Selling a Cybersecurity Business

Based on hundreds of real buyer-seller diligence conversations we’ve helped happen on Rejigg. These are the cybersecurity questions that move price and terms because they tell a buyer whether your SOC coverage, contracts, and tool access will stay stable on Day 1 after close.


What buyers ask and how to be ready

Each topic below comes from real buyer-seller conversations. Here's what they ask, what they're really evaluating, and how to prepare.

SOC Coverage

Which customers rely on you for 24/7 coverage, and what are the service promises?

Buyers want to know if you can handle a 2:00 a.m. incident without one exhausted hero holding the whole thing together. They’re looking for real shift coverage, a clear escalation path, and proof your staffing can meet the response times you’ve promised in customer contracts.

How to prepare

  • Document your on-call rotation, shift coverage, and escalation path with named roles
  • Pull response commitments from contracts and map them to actual shift staffing
  • Show how you handle two high-severity incidents at once, including who can approve containment
  • Write down your plan for vacations, sick time, and surge events

Great Answer

About 70% of revenue includes 24/7 coverage with a 15-minute acknowledgment for critical alerts. We run a weekly on-call rotation with two tiers, plus an escalation manager who can approve containment if Tier 1 is tied up. We track pages per shift and backlog weekly, and we use surge playbooks for major vulnerabilities so we don’t miss SLA clocks.

Okay

We have an on-call rotation, and we generally hit response times, but we haven’t mapped each contract’s commitments to staffing by shift in a buyer-ready way.

Gives Pause

Our lead analyst keeps their phone on all the time and we figure it out. The contract says “best effort,” so it’s fine.

How Rejigg helps: Rejigg gives you a secure data room to share your coverage model, on-call schedule, and contract service promises without endless email threads.

Key People

Who are the key people the customer trusts, and why would they stay?

In cybersecurity, client trust often sits with the people who answer the phone during an incident. Buyers are trying to understand whether relationships, decision-making, and technical context live in the business or live in one or two people who could walk after close.

How to prepare

  • Map each top customer to the real relationships: account owner, escalation lead, and executive sponsor
  • Name backups for incident escalation, detection ownership, and tool administration
  • Move incident knowledge out of Slack and into runbooks used during live events
  • Build a retention plan for key staff, including market pay fixes where needed

Great Answer

For our top 15 accounts, clients know the account owner and the SOC escalation lead, not just me. Every critical client has a named backup and a client-specific runbook the team uses during incidents. We did a comp review last quarter, fixed two senior roles that were below market, and we can show who owns detections, response, and client comms today.

Okay

We know who the key people are, and we think they’ll stay, but backups and runbooks aren’t fully standardized across clients yet.

Gives Pause

Clients mostly call me because I’m the technical voice. If something happens, I jump in.

How Rejigg helps: Rejigg’s deal workspace lets you share org charts, role ownership, and runbook libraries in stages so buyers can evaluate transferability without getting everything on day one.

Revenue Quality

What exactly are you selling: MSSP, MDR (Managed Detection and Response), projects, or resale?

Buyers split your revenue into “repeatable and contracted” versus “one-off and easy to lose.” They also want to see whether margins come from your service delivery or from pass-through tools that can get repriced by a vendor or renegotiated by a customer.

How to prepare

  • Break revenue into managed services, one-time projects, and pass-through licenses or hardware
  • Show gross margin by bucket and explain what’s normal for your model
  • List your core offers in plain language and identify your most repeatable offer
  • Call out bundled invoices and explain what portion is tool cost versus service margin

Great Answer

Last year was 62% MDR retainers, 21% compliance and assessment projects, and 17% pass-through licensing we bundle for convenience. Managed services run at about 48% gross margin, projects are lumpier but higher margin, and pass-through sits in its own bucket with low margin by design. We can show this by customer and by month so you can see what’s truly recurring.

Okay

Most of our revenue is recurring managed services, but our reporting doesn’t cleanly separate pass-through tool fees from service fees yet.

Gives Pause

It’s all cybersecurity services. We just invoice what the client wants and keep it simple.

How Rejigg helps: Rejigg’s QuickBooks integration helps you import financials and build a buyer-friendly revenue breakdown in the data room without rebuilding everything in spreadsheets.

Contract Risk

Are SLAs and liability terms a hidden bomb in your MSAs?

Cybersecurity contracts can create real downside that never shows up on the P&L until a bad day. Buyers are looking for response promises you can’t staff, service credits that can stack, and liability language that could turn a single incident into a big financial hit.

