What to Ask Your MSP Before the Next Supply Chain Attack

In 2026, the operating story of supply chain attacks has shifted in a way that should change how every business buys managed services. Group-IB, Huntress, and Acronis have all published research this year describing the same trend. Managed service providers, including managed backup and recovery providers, are no longer collateral damage in supply chain incidents. They are the primary attack vector.

The math is straightforward from the attacker side. A single MSP often holds privileged credentials and operational access to hundreds of customer networks. One successful compromise unlocks hundreds of downstream targets, without the attacker having to spend time on each one individually. The Vercel incident in early 2026, where a Lumma Stealer infection at Context.ai pivoted via OAuth tokens through Google Workspace into a downstream supply chain breach, illustrates the dynamic at the SaaS layer. The same pattern is playing out in the MSP layer with backup, monitoring, and remote management providers.

For any business that has outsourced part of its IT or security operation, the practical question this year is whether your provider has the operational discipline to remain a safe partner under the new threat profile. The outsourcing model itself still works.

Why MSPs Became the Bullseye

A few structural realities explain the shift.

MSPs have access. By definition, a managed service provider holds keys to its customers’ environments. RMM tools, backup repositories, identity systems, and ticketing platforms all run on credentials that, if compromised, give an attacker reach into multiple customer networks at once.

MSPs are uneven. The category includes mature, security-disciplined operations and small shops with shared admin passwords and unsegmented infrastructure. An attacker scanning for a target naturally finds the second group first.

MSPs are trusted. Customer environments often allow MSP traffic by default, with broad permissions and minimal logging on the management plane. The trust relationship that makes the service useful also makes it harder for the customer to detect a problem when one of their providers has been compromised.

The combination has produced a 2026 threat landscape in which the soft underbelly of an MSP is the soft underbelly of every customer downstream. Buying decisions need to reflect that reality.

A Buyer’s Guide for the New Threat Profile

If you are evaluating a backup, recovery, or managed service provider this year, a handful of operational questions are more useful than any feature list. Each one targets a real failure mode that has shown up in 2026 incidents.

Isolation between customer environments. How does the provider segment your data and credentials from those of other customers? In a multi-tenant architecture, what is the blast radius if another tenant is compromised? A resilient provider will be able to describe specific technical and operational controls, instead of policy language. The honest answer is rarely “zero blast radius,” but the answer should be specific.

Credential protection on the provider side. Where are your administrative credentials stored, who has access, and what protections sit around the privileged accounts that touch your data? MSPs that store customer credentials in shared password managers or in unencrypted backup configurations are common, and they are a known attack surface.

Independence of the recovery copy. Does the recovery copy of your data live in the same infrastructure as the production copy? Does it use the same identity provider? If a single credential compromise at the provider could reach both copies, the recovery plan is theoretical.

Multi-tenant breach playbook. What does the provider do if one of their customers is compromised in a way that could implicate the rest? A mature provider will have a documented playbook that includes notification timelines, isolation procedures, and customer communications. An immature provider will have a marketing document that says “security is our top priority.”

Recovery orchestration that has been rehearsed. Has the provider actually run a multi-customer recovery scenario in the last twelve months? The first time a recovery process is tested at scale should never be during a real incident.

Application credential protection. Many MSPs hold OAuth tokens, API keys, and service account credentials that connect to customer SaaS environments. The protection of those tokens is now a primary security concern, given how the 2026 supply chain attacks have unfolded.

What “Resilient by Design” Actually Means

The phrase “resilient by design” appears on a lot of MSP marketing pages. The version that earns the label has a few specific properties.

The architecture is isolated, not just multi-tenant. Customer data, customer credentials, and recovery infrastructure live in separate logical domains, with controls that prevent a compromise of one tenant from spreading to others.

The retention is immutable. Backup copies cannot be altered or deleted by an attacker who has compromised the production environment, the management plane, or both. Write-once-read-many storage in geo-separated vaults is the baseline.

The operational posture is auditable. The provider can show, with logs and documentation, what happened during a real or simulated incident. The customer can verify the answer rather than taking it on faith.

The on-call coverage is staffed. Recovery support is available on the same clock as the attacker. A provider that operates business hours from a single time zone is not an after-hours partner.

How CyberFortress Approaches Provider-Side Resilience

CyberFortress was built around the assumption that the provider has to be at least as hard a target as the customer environment it protects. Application credential protection, immutable retention, and isolated air-gapped architecture are part of the core architecture rather than features bolted on later. The Trinity Platform brings managed detection, response, and recovery under one accountable team, with 24/7 U.S.-based recovery specialists who can run a customer through a real incident on any day of the year.

The point that matters here is operational. Buying a backup or recovery service in 2026 is also buying the security posture of the provider, and the two have stopped being separable.

Three Questions to Take Into Your Next Provider Conversation

Whether you are considering a new MSP or revisiting an existing relationship, three questions are worth asking directly.

If your environment were compromised tomorrow, what is the documented blast radius into ours, and how would we know within the first hour?

Where does the recovery copy of our data live, who has access to it, and would a single compromised credential at your end reach both the production copy and the recovery copy?

Walk us through the last multi-customer incident you simulated. What did you find, what did you change, and how recent was the exercise?

The MSP relationship is now a security relationship. The providers worth keeping in 2026 are the ones who can answer those questions without needing time to prepare.