SASE for MSPs: Multi-Tenant Guide
Build a managed SASE practice around multi-tenant architecture with strict per-tenant isolation. Cisco Security Cloud Control leads on MSP tooling (sub-30-minute tenant onboarding). Target $15-35/user/month pricing for managed SSE, $25-50 for full SASE. You need 20+ tenants for operational efficiency. Start with SSE-only services, add SD-WAN management as a premium tier.
Managed Security Service Providers (MSPs) delivering SASE require multi-tenant platforms that isolate customer environments while enabling centralized management, templated deployment, and scalable operations across hundreds of tenants. Unlike enterprise SASE deployments where a single organization configures a single tenant, MSP SASE demands purpose-built multi-tenancy with strict data isolation, delegated administration, per-tenant policy customization, consolidated billing, and API-driven automation for every operational workflow. Not every SASE vendor is ready for this — most platforms were designed for single-tenant enterprise use and bolt on multi-tenancy as an afterthought. This guide covers what to evaluate, which vendors lead, and how to build a profitable managed SASE practice.
Multi-tenant architecture requirements
The foundation of an MSP SASE practice is tenant isolation. Each customer's traffic, logs, policies, and configurations must be completely separated from every other customer. This is not just a security requirement — it is a regulatory and contractual requirement. Your healthcare customer's traffic cannot be visible to your retail customer's administrator, even accidentally. When evaluating vendors, ask specifically: how is tenant isolation implemented? Is it logical separation within a shared instance (weaker) or dedicated policy engines and data stores per tenant (stronger)? Can a platform bug or misconfiguration in one tenant affect another tenant's traffic or data?
Beyond isolation, MSPs need hierarchical administration. The MSP's NOC team needs a super-admin view across all tenants for monitoring, alerting, and incident response. Each customer's IT team needs a delegated admin view limited to their own tenant. Some customers want full self-service policy management, others want the MSP to manage everything, and most want something in between. The platform must support flexible RBAC that accommodates all these models without per-tenant customization of the admin experience.
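The hierarchical model described above can be expressed as one authorization check that every API call and log query passes through. The following is an added example, not code from any vendor platform; the role names, action strings, management modes and tenant IDs are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical role and action names; a real platform defines its own.
MSP_ROLES = {"msp_noc": {"logs:read", "policy:read", "policy:write", "tenant:provision"}}
# A delegated admin's rights follow the management model chosen for the tenant,
# held as data so the admin experience itself needs no per-tenant customization.
DELEGATED_BY_MODE = {
    "self_service": {"logs:read", "policy:read", "policy:write"},
    "co_managed": {"logs:read", "policy:read", "urlfilter:write"},
    "msp_managed": {"logs:read", "policy:read"},
}

@dataclass(frozen=True)
class Principal:
    name: str
    role: str                  # "msp_noc" or "tenant_admin"
    tenant_id: Optional[str]   # None only for MSP staff

def authorize(p: Principal, action: str, tenant_id: str, tenant_modes: dict) -> bool:
    """Return True only if p may perform action on a resource owned by tenant_id."""
    if tenant_id not in tenant_modes:           # unknown tenant: fail closed
        return False
    if p.role in MSP_ROLES:
        # MSP staff are cross-tenant by design and must not carry a tenant binding.
        return p.tenant_id is None and action in MSP_ROLES[p.role]
    if p.role == "tenant_admin":
        # Delegated admins are confined to their own tenant, then to its mode.
        if p.tenant_id is None or p.tenant_id != tenant_id:
            return False
        return action in DELEGATED_BY_MODE.get(tenant_modes[tenant_id], set())
    return False                                # unknown role: fail closed

def visible_logs(p: Principal, logs: list, tenant_modes: dict) -> list:
    """Filter records server-side so cross-tenant rows never reach the caller."""
    return [r for r in logs if authorize(p, "logs:read", r["tenant"], tenant_modes)]

# Constructed sample data for the example.
TENANT_MODES = {"healthcare-01": "msp_managed", "retail-02": "self_service"}
LOGS = [
    {"tenant": "healthcare-01", "event": "dlp_violation"},
    {"tenant": "retail-02", "event": "swg_malware_block"},
]
NOC = Principal("noc-analyst", "msp_noc", None)
HC_ADMIN = Principal("hc-it", "tenant_admin", "healthcare-01")
RT_ADMIN = Principal("retail-it", "tenant_admin", "retail-02")
```

The same function answers both questions a vendor evaluation should probe: whether the retail administrator can ever read healthcare rows, and whether switching a tenant between management models changes only data.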
Templated deployment is the third pillar. When you onboard tenant number 150, the process must be identical to tenant number 5: provision a new tenant from a template, customize the policy for the customer's specific requirements, deploy agents or configure tunnel onramps, and validate connectivity — all in under a day. If onboarding a new tenant requires manual configuration across multiple consoles with vendor-specific tribal knowledge, your practice will not scale past 20 customers profitably.
Vendor MSP readiness comparison
| Capability | Cisco | Fortinet | Palo Alto | Zscaler |
|---|---|---|---|---|
| Multi-tenant management console | Security Cloud Control — purpose-built for MSPs. Best in class. | FortiManager with ADOMs. Functional but less polished. | Strata Cloud Manager with tenant views. Improving rapidly. | Partner admin portal with delegated tenants. Mature for SSE-only. |
| Tenant isolation model | Dedicated policy engines per tenant. Strong isolation. | VDOM-based partitioning. Logical isolation within shared FortiOS. | Cloud-native tenant separation. Strong isolation. | Cloud-native tenant separation. Very strong isolation. |
| Templated onboarding | Tenant templates in SCC. Sub-30-minute onboarding. | Configuration templates in FortiManager. 1-2 hour onboarding. | Template stacks in SCM. 30-60 minute onboarding. | Tenant blueprints with auto-provisioning. Sub-30-minute onboarding. |
| API coverage for automation | Extensive: Security Cloud API covers provisioning, policy, and reporting. | FortiManager JSON-RPC API. Comprehensive but complex. | Prisma SASE API. Comprehensive with Terraform provider. | ZPA and ZIA APIs. Mature with Terraform and Ansible modules. |
| Per-tenant billing integration | Separate SSE and SD-WAN SKUs. MSP billing requires manual aggregation. | FortiCloud usage-based reporting. Better billing visibility. | Credit-based licensing with Prisma SASE. Flexible allocation. | Flexible licensing with pooled credits across tenants. |
| Delegated admin RBAC | Granular RBAC with customer-facing and MSP-facing roles. | ADOM-based roles. Functional but fewer granularity levels. | RBAC with tenant-scoped roles. Good granularity. | Granular RBAC with read/write/admin tiers per tenant. |
| White-label capability | Limited portal customization. MSP branding not fully supported. | OEM licensing available for large MSPs. Custom branding possible. | Limited white-labeling. Palo Alto branding visible. | White-label agent and portal available for qualifying partners. |
| MSP partner program | Managed Security Service Provider specialization in partner program. | Engage MSP program with dedicated support and licensing. | NextWave MSP track with technical enablement. | Partner program with MSP-specific commercial models. |
Building a managed SASE practice
Defining service tiers
Successful MSP SASE practices offer tiered services that map to customer maturity and budget. A common three-tier model works well. Tier 1 (Essentials) includes SWG with URL filtering and malware protection, plus basic ZTNA for remote access — this replaces the customer's VPN and on-prem proxy at an entry price point. Tier 2 (Advanced) adds CASB for SaaS visibility and control, DLP for data protection, and enhanced ZTNA with posture-based policies — this targets customers with compliance requirements or SaaS sprawl concerns. Tier 3 (Premium) adds SD-WAN, FWaaS, DEM, and 24/7 SOC monitoring — this is full managed SASE for customers who want to outsource their entire network and security operation.
Price each tier per user per month. Industry benchmarks for managed SASE pricing in 2026 range from $8 to $15 per user per month for Tier 1, $15 to $25 for Tier 2, and $25 to $45 for Tier 3, depending on geography and competitive dynamics. Your vendor licensing cost will consume 30 to 50% of this revenue, with the remainder covering your NOC operations, engineering, and margin. The economics improve as you scale past 50 tenants because operational automation amortizes your NOC cost across more customers.
Onboarding workflow
Standardize your onboarding workflow into a repeatable process:
- Week 1, tenant provisioning: create the tenant from a template, configure identity provider integration, and deploy ZTNA connectors to the customer's on-premises environment.
- Week 2, policy baseline: apply your standard security policy template, customize URL filtering categories and DLP rules for the customer's industry, and deploy agents to a pilot group.
- Week 3, monitor-mode validation: run all policies in monitor-only mode, review logs for false positives, and tune bypass lists.
- Week 4, enforcement and handoff: switch to enforcement mode, train the customer's IT team on the delegated admin portal, and transition to day-two operations.
This four-week onboarding should be the maximum for Tier 1 and Tier 2 customers. Tier 3 with SD-WAN adds 4 to 8 weeks for branch site deployment.
Day-two operations
Day-two operations are where MSP profitability is made or lost. Automate everything possible: agent deployment and updates through your RMM platform, policy changes through API-driven runbooks, certificate deployment through MDM profiles, and alerting through your PSA/ticketing system. The operational metrics that matter are mean time to onboard a new tenant, mean time to resolve a policy change request, false positive rate (which drives ticket volume), and agent deployment success rate across your customer fleet. Track these monthly and invest in automation for the metrics that are not improving.
Build SOC runbooks for the most common SASE alerts: malware blocked by SWG (informational, log and close), ZTNA posture failure (investigate device compliance, contact customer IT), DLP policy violation (assess severity, escalate per customer's data handling policy), and shadow IT discovery (aggregate into monthly SaaS risk report for customer review). Each runbook should specify triage steps, escalation criteria, customer communication templates, and resolution procedures. Without runbooks, your L1 analysts will escalate everything, overwhelming your L2/L3 team and destroying your margins.
Licensing models for MSPs
SASE vendor licensing for MSPs has evolved significantly in the past two years. The old model — annual commit per customer — created cash flow risk when customer counts fluctuated. Modern MSP licensing models include pooled credits (buy a pool of user-months and allocate across tenants flexibly), usage-based billing (pay monthly based on actual active users per tenant), and committed tiers (commit to a total user count across all tenants with flexibility to redistribute). Evaluate which model aligns with your sales motion: if you sign annual contracts with customers, annual commit works. If you sell monthly services, you need a vendor whose licensing matches your billing cadence.
Common MSP pitfalls
- Choosing a vendor based on enterprise features without validating multi-tenant management: the best SSE stack is useless if you cannot manage 100 tenants efficiently
- Underpricing Tier 1 to win deals: the operational cost of managing even a basic SWG+ZTNA deployment is real. Price below $8/user/month at your own risk.
- Skipping monitor-mode during onboarding to accelerate go-live: false positives in the first week destroy customer confidence and generate ticket volume that erases your margin
- Not building SOC runbooks before scaling: every alert your L1 team escalates unnecessarily costs $15-30 in L2 time. Runbooks keep L1 resolution rates above 70%.
- Allowing per-tenant policy customization without guardrails: some customers will request 200 custom URL exceptions. Define what is included in your service tier and what is a change request billed at hourly rates.
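
The template-based provisioning described under the architecture requirements and the guardrail pitfall above can be enforced in the same step. This is an added example, not a vendor schema or API: the configuration keys, the `render_tenant` helper and the allowance of 25 included exceptions are assumptions chosen for illustration.

```python
import copy

# Hypothetical baseline template; keys are illustrative, not a vendor schema.
BASELINE = {
    "enforcement_mode": "monitor",   # new tenants start in monitor-only mode
    "log_store": "per-tenant",       # isolation setting
    "url_block_categories": ["malware", "phishing"],
    "url_exceptions": [],
}
# Only these keys accept customer input; everything else is locked.
CUSTOMIZABLE = {"url_block_categories", "url_exceptions"}
INCLUDED_EXCEPTIONS = 25   # assumed service-tier allowance, not from the page

def render_tenant(tenant_id: str, overrides: dict) -> dict:
    """Build a tenant config from BASELINE, applying only permitted overrides."""
    rejected = sorted(k for k in overrides if k not in CUSTOMIZABLE)
    if rejected:
        # Locked or unknown keys abort provisioning instead of being ignored.
        raise ValueError(f"{tenant_id}: overrides not permitted: {rejected}")
    config = copy.deepcopy(BASELINE)   # never mutate the shared template
    config["tenant_id"] = tenant_id
    # Customer categories extend the baseline blocks; they cannot remove them.
    extra = [c for c in overrides.get("url_block_categories", [])
             if c not in config["url_block_categories"]]
    config["url_block_categories"] += extra
    # Exceptions beyond the tier allowance become billable change requests.
    wanted = list(dict.fromkeys(overrides.get("url_exceptions", [])))
    config["url_exceptions"] = wanted[:INCLUDED_EXCEPTIONS]
    return {"config": config, "change_requests": wanted[INCLUDED_EXCEPTIONS:]}

if __name__ == "__main__":
    # Constructed request: a customer asking for 200 custom URL exceptions.
    request = {"url_block_categories": ["gambling"],
               "url_exceptions": [f"app{i}.example.com" for i in range(200)]}
    result = render_tenant("tenant-150", request)
    print(len(result["config"]["url_exceptions"]), len(result["change_requests"]))
```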