How to prepare

  • Gather your standard MSA and statement of work templates, plus the top negotiated exceptions
  • Summarize response commitments, service credits paid historically, and how you prevent scope creep
  • Flag contracts with unusual liability, audit rights, breach notice obligations, or aggressive SLAs
  • Quantify revenue under non-standard terms so buyers can size the exposure

Great Answer

We use one standard MSA for about 80% of clients with a clear limitation of liability and defined response commitments. Three enterprise clients negotiated service credits and tighter SLAs, and they represent 14% of revenue. We can show the exact clauses, the operational playbook we use to meet them, and we’ve only paid service credits once in the past 24 months, with the cause and fix documented.

Okay

We have templates, and we know a few clients have special terms, but we haven’t summarized the sharp edges and revenue exposure in one place yet.

Gives Pause

We’ve never had a problem with contracts. They’re pretty standard. I’m not sure what the SLAs say exactly.

How Rejigg helps: Rejigg’s built-in data room lets you share contract templates and exceptions safely under NDA and control which buyers see sensitive terms and when.

Incident History

What’s your incident history, and what did you learn from it?

Security firms get targeted, so buyers won’t panic just because you have an incident story. They’re testing whether you disclose cleanly, whether any clients were impacted, and whether you fixed root causes in a way that reduces the chance of a repeat.

How to prepare

  • Write a plain-language timeline for any material incidents, including impact, investigation, and remediation
  • Document customer communication templates and who leads client updates during an incident
  • List the control changes you made afterward with owners and dates
  • Be ready to explain how you’d detect and investigate an internal compromise

Great Answer

We had one internal security event 18 months ago involving a compromised admin credential. We contained it the same day, confirmed no customer environments were accessed, and documented the investigation with third-party support. Afterward, we enforced hardware-based multi-factor authentication for admin accounts, tightened log retention, and changed our privilege model. We can share the timeline and the post-incident control checklist we run quarterly.

Okay

We’ve helped a couple customers through incidents, and we haven’t had a major internal event, but our documentation is more narrative than a clean timeline with owners and dates.

Gives Pause

No incidents. We’re a security company, so that doesn’t happen here.

How Rejigg helps: Rejigg helps you store incident timelines and remediation evidence in one place so you answer consistently instead of improvising on every call.

Tooling Control

Do you control the tool stack, or are you reselling someone else’s permissions?

Tool access and contract assignability kill cyber deals quietly. Buyers need confidence that they will keep admin control of tenants, logs, integrations, and billing after close and that partner pricing will not disappear the moment ownership changes.

How to prepare

  • List core tools, contracting entities, and whether agreements transfer on a change of control
  • Document provisioning and administration, including shared versus per-client setups
  • Call out partner tiers, special pricing, and which people or certifications keep them active
  • Quantify where tooling margin meaningfully supports services margin

Great Answer

Our SIEM, endpoint, and ticketing tools are contracted under the company entity, with admin access held by two platform admins and reviewed quarterly. About 85% of clients are on the standard stack in a multi-tenant setup with tenant separation, and exceptions are documented with the reason. We confirmed with our two largest vendors that contracts are assignable, and we can show what partner pricing depends on so there are no surprises post-close.

Okay

We have a standard stack, and we manage most tenants centrally, but we haven’t checked assignment language and partner repricing risk across every key vendor agreement.

Gives Pause

Tools are in vendor portals, and a couple accounts are under my email from when we set them up. We can sort it out later.

How Rejigg helps: Rejigg lets you share vendor agreements, partner terms, and tooling diagrams under NDA while keeping sensitive access details out of email.

Compliance Gates

If you do cleared or regulated work, what exactly makes it performable after close?

With cleared or regulated cyber work, the risk is a pause in billable work after a change of control. Buyers are checking what approvals get triggered, whether clearance coverage stays intact, and whether eligibility advantages can disappear immediately at close.

How to prepare

  • Identify contracts gated by clearance or eligibility requirements and quantify revenue tied to them
  • Name who owns security officer responsibilities and document a real backup
  • List cleared headcount by role and the impact if a key cleared person leaves
  • Write down change-of-control steps and realistic timelines you’ve experienced

Great Answer

Two contracts require facility clearance coverage and represent 28% of revenue. Security officer responsibilities sit with a named employee, and we have a trained backup. We have seven cleared staff who can perform the work today, and we mapped which tasks are restricted so we don’t break requirements during transition. We can walk you through the change-of-control plan and the timeline assumptions we’ve seen in practice.

Okay

We have some cleared and regulated work, and we know it affects timelines, but we haven’t packaged the contract-by-contract gating details and continuity plan for a buyer.

Gives Pause

We do some government work, but it should transfer. I’m not sure what approvals are needed.

How Rejigg helps: Rejigg’s process and data room help you present clearance and eligibility constraints clearly so qualified buyers can underwrite timeline risk without guessing.

Delivery Proof

How do you prove detection quality beyond ‘we’re good at security’?

