Becoming a Layer 7 Partner: A Guide for MSPs
Your clients are being asked to prove their security. Their insurers want a penetration test. Their tenders and public-sector buyers want Cyber Essentials or Cyber Essentials Plus. Their enterprise customers want ongoing evidence that risks are being managed. And because you are the people who look after their IT, they turn to you.
The problem is that credible cyber security is a set of specialisms, not a feature you can switch on. Testing needs CREST-qualified people kept current. Certifying to Cyber Essentials properly means being a licensed Certification Body, not sub-brokering it and hoping. Managing exposure across a client estate means running a platform and knowing how to read it. Building all three in-house rarely stacks up against the volume a single MSP generates.
That is the decision this guide is about: build it yourself, or partner. And if you partner, what to look for, and how partnering with Layer 7 works. We deliver testing, certification and managed security to MSPs across the UK, co-delivered alongside your team or white-labelled where a client needs it, and you keep the client relationship throughout.
Why your clients are asking for this now
The demand is not a passing trend. Four drivers have made provable security a condition of doing business:
- Cyber insurance. Insurers increasingly ask for a recent penetration test and Cyber Essentials before they will quote, and better evidence lowers the premium.
- Tenders and public-sector procurement. Government contracts commonly require Cyber Essentials or Cyber Essentials Plus. Many private tenders now copy that requirement.
- Supply-chain pressure. Enterprise customers push security requirements down to their suppliers, so your smaller clients inherit big-company expectations.
- Regulation and standards. ISO 27001, the NHS and defence supply chains, and frameworks like the CAF all lean on testing, certification and ongoing management.
The net effect: your clients need answers they cannot produce themselves, and they would rather get them from you than go looking elsewhere.
The real question: build in-house, or partner?
Most MSPs work through the same reasoning. The demand is real, but the fixed cost and the specialist risk of building each capability in-house is high, and the volume from any one MSP’s client base rarely justifies it.
| Capability | Build in-house | Partner |
|---|---|---|
| Penetration testing | Recruit, vet and retain CREST and Cyber Scheme qualified testers, plus tooling, methodology and indemnity | Qualified testers and methodology, included from day one |
| Cyber Essentials and CE Plus | Become and maintain an IASME-licensed Certification Body, or sub-broker and mark up | Certified directly by a licensed body, both levels in-house |
| Managed security | Licence, configure and run an exposure-management platform, and learn to interpret it | The platform run and interpreted for you, as a specialist layer |
| Utilisation risk | You carry the bench and the licences between jobs | The partner carries it |
| Time to offer | Months, across three separate disciplines | Live as soon as the partnership is signed |
| Your client relationship | Yours | Stays yours, when the partner is the right kind |
The takeaway: for most MSPs the honest answer is to partner for the specialist work and keep owning the client. Building testing, certification and a managed platform in-house is a large, ongoing fixed cost that the volume rarely repays, while partnering turns all three into service lines you can switch on now.
The catch is that not every partner is safe to bring near your clients, which is what the rest of this guide is about.
What you can offer as a Layer 7 partner
Three capabilities, offered individually or together, each delivered by our own specialists and each with its own detail page for MSPs.
Penetration testing
CREST and Cyber Scheme qualified, in-house testing your clients can put in front of auditors, insurers and customers. Co-delivered so both names are on the report, or white-labelled as yours, with a free retest as standard. See penetration testing for MSPs.
Cyber Essentials and Cyber Essentials Plus
We have been an IASME-licensed Cyber Essentials Certification Body since the scheme launched in 2014. Your clients are certified directly by a real, licensed body, not sub-brokered through a third party, at both levels and in-house. See Cyber Essentials for MSPs.
Managed security
The specialist exposure-management layer most MSPs do not run in-house: continuous vulnerability management, attack surface management, managed patching and Microsoft 365 monitoring. It sits alongside your stack, co-managed, and produces audit-grade evidence. We complement what you do; we do not replace it. See managed security for MSPs.
Because we do all three, an MSP can bring us a client and we can run their penetration test, certify them to Cyber Essentials Plus off the back of it, and keep the risks closed with managed exposure management afterwards. Test, certify, manage, under one agreement and one partner. That is the Layer 7 Partner Programme.
How partnering actually works: co-delivered or white-label
The word “partner” means different things to different suppliers, so here is exactly what it means with us. You choose the model per engagement, and you can mix both across your client base.
- Co-delivered, our preferred model. We work jointly, with both names visible. Your client gets a named, independent specialist on the engagement, and your team stays close to the work and the relationship.
