Liberty91
A neat row of identical branded report folders fanning out across a desk, deep navy with warm orange light, suggesting a service that scales per customer
Industry8 min read

Threat Intelligence as an MSSP Revenue Stream, Not a Cost Centre.

Most MSSPs already believe in threat intelligence. They know their customers want it, they know it would sharpen detection, and they know it would give the quarterly business review something to talk about beyond ticket counts. The problem was never belief. The problem is that when intelligence shows up on the books, it usually shows up as a cost you have to defend rather than a line you can sell.

So here is the reframe, and it is worth putting up front because it is the whole point of this piece. Threat intelligence does not have to be a cost centre you keep justifying to finance. It can be a value-added service line that grows margin as your customer base grows. What decides which of those two it becomes is not the quality of the feeds. It is whether the capability is genuinely per-customer, delivered under your brand, machine-readable into the tooling you already run, and provable when someone asks you to show the value. Get those four right and intelligence becomes sellable. Miss them and it stays a cost.

Why intelligence usually lands as a cost

The reason has very little to do with whether intelligence is valuable. It has to do with the shape of the spend. When an MSSP decides to build an intelligence capability the old way, the costs arrive in a stack. You hire analysts, who are expensive and hard to find. You license feeds and premium sources, which renew whether or not anyone reads them. You buy or build a platform to manage the workflow. And then, having paid for all of that, you face the hardest question of the lot: how do you price it for the customer?

That last question is where the economics tend to break. A general threat feed reads the same for every customer, so it is hard to charge a premium for something that looks generic. The work that would make it feel bespoke, reading each customer's sector and exposure and writing it up for them, is exactly the work that does not scale. Add one more customer and you add more analyst hours. The cost grows roughly in step with the customer base, and the margin does not. Intelligence ends up subsidised by the rest of the contract, which is precisely how a capability gets reclassified as overhead.

A cost centre is a capability whose price grows with every customer you add. A value-added service line is one whose margin does.

None of this is a failure of the teams doing the work. It is a structural problem with how the capability is delivered. The analysts are doing genuine work; there is just never enough of them to make the per-customer relevance economical at scale. So the lesson is not “try harder” or “hire more people”. It is to change the delivery model so that relevance stops being a manual cost that scales per customer.

What changes when the capability is delivered for you

The shape of the economics changes the moment per-customer relevance stops being something a person has to produce by hand for every account. That is the difference Liberty91 is built around: real intel at machine speed, with no team to build. Each customer gets their own set of Intelligence Requirements, the prioritised questions that account actually needs answered, and a dedicated AI agent stack that maintains them. Hundreds of sources are read in real time and filtered for relevance to that specific customer, not to the average of your whole customer base.

When relevance is produced per customer without a per-customer increase in headcount, the cost curve flattens. You can take on another account without taking on another stack of analyst hours to keep its intelligence current. The capability scales with the platform rather than with your payroll, which is the precondition for intelligence behaving like a margin-positive service line instead of a cost that tracks your customer count. This is the core of the MSSP model: the relevance is real and specific to each account, but the cost of producing it does not climb in step with how many accounts you serve.

It is worth being clear about what this does and does not change. It does not remove the analyst. Judgement, stakeholder relationships, and the hard calls about what a development means for a given customer still belong to people. What it removes is the part of the work that made per-customer intelligence uneconomical: the collection, filtering, structuring, and first-draft assembly that used to eat the day. That is the part that scales badly, and that is the part the platform takes over.

What actually makes intelligence sellable as a premium tier

A service line is only premium if a customer can see why it is worth paying more for. Four things make intelligence clear the bar, and they line up closely with the four costs that used to sink it.

Genuine per-customer relevance

A customer can tell the difference between a newsletter with their logo on it and intelligence that speaks to their sector, their region, their suppliers, and their exposure. Per-customer Intelligence Requirements and a dedicated agent stack mean each account's morning report is about that account, not a feed everyone received. Leaked-credential and supply-chain monitoring tied to that specific customer is the kind of relevance that justifies a premium tier, because it is hard to dismiss as something they could have read anywhere.

