AirGapNet: Physical network isolation
Industry · March 2026 · 6 min read

MSPs: sell physical isolation as a feature, not a footnote

MSPs spend QBRs explaining how vendor access is controlled. Per-tenant physical isolation, scheduled from the NOC, is a feature you can put on the one-pager — not an apology in the footnotes.

Per-tenant physical isolation, scheduled from the NOC, is a product feature MSPs can sell — not a one-off engineering project per customer.

Section 01

The conversation MSPs keep having

Quarterly business reviews with an MSP customer almost always include a slide about vendor access controls. The slide explains how the MSP enforces least privilege on the tenant's behalf: VPN scoping, jump hosts, EDR allowlists, segmentation policies. Everyone nods. Six months later, an incident at another customer prompts the same conversation about why the access was still up between maintenance windows.

The shape of the conversation is: software controls are doing what they can, but the path was up the whole time. The MSP is selling diligence; the customer wants assurance.

Section 02

Packaging the physical break

An MSP that deploys AGN1 on the maintenance lines of its tenants — vendor access points, backup target lines, admin tunnels to financial gateways — changes the conversation. The path exists only during the maintenance window the MSP scheduled. The NOC operates the windows. The customer sees the audit log from their tenant view in the next QBR.

This becomes a feature in the customer-facing one-pager, not a footnote. 'Physical isolation per service path, scheduled from our NOC' is a product claim that nobody else in the procurement bake-off makes the same way.

  • Per-tenant relays

    Each tenant gets a small fleet of AGN1 on the paths the MSP manages. The MSP scheduler manages windows across tenants from one console.

  • NOC handoff

    The NOC opens windows in response to ticket flow: vendor maintenance window approved → schedule the line open → close when the technician disconnects.

  • Audit per tenant

    Each customer sees their own audit log. The MSP sees the aggregate.

  • Renewal anchor

    The relay log provides the receipts. At every QBR, the customer can see exactly when the vendor reached PLC-04 last quarter, and when they did not.

Section 03

Operational pattern that works

The MSPs we have worked with run this pattern alongside their existing ticketing system. A vendor maintenance request becomes a window-schedule entry; the NOC's scheduling tool emits the SMS that opens the line; the relay closes itself on the documented end time. The integration is intentionally lightweight — the MSP's runbook is the source of truth, not the device's UI.
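
One way to check that a line was up only during approved windows, as an added example (not AirGapNet's code): it reconciles relay open/close events against ticketed maintenance windows. The record layouts, tenant and line names, ticket ids and the five-minute grace period are assumptions constructed for illustration, not the AGN1 audit-log format.

```python
from datetime import datetime, timedelta

# Constructed sample data. Layouts, names and ticket ids are assumptions,
# not the AGN1 audit-log format or any real ticketing export.
APPROVED_WINDOWS = [  # (ticket, tenant, line, start, end) from ticketing
    ("CHG-1001", "tenant-a", "vendor-plc", "2026-03-02T09:00", "2026-03-02T11:00"),
    ("CHG-1002", "tenant-b", "backup-target", "2026-03-03T01:00", "2026-03-03T02:00"),
    ("CHG-1003", "tenant-b", "backup-target", "2026-03-09T01:00", "2026-03-09T02:00"),
]
RELAY_EVENTS = [  # (tenant, line, state, time) from the relay audit feed
    ("tenant-a", "vendor-plc", "open", "2026-03-02T09:01"),
    ("tenant-a", "vendor-plc", "close", "2026-03-02T10:40"),
    ("tenant-b", "backup-target", "open", "2026-03-03T01:00"),
    ("tenant-b", "backup-target", "close", "2026-03-03T02:25"),  # late close
    ("tenant-a", "vendor-plc", "open", "2026-03-05T22:00"),  # no ticket
    ("tenant-a", "vendor-plc", "close", "2026-03-05T22:10"),
    ("tenant-b", "backup-target", "open", "2026-03-09T01:00"),  # never closed
]

def ts(text):
    return datetime.fromisoformat(text)

def intervals(events, now):
    """Pair open/close events per (tenant, line); an unclosed open runs to now."""
    open_at, out = {}, []
    for tenant, line, state, when in sorted(events, key=lambda e: ts(e[3])):
        key = (tenant, line)
        if state == "open":
            open_at.setdefault(key, ts(when))  # keep the earliest open
        elif key in open_at:
            out.append((key, open_at.pop(key), ts(when), True))
    return out + [(k, start, now, False) for k, start in open_at.items()]

def reconcile(windows, events, now, grace=timedelta(minutes=5)):
    """Return findings for line-up time that no approved window covers."""
    findings = []
    for key, start, end, closed in intervals(events, now):
        match = [w for w in windows if (w[1], w[2]) == key
                 and ts(w[3]) - grace <= start <= ts(w[4])]
        if not match:
            findings.append((*key, "open-without-ticket", start.isoformat()))
        elif end > ts(match[0][4]) + grace:
            kind = "overrun" if closed else "still-open-past-window"
            findings.append((*key, kind, match[0][0]))
    return findings

if __name__ == "__main__":
    for finding in reconcile(APPROVED_WINDOWS, RELAY_EVENTS, ts("2026-03-10T00:00")):
        print(finding)
```

Run per tenant before each QBR, an empty result is the evidence that every open interval had a ticket and closed on time.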

Where it is heaviest is the first tenant rollout: mapping which lines should have AGN1, which should not, and what the window cadence looks like. After that the per-tenant pattern is repeatable; the MSP rolls the same pattern to the next account with a price-per-line that includes the hardware, the scheduling, and the audit feed.

Section 04

What MSP customers say after a quarter

Two things, repeatedly. First, the QBRs are shorter, because the access-controls discussion is replaced by a relay-state report. Second, internal champions surface on the customer side — the customer's own security team starts asking for the same pattern on lines the MSP does not yet manage. That is the selling motion the feature unlocks: it is something the customer's own security team wants to see more of, not less.