Two cyber firms can look similar financially but feel very different operationally. Buyers want proof you run the SOC with discipline, including how you tune detections, manage cases, escalate, and turn incidents into measurable improvements.

How to prepare

  • Build a sanitized monthly ops review with a few metrics you actually use
  • Summarize common alert and incident types and how you reduce noisy detections
  • Document who owns detection engineering and how improvements get shipped after incidents
  • Prepare a clear explanation of your severity model and containment decision process

Great Answer

We review SOC operations monthly and track alert volume trends, investigation backlog, and time to acknowledge for critical cases. We also track what percentage of investigations become confirmed incidents so we can see whether tuning is improving. After each high-severity incident, we do a short post-incident review, assign owners to rule changes, and we can show examples of what changed and why.

Okay

We can talk through outcomes and typical response timelines, but we don’t have a consistent monthly review pack that’s ready to share.

Gives Pause

Our analysts are talented. Customers like us. We don’t track metrics because every incident is different.

How Rejigg helps: Rejigg helps you organize and share sanitized SOC proof points with serious buyers under NDA without exposing client-sensitive details.

Growth Engine

Where does new business really come from: referrals, channels, compliance deadlines, or incidents?

Buyers want to know if growth survives when the founder is less involved. Referral-heavy can work well in cybersecurity, but it underwrites differently depending on whether referrals come from consistent delivery, a real partner channel, or the founder’s personal reputation.

How to prepare

  • Break down leads by source and summarize the last 10 wins with what they replaced
  • Define your easiest-to-deliver offers that avoid custom contract exceptions
  • Document typical deal size, sales cycle length, and why clients cancel or don’t renew
  • Show how customer relationships are handled when the founder is not on calls

Great Answer

About half our wins come from referrals, a quarter from two channel partners, and the rest from compliance-driven inbound. We can walk through the last 10 deals, what each customer bought, what they replaced, and the typical 45–60-day sales cycle. The cleanest offer is our MDR package plus an incident response retainer, and onboarding is standardized so it doesn’t require our top engineer every time.

Okay

We grow mostly through referrals and some partners, and we have a sense of deal size and cycle, but we haven’t summarized wins and lead sources in a buyer-ready way.

Gives Pause

Business comes from word of mouth. We don’t track it. It just happens.

How Rejigg helps: Rejigg connects you with pre-vetted buyers already looking for cybersecurity firms, so you can pressure-test your growth story in direct conversations.


Questions Cybersecurity Owners Ask Us

A cybersecurity services firm is usually valued on how durable the managed service revenue is and how transferable delivery looks without the founder. Buyers tend to pay more when MDR or MSSP revenue is under contract, gross margin is clear after tool costs, and the SOC runs on documented process. For a starting point, use Rejigg’s free valuation calculator, then pressure-test it against your revenue mix and customer concentration.

Add-backs are expenses you ran through the business that a buyer will not need after the sale, so they get added back to profit for valuation. In cybersecurity, common examples are an owner salary above market, one-time legal spend from a client dispute, or a non-recurring tool proof-of-concept. Buyers usually disagree with add-backs that will continue, like paying below market for senior on-call coverage. Rejigg’s QuickBooks import and data room make it easier to document add-backs with receipts and context.

Often yes, if the revenue is steady and a lender believes the business will survive a handoff. Contracted managed services, clean financials, and a realistic transition plan usually help. Lenders get cautious when revenue is mostly one-time projects, customer concentration is high, or delivery depends on one key engineer with admin access to everything. You can model payments and down payment scenarios with Rejigg’s SBA loan calculator before negotiating price and seller financing.

No. Brokers typically charge 5–10% of the sale price for a process you can run yourself with the right structure and tools. Rejigg gives you pre-vetted buyers, digital NDAs, direct messaging, a secure data room, and offer tracking, so you can run a clean process without a middleman. Start with the prepare-to-sell guide, then list once your diligence materials are organized.

Many deals close within a few months from the first serious call, but cybersecurity timelines can stretch when you have clearance approvals, heavily negotiated MSAs, or vendor contracts that are hard to assign. Faster processes usually come from having a ready data room, a clean recurring-versus-project revenue breakdown, and a credible Day 1 SOC coverage plan. Rejigg keeps diligence materials, buyer conversations, and next steps in one secure workspace so momentum doesn’t get lost.

An LOI is a short document that lays out the main deal terms before deep diligence, including price, how you get paid, the timeline, and key conditions. In cybersecurity, buyers often add conditions tied to customer contract review, vendor agreement assignment, incident disclosures, and key employee retention. Push for LOI language that matches how your SOC and vendor stack actually work, so you do less renegotiating later. Rejigg’s negotiation guide covers what to lock down early.

