INNOVEXUS
Solution · MSP PAM

PAM for MSPs, under $500/month. Per-client pod isolation. Real audit. No enterprise quote.

Most MSPs serving small and mid-market clients can't afford enterprise PAM contracts — and shouldn't. CyberArk and BeyondTrust price for hundred-million-dollar MSPs, not for a 5-engineer team running 20 client networks. Innovexus is built for that scale: per-tenant dedicated pods give each client genuine isolation, the price stays under $500/month at the Professional tier, and the audit trail is auditor-ready for client compliance reviews.

§ 01 / The problem

MSP PAM economics have always been broken.

MSPs serving SMB and mid-market clients face a structural problem: enterprise PAM is priced for the customer's spend, not the MSP's margin. The economics force compromises that hurt clients and the MSP.

/ 01

Per-client PAM is unaffordable.

CyberArk or BeyondTrust at $30K+/yr per client deployment is impossible at MSP margins. The math doesn't work for clients paying $5K–$30K/yr for managed services. Most MSPs end up using shared internal credentials across clients — a compliance disaster the moment one client is audited.

/ 02

Multi-tenant SaaS PAM mixes client data.

Some MSP-edition PAM products use shared infrastructure with logical tenant separation. For regulated clients (healthcare, finance, government-adjacent), this is an audit problem — clients want to know their credentials live on isolated infrastructure, not in a shared vault that other MSP customers can access if a tenancy boundary fails.

/ 03

Engineer churn breaks credential hygiene.

Most MSPs have engineers come and go every 12–18 months. Without a real PAM tool, departing engineers retain knowledge of client credentials in personal notes, password managers, and memory. The cleanup is manual and rarely complete.

/ 04

Client audits ask the wrong questions for the MSP's tooling.

When a client passes through a SOC 2 audit, the auditor asks "how does your MSP attribute privileged access into your environment?" — a question the MSP's spreadsheet-and-1Password setup cannot answer. The MSP loses the engagement or scrambles for emergency tooling.

§ 02 / How Innovexus solves it

One pod per client. Sized for MSP economics.

Innovexus's per-tenant pod model fits MSPs naturally: each client gets a dedicated pod with isolated credentials, isolated audit, isolated infrastructure. The MSP licenses one Innovexus subscription per client (typically Operations $199/mo or Professional $499/mo depending on client size). Each pod's audit trail stays with the client — when the engagement ends, the client retains evidence; when a new engagement starts, the pod starts clean.

/ 01

Dedicated pod per client

Each MSP client gets a separate per-tenant pod with isolated compute, vault, and audit infrastructure. No shared storage, no logical-only tenancy boundaries, no risk of cross-client data exposure. Clients in regulated sectors get audit-ready isolation evidence on day one.

/ 02

Pricing that fits MSP margins

Operations tier $199/mo covers up to 10 devices, which suits SMB clients. Professional tier $499/mo covers up to 50 devices and adds an on-prem option, enough for most mid-market clients. Enterprise tier $999/mo covers up to 250 devices for the larger ones. MSPs typically blend tiers across the client portfolio.

/ 03

MSP-engineer attribution across all clients

MSP engineers carry one set of FIDO2 hardware keys. Per-client pods authorise the engineer's identity for the assets they're permitted to reach. The MSP's engineer roster is centrally managed; per-client access scopes are enforced at the pod. One engineer offboard removes access across every client pod simultaneously.

/ 04

Client-handover-clean audit trail

When the MSP engagement ends, the client receives the full audit trail for the engagement period — every session, every credential access, every config change. The pod can be transferred to the client's direct ownership or decommissioned. The handover is itself an audit artefact for the client's SOC 2 / ISO 27001 review.

/ 05

Bundled NOC + SOC alongside PAM

Each client pod includes the NOC and SOC workspaces alongside PAM. For MSPs that also provide network monitoring or security operations, this consolidates three vendor relationships into one. The MSP's service offering tightens; the client's vendor count shrinks.

§ 03 / How it works in practice

MSP setup, in plain language.

Most MSPs onboard their first 5 clients within the first month. Here's the actual sequence and where the operational discipline matters.

  1. Choose tier per client

    Inventory each client's device count and feature needs. Most SMB clients fit Operations tier ($199/mo, ≤10 devices). Mid-market clients fit Professional ($499/mo, ≤50 devices, on-prem available). The MSP's billing per client typically marks up the Innovexus tier by 1.5–3× depending on the bundled service.

  2. Provision per-client pods

    Each client gets their own pod, provisioned in the MSP's account. Pods are administratively separated — engineer access is granted per-client based on the engagement scope. The MSP can manage 5 or 50 client pods from one engineer console.

  3. MSP engineer onboarding

    MSP engineers receive FIDO2 hardware keys (YubiKeys typically) at hire. Their identity is enrolled once in the MSP's identity provider, then mapped to per-client pods based on the engagement assignment. New client signed = engineer added to that pod's access scope; engineer departs = access removed across every pod simultaneously.

