Threat briefings, not statistical talks: ESET’s Cameron Tousley and Pedro Kertzman on making CTI work for MSPs

Cameron Tousley, director of MSP channels for ESET North America For most MSPs, the quarterly client conversation looks something like this: here are the alerts we handled, here is your uptime number, here is a dashboard of things we blocked. Useful, certainly – but not exactly the stuff of trusted advisor relationships. Cameron Tousley, director of MSP channels for ESET North America, has a phrase for the upgrade: move from statistical talks to threat briefings. In this episode of In The Channel , he and Pedro Kertzman, threat intelligence specialist at ESET, join host Robert Dutt to explain what that actually looks like in practice – and why the window for MSPs to make that transition may be narrowing. Pedro Kertzman, threat intelligence specialist at ESET The occasion is ESET’s eCrime Reports , a threat intelligence offering that tracks cybercriminal activity at the affiliate level – the individuals buying malware-as-a-service and executing the actual attacks. Kertzman explains why that granularity matters: affiliates signal tactical shifts before attacks scale, giving security-forward MSPs a genuine early-warning advantage. Tousley adds the client conversation layer: knowing that a specific threat group is targeting your customer’s vertical via a specific attack method is a meaningfully different conversation than “we blocked 4,000 threats this month.” There’s also an uncomfortable wrinkle for MSPs specifically: as Pedro notes, affiliates increasingly exploit MSP tooling itself as a vector – compromising credentials to access managed environments quietly, hitting dozens of small clients while staying well below the radar of law enforcement attention focused on high-profile infrastructure targets. For the smaller MSP without a dedicated analyst, the entry point is more accessible than it sounds. Indicators of compromise can be automated directly into client firewalls without a full threat intelligence platform. WeLiveSecurity and the live threat feed built into ESET Protect offer a low-barrier starting point for shops that are earlier in their security maturity journey. Tousley’s closing frame is the one worth sitting with: the Canadian MSP market is being reshaped by consolidation at a pace that isn’t slowing. The independents that survive will be the ones having more sophisticated conversations with their clients. Evolve or sell. Read Full Transcript Robert Dutt: Hello and welcome to In The Channel from ChannelBuzz.ca, bringing news and information to the Canadian IT channel community for the last 16 years. I’m Robert Dutt, editor of ChannelBuzz.ca, and your host for the show. Cyber Threat Intelligence, CTI, has long been framed as an enterprise discipline. Dedicated team, security operations center, analysts who live in the data. But the threat landscape doesn’t really respect that boundary anymore. The tooling is getting more accessible, the attacks are getting more targeted at smaller organizations, and as we’ve talked about on the show before, the MSP stack itself has become a threat vector. So the question for the typical Canadian MSP isn’t really “Is threat intelligence relevant to me?” It’s “What do I actually do with it?” To dig into that, I sat down with two people from ESET. Cameron Tousley is director of MSP channels for ESET North America, and he lives squarely in the business conversation around what MSPs need to grow and differentiate. Pedro Kertzman is ESET’s resident CTI subject matter expert, and I’ll note that Pedro usually sits on the other side of the interview chair as the host of his own podcast on threat intelligence. So this was a bit of a role reversal for him. We talked about ESET’s eCrime reports, the idea of tracking cyber criminal activity at the affiliate level rather than just the group level, what proactive threat intelligence actually looks like for a 15-person MSP shop, and what Cameron described as the “evolve or sell” reality facing the MSP market right now. Let’s get right into it. Cameron, Pedro, thanks for joining us. I appreciate it. Cameron Tousley: Thanks for having us. Pedro Kertzman: Great to be here. Robert Dutt: Before we get into what ESET is specifically bringing to market, Cameron, can you give our listeners a sense for where the threat intelligence conversation is right now in the channel? Is this still primarily an enterprise kind of discussion or has something really shifted in terms of how MSPs and MSSPs are thinking about and talking about CTI? Cameron Tousley: I think that the market is evolving as a whole, no matter if you’re in the SMB segment or enterprise. I mean, it’s evolving everywhere. The beautiful thing is technology is getting cheaper, it’s getting more accessible. People are able with the advent of AI to kind of do more with less staff and things like that, and then allow their staff to kind of become more specialized. Enter in the topic of CTI. I just think that there’s an appetite from certain, and probably more evolving larger MSPs, to start incorporating more for their clients. I think they’ve always probably wanted to educate them, but it’s always that, “Hey man, just make sure I have uptime and the help desk is active when I need it.” And that’s the conversation. Fast forward to now and it’s becoming a little bit more relevant to want to consume CTI. So I’ll kind of start there and I’ll take a pause. I don’t know if Pedro’s got any other comments on that. Pedro Kertzman: No, I 100% agree. I think the threat landscape now with the maturity of the CTI offerings, MSPs