Maxime Lamothe-Brassard, Founder and CEO at LimaCharlie
The vendor most service providers depend on is also the one most likely to put them out of business. That is the tension Maxime Lamothe-Brassard, LimaCharlie's founder and CEO, keeps circling in this session. A managed provider wins a customer through incident response, nurtures it into recurring MDR revenue, and the whole time the EDR underneath that work belongs to a giant whose actual belief, in his words, is that "they are the end all be all of cyber security." The day that giant decides it does MDR better than you, it does not negotiate. It poaches. Lamothe-Brassard's argument is that this is not a procurement mistake to be fixed with a better contract. It is a structural flaw in where service providers get capabilities, and the fix is to stop renting them from a competitor.
Two pressures define the session's diagnosis, and they compound. The first is the vendor conflict itself. "The idea that you're competing with your own vendor is not normal," he says, and yet it is the standard arrangement, because the large vendors were never built to work through partners and have no incentive to start. The second is operational drag that scales the wrong way. He cites a number he has heard repeatedly: around 30 percent of the average service provider's staff exists just to keep infrastructure running, not to deliver security or bring revenue in the door. Worse, the stitched-together stack tends to fail all at once. It runs fine across ten tenants, then the eleventh customer needs a separate console, a bigger data lake, or one more integration, and the provider is suddenly paying down technical debt before it can onboard anyone. His framing of the root cause is precise: multi-tenancy treated as an afterthought. Enterprise vendors sell service providers the same tooling they sell their biggest single logo and do not even register that running one SMB's security is a different problem from running that SMB across 500 customers.
This is why he is careful about what LimaCharlie is and is not. He describes the SecOps Cloud Platform as "a capability for service providers," not a product the company is trying to sell around you to your customers. The distinction matters because it is the thing the incumbents cannot credibly claim.
The alternative he describes is to treat security capabilities the way a cloud provider treats compute: cohesive primitives you assemble, rather than a hundred acquired products slapped under one web portal. He returns to a Lego metaphor throughout, and it is doing real work. Because incident response, storage, and EDR all speak the same language, an analyst learns one platform instead of fifty. The foundation is a data lake and pipeline, because telemetry is "the blood of your operations." On top sit the blocks: a native EDR that is your capability rather than a vendor's ("if you don't deploy us, we won't stay there"), third-party EDR ingestion for the customer who is mid-contract on Defender, cloud platform logs, and SaaS audit logs. Multi-tenancy is not one of the blocks; it is the property every block inherits, running through billing, configuration, permissions, and infrastructure-as-code from day zero.
The most concrete evidence is the demo he set up minutes before speaking. He clicked one button to create a tenant, applied a template he had built in a previous webinar through infrastructure-as-code, and spun up virtual machines in Google Cloud to populate it, all live within roughly ten minutes, with a sensor appearing about five seconds after the installer ran instead of the thirty-minute wait he attributes to some vendors. The point lands against the alternative he names: calling your vendor and waiting two days for them to provision a tenant while an active incident response burns. The mechanism that makes this repeatable is Git sync, a free extension that pushes a known-good tenant into a Git repository and pulls it into others on demand or on a schedule. It brings GitOps, borrowed from the DevOps world, to security operations without the weeks or months of internal engineering it normally demands. The first engagement takes setup work. The next one is a pull that completes in a minute or two, with detection rules and secrets all living as structured files in version control.
Where the argument gets sharpest is automation, because it shows what "Lego blocks" buys that a bundle cannot. Beyond simple if-this-then-that automation rules, the platform runs Python playbooks managed through infrastructure-as-code, each handed an authenticated SDK instance so it can act on LimaCharlie directly, and each triggerable by anything on the platform. Lamothe-Brassard builds a deliberately small example live: an AI agent he describes in plain language, told to summarize an alert, suggest next steps, and pull endpoint history and related alerts for context. A playbook takes that summary, renders it to a PDF, and emails it to a customer whose address is stored as an infrastructure-as-code secret. He is blunt that the agent is not a magic box ("we respect you more than that") and equally blunt that it does not require three months of professional services to use. The capability is there, fully formed. For a provider being squeezed, that small example is the whole thesis in miniature: the repetitive, value-demonstrating touch points with a customer become things you assemble yourself rather than delegate to a vendor and pray.
That same composability is where new revenue comes from without new vendors or retraining. When a customer asks whether you can monitor their Office 365, the answer on whether the data can be onboarded "is always yes." The gap is usually detection content, and the marketplace closes it: subscribe to a managed Office 365 rule set, and you can quote the customer a price on the spot because the pricing is transparent. He points to free extensions like binlib, which keeps an indexed per-tenant copy of every executable it has seen for retroactive YARA hunting, and managed integrations like Strelka for file analysis, as offerings a provider can stand up immediately. The billing matches the same logic. No minimum, no maximum, billed per second and per tenant, with an invoice per customer and a rolled-up organization invoice. A week-and-a-half incident response costs a week and a half, not the overpayment he describes when a 500-endpoint minimum gets forced onto a 200-endpoint customer, and not a three-year bundle a salesperson talked you into. Need a new tenant with five endpoints for a tiny IR, or 20,000 endpoints right now? Both are available on demand.
Strip away the demo and the position is consistent. The incumbents ask service providers to build their business on infrastructure owned by their most dangerous competitor, priced to discourage them, and structured for a single enterprise rather than hundreds of tenants. Lamothe-Brassard's counter is to own the layer instead: capabilities you deploy per tenant, configure as code, automate yourself, and scale without hitting an eleventh-customer wall. For an MSSP or MDR, that is not a feature comparison. It decides whether the company you are building is yours or your vendor's to take back.
LimaCharlie gives MSSPs and MDRs a fully programmable SecOps Cloud Platform, with transparent usage-based pricing, API-first integration across every telemetry source, and the infrastructure to run multi-tenant operations at scale.