Insights

Why We Built a Partner Programme for Cyber Security Services

MSPs and consultancies are asked for penetration testing every day. Most can't build an in-house team, and subcontracting to the cheapest provider damages their reputation when the report is generic and the client is underwhelmed. We launched a partner programme to fix that. Three tiers (Pivot, Lever, Torque) built on referral, white-label, and resell. We deliver the security work behind the scenes.

Chris Burton Updated 6 min read

We work with a lot of organisations that are not security companies. MSPs managing IT estates for clients. Consultancies that handle compliance, governance, or infrastructure projects. Technology providers whose customers are asking about penetration testing and do not know where to start.

Until now, those relationships have been informal. A conversation, a referral, a one-off engagement. That works up to a point, but it does not scale, and it does not give partners a structured way to offer offensive security services to their clients.

We built a partner programme. Three tiers, one principle: we deliver the security work.

The problem we kept seeing

Most IT and technology businesses are now expected to offer cyber security services. Clients ask for penetration testing because a framework, a regulator, or a procurement requirement demands it. The MSP or consultancy is the first port of call, because they already have the relationship.

But building an in-house offensive security team is not realistic for most of these businesses. The skills shortage is well documented. The ISC2 2025 Cybersecurity Workforce Study found that 88% of organisations experienced at least one significant cybersecurity consequence because of skills deficiencies within their team. Fortinet’s 2026 Global Cybersecurity Skills Gap Report found that 56% of IT leaders cite lack of cybersecurity skills as a top cause of security breaches, and 49% struggle to get approval to hire additional cybersecurity talent.

Clients need security testing. The businesses they trust to deliver IT services cannot build the capability internally. The options that exist, large consultancies with premium price tags or automated scanners that auditors dismiss, do not fit the middle ground most MSPs and consultancies occupy.

What happens without a partner

We have seen the same pattern play out several times.

An MSP wins a contract that includes penetration testing as a deliverable. They subcontract it to the cheapest provider they can find. The report is generic, the findings are surface-level, and the client is underwhelmed. The MSP’s reputation takes the hit, not the subcontractor’s.

Or a consultancy refers a client to a security firm they have worked with before. The security firm builds a direct relationship with the client and cuts the consultancy out of the next engagement. The referral has no protection, no structure, and no commercial arrangement.

Or a technology provider tries to build an in-house testing capability. They hire one penetration tester, who leaves after eight months. The capability disappears, and the clients who depended on it are left looking for alternatives.

None of these are unusual. They are what happens when you try to deliver offensive security without a structured partnership.

What we built

Our partner programme is built as a tier ladder: Pivot, Lever, and Torque. Each tier is a step up in commitment and reward, with a different delivery mechanism underneath. You start where it makes sense for your business and grow from there.

Pivot (referral)

Where leverage begins. You introduce a client. We handle the engagement, the delivery, the reporting, and the follow-up. You earn commission on every successful project. This is the entry tier. It suits businesses that do not want to be involved in delivery but want a trusted security partner they can refer clients to.

Lever (white-label)

Apply our force under your brand. We deliver under your name, on your report, and we stay behind the scenes. This suits MSPs and consultancies that want to offer penetration testing as part of their own service portfolio without building an internal team.

Torque (resell)

Maximum mechanical advantage. You sell our services into your client base at your own margin. You manage the commercial terms. We deliver the technical work. This suits technology providers and resellers who already have a sales motion and want to add security services to their catalogue without the delivery overhead.

What partners get

Partners also get practical support:

  • Pre-sales technical input. If a partner is scoping an engagement and is not sure what the client needs, we help. That might mean joining a call, reviewing a scope document, or advising on testing types.

  • Co-branded or white-labelled reports. Depending on the model, reports carry your branding, not ours. The technical content is the same either way.

  • Dedicated account contact. One person who knows your business, your clients, and your preferences. You are not dealing with a shared inbox.

  • Flexible commercial terms. Commission rates, reseller margins, and white-label pricing are agreed up front, not negotiated on every engagement.

  • Sales positioning training. If you are new to selling cyber security services, or just want to sharpen how you frame penetration testing for clients, we provide training on positioning our services. We cover how to scope engagements, how to articulate value to non-technical buyers, and how to handle common objections around price and scope. This is available to all partners at no cost.

Who this is for

The programme is built for three types of organisation:

  1. MSPs who are asked for penetration testing by clients but do not have an in-house offensive security team and do not want one.
  2. Consultancies working in compliance, governance, risk, or infrastructure who need a trusted security delivery partner for engagements that require it.
  3. Technology providers and resellers who want to add security services to their portfolio without building delivery capability.

It is also a strong fit if you are already working in cyber security sales. If you have relationships with clients who need penetration testing, red teaming, or security assessments but no delivery capability of your own, the Torque or Pivot tier lets you monetise those relationships without building a technical team. It works whether you are a large team, a small team, or a salesperson working on your own. We deliver the testing behind the scenes.

It is not for organisations that already have a mature in-house penetration testing team. If you can deliver offensive security at the level your clients need, you do not need this programme.

How to start

We talk through what you need, which tier fits (Pivot, Lever, or Torque), and what your client base looks like. We agree commercial terms. We give you the materials and technical briefs to start offering the service. You can begin referring or reselling as soon as you sign up.

If you want to talk about whether the programme fits your business, get in touch.

References

FAQQuestions, answered.

What are the three tiers of the LEVERAGE CYBER partner programme?

The programme has three tiers: Pivot (referral), Lever (white-label), and Torque (resell). Each tier increases in commitment and reward, with a different delivery mechanism. Partners start where it makes sense for their business and grow from there.

How does the white-label partner tier work?

Under the Lever tier, LEVERAGE CYBER delivers penetration testing under the partner's brand. Reports carry the partner's branding, and we stay behind the scenes. This suits MSPs and consultancies that want to offer security testing as part of their own service portfolio without building an internal team.

Who is the partner programme designed for?

The programme is built for MSPs, consultancies working in compliance or infrastructure, and technology providers or resellers who want to add security services without building delivery capability. It is not for organisations that already have a mature in-house penetration testing team.

What support do partners receive?

Partners get pre-sales technical input, co-branded or white-labelled reports, a dedicated account contact, flexible commercial terms agreed up front, and sales positioning training at no cost.

Written by

Chris Burton
Chris Burton

Founder · Principal Consultant

Accomplished cybersecurity leader with over 25 years of experience. OSCP-certified penetration tester, Cyber Scheme Team Leader, and founder of LEVERAGE CYBER. Former Head of Professional Services and CHECK Team Leader (Infrastructure). Published in Which? Magazine and quoted by the BBC on mobile banking security. Passionate about offensive security, team leadership, and making cybersecurity practical for businesses.

Back to insights Get a quote
· Related
announcements 16 Jun 2026

A New Site, and Where We've Been

We rebuilt the site from scratch and stopped publishing for a while. Both were deliberate. This is what happened and what comes next.

Read
announcements 16 Jun 2026

We are now Cyber Essentials Plus certified.

LEVERAGE CYBER has been awarded Cyber Essentials Plus. An independently audited baseline of security controls, and one more piece of assurance for the people who trust us with their security work.

Read

Leaving leveragecyber.io

You are about to navigate to an external site:

Continue