can see that the things they’re trying to protect their customers against are more clearly explained and delivered in a way that they can see through CTI offerings now. So I think it’s just a natural evolution within the cybersecurity space to start leveraging that expertise as well. Robert Dutt: Without getting too far into pure positioning, how would you characterize what differentiates your approach to threat intelligence, sort of at the methodology level? What’s the philosophy behind how you’re researching and tracking threats and what you’re bringing to market with this CTI package? Cameron Tousley: Yeah, I’d say first off, our reach. We’re a global company. We have a product line, yeah, but we have 11 threat intel centers and those are also R&D centers too. So it’s a wealth of knowledge. Then we have researchers outside of that that are just remote, and so our tentacles are everywhere and that means something for somebody choosing a cybersecurity vendor or a platform because our researchers, they’re looking at a bunch of different avenues. They’re looking at the major threat acting groups. We have an offering we’ll talk about here in a few minutes, that centers on tracking affiliates because malicious activity, malware-as-a-service, is just like MSPs provide a service. So if I’m an affiliate—and I’ll define that real quick, an affiliate being the people that are buying the malware service and then going and distributing it and causing zero-day attacks—those are affiliates. So the real key part is what they do, not necessarily always the major malware-as-a-service group because that’s just one large avenue, but then you can’t predict what your customers are going to go and do on the black market. So yeah, I think we have a really exciting offering on our threat intelligence called eCrime and it comes in a feed and reports and it’s amazing. It really centers on the affiliate level and that is going to help get the conversations to be more quality with customers. It’s going to help an MSP who provides more, let’s call it reactive security at best, generalized services—which no knock against them, that’s just the model—and that’s going to help propel them into the more proactive security and having more quality cybersecurity-forward conversations with their customers of all sizes. Robert Dutt: Let’s delve a little bit more into that. Can you walk me through a scenario, even hypothetical or composite, where that affiliate-level insight would practically change the outcome for an MSP or one of their customers? How does this show up for an MSP basically? Pedro Kertzman: Yeah. So basically, I’ll take a step back a little bit just to explain how this threat ecosystem works. So the affiliates will be the ones really on the end of the line bringing that malware they got from a quote-unquote threat actor market or affiliate programs, more technically speaking per se, but they will be the ones delivering or sending that payload forward to whatever companies that they are trying to attack. So knowing how these guys work is basically going to give the companies, and the MSPs of course working for their security, the ability to stop the attack in the early stages, because the affiliates will be the ones trying to break in, acquire through whatever methods—credentials stolen or compromised credentials. So they are responsible, quote-unquote, within these affiliate programs to get the foot inside the door. So if you’re knowledgeable about how they act, what kind of techniques they use to get that foot in, you’re basically stopping the attacks before they actually become super massive, widespread attacks or super dangerous attacks. It’s kind of the proactive security instead of the reactive security. Cameron Tousley: Yeah, that’s a good comment. And then I’ll just throw one more little thing on that. I was talking about the conversations you can have with your clients, everything Pedro said, plus it’s like, you could have a specific conversation about, “Hey, this is what we blocked this month, but these are the threat acting groups, and here are the patterns, here’s the kind of malware that’s out there right now. By the way, you’re in the healthcare vertical, this threat acting group is targeting healthcare and doing this specific type of attack—happens to be phishing or fileless or whatever the complex attack is.” So they got to get really granular in the conversation. It can’t just be a super high-level one, because then your user’s not going to know what to do with that information. But if you coach them on the end-of-the-line issue and where it’s sourcing from, to Pedro’s point, you get ahead of that attack early, you might even prevent stuff that would have normally been a real headache. Robert Dutt: And you need to position yourself at least somewhat as the hero in so much as you’re saying, “Here’s the people who are attacking you, here’s what they’re doing, here’s what we’re doing proactively to counter that.” Cameron Tousley: Absolutely. Yeah, that’s a huge value to your end customer. The one that normally would have not cared about security and it’s more of an annoyance, now they’re paranoid about it, just like the MSP, just like the vendors, we’re all trying to get ahead of it. So I think that that provides a lot of value, and the average MSP is probably not going to do that. So you don’t necessarily have to go spend a ton of money, you just have to consume the information that’s out there maybe for free, and then maybe some of the paid services like the eCrime reports without buying our full threat intelligence platform, you can just do that. And that is