#CyberWeekly

The MSP audit-prep loop is end-to-end: a self-resetting /demo to show your clients, an integration marketplace that lights up what they already run, a sharper audit-readiness page that tells you the next click in plain English, and a recalibrated 5-tier MSP price with a new Studio tier for the 50-99 client middle band.

• Audit-readiness cockpit: per-failure-mode CTAs that open the right modal pre-filled, a Top-5 Quickwins panel showing the highest-lift fixes ranked by points-to-green, per-control AI action hints in plain English, and a bulk doc-to-control linker so a stack of policies maps to controls in one pass
• Integration marketplace: a single page that auto-detects what your client already runs (M365, EDR, Aikido, Google Workspace, NinjaOne Backup) and lights up the matching adapter. Two new adapters this week: Google Workspace and NinjaOne Backup
• Self-resetting /demo: one click into a fully populated MSP profile with mock connectors, click around for real, resets every night. Use it on a partner call without burning your own org
• 5-tier MSP pricing (recalibrated based on MSP feedback this week): Starter 399 euro one-off setup with no monthly base for solo consultants and vCISOs under 10 clients. Practice 499 euro/month (10-49 clients). Studio 999 euro/month (50-99 clients, new mid-tier). Firm 1,999 euro/month (100-999 clients). Enterprise off the public table. Per-client brackets uniform: S 75 euro, M 250 euro, L 750 euro

The throughline since the MSP pivot: the partner does not want a compliance product, they want a way to look ready for the audit on Monday. Kick the tyres at /demo.

SafePay added ETTP, a Belgian technology-consulting and training firm, to its leak site on May 6 — the fourth named Belgian victim in five weeks (Fountain, Anderlues, Van Heyghen + ISoSL, now ETTP). Different gangs each week, same target profile.

• SafePay's stated target: small and mid-sized businesses, MSPs, and organisations with downstream partner networks across the US and Western Europe. 400+ claimed victims since September 2024
• The MSP multiplier: a compromised MSP cascades into every client whose remote-access tunnel terminates back at it. Segmented PSA/RMM access and aggressive credential rotation on integration accounts are the table stakes
• The cadence is now weekly. Belgian SMEs and regional gemeentes are the 2026 sweet spot, not the exception

If you run an MSP: assume the question is when, not if. Our ransomware basics and incident response guides cover the defensive baseline.

Belgium's Centre for Cybersecurity issued a fresh "patch immediately" advisory every weekday from May 4 to May 7. Four products, four critical-class flaws, three already exploited or trivially exploitable pre-authentication.

• MOVEit Automation — CVE-2026-4670 (CVSS 9.8): auth bypass → admin on the file-transfer scheduler. Same product family as the Clop campaign of 2023. 1,400+ instances exposed on the public internet
• Ivanti EPMM — authenticated RCE, actively exploited: on-prem MDM. Used in the wild for web-shell drops, reverse shells, persistent backdoors
• n8n + Apache HTTP Server: critical RCE on the workflow-automation platform many MSPs use to glue PSA + ticketing + monitoring, and on the world's most-deployed web server

Priority for MSPs: MOVEit and Ivanti EPMM first. Our patch-management guide covers the cadence — the harder discipline is proving the patch happened, which is what an evidence-linked control is built for.

On May 5, the Centre for Cybersecurity Belgium published a practical Network Device Logging Recommendations guide — exactly what switches, routers, firewalls and load balancers should log, where the logs should go, and how long to keep them. The control that quietly fails most CyFun and NIS2 audits just got a free playbook.

• What it covers: interface state, ACL hits, config changes, auth events, route changes, plus the syslog/SNMP plumbing. Maps directly to multiple CyFun PR.PT and DE.CM controls
• Why it matters now: post-April-18, audits begin. Either the device is configured to log or it is not, and the gap is visible in two minutes. Most SMBs have firewall logs but nothing on switches or routers
• How to use it: walk the document once per device class (one core switch, one access switch, one firewall), capture the running-config diff as evidence. The auditor sees a representative pattern, not a marathon

Belgian SMBs over-invest in the loud controls (MFA, EDR) and skip the quiet ones (logging, config hygiene). One quiet hour. Pair with our 8-week audit-preparation guide.