Delivering Vulnerability Management-as-a-Service (V-MaaS) is a straightforward exercise. Set up your internal and external vulnerability scanners to run at a desired frequency; review the alert reports as they come in and determine which issues need to be addressed immediately, which should be investigated, and which should be ignored; then update your scanner settings as needed to further refine and optimize your false-positive reporting.
So, the only real variables in the “level” of service you offer clients should be the frequency of the scans, the CVSS level threshold you set for immediate remediation, and your SLA for regular maintenance and updates of the network security posture. The fee you charge for your V-MaaS should reflect these variables, and the vulnerability management platform you select should be licensed to allow you to charge less for smaller clients without eating into your profit margins.
Consider offering four different levels of service for the four different types of clients MSPs typically have: smaller “micro” businesses, traditional SMB clients, mature organizations, and larger “elite” clients. In this example, we’ve set up four levels of V-MaaS with placeholder names for each: Bronze, Silver, Gold and Platinum.