The "Lift and Shift" Discount is Real
In 2022, you could sell a generalist AWS consultancy—one focused on basic migrations and infrastructure management—for 10x EBITDA. In 2026, that same firm trades at 7.5x to 8.5x. The market has spoken: basic cloud migration is a commodity.
For Private Equity Operating Partners managing IT services portfolios, this compression is a crisis. You bought these assets on a thesis of "cloud adoption tailwinds," but the wind has shifted. The hyperscalers themselves (AWS, Azure, Google) have automated the easy work. The "Lift and Shift" era is over; we are now in the era of "Secure and Optimize."
The data is unforgiving. Generalist MSPs with less than 50% recurring revenue are seeing valuation multiples compress as acquirers scrutinize revenue quality. If your portfolio company is still billing by the hour for manual migrations, you aren't building equity value—you're just managing cash flow. To restore the multiple to double digits, you must pivot from infrastructure utility to security assurance.
The 4-Turn Security Premium
While generalists struggle, AWS partners with deep security specialization—specifically those with the Level 1 MSSP Competency or Security Competency—are commanding valuations of 11x to 13x EBITDA. This is what we call the "Security Premium."
Why the disparity? It comes down to revenue quality and defensive moats. A security-led relationship is stickier. When a partner manages a client's risk posture (MDR, compliance automation, identity management), the cost of switching becomes prohibitive for the customer. This creates the high-quality, recurring revenue (ARR) that PE buyers covet.
The Valuation Bridge
Our analysis of 2025-2026 transaction data highlights the specific attributes that drive this multiple expansion:
- Generalist Cloud Shop: 8x EBITDA. Revenue is 60% project, 40% resale. Churn is 12%.
- Security-First Cloud Partner: 12x EBITDA. Revenue is 50% Managed Security Services (MDR), 30% Compliance/Advisory, 20% Resale. Churn is <5%.
The market is paying a premium for predictability. As noted in our guide on MSP Valuation Factors, the convergence of Managed Services and Security is the single biggest driver of multiple expansion in the current vintage.
The Pivot: From "Available" to "Secure"
You cannot simply slap a "Security" badge on your website and expect a 12x exit. Due diligence will expose a "paper tiger" in days. To capture the security premium, you must operationalize security as your primary value proposition.
1. The Competency Moat: Force the accreditation. Achieving the AWS Security Competency isn't just a badge; it's an operational bootcamp that forces your delivery teams to adopt rigorous standards. It separates you from the 100,000+ registered partners who just resell instances.
2. Productize Compliance: Move away from hourly consulting. Package your services as "Compliance-as-a-Service" for frameworks like SOC 2 or HIPAA. As we discuss in The Portfolio Company Playbook, automated compliance monitoring creates high-margin recurring revenue that buyers love.
3. Eliminate Technical Debt: You cannot sell security if your own house is messy. Buyers are now conducting deep-dive code and infrastructure audits. As highlighted in The $350M Horror Story, hidden security debt is the fastest way to kill a deal. Clean your own core before you try to sell protection to others.
The path to a premium exit involves fewer generic certifications and more specialized, defensive IP. Stop selling "cloud" and start selling "risk reduction."
