ConnectWise's 2026 MSP Threat Report and a year of incident headlines tell the same story: MSP tooling is a high-value target. RMM platforms, remote-access agents, and PSA systems run with elevated privileges across many client environments. Compromise one MSP toolset and you compromise dozens of downstream tenants.
The defensive obligation cuts both ways. The MSP needs to harden its own posture: dedicated admin accounts with MFA and JIT, locked-down jump hosts, audit logging on all client actions, segmented credential stores. The client needs to ask different questions in the procurement conversation: where do your engineers log in from? What audit trail do you produce? Who has standing admin in our tenant? Do you use a privileged-access workstation?
None of these questions are unreasonable. A serious MSP welcomes them — because they're the same questions a serious MSP asks of itself every quarter.