CatalystShift
Back to blog
AI Strategy7 min read

Your QBRs Are Slipping. Be Careful How You Fix It.

The quarterly review is your most reliable retention and upsell engine. Automating it is the right instinct — but the moment you connect a tool to your RMM, you've made a security decision, not an operational one.

Catalyst Shift

June 16, 2026

Every owner-led MSP I talk to has the same quiet story. The quarterly business review started as the thing that set you apart. You'd sit across from a client, walk them through what you'd done, where their risk was, what to plan for next. It was the meeting where you stopped being the company that fixes the printer and became the company they couldn't run without.

And then you grew. Fifteen managed clients became twenty-five. The team got busier. The QBR — the one that takes hours to prepare because the data lives in four different systems — became the thing that slips when the week gets full. Not because you stopped caring. Because preparing it by hand stopped scaling.

This isn't a failure of discipline. It's what success looks like before the infrastructure catches up. But it's worth being honest about what a slipped QBR actually costs, because the cost is invisible until it isn't.

What a missed QBR really costs

A QBR is not a status update. It's the one structured moment each quarter where you do three things that are hard to do any other way.

You justify your value. Clients forget what they pay you for. The tickets you closed, the patches you pushed, the breach that didn't happen — none of it is visible to the owner who signs the check. The QBR is where invisible work becomes visible. Skip it for two quarters and you become a line item someone eventually questions.

You catch retention risk early. The signals that a client is drifting — rising ticket friction, aging hardware, a security posture quietly degrading, a champion who's gone quiet — show up in your data long before they show up in a cancellation email. The QBR is the cadence that forces you to look. Without it, the first time you notice a client is unhappy is the day they tell you.

You earn the next sale. The hardware refresh, the security upgrade, the project work — those conversations land far better inside a structured review where you've already shown the client where they stand. The QBR is your most reliable, lowest-pressure upsell engine. When it slips, that pipeline slips with it.

None of this is dramatic. That's the problem. A missed QBR doesn't set off an alarm. It just slightly raises the odds of a churn you won't trace back to its cause and slightly lowers the odds of an expansion you'll never know you missed. Multiply that across your book, across a year, and the number is real even though you can never put your finger on it.

So the instinct to fix it — to automate the prep, to pull the data together so the review happens on schedule whether the week is calm or not — is the right instinct. The QBR should run like infrastructure, not like heroics.

But here's where founders need to slow down for a second.

The moment automation becomes a security decision

To prepare a QBR automatically, a tool needs your data. That means connecting it to your PSA for tickets and SLAs, your RMM for patch status and endpoint health, probably your Microsoft 365 tenant, maybe your security stack. The pitch is operational — save hours, never miss a review. But the moment you hand a third party a credential into your RMM, you have made a security decision, not an operational one.

It's worth being precise about why the RMM is the one to worry about. Your RMM doesn't just read your clients' environments — it can act on them. It can run scripts, push software, execute commands across every endpoint you manage. That power is the entire reason the RMM is useful, and it's also the entire reason it's dangerous in the wrong hands. The industry already lived through the worst version of this. In 2021, attackers reached a widely used RMM platform and used its legitimate, built-in ability to push code in order to deploy ransomware downstream — to the managed service providers' clients, at scale, in a single stroke. The lesson wasn't "RMMs are bad." The lesson was that anything holding RMM-level access is a supply-chain risk, and a breach of that thing is categorically worse than a breach of an ordinary app.

So when you connect a QBR tool — or any tool — to your stack, the question is not just "will this save me time?" It's "what happens to my clients if this vendor gets compromised?" If the answer is "they could reach my RMM's ability to execute," you haven't bought an efficiency. You've concentrated your entire client base's risk into one more vendor's security posture.

A QBR tool has no legitimate reason to touch your RMM's ability to act. Preparing a review is a reading job — which means the danger is almost entirely avoidable, if you know what to ask.

How to vet anything you'd connect to your stack

Here's the checklist I'd hand any founder before they wire a tool into their PSA or RMM. It applies to QBR automation, but honestly it applies to any vendor that wants a credential into the systems that run your clients.

  1. Does it ask for read-only access, or can it write and execute? A reporting tool should request read scopes and nothing else. If a vendor wants write or execute permissions "for flexibility," treat that as a red flag until they can explain exactly why a QBR needs to change anything in your environment. The tightest, most boring answer — "we only read" — is the one you want.

