A small services business with one niche, one workflow, and unit economics that survive a slow quarter.
A 12-person MSSP usually has one founder doing sales between client calls. Hiring an SDR runs $65K+/year before they book a meeting. Generic agencies pitch "cybersecurity" the same way they pitch dental SaaS, and the copy reads like it. So these firms keep living on referrals, partner channels, and the occasional inbound. That works until it stops working, which is usually right before they need it most.
Cybersecurity service firms in the US: MSSPs, vCISO consultancies, managed security providers, MDR firms.
5 to 50 person firms with no dedicated sales team. The size where outbound matters but full-time hires don't pencil out yet.
At $3-5K/mo per client, the 8-10 clients one operator can handle is $25-40K/mo revenue. That is the solo operator ceiling, and we are honest that this caps out as a lifestyle-tier services business unless we hire.
Adding one VA gets us $75-150K/mo. The infrastructure cost is the same; the limit is how many client conversations one operator can hold without quality dropping.
AI-written copy plus dedicated sending infrastructure, aimed at booking qualified meetings. Every email references a real, verifiable signal from the prospect's company: a CMMC deadline they need to hit, a cyber insurance renewal coming up, a breach disclosure, a new compliance hire. The work that goes into one email is closer to a short researched note than a mail merge. That is why security buyers reply to it and ignore the templated stuff from generalist agencies.
Apollo plus a stack of compliance signals pulls a buyer list: company stage, security stack, recent hires, regulatory exposure.
Claude drafts openers from real prospect data: job posts, funding rounds, breach disclosures. A human (us) approves before send.
30 pre-warmed inboxes on domains we own, with SPF, DKIM and DMARC configured so that every send authenticates and aligns on the sending domain itself. The client's main domain is never touched, so a blocklisting or a failed campaign cannot damage the reputation of the domain they run their business on.
AI triage handles auto-replies and obvious noise. Real responses get a human eyeball, then the meeting lands on the client's calendar.
We pick up vocabulary and signals every campaign: which compliance deadlines actually buy meetings, which job titles open, what an MSSP buyer ignores. A generalist agency starts at zero on each client and bills the same rate.
Each campaign produces reply data we feed back into the prompt library. Over time we write less from scratch and more from variants that already converted. It is not a flywheel; it is just compounding domain experience.
30 warmed inboxes with clean DMARC alignment take 21+ days to stand up properly. Anyone can replicate it, but they have to actually wait the three weeks. Most buyers weighing the DIY route would rather not.
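What "clean DMARC alignment" means in practice, for the sending-domain setup described above and in the infrastructure step: a receiver only treats mail as DMARC-passing when SPF or DKIM passes on a domain that aligns with the From domain, and a warmed inbox that is relayed through a third party signing with its own domain fails that check no matter how clean the sending history is. The evaluator below is an added example, not code from this page or any tool it names. The domains (outreach-example.com, esp-example.net) are constructed, and the organizational-domain helper takes the last two labels instead of consulting the Public Suffix List, which is a deliberate simplification for illustration.

```python
"""Evaluate DMARC alignment for one message (added example, constructed data).

Inputs: the DMARC TXT record, the domain it was published at, the
RFC5322.From domain, and the SPF/DKIM results for the message.
Output: whether DMARC passes and, on failure, the requested disposition.
"""


def org_domain(domain: str) -> str:
    """Organizational domain. Real receivers consult the Public Suffix
    List; taking the last two labels is a simplification for this
    example (wrong for e.g. .co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=...' into a tag dict with RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")      # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])  # subdomain policy inherits p=
    tags.setdefault("pct", "100")
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed needs the same org domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def evaluate(record, record_domain, from_domain,
             spf_pass, spf_domain, dkim_pass, dkim_domain) -> dict:
    """DMARC passes if SPF passed on an aligned MailFrom domain OR DKIM
    passed with an aligned d= domain. Otherwise the receiver applies p=
    (record found at the From domain) or sp= (record found at the org
    domain because the From domain is a subdomain)."""
    tags = parse_dmarc(record)
    spf_aligned = bool(spf_pass) and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_aligned = bool(dkim_pass) and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        result, disposition = "pass", "none"
    else:
        result = "fail"
        same = from_domain.lower().rstrip(".") == record_domain.lower().rstrip(".")
        disposition = tags["p"] if same else tags["sp"]
    return {
        "result": result,
        "disposition": disposition,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "pct": tags["pct"],
    }


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; adkim=s; aspf=r"
    # Owned sending domain: DKIM d= matches From exactly, SPF on a bounce subdomain.
    print(evaluate(record, "outreach-example.com", "outreach-example.com",
                   True, "bounce.outreach-example.com", True, "outreach-example.com"))
    # Same From domain relayed through a third party that signs and bounces as itself:
    # both checks pass but neither aligns, so p=reject applies.
    print(evaluate(record, "outreach-example.com", "outreach-example.com",
                   True, "bounce.esp-example.net", True, "esp-example.net"))
```

The second case is the one that bites warmed inboxes: SPF and DKIM both report pass, yet DMARC fails because the authenticated domains belong to the relay, not to the sending domain. Before the 21-day warmup starts, the check worth running is that the DKIM d= on outgoing mail and the Return-Path domain both resolve to the domain you own.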
Used for the first 2-3 pilots so the client is paying for outcomes, not promises. Lower margin for us; lower friction to close.
Where most clients land. The retainer covers infrastructure and ongoing work; the per-meeting fee aligns incentives on quality.
For clients where we have proof of conversion. Simpler invoice, fewer arguments about meeting quality, more predictable revenue.
Use our own system to prospect MSSPs and vCISO firms. Target 2-3 pilot clients on performance pricing. If we can't book meetings for ourselves, the whole thing is wrong and we should know early.
Move pilots onto retainer pricing once we have booked meetings for them. Use real campaign data to tune sequences. This is the slowest part; pilot-to-retainer is where most agencies stall.
At 8-10 clients the operator is the bottleneck on reply quality and campaign tuning. First hire is a VA for reply triage. Target 15+ clients.
| Option | Cost | Ramp Time | Cybersecurity Knowledge | AI Personalization | Dedicated Infrastructure |
|---|---|---|---|---|---|
| In-house SDR | $65K+/yr | 3-6 months | Trainable | No | No |
| Generic agency | $3-5K/mo | 2-4 weeks | No | No | Shared |
| DIY tools | $200-500/mo | Ongoing | Self-taught | No | Self-managed |
| SEC/OUTBOUND | $3-5K/mo | 21 days | Native | Yes | Dedicated |
8-10 client ceiling. The only goal is proving the unit economics hold up in practice and producing two or three real case studies.
VA for reply triage. 15-25 clients. $50-100K/mo revenue if conversion holds. Standardized onboarding and reporting so the operator stops being a single point of failure.
Self-serve onboarding for smaller firms that can't afford the full retainer. The agency stays; the lower tier captures buyers we currently turn away.
Adjacent verticals like compliance consulting or IT staffing use the same engine. We will only move if the cybersecurity niche is fully saturated and the data says expansion improves margin. Forced expansion kills positioning.
~$5K to cover the first 60 days: domains, the tool stack, and the 21-day warmup window before any revenue lands.
10 registered domains, 30 warmed inboxes, 6 months of tool stack, and the cost of running outbound for the first 3 pilot clients.
Revenue by month 2-3 if we hit pilot conversion. One retainer client covers all fixed costs from that point on.
~95% gross margins from day one, no inventory, no hardware. The honest framing: this is a profitable services business with a defensible niche, not a venture-scale rocket ship. Cash returns come from distributions, not exits.