- White-label, where a client needs it. We deliver in the background and hand you work you present as your own. Your branding, your relationship, our specialists.
Either way, you own the commercial relationship and the renewal, you decide the branding, and we integrate with your existing delivery processes so nothing slows down.
What to look for in a cyber security partner
If you are weighing up partners, these are the questions that separate a safe one from a risky one. They are worth asking whoever you talk to, not just us.
| What to check | Why it matters | Where Layer 7 stands |
|---|---|---|
| Will they sell to your client directly? | The biggest risk in partnering is training up a competitor with access to your accounts | No. We never approach or sell to your client without your say-so, and it is in our agreement |
| Are the testers actually qualified, and in-house? | Subcontracted or offshored testing is a hidden hand-off you cannot vouch for | CREST and Cyber Scheme qualified, delivered in-house, never subcontracted |
| Can they certify, or only advise? | A firm that cannot award Cyber Essentials has to sub-broker it, adding cost and a hand-off | A licensed Certification Body since 2014, both levels in-house |
| Is the evidence audit-grade? | Your client’s auditors and insurers have to accept it, or it is worthless | CB and CREST heritage; outputs built to stand up to auditors |
| One partner or several? | Stitching two or three suppliers together multiplies contracts and account risk | Test, certify and manage from a single partner and agreement |
The takeaway: the single most important question is whether the partner will compete with you for the client. Everything else, qualifications, certification, audit-grade evidence, being able to cover all three needs, follows from finding a specialist whose business is partnering, not poaching.
Why MSPs partner with Layer 7
- You keep the client, always. We deliver the work with you or behind you, and we never approach your client without your agreement. Your relationship, renewal and branding stay yours, in writing.
- In-house and qualified. CREST and Cyber Scheme qualified testers, delivered in-house, never offshored or subcontracted.
- A real Certification Body since 2014. IASME-licensed for Cyber Essentials and Cyber Essentials Plus since the scheme launched, so your clients are certified directly, not sub-brokered.
- Defence and central-government grade. We deliver security to defence, public-sector and regulated clients, including work for a major UK central government department and MOD-accredited cloud, through G-Cloud 14, DOS 7 and CCS frameworks. The same rigour goes into every partner engagement.
- One partner for all three needs. Test, certify and manage under a single agreement, so you are not stitching suppliers together.
- North East based, working UK-wide. You deal with our own specialists directly, not a broker desk or a portal.
How to become a Layer 7 partner
It is a short path. Tell us about your clients and what they are being asked for. We agree how we will work, co-delivered or white-label, and sign a standardised partner agreement and NDA that puts the “you keep the client” pledge in writing. From there you can bring us your first engagement, whether that is a test, a certification or ongoing management, and we map to your existing delivery process so it runs inside your workflow.
There are no forms. You talk to a specialist, not a portal.
Become a partner: partner@layer7.uk or read more about the Layer 7 Partner Programme.
Becoming a partner: FAQs
What does it cost to become a Layer 7 partner? There is no joining fee. Pricing is per engagement, clear and transparent, and tailored to how you work and the volume you bring. Once scope is agreed we quote a fixed price with no hidden extras, so you can quote your client with confidence.
Will you sell to my client directly? No. You keep the client relationship, the renewal and the branding. We deliver the work with you or behind you and never approach or sell to your client without your agreement. It is written into our partner agreement.
Can I start with one service and add others later? Yes. Most partners start with the service their clients are asking for most, often penetration testing or Cyber Essentials, and add the others as demand grows. It is one agreement and one partner either way.
Do I have to white-label everything? No. Co-delivered, with both names visible, is our preferred model. We white-label only where a client needs everything to come from you. You choose per engagement.
Are your testers actually qualified and in-house? Yes. Our testers hold individual CREST and Cyber Scheme qualifications, both recognised by the NCSC, and all testing is delivered in-house, never offshored or subcontracted.
Are you really a Cyber Essentials Certification Body? Yes. We have been an IASME-licensed Cyber Essentials Certification Body since the scheme launched in 2014, for both Cyber Essentials and Cyber Essentials Plus, so your clients are certified directly by a licensed body.
How does the managed security side avoid competing with my managed IT? It sits alongside what you do. We add the specialist exposure-management layer, continuous vulnerability management, patching, attack surface management and Microsoft 365 monitoring, that most MSPs do not run in-house. We complement your stack; we do not replace it or take it over.
Where are you based, and who will I deal with? We are based in the North East and work with partners across the UK. You deal with our own specialists directly, not a broker desk or a portal.