The MSP That Asked the Right Question

A couple of weeks ago I had a call with Paul Cohen, the president of Reveal Technology, an MSP out of the Chicago suburbs. He wanted to talk about AI — but not in the way most people want to talk about AI.

He didn't ask me what tool to resell. If he had, I'd have ended the conversation pretty quickly.

What Paul actually asked was: how do I stay relevant to my clients when they're starting to ask me questions about AI and I'm not sure I have the answers yet?

That's the question that tells me someone gets it.

Software Became Free. Now What?

The price of off-the-shelf packaged software is dropping fast. I tend toward hyperbole, so I'll say it's heading asymptotically toward zero — but the direction is unmistakable. Products that used to cost thousands of dollars and take months to deploy? For an SMB, you can replicate a surprising amount of that with a Claude account and a weekend.

That's the backdrop to every conversation I'm having right now. The economics of selling technology shifted under people's feet, and a lot of them haven't looked down yet.

For MSPs specifically, the old model — I control your infrastructure, therefore you need me — is done. It's walking around, but it's done. The model that works is more like a Sherpa. You guide people through the process. You help them do things the right way. That's a harder sell for some folks because it requires you to actually know things and stay current, as opposed to sitting on a contract and hoping nobody asks questions.

Paul already understood this, which is why the call was worth having.

"Do I Need a Tool?"

Paul had clients coming to him asking some version of: should we be using AI? What are the guardrails? Do you have a policy template? Can you train our people not to leak data everywhere?

One client had locked everything down to a single GPT instance and blocked the rest. That's a reasonable first instinct, but there are a million AI tools out there and more showing up every week. You're not going to block them all. At some point, the only real option is to provide something better.

Paul also asked me what tools he should look at. I get this question constantly, and my answer is almost always the same: you don't need one.

Here's how I explain it. If someone walks up and asks "do I need a socket wrench?" — the answer is no, because the question itself proves you don't know what you're fixing. If you knew, you'd ask for the specific thing. "I have a car in pieces and I need to get the alternator bolts off" — now we're talking, and maybe you need a socket wrench, or maybe you need something else entirely.

When someone asks "which AI tool should I use," they haven't identified the problem yet. They're shopping for wrenches.

Paul had Claude Pro, ChatGPT, Microsoft Copilot deployed across clients, and Perplexity for research. He had plenty of tools. What he didn't have was a workflow.

We Built It Live

So I shared my screen and we just did it. Right there on the call.

Paul's clients mostly run CIS Controls v8.1 — it maps to NIST but it's more practical for SMBs. The CIS framework breaks things into tiers (IG1, IG2, IG3); most of his clients sit in the lower tier. His security baseline is MFA, conditional access, EDR, SIEM — pretty standard managed services stack. The stuff keeping him up at night: shadow AI everywhere, and the data leakage that comes with it.

I opened Claude and typed something close to: I'm an MSP serving SMBs, my clients use CIS security controls v8.1, I need an AI governance framework that includes a readiness assessment, a policy template, and a checklist. My clients' typical baseline is MFA, EDR, SIEM, conditional access.

We went back and forth with it a few times — refining the context, answering its follow-up questions, narrowing the scope. Within a few minutes it had laid out data classification levels, control mappings to NIST AI RMF 1.0 and 800-53, a maturity scoring model, and a phased rollout timeline. Paul could see the whole thing building on screen.

The point wasn't that this output was done. It wasn't. The point was that Paul could see the process — ask the AI, give it your real context, let it ask you questions back, iterate. He'd take this and keep refining it, adapting it to specific clients, layering in his own experience. What we built in fifteen minutes was a starting point and a demonstration of how to get there, not the deliverable itself.

Then I fed it Paul's actual situation — he's advisory right now, no monetization plan for AI services, his clients trust him but he doesn't have formal AI policies. It ran a readiness assessment and came back with: ready to move, with specific gaps. No acceptable use policy. No vendor evaluation process for AI tools.

That vendor evaluation thing matters. Paul mentioned he uses Perplexity for research — and only research. He wasn't putting client data in there, which turned out to be smart, because Perplexity recently got caught sharing data that was supposed to be private. But not every client is going to be that careful. These are new companies. Many of them are newer than some of the leftovers in your work fridge. You want your clients handing them their crown jewels and hoping for the best?