Working capital is the cash the business needs to cover day-to-day timing gaps, like payroll and vendor bills before customers pay invoices. In an MSSP, it depends a lot on billing terms, annual prepayments, and when tool vendors draft payments. Buyers often expect a “normal” level of working capital to stay in the business at close so service does not wobble. A practical approach is to calculate a baseline from the last 12 months and agree on it in the LOI, with support in Rejigg’s data room.

Buyers will discount your value if they think margins rely on fragile partner tiers or discounts that can vanish after a change of control. You can reduce that discount by showing what pricing is locked in contractually, how you’ve handled vendor increases in the past, and whether tooling costs are separated cleanly from service fees. If customer contracts allow you to pass through vendor price changes, pull those clauses and highlight them. Rejigg’s data room is a clean place to store vendor agreements and partner program terms under NDA.

An earnout pays part of the price later if the business hits targets, usually revenue or profit. In cybersecurity, earnouts can get messy because results swing with incident volume, tooling migrations, and integration decisions that the buyer controls. If you consider one, get specific about what revenue counts, how pass-through tools are treated, and what happens if the buyer changes pricing or delivery. Rejigg’s offer comparison dashboard helps you line up earnout terms side-by-side instead of guessing.

Start with what you actually get at closing, then compare the risk in the rest of the structure. Look at seller financing requirements, how earnouts are measured, what has to happen for holdbacks to get released, and how long you’re expected to stay involved. In cybersecurity, also weigh who is most credible on Day 1 tool admin control, SOC continuity, and key staff retention. Rejigg’s deal tracking and offer comparison view puts terms next to each other so details don’t get lost across calls and email.

Most buyers want financial statements, a clear revenue breakdown (managed services, projects, pass-through), customer contracts with renewal terms, vendor agreements for your security stack, and an org chart that shows who owns detection engineering, incident response, and platform admin. Expect requests for incident history timelines, examples of SOC reporting you share with clients, and any requirements tied to cleared or regulated work. Rejigg includes a secure built-in data room so you can control access by buyer and by stage instead of emailing attachments.

A non-compete limits your ability to start or join a competing firm for a set time period. In cybersecurity, buyers often care more about client solicitation and employee poaching than about you working “somewhere in the same city,” since work is often remote. What’s reasonable depends on what you sold, what your role is after close, and how client relationships are structured. Get the scope written clearly so you avoid a vague dispute later. Rejigg’s deal negotiation guide covers the trade-offs.

Yes, but buyers will treat month-to-month as higher churn risk and often ask for protection in the structure, like holdbacks, seller financing, or an earnout. You can still build confidence with long customer tenure, evidence clients renew after QBRs (Quarterly Business Reviews), and sticky integrations like managed endpoint and identity monitoring. If you try to push annual terms right before a sale, do it carefully so it does not feel forced to customers. Rejigg can help you present tenure and renewal patterns clearly in your listing and data room.

Most sellers share anonymized customer details early, then disclose names only once a buyer is serious and under NDA. In cybersecurity, you also need to avoid sharing anything that exposes client environments, log data, detection logic, or access methods during marketing. Rejigg supports this with pre-vetted buyers, digital NDAs before sensitive materials are unlocked, and staged access inside the data room so you control exactly what each buyer can see and when.

Expect buyers to probe whether the SOC works in real life, not just on paper. They usually dig into on-call coverage, who approves containment actions, what your contracts promise during an incident, whether vendor agreements and admin access transfer cleanly, and what your incident history looks like. They will also test whether clients trust the company or one person. Sellers who do well come with specific numbers, named owners, and documents ready to share. Rejigg keeps those materials organized and easy to permission under NDA.

Taxes depend on how the deal is structured, such as selling the company itself versus selling the assets, and how the purchase price gets allocated. Cybersecurity firms often have value tied up in customer contracts, configured tooling, and goodwill, which can affect the allocation discussion. A tax advisor should model outcomes early so you understand what you keep after tax, not just the headline price. Rejigg helps on the process side by keeping offers, deal structures, and key terms organized while you and your advisors evaluate scenarios.

Seller financing means you get part of the price over time, like you’re lending money to the buyer. In cybersecurity, it shows up more when revenue is month-to-month, customer concentration is high, or the buyer wants proof the SOC and tool access will stay stable after close. If you agree to it, negotiate the interest rate, repayment schedule, and what happens in a default. Rejigg’s offer comparison tools help you see the real risk-adjusted value of financing-heavy offers, not just the top-line number.

Most buyers want you around long enough to reassure customers and stabilize operations through at least the first real incident after close. For an MSSP or MDR provider, a good transition plan covers escalation coverage, tool admin handoff, customer communication ownership, and recurring reporting like QBRs. A clear plan often improves buyer confidence and can protect price. Rejigg’s transition planning guide helps you map the first 30–90 days.