Branded delivery

If intelligence arrives wearing a vendor's name, it builds the vendor's brand and not yours. White-label delivery flips that. The sender and reply-to are yours, the email templates are yours, and the report PDFs carry your logo and typography. From the customer's side it is your team that arrived in their inbox with something useful. That is what lets you sell it as your service rather than reselling someone else's. Our white-label threat intelligence is built precisely so the value accrues to your brand.

Machine-readable outputs into the tooling

Intelligence that a customer has to copy and paste by hand is hard to price as premium, because the customer is still doing the integration work. Intelligence that lands as written reports plus IOC lists, Sigma rules, and STIX 2.1 bundles, with IOC enrichment attached, is doing something a customer could not easily do themselves. Delivery straight into a SIEM, SOAR, firewall, TIP, or an automated or AI security agent turns the intelligence from a document into detection. That is a concrete capability you are providing, and concrete capability is what supports a premium line.

An audit trail you can show

This is the one that gets overlooked and it is often the one that closes renewals. If you cannot prove what you delivered, the value is invisible when the contract comes up for review. Mailroom gives you multi-tenant dispatch with an auditable, per-customer Sent log. It routes the Morning Report and Alerts to the right account and records that they went out. When you sit down at a QBR or a renewal you are not asserting that intelligence was delivered, you are showing it: this account, these reports, these alerts, on these dates. You can read more about how that works on the Mailroom page.

How the margin actually grows

Put those four together and the economics invert. The relevance that used to require analyst hours per customer is produced by a per-customer agent stack, so the marginal cost of serving one more account is far flatter than it used to be. The delivery is branded, so the premium you charge builds your service rather than someone else's. The outputs land in tooling, so the customer experiences the intelligence as capability rather than reading. And the audit trail means you can prove the value at the exact moments, the QBR and the renewal, when proof is what protects and grows the contract.

The shape of it is straightforward. Intelligence moves from a cost that scales with your customer base to a premium tier whose margin scales with it instead. Every new account you sign can take the intelligence tier without dragging a proportional chunk of cost behind it. That is what turns intelligence from the thing finance questions into one of the services that makes the wider contract more defensible and more valuable. We go deeper into the delivery model on our threat intelligence as a service page.

A grounded note before you reprice anything

None of this happens automatically, though. Selling a premium intelligence tier still asks something of you. Your account teams need to be able to explain what the customer is getting, the per-customer relevance has to be real and not a relabelled generic feed, and the integration into the customer's tooling has to be done properly the first time. The platform removes the structural cost problem; it does not remove the need to sell well or onboard well.

What it does change is the thing that made the whole idea hard to commit to. You are no longer asked to build a team, license a stack of sources, and then hope you can price the result above what it cost you. The capability is delivered for you, per customer, under your brand, with a record you can show. That is the difference between a service you are nervous to put on the price list and one you are comfortable building a tier around.

Where to start

If intelligence has been sitting on your roadmap as a someday capability because the economics never quite worked, the question worth asking is not whether your customers would value it. They would. The question is whether you can deliver it in a way that grows margin instead of eroding it. That comes down to per-customer relevance, branded delivery, machine-readable outputs, and a provable audit trail.

Liberty91 is built to give an MSSP all four without standing up a CTI team from scratch. If you want to see how the per-customer model and the white-label delivery would map onto your accounts, take a look at our MSSP solution or get in touch. It is worth a conversation before intelligence sits on the roadmap another quarter.

Related Blog.

A tailor's tape measure, a spool of orange thread and fabric shears resting on dark cloth, deep navy tones with warm orange light, suggesting bespoke tailoring
Industry

Per-Customer Threat Intelligence vs Generic IOC Reports

Why a context-free IOC report underdelivers at a customer's desk, and what per-customer threat intelligence means: relevance, context, and detection content assessed per organisation.

A wooden rubber stamp pressing a clean brand mark onto a crisp report cover, deep navy with warm orange light
Industry

White-Label Threat Intelligence: What to Look For

A practical buyer's guide for MSSPs and resellers evaluating a white-label threat intelligence platform: the five questions to ask before you put your brand on someone else's intelligence.

Ready to do more with less?

Request a demo or start your free trial today. Get instant access to AI-powered threat intelligence tailored to your organisation.