  2. What, specifically, could an attacker do if you were breached? Ask the vendor to walk you through their own worst case. A serious answer sounds like: "Even in a full compromise, we can't execute code on your endpoints, because we never hold that access." A weak answer is hand-waving about how secure they are. You're looking for a blast radius small enough that a breach is recoverable rather than catastrophic.

  3. Where do my credentials live, and in what form? Your API keys and tokens should be encrypted at rest, held in a dedicated secrets manager, and never sitting in plain text in someone's database or code. Ask directly. "Encrypted with per-customer keys in a key-management service" is a real answer. Vagueness is its own answer.

  4. Is my data isolated from every other customer's? A multi-tenant tool holds many MSPs' data — and therefore many MSPs' clients' data. Ask whether isolation is enforced at the database level, not just in application code, so a bug in their software can't leak one customer's data into another's view.

  5. Can I revoke their access myself, instantly, from my side? You should never need to email a vendor and wait in order to cut them off. The credential you provision should be one you control and can kill in seconds — a restricted, read-only API identity created on your terms.

  6. Will they put the security model in writing before you connect anything? Not a marketing page — the actual scopes they request, how data is handled, how it's isolated, what their incident response looks like. A vendor who's thought about this will have it ready. A vendor who hasn't will improvise.

  7. Where are they on third-party validation — and are they honest about it? Ask about penetration testing and SOC 2. Plenty of good, early tools don't have a finished SOC 2 report yet, and that's fine — what you're testing is honesty. "We're entering the program now, here's our architecture and a recent third-party pen-test result" is credible. "We're totally secure, don't worry about it" is not.

Fix the QBR. Don't trade one problem for another.

The QBR is worth automating. A review that happens on schedule — prepared and ready whether you're paying attention that week or not — is one of the highest-leverage systems an owner-led MSP can put in place. It protects retention, surfaces risk early, and feeds your expansion pipeline without depending on anyone's free afternoon.

Just don't solve a retention problem by quietly creating a security one. The tool that prepares your QBRs will, by definition, have a window into your clients' environments. Make sure that window is read-only, that the blast radius of a breach is small, that your credentials are protected, that your data is isolated, that you hold the kill switch, and that the people building it will tell you the truth about where their security stands.

Run that checklist, and automating your QBRs becomes what it should be: a way to get a critical part of your business off of willpower and onto infrastructure — without handing anyone the keys to the part of your stack that could hurt your clients most.

Signal Fusion · how it works

Six systems. One line of reasoning per client.

Catalyst doesn't read one system. It fuses every signal an MSP already generates into one line of reasoning per client.

PSA Tickets · time entries 1,284 RMM Device telemetry 38.2k M365 Email · calendar 612 CONTRACTS Renewals · MRR 47 EDR Security posture 156 CRM Relationship history 289 SIX SYSTEMS · ONE INTELLIGENCE CATALYST SYNTHESIS CORE 2,340SIG/MIN 5 QBRS DRAFTED 2 NEED YOUR REVIEW
catalyst os · qbr automation SIGNAL FUSION

Catalyst OS · Signal Fusion

The QBR, fused from the signals already in your stack — read-only by design.

Signal Fusion reads — and only reads — your PSA, RMM, security tooling, and Microsoft 365, then fuses the signals already sitting there into a client-ready QBR: ticket and SLA trends, patch and endpoint health, posture, and the upsell and risk flags worth raising. The review lands on schedule. The part of your stack that can act on endpoints stays untouched.

It's built to pass the checklist above: read scopes only — it can't write, can't execute, can't reach an endpoint. A full compromise exposes read-only metadata, never the ability to act on your clients.

Read-only scopes Per-tenant isolation You hold the kill switch Security model in writing
Book a 30-minute listen → Founding cohort now forming · catalystshift.ai
From the build

Want this kind of operator math on your business?

Catalyst OS runs the operations and revenue workflows MSPs lose money on every quarter — bundled like a hire, sold like infrastructure.

Book onboarding callSee the modules
More field notesAll posts →
Growth Systems6 min read

Competitive Intelligence Without Spy Tools: What Your Competitors’ Websites Tell You

You don’t need expensive tools to understand your competition. Their website, pricing page, and job postings tell you everything.

June 16, 2026
Founder Insights4 min read

Why Adding More Stops Working

A pattern I've watched play out across a lot of MSPs: when growth stalls, the instinct is to add. The owners who break through the plateau tend to do something different.

June 15, 2026
Growth Systems9 min read

5 Warning Signs Your MSP Operations Are Holding Back Growth

Five signs your MSP's business operations — not its service delivery — are the thing capping growth, why each happens, and what to do about it.

June 9, 2026