Again — none of this was finished work. Paul would go back and refine the assessment, tune it to each client's situation, build out the policy templates in his own voice. The call was about showing him the process so he could own it going forward.

Paul watched all this happen and said something that stuck with me: "I've never thought about having the AI ask me more questions."

That's the whole technique. Stop typing prompts and hoping for magic. Ask the AI to interview you. Give it your situation, your constraints, who your clients are. Let it pull the relevant stuff out of you. I wrote an article about this exact approach — Paul had actually listened to the audio version, which is part of what prompted him to reach out.

Your Blog Looks Like Everyone Else's

While we were at it I pulled up Paul's website. He has a blog. Every MSP has a blog. They all look identical — stock images that don't match the content, generic security articles with titles like "The Hidden Danger of Phishing" and "Unified Security."

I asked Paul: what does "unified security" mean to your client on Monday morning? What do they do with that? The answer is nothing, because the article doesn't say anything. It says words in English that have the approximate shape of a thought but don't land anywhere specific.

Paul pays a marketing company to produce this. So does every other MSP in his market. They all look identical, and the SEO value of this kind of content is dropping just as fast as the price of the software it's supposed to market.

Here's what I told Paul to do instead. Take one of those topics — insider threats, phishing, breach detection, whatever — open Claude, and say: interview me about this for my blog. My clients are SMBs in this size range. I want them to understand why this matters and what to do about it. Ask me questions until we have something good.

Then just talk. Paul's a patient guy who explains things well. I know he has real stories — like the client with two sites where a stale domain controller got too stale for too long, poisoned the Active Directory replication, and took hours to untangle. That's a story. "The Hidden Danger of Phishing" is not a story. It's wallpaper.

I write all my articles this way. The first ones took me about two hours. Now it's about an hour each. I have a backlog of seven or eight. Nobody's going to read them and think they came off a content assembly line, because they didn't.

Everybody Has an Elf Now

Here's where it gets interesting for MSPs.

Your clients' CEOs are going to vibe code. Some already have. They're going to sit down with an AI, build something that sort of works, put it somewhere it probably shouldn't be, and then call you when it catches fire.

Forget that it's AI for a second. Pretend smart elves showed up at every client and they write code like crazy. How would you manage that?

Well, you probably weren't writing code for them before, and you're not going to start now. But you'd want to know: where does this thing live? What does it connect to? How do we back it up? Where's the data going? How do we restore it if something breaks?

That's still the MSP's job. The elf doesn't change that. What the elf changes is that now there's a lot more code to manage and none of it went through any kind of review process.

So you get ahead of it. Offer a safe environment. Set up a VM, get them on a framework, put it in Firebase or something contained, show them Git so their work is tracked. Because if you don't provide that, they'll do it on their own, and I can tell you from experience — what they produce unsupervised would get someone fired at any company with standards.

The Actual Advantage

I told Paul: the AI isn't going to take your job. Somebody using it is going to take your job. I'm pretty sure Jensen Huang said that first, and he probably stole it from someone else, but it's accurate.

Paul doesn't need a training program. He doesn't need a certification. Some of those programs are decent, and a few are genuinely good. But a lot of what's being sold as AI training is 3,000 words of surface-level prompting that most of us could reproduce in an afternoon. The knowledge isn't behind a paywall anymore — it's in the same tool you're learning to use. If a structured program helps you stay accountable, fine, go pay for it. But understand what you're buying: the discipline, not the content.

What Paul needs to do — and what I think he will do, because he showed up with the right question — is use the tools himself until he's fluent, and then turn that fluency into guidance for his clients. The self-improvement is the product. In the process of getting better with AI for his own operations, he learns exactly how to shepherd clients through the same thing.

We didn't use any special software on that call. Claude. Cursor. GitHub. That's it. No proprietary AI platform, no wrapper, no middleman taking a cut for packaging up what's already available. When someone asks me which AI tool they need, that's why my answer is almost always none. Because we just did a security policy framework, a readiness assessment, a full website rebuild, and a content strategy walkthrough — with one subscription.

Paul gave me permission to use his name and his company. By the end of our call, his site had a React prototype running on localhost that he could keep iterating on — and it already looked about ten times better than his WordPress.