Forty-two per cent of UK small businesses identified a cyber breach or attack in the past year, according to the government's Cyber Security Breaches Survey 2025. That figure drives demand for managed security services — and small IT resellers are the ones closest to those businesses. The problem is that resellers with fewer than ten staff cannot build a security operations centre. They do not have the headcount, the budget, or the round-the-clock coverage that a credible SOC requires. The good news is that they do not need one.
Three platforms — Huntress, SentinelOne, and CrowdStrike Falcon Go — each offer a different route to delivering managed endpoint detection and response with a vendor-backed SOC behind it. Huntress wraps a human-led 24/7 SOC into every licence at no extra cost and prices per agent with volume discounts. SentinelOne delivers AI-driven autonomous detection with a tiered partner programme launched in April 2025, and suits resellers who want deeper technical control. CrowdStrike Falcon Go targets the SMB market directly at $59.99 per device per year and caps at 100 devices, with a UK-specific channel through its BT partnership.
None of these is perfect. Each has trade-offs in pricing transparency, onboarding effort, and margin structure. This guide walks through what each platform actually delivers for a small UK reseller and where the gaps are.
Why the SOC Question Matters for Small Resellers
[Figure: UK Cyber Threat Environment: Why Managed Security Demand Is Growing. Key statistics from the UK government Cyber Security Breaches Survey 2025 and NCSC Annual Review 2025 showing the scale of the threat facing UK businesses. Source: DSIT Cyber Security Breaches Survey 2025 and NCSC Annual Review 2025]
The traditional model for offering managed security required an MSP to build or buy SOC capability. That meant hiring security analysts, running a SIEM platform, maintaining 24/7 shift coverage, and investing in threat intelligence feeds. For a reseller with five to ten staff already stretched across helpdesk, project work, and sales, this was never realistic. The minimum viable SOC — two analysts covering extended hours with a SIEM licence — costs upward of £150,000 per year before you add tooling, training, and recruitment.
The vendor-backed SOC model changes this equation. Instead of building detection and response capability in-house, the reseller deploys a platform that includes SOC coverage as part of the licence. The vendor's analysts monitor, triage, and escalate threats. The reseller handles the client relationship, first-line support, and remediation actions that require local knowledge — like understanding that the accounts manager always logs in from two locations and that is not a compromise.
This model is not outsourcing your entire security practice. It is using the vendor's scale to cover the part you cannot economically deliver — round-the-clock human monitoring — while you retain the parts that make you valuable to the client: context, trust, and local knowledge.
The NCSC handled 1,727 cyber incident tips in its 2025 annual review period, with 429 requiring formal support and 204 classified as nationally serious — the highest number ever recorded and a 130 per cent increase on the previous year. That threat environment is not going to get simpler. Small resellers who cannot offer credible security services will lose clients to those who can.
Huntress: The Channel-First Option
Huntress was built for the MSP channel from day one in 2015. Its core proposition is simple: every licence includes a 24/7 human-led SOC staffed by Huntress analysts who monitor, investigate, and provide remediation guidance for every alert. There is no premium tier that unlocks SOC access — it is included with every agent.
The platform covers endpoint detection and response (EDR), identity threat detection and response (ITDR), a managed SIEM, and security awareness training. For a small reseller, the appeal is that you deploy agents to client endpoints and Huntress handles the monitoring. When their analysts find something, they send you a report with specific remediation steps. You execute those steps or, in a good share of cases, Huntress can auto-remediate with your approval.
Pricing is per agent with tiered volume discounts based on your total committed agents across all clients. Huntress does not publish pricing — you request it through their partner portal — but community sources consistently report it as competitive with other managed EDR platforms. Billing is monthly in arrears, which matters for cash flow if you are a small operation.
The onboarding process is straightforward. Deploy the agent via your RMM tool, configure your notification preferences, and the SOC starts monitoring. Resellers typically report being operational within a day. There is no minimum commit, no annual lock-in requirement, and no feature gating — every partner gets the same platform.
Where Huntress falls short for some resellers is in advanced customisation. The platform is designed to be simple, which means fewer knobs to turn. If you want granular policy control, custom detection rules, or deep forensic investigation tools, you will find the platform more limited than SentinelOne or CrowdStrike. That is a deliberate design choice — Huntress optimises for MSPs who want effective security without complexity, not for resellers building a specialist security practice.
SentinelOne: AI-Driven Autonomy with a Steeper Ramp
SentinelOne takes a different approach. Its Singularity platform uses AI-driven autonomous detection and response — meaning the agent on the endpoint can identify and contain threats without waiting for a human analyst to review the alert. This reduces response time to seconds rather than minutes, which matters when ransomware is encrypting files.
The PartnerOne programme, launched in April 2025 and effective from February 2026, structures the channel relationship across three tiers: Elite, Advanced, and Associate. Each tier has four tracks — Manage, Sell, Build, and Deliver — allowing resellers to position themselves based on how much of the security service they want to own versus pass through to SentinelOne.
For a small UK reseller, the Manage track is the closest fit. It lets you resell SentinelOne's managed detection and response (MDR) service, where SentinelOne's own Vigilance team acts as the SOC. This is functionally similar to the Huntress model — you deploy, SentinelOne monitors — but the platform underneath is more technically complex.