  4. Client onboarding workflow

    For each new client, vault their device credentials, configure baseline collection on their network gear, set drift alert thresholds appropriate to the client's change cadence. Most client onboardings take 2–4 hours of engineer time; some need a week for larger fleets.

  5. Audit handover at engagement end

    When an MSP engagement ends, the per-client audit trail belongs to the client. Export the full audit bundle, transfer pod ownership to the client (or decommission). The handover is documented and itself an audit artefact for both parties.

§ 04 / Other approaches, honestly

How this compares to other approaches.

MSP PAM has a few common patterns. Honest read on each.

BeyondTrust PRA / Bomgar for MSPs
Industry-standard, expensive

BeyondTrust PRA is widely used by MSPs for privileged remote access into client environments. Capability is strong, especially for vendor-style remote support. Trade-offs: enterprise pricing typically lands at $20K+/yr starting; multi-year contracts; built primarily for the larger end of the MSP market. Best fit at MSPs with 50+ clients and the budget for enterprise PAM tooling.

Delinea / ManageEngine MSP editions
Multi-tenant, scales further

Delinea (Secret Server MSP edition) and ManageEngine PAM360 MSP edition use shared-infrastructure multi-tenancy with logical client separation. They scale to MSPs serving hundreds of clients more efficiently than per-tenant pod models. Trade-offs: shared infrastructure is harder to evidence to regulated clients; pricing varies. Better fit at very large MSPs (200+ clients) where per-tenant pods become operationally heavy.

Shared 1Password / Bitwarden vault
What most small MSPs actually use

A shared password manager with team folders per client. Free or cheap, fast to set up. Trade-offs: no session recording, no automated rotation, weak attribution, no client-owned audit trail at engagement end. Compliance review by any client of any sophistication finds gaps immediately. Works for small MSPs with low-compliance clients; doesn't scale to regulated clients.

Connectwise / Kaseya / Datto PAM modules
Bundled with RMM

Some RMM platforms include credential vaulting. Capability is limited compared to dedicated PAM tools. Convenient if the MSP already runs the RMM. Trade-offs: no dedicated session recording, weaker audit trail, multi-tenant with logical separation. Acceptable for low-stakes engagements; insufficient for regulated client work.

Solution · MSP PAM · FAQ

Common questions

Direct answers — written so each passage stands alone for AI-engine citation.

01

How many clients can one MSP manage on Innovexus?

Operationally, the per-tenant pod model is clean up to ~50 client pods managed by one MSP. Above 50, the operational overhead of pod-by-pod administration starts to compete with shared-infrastructure MSP editions of Delinea or ManageEngine. Most MSPs in our customer base run 5–30 client pods. We have a few running 40–50 efficiently. If you're running 100+ clients today, BeyondTrust or Delinea's MSP editions are likely the better operational fit and we'll say so on a discovery call.

02

Can MSP engineers manage credentials across all client pods from one console?

Yes. The MSP carries one engineer identity (one FIDO2 hardware key) that authorises across every pod the engineer is assigned to. The console shows all assigned client pods with per-client device discovery, session brokering, and audit. There is no per-pod login dance — the hardware key authenticates once and the role policy at each pod controls access scope.

03

How does pricing scale for an MSP serving 20 clients?

Twenty clients on a mix of tiers (say 12 SMB on Operations $199/mo, 8 mid-market on Professional $499/mo) totals roughly $2,400 + $4,000 = $6,400/mo or $76,800/yr in Innovexus licensing. The MSP's blended cost per client is under $400/mo. For comparison, a single CyberArk MSP deployment for one similar-sized client typically runs $30K+/yr — meaning Innovexus across all 20 clients costs less than CyberArk for two-and-a-half clients.

04

What happens to the audit trail when a client engagement ends?

The audit trail belongs to the client, not the MSP. At engagement end, the MSP runs a documented handover: full audit export delivered to the client, pod transferred to the client's direct billing or decommissioned per the client's preference. The handover is itself an audit artefact (signed by the pod's identity key) that proves the engagement boundary cleanly. Both parties retain the export for their own records.

05

Can the MSP white-label Innovexus to clients?

White-labelling at the platform UI level is on the roadmap but not currently shipped. What we do support today: clients see a per-client subdomain at their pod, the MSP's name appears on engineer attribution in the audit trail, and the MSP's logo can be added to exported audit bundles. For full UI rebranding ("Innovexus" replaced with the MSP's product name), reach out — this is achievable on Enterprise tier with a custom engagement.

06

How does this handle clients who already have their own PAM?

Co-existence is fine. Many MSPs serve clients where the client owns their PAM (e.g., the client runs CyberArk for their internal team and the MSP needs privileged access into a subset of systems). The MSP's Innovexus pod handles MSP-engineer access; the client's PAM continues to handle their internal team. The boundary is clear: MSP audit trail in Innovexus, client audit trail in their tool, both can be reconciled for compliance reviews.

Stop doing PAM with a shared password manager. Per-client pods, MSP economics.

FROM $199 / MO · 5-DAY FREE TRIAL

Start with one client on the trial, see if the per-tenant pod model fits how your team actually works. Add more clients as you go; cancel anytime. No per-engineer lock-in, no enterprise contract.