
Mar 2, 2026

The deployment that left a gap
An MSP deploys SASE for a 200-person client. ZTNA replaces the VPN. SWG filters web traffic. CASB gives visibility into cloud app usage. The client is satisfied. The MSP considers the security conversation closed.
Three months later, an employee's credentials are harvested in a phishing campaign. The attacker logs in from an unrecognised location. ZTNA validates the identity and grants access.
The attacker downloads a significant volume of files from SharePoint over the next four hours. Then a new process appears on a workstation connected to the same account.
Every one of these events generated a signal. None of them were correlated. The MSP finds out when the client calls.
The six surfaces attack model
Modern attacks do not stay in one place. They move. And they tend to move in the direction of whatever surface is least visible to the defender.
The six attack surfaces in a typical MSP client environment are:
Endpoints: Workstations, laptops, servers. The surface most MSPs monitor, though often in isolation.
Network: Internal traffic, lateral movement and unusual connections. True NDR sees what endpoint tools miss.
Cloud: IaaS infrastructure in Azure, AWS, and GCP. Misconfiguration, exfiltration and unusual API calls.
Identity: Entra ID, Okta, Active Directory. Credential abuse, privilege escalation, impossible travel.
SaaS: SharePoint, Teams, Salesforce, and other application logs beyond email. Often the least visible surface.
IoT/OT: Unmanaged devices, printers, building systems, operational technology. Discovery alone is a challenge.
SASE secures the access layer: ZTNA, SWG and CASB decide whether a connection is allowed and log the access decision. They do not monitor endpoint process activity, identity-provider events, cloud control-plane API calls, SaaS application logs or IoT/OT devices, and they do not correlate the signals those surfaces produce.
Real breach patterns - What SASE would have logged vs. what it would have caught
Two high-profile breach patterns illustrate where SASE ends and the gap begins.
The MGM Resorts pattern (identity and social engineering).
The attacker did not bypass any technical control. They called the IT helpdesk, impersonated an employee, and reset MFA. From there, they moved laterally through cloud infrastructure.
SASE would have enforced the access policy for the newly-reset credentials. It would not have flagged the anomalous login location, the unusual identity behavior, the lateral cloud movement, or the volume of data accessed. Those are identity, cloud, and network signals. SASE logs access. It does not correlate attack chains.
The Snowflake pattern (credential abuse and SaaS exfiltration).
Attackers used credentials obtained through infostealer malware to access Snowflake environments. Many of the affected accounts had no MFA enabled.
SASE's CASB component might have surfaced some cloud access activity. It would not have detected the infostealer on the endpoint that harvested the credentials. It would not have correlated the endpoint compromise with the subsequent cloud access. That required endpoint, identity, and cloud signals read together.
These are not obscure attack patterns. They are among the most common breach models of the last two years, and both exploit the gap between access security and full spectrum detection.
The role of correlation - Why signals must talk to each other
Six surfaces. Potentially six dashboards. One attacker using all of them.
A suspicious login in Entra ID at 11pm. An unusual file download in SharePoint at midnight. A new process on a workstation tied to the same account at 1am. Each alert, on its own, stays below the threshold for escalation. Joined by the common account and the two-hour window, they describe a compromised credential moving from identity to SaaS to endpoint, the classic run-up to a ransomware deployment.
The correlation engine is what makes that connection in real time, across your entire client base, without requiring a human analyst to manually join the dots across six separate platforms.
Correlation across all surfaces simultaneously is the thing that turns individual signals into a clear attack pattern. It is what SASE cannot provide on its own. And it is what most MSPs are currently missing.
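The join described above, and in the opening scenario, is mechanical once signals from different surfaces carry a common identity and a timestamp. The following is an added example, not enhanced.io's correlation engine or any vendor's code: it takes constructed sample signals (the field names, scores and thresholds are assumptions), shows that each one alone would only be logged, then groups them by user inside a time window and escalates the chain when it spans more than one surface.

```python
"""Cross-surface correlation over constructed sample signals.

Added example, not enhanced.io's engine. Signal shapes, field names, scores and
thresholds are assumptions; only the idea (join by identity, window by time,
escalate on the combination) comes from the text.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ESCALATE_AT = 70          # score needed to page an analyst (assumed)
MIN_SURFACES = 2          # a chain must span at least this many surfaces (assumed)
WINDOW = timedelta(hours=4)

# Constructed sample signals, one per surface. Each is below ESCALATE_AT on its own.
SIGNALS = [
    {"ts": "2026-03-01T23:02:00Z", "surface": "identity", "source": "entra_id",
     "user": "j.doe", "event": "sign_in_unfamiliar_location", "score": 30},
    {"ts": "2026-03-02T00:10:00Z", "surface": "saas", "source": "sharepoint",
     "user": "j.doe", "event": "bulk_download", "score": 35},
    {"ts": "2026-03-02T01:05:00Z", "surface": "endpoint", "source": "edr",
     "user": "j.doe", "event": "new_process", "score": 25},
    # Unrelated user with a single signal: must stay a log entry, not an incident.
    {"ts": "2026-03-02T09:15:00Z", "surface": "identity", "source": "entra_id",
     "user": "a.smith", "event": "sign_in_unfamiliar_location", "score": 30},
    # Same user, next day: outside WINDOW, so it starts a separate chain.
    {"ts": "2026-03-03T10:00:00Z", "surface": "saas", "source": "sharepoint",
     "user": "a.smith", "event": "bulk_download", "score": 35},
]


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample signals."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def triage_alone(signal: dict) -> str:
    """How a single-surface tool treats the signal: log it or escalate it."""
    return "escalate" if signal["score"] >= ESCALATE_AT else "log"


def chains_by_user(signals: list[dict]) -> list[list[dict]]:
    """Group signals by user, then split each user's timeline into chains whose
    span, measured from the chain's first signal, does not exceed WINDOW."""
    per_user = defaultdict(list)
    for s in sorted(signals, key=lambda s: parse_ts(s["ts"])):
        per_user[s["user"]].append(s)
    chains = []
    for user_signals in per_user.values():
        chain = [user_signals[0]]
        for s in user_signals[1:]:
            if parse_ts(s["ts"]) - parse_ts(chain[0]["ts"]) <= WINDOW:
                chain.append(s)
            else:
                chains.append(chain)
                chain = [s]
        chains.append(chain)
    return chains


def correlate(signals: list[dict]) -> list[dict]:
    """Escalate a chain when it spans MIN_SURFACES surfaces and its combined
    score reaches ESCALATE_AT, even though no single signal would have."""
    incidents = []
    for chain in chains_by_user(signals):
        surfaces = {s["surface"] for s in chain}
        total = sum(s["score"] for s in chain)
        if len(surfaces) >= MIN_SURFACES and total >= ESCALATE_AT:
            incidents.append({
                "user": chain[0]["user"],
                "surfaces": surfaces,
                "score": total,
                "first_seen": chain[0]["ts"],
                "last_seen": chain[-1]["ts"],
                "path": [f'{s["source"]}:{s["event"]}' for s in chain],
            })
    return incidents


if __name__ == "__main__":
    for s in SIGNALS:
        print(f'{s["ts"]} {s["surface"]:9} {s["event"]:28} -> {triage_alone(s)}')
    for inc in correlate(SIGNALS):
        print(f'INCIDENT user={inc["user"]} score={inc["score"]} '
              f'path={" > ".join(inc["path"])}')
```

Run as a script, it prints "log" for all five signals and one incident for j.doe spanning identity, SaaS and endpoint. The point of the window check is the a.smith case: two weak signals a day apart are not a chain, so an engine that only keys on identity without a time bound would drown the analyst in joins that mean nothing.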
What MSPs can do today - Three options
If you have SASE deployed, or are about to deploy it, here are the honest options for closing the gap.
Option 1: Build an internal security team.
Hire a CISSP-certified security director. Find someone willing to take your calls at 2am. Build or buy a SIEM with cross-surface ingestion. Invest in training, tooling, and retention. This is a 12-to-24-month project, a significant capital commitment, and an ongoing management overhead. Some larger Tiger Tier MSPs do this successfully. Most cannot sustain it alongside running a managed services business.
Option 2: Stack more point tools.
Add an MDR for endpoints. A SIEM for log aggregation. A network monitoring tool. Another dashboard. Another alert queue.
Your Technical Lead drowns faster. You still do not have correlation across all six surfaces. And you are paying for a stack of tools that do not talk to each other.
Option 3: Partner with a full spectrum security provider who correlates across all six surfaces.
You bring in a partner whose platform ingests signals from endpoint, network, cloud, identity, SaaS, and IoT/OT, and correlates them in real time. Human-led SOC analysts review what the correlation engine surfaces. You get a call when it matters.
You keep the client relationship. You keep the margin. You do not build the SOC from scratch.
enhanced.io operates on this model: Open XDR with 400+ integrations, full spectrum coverage, human-led 24/7 SOC, and a channel-only commitment. We never sell direct to your clients.
FAQ
My client has SASE and has never had an incident. Does the gap really matter?
The absence of a detected incident is not the same as the absence of an attack. Many breaches persist for weeks or months before they are identified. SASE logs access. Without correlation across all six surfaces, attacks that cross identity, cloud, or endpoint can go undetected until the damage is done.
Is SASE better than nothing for threat detection?
How do I explain the full spectrum gap to a client who just paid for SASE?
What does correlation look like in practice?
Does full spectrum security replace SASE?