That complexity is a double-edged sword. SentinelOne gives you more granular control over policies, exclusions, and detection sensitivity. If you have technically confident staff, this is an advantage — you can tune the platform for specific client environments. If your team is primarily helpdesk engineers who are adding security to their responsibilities, the learning curve is steeper than Huntress and the risk of misconfiguration is higher.
Pricing is not published for MSP partners. You negotiate through distribution or directly with SentinelOne's channel team. Community feedback suggests per-endpoint pricing is higher than Huntress, particularly for the managed (Vigilance) tier, but the platform includes features like rollback capability and deep visibility tools that Huntress does not match.
Onboarding is more involved. Expect a structured enablement process, partner portal configuration, and a learning period of two to four weeks before your team is confident managing the console. For a five-person reseller, that time investment matters — it is time not spent on billable work.
CrowdStrike Falcon Go: The Brand Name with Boundaries
CrowdStrike Falcon Go is the SMB-specific tier of the CrowdStrike platform. It is priced at $59.99 per device per year with an annual commitment required, and it caps at 100 devices per organisation. For UK resellers, the biggest channel development is the October 2025 partnership with BT, which launched BT Business Antivirus Detect and Respond powered by Falcon Go — combining CrowdStrike's detection with BT's support services for UK SMBs.
The Falcon Go platform delivers next-generation antivirus (NGAV) and basic EDR capabilities. It uses the same Falcon sensor as the enterprise tiers, which means detection quality is high. CrowdStrike's threat intelligence — built on data from millions of enterprise endpoints — feeds directly into the SMB product.
The limitations are real. The 100-device cap means this is not a platform for MSPs managing multiple clients through a single console — each client organisation needs its own Falcon Go subscription. There is no multi-tenant management portal in the way that Huntress or SentinelOne provides for MSP partners. If you manage twenty clients with ten devices each, that is twenty separate Falcon Go subscriptions to administer.
SOC coverage is not included in Falcon Go. If you want CrowdStrike's managed SOC, you need Falcon Complete, which is a significantly more expensive product aimed at mid-market and enterprise. For a small reseller, this means Falcon Go gives you strong detection but leaves the monitoring and response to you — or to an additional MDR service you layer on top.
The BT partnership is interesting for UK resellers because it wraps Falcon Go in a locally supported package with BT's service desk behind it. But if you are a reseller trying to build your own managed security offering, BT is your competitor in this model, not your enabler. You would be reselling a product that your client can buy directly from BT with BT support included.
The Commercial Reality: Margin, Billing, and Client Expectations
[Figure: Platform Comparison: What Is Included at Base Price. Compares what each platform includes at its base licence cost on a scale of 0 to 5, where 5 means fully included and 0 means not available without additional cost. Source: CTC editorial assessment based on vendor documentation and UK channel feedback, February 2026]
The financial model for a small reseller offering managed security sits on three variables: the per-endpoint cost from the vendor, the margin you can charge the client, and the support cost of delivering the service.
Huntress's model is the simplest. You buy per agent at your partner rate, mark it up to the client (typical channel markup runs 30 to 50 per cent depending on volume and contract terms), and your delivery cost is low because the SOC is included. Your team handles agent deployment, client communication, and remediation execution — but not the 24/7 monitoring.
SentinelOne with Vigilance MDR has a higher base cost but lets you position a more technically advanced offering. If your clients are in regulated sectors — legal, financial services, healthcare — the platform's deeper visibility and compliance reporting features justify a higher price point. Margin is similar in percentage terms, but you are marking up a larger number.
CrowdStrike Falcon Go is the lowest-cost entry point at under $5 per device per month, but without SOC coverage included, your delivery cost is higher because your team absorbs more of the monitoring and response burden. Unless you add a separate MDR layer, you are selling detection without response — which is a harder proposition to defend when a client asks what happens when something is detected at 2 AM on a Saturday.
Billing flexibility matters for small resellers. Huntress bills monthly in arrears. SentinelOne typically requires annual commits through distribution. CrowdStrike Falcon Go requires annual payment upfront. If your cash flow is tight — and for a sub-ten-person reseller it usually is — the monthly billing model is more manageable.
Client expectations are the hidden cost. Once you offer managed security, clients expect you to be the expert. They will ask questions about threats, want explanations of alerts, and hold you accountable for outcomes. Make sure your team can confidently explain what the platform is doing, what it is not doing, and where the boundaries of the service lie. Selling security you do not understand is worse than not selling it at all.
Readiness Checklist: Can You Credibly Sell Managed Security?
Before you sign a partner agreement with any of these vendors, answer these questions honestly.
Does at least one person on your team hold a current security credential — CompTIA Security+, Cyber Essentials assessor, or vendor-specific certification?
Can your team explain the difference between antivirus, EDR, and MDR to a non-technical client in plain language?
Do you have a documented incident response process — even a simple one — that defines what happens when the platform flags a threat?
Can you commit to checking the management console daily, or do you need the vendor's SOC to handle monitoring entirely?
Are your current support contracts structured to include security response, or will you need to renegotiate terms?
Do you have cyber insurance that covers managed security services, or do you need to update your policy?
If the answer to three or more of these is no, start with Huntress. Its SOC coverage fills the gaps in your capability while you build your team's skills. If you answered yes to all and want deeper technical control, SentinelOne with Vigilance is a stronger fit. If you want to offer basic endpoint protection at the lowest possible cost and your clients do not need 24/7 SOC coverage, Falcon Go is viable — but be honest with clients about what it does and does not include.

