you blindness.
MSSPs run perimeter-era detection while attackers operate inside the identity boundary. The gap is structural, not a resourcing problem.
Opening Claim
Managed security providers are operating on a detection model that attackers stopped respecting a decade ago. Their business depends on correlating events across a perimeter that no longer contains the breach. The customer pays for visibility that does not extend to where identity is actually being abused. This is not a resourcing problem or a talent gap. It is a model problem.
The failure shape is consistent across engagements. An attacker obtains a valid credential through phishing, token theft, or session replay. They authenticate from an unremarkable IP, pass MFA through a prompt fatigue click or a pre-stolen OAuth token, and begin operating inside the identity boundary. The MSSP sees a successful login. The endpoint agent sees a trusted process. The SIEM sees policy-compliant activity. Nothing triggers because nothing, by the logic of the existing detections, is technically wrong.
The operator who sold the service is not negligent. They are executing the contract. The contract is the problem. It was written around an assumption set that no longer reflects how breaches occur. Buying more of the same service does not close the gap. It scales the gap.
The Original Assumption
The managed service model was built during the perimeter era. The working assumption was that the network boundary defined the trust boundary. Attacks came from outside. Defense meant watching ingress and egress, filtering known-bad, and alerting on policy deviations. Controls were enforced at chokepoints: firewalls, proxies, email gateways. The SOC correlated logs from these chokepoints and escalated when thresholds tripped. Analyst training, playbook libraries, and tooling stacks inherited this geometry.
The model assumed that an authenticated user was a trusted user. It assumed a domain-joined endpoint running approved software was operating with legitimate intent. It assumed traffic inside the perimeter did not require the same scrutiny as traffic crossing it. Each of these assumptions encoded a trust decision into the detection pipeline. Once a session cleared the boundary, it was not re-evaluated. Validation was a one-time event at the edge, not a continuous function applied to identity and execution context.
The commercial model reinforced the technical one. MSSPs compete on volume, triage speed, and alert throughput. The analyst is measured on tickets closed per shift. The customer is measured on time-to-detect and time-to-respond against alerts the vendor itself defines. These metrics reward activity inside the existing model. They do not reward questioning whether the model itself is still intact. A provider that restructures its content library to focus on identity abuse will produce fewer alerts and longer investigations. That is a harder product to sell to a procurement team scoring SOC performance on ticket throughput.
What Changed
Identity became the breach surface. Credentials, session tokens, browser cookies, OAuth grants, and refresh tokens are now the primary assets an attacker targets. Once the attacker holds a valid identity artifact, they do not need to break anything. They operate within the controls rather than against them. Phishing kits such as Evilginx and Tycoon capture session tokens post-authentication and bypass MFA because the authentication has already completed. Infostealers exfiltrate browser-stored credentials and cookies in bulk and feed marketplaces like Genesis, Russian Market, and their successors. Token replay and refresh token abuse are commodity tradecraft, not advanced capability.
The execution context shifted with it. Attackers operate from cloud control planes, SaaS admin consoles, identity providers, and federated trust relationships. These surfaces are often outside the MSSP’s collection scope. The endpoint agent the provider manages does not see a Microsoft Graph API call made from an attacker-controlled tenant against the customer tenant. The network sensors do not see an OAuth consent grant that federates an attacker app into the environment. The SIEM ingests what it is pointed at. If it is not pointed at identity provider sign-in logs, audit logs, conditional access telemetry, and workload identity activity, the attack does not exist in the data the MSSP is paid to review.
Detection logic did not keep pace. The provider’s content library is dominated by signatures, rules, and correlations tuned for on-premises and endpoint telemetry. Identity-layer detections require behavioral baselining per principal, awareness of service account abuse patterns, visibility into conditional access bypass, and recognition of consent grant escalation paths. Few MSSPs operate a dedicated detection engineering function that rebuilds coverage around identity as the boundary. Most extend legacy rule sets into cloud log sources, translate network-era signatures into KQL or SPL, and present the result as cloud coverage. The gap is structural. It is not closed by adding analysts or expanding log ingestion.
Mechanism of Failure
The failure mechanism is a contract boundary that does not map to the attack boundary. The MSSP scope of work is defined by log sources, alert categories, and response playbooks. Each is a contractual artifact. The attacker scope is defined by where valid identity can be asserted and what that identity is permitted to do. When the attack operates through an OAuth consent grant in the identity provider, and the contract does not include identity provider audit logs at the required fidelity, the activity is not missed through error. It is not inside the detection perimeter at all. The provider is fulfilling the contract. The contract is not describing the attack surface.
This produces a specific drift pattern across long engagements. The customer environment changes faster than the contract. SaaS adoption, new identity federations, workload identities created for CI/CD pipelines, service principals granted privileged scopes, and cross-tenant trust relationships are added continuously. Each addition extends the identity surface. The MSSP content library and log ingestion scope update on a slower cadence, gated by change control, statement-of-work amendments, and tuning cycles. The gap between actual identity surface and monitored identity surface widens with every quarter of normal operations. The widening is not visible on the customer dashboard because the dashboard reports against the monitored subset, not the total surface.
The analyst workflow compounds the drift. An analyst reviewing an alert from an onboarded source applies the runbook for that source. Alerts that indicate identity abuse in unmonitored systems do not appear in the queue. They do not exist in the dataset the analyst sees. When a partial signal does surface (a successful login from a new geography, a consent grant, a token issued to an unusual client), the runbook guidance is to validate against the user, check for known-good activity, and close when benign conditions are met. The runbook does not require the analyst to investigate whether the session was established by token replay, whether the consent grant was attacker-initiated, or whether the token is being used from an attacker-controlled endpoint. The procedural control is optimised for noise reduction against the defined alert taxonomy. The attack class in question is not in the taxonomy.
Parallel Pattern
The same mechanism produces predictable failure in adjacent outsourced security functions. Managed detection and response on endpoint follows the identical shape. The EDR vendor collects from the agent. The agent runs on the managed endpoint. The attacker operates from an unmanaged endpoint against cloud control planes using stolen tokens. No endpoint telemetry is generated for the attacker action because the attacker does not need the customer endpoint. The MDR service is not failing to detect. It is being asked to detect something it is not positioned to see. The contract describes coverage. The coverage does not include the execution context where the attack runs.
Managed vulnerability services repeat the pattern. The scanner is pointed at infrastructure defined in scope. The scan produces findings against CVEs in known assets. The attacker uses valid credentials and API-level access granted to a legitimate application identity. No exploit is required. No CVE is involved. The vulnerability management report remains clean while the environment is being operated on by an external principal using authorised paths. The deliverable is produced on schedule. The deliverable is decoupled from the actual risk state of the environment.
Managed identity services invert the pattern and deserve separate treatment. These providers hold privileged access to the customer identity infrastructure. They are the assumed remediation path when identity is compromised. They are also a trust relationship that extends the customer identity boundary into a vendor tenant. Compromise of the provider, compromise of an engineer account at the provider, or compromise of the federation itself yields direct administrative access to the customer environment. The provider’s internal posture (its endpoint hygiene, its session token handling, its third-party access, its subcontractor chain) is now part of the customer attack surface. The customer has not reduced identity risk by outsourcing. They have extended the identity perimeter to include a vendor whose own perimeter is not confirmed.
Operator Position
Identity is the boundary. If the provider does not monitor the identity boundary at the resolution at which attackers operate on it, the service does not defend against the dominant attack class. Adding analysts, adding log volume, or adding response automation against the wrong telemetry produces the same outcome at higher cost. The operative question is not whether the MSSP is competent. The operative question is whether the engagement scope includes the surface on which breaches now occur. Where it does not, the provider is delivering a service against a threat model that no longer reflects the environment.
Controls that are not enforced at the identity layer are not enforcing the boundary that matters. A conditional access policy that is not re-evaluated on every token use is not a control. A privileged access review that runs quarterly against a surface that changes daily is not a control. An alert rule that fires on impossible travel but not on token reuse from a new device fingerprint is not a control. If the behaviour the attacker uses does not produce a signal the provider is contractually obligated to investigate, the control does not exist as a defensive instrument. The tool, the runbook, and the SLA do not alter this. They document the scope of the non-control.
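As an added illustration, not code from the original post: detection logic for the case this section names, a session token reused from a device fingerprint other than the one that completed the MFA login, which impossible-travel rules and the runbook in "Mechanism of Failure" both pass over. The records and field names are constructed for the example and are not any identity provider's actual schema.

```python
"""Flag session-token reuse from a new device fingerprint.

Assumed input: identity-provider sign-in records carrying a session id,
a device fingerprint, a source IP, and whether the event was an interactive
(MFA-bearing) login or a token refresh. Field names are assumptions.
"""

# Constructed sample records (not real telemetry); one dict per sign-in event.
SIGNIN_LOG = [
    {"ts": "2024-05-01T08:00:00Z", "user": "alice", "session": "s-1",
     "device": "fp-laptop-A", "ip": "203.0.113.10", "kind": "interactive", "mfa": True},
    {"ts": "2024-05-01T08:05:00Z", "user": "alice", "session": "s-1",
     "device": "fp-laptop-A", "ip": "203.0.113.10", "kind": "refresh", "mfa": False},
    # Same session token, different fingerprint and IP, no fresh MFA: replay candidate.
    # Nothing about this IP alone is anomalous, so impossible travel stays silent.
    {"ts": "2024-05-01T09:12:00Z", "user": "alice", "session": "s-1",
     "device": "fp-unknown-Z", "ip": "198.51.100.7", "kind": "refresh", "mfa": False},
    {"ts": "2024-05-01T10:00:00Z", "user": "bob", "session": "s-2",
     "device": "fp-desktop-B", "ip": "203.0.113.44", "kind": "interactive", "mfa": True},
    {"ts": "2024-05-01T10:30:00Z", "user": "bob", "session": "s-2",
     "device": "fp-desktop-B", "ip": "203.0.113.44", "kind": "refresh", "mfa": False},
]


def find_session_reuse(events):
    """Return one alert per token use whose device fingerprint differs from the
    fingerprint that completed the interactive MFA login for that session.

    A later interactive MFA login re-baselines the session, so a user who
    legitimately re-authenticates from a new device does not keep alerting.
    Refreshes for a session with no observed interactive login are skipped:
    the baseline is unknown, which is itself a collection-scope gap.
    """
    issued_on = {}  # session id -> device fingerprint at interactive MFA login
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        sid = e["session"]
        if e["kind"] == "interactive" and e["mfa"]:
            issued_on[sid] = e["device"]
            continue
        origin = issued_on.get(sid)
        if origin is not None and e["device"] != origin:
            alerts.append({"user": e["user"], "session": sid, "ts": e["ts"],
                           "issued_on": origin, "reused_from": e["device"], "ip": e["ip"]})
    return alerts


if __name__ == "__main__":
    for a in find_session_reuse(SIGNIN_LOG):
        print(a)
```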
The position is unambiguous. The MSSP model as sold today is a continuation of the perimeter era priced against volume metrics that do not correlate with identity risk. A customer relying on this model without independently owning identity-layer detection, conditional access enforcement, token lifetime policy, consent grant governance, and continuous validation of every trust relationship has outsourced a function that is not the function under attack. The provider is fulfilling the product as contracted. The contract is not aligned to the threat. Ticket throughput, response time, and analyst tier are measurements of the wrong system.