like a huge value on its own to track exactly what we’re talking about right now. Robert Dutt: So taking a step back, I think some of this certainly informs and colors the question we go to ask, but I’m a 15-person MSP somewhere. I’ve got solid endpoint protection, an RMM stack I like, maybe managed SOC coverage, that kind of model. What’s the case, in addition to what we’ve already discussed, for why threat intelligence should be on my radar as a distinct capability I need to think about, bring to my customers and offer? Pedro Kertzman: Yeah, I think especially because again, talking specifically about the eCrime reports, we’re talking about the ones that are really perpetrating the attacks or executing the attacks. When you understand how your adversaries really act, you don’t need to always rely on the expertise of a super senior CTI analyst. There are ways that also, depending on your vendor, you can automate the expertise to just be pumping, let’s say, IOCs or IP addresses into your existing end users’ firewalls. If you manage a bunch of other firewalls for your end users, you can pump that eCrime knowledge into those firewalls in the form of IP addresses, domains, and things like that. But understanding that it’s going to be a proactive approach so they don’t get a foot in the door first, it’s kind of that decision beforehand that will give the MSPs, or MSSPs with 15 or so employees, that kind of extra leverage against those frontline attackers. Robert Dutt: I’m really interested in the idea of using intelligence and these eCrime reports as a client-facing tool, not just something that’s consumed internally, especially for that smaller MSP—something that you’re using in your QBR or whatever business review you have with customers to show your value. I’m curious, is that something you’re seeing happening today or is it a realistic use case, or is it a stretch for most MSPs right now? Cameron Tousley: I think it’s realistic. Now, let’s set the tone here. An MSP, they may not have the budget nor the expertise nor the staff to be buying a full-blown threat intelligence offering even like ours, but they can use certain parts of it like the eCrime reports. So that’s a good jumping-in point for the MSPs that are growing, or if you have 15 people on staff and there’s a good deal of them on the technical side, you may want to run your SOC in-house. Maybe that’s something you want to do. I think for them, the maturing MSP and definitely the MSSP, a threat intelligence offering is something that you will probably want to consume if you’re doing everything in-house. Now, I think there’s an argument for even if you’re going to go out-of-house and use the vendor, I still think there are free sources. We have customers that are using free platforms but running a paid feed through it. This is really dynamic. It’s flexible. It can fit to every different audience for the most part, except for the ones who are just not staffed for it and they’re probably outsourcing everything and they just don’t want to do it. They know that they are never going to be able to staff a 24×7 team and they’re also never going to be able to consume as much information as is coming in. But there are also other free resources, like I said, associated with our threat intelligence platform, like the eCrime reports, but there’s white papers that we produce. There are periodic threat reports. We do all kinds of analysis. And then on our welivesecurity.com blog, we publish all kinds of free information. And the really cool thing for existing ESET customers is through our ESET security platform, ESET Protect, we run a live feed through there and it shows you like, “Hey, here’s the latest news on WeLiveSecurity. Here is something you need to be aware of, there’s a vulnerability in the wild.” So we run some of the security stuff and this news right through a window inside of our platform, which I think is really big value added. Pedro Kertzman: Awesome. Yeah, I would add, if I can, Rob, we do have monthly digests as well on the CTI offerings, even for not super deep-down technical people. Let’s say more executives or CSMs, let’s say account managers on the MSSP or MSP side. It’s kind of an executive-ready type of report. So it’s more about the threat landscape overview. I think it helps them show that they are expanding their offerings on the security side and they’re knowledgeable about it as well. Again, doesn’t need to go in the nitty-gritty like in the weeds of IOCs and all that, but understanding, for example, that now the ecosystem on the other side is somebody providing the malware, somebody going and executing it. So just to show how they see these movements, I think it’s sometimes important enough to show that they are expanding their coverage for their end users. Robert Dutt: The reports, the eCrime reports, have been in the market about a month now, I guess. I’m curious what you’re actually hearing from MSPs and MSSPs as they’re digging

You can listen to Threat briefings, not statistical talks: ESET’s Cameron Tousley and Pedro Kertzman on making CTI work for MSPs online on Radio and Podcast. Open the player on this page to stream the available audio.

Threat briefings, not statistical talks: ESET’s Cameron Tousley and Pedro Kertzman on making CTI work for MSPs is an episode from ChannelBuzz.ca by ChannelBuzz.ca.

This episode is 30:12 long.

This episode was published on May 14, 2026.

Yes. Use the heart button on the episode page to add it to your favorite episodes list.

Yes. This page shows related episodes from ChannelBuzz.ca when more episodes are available from the podcast feed.