Service Leadership Releases 2026 Annual IT Solution Provider Compensation Report
Service Leadership Inc., a ConnectWise company, has released the findings of the 2026 Annual IT Solution Provider Compensation (Remuneration) Report, the industry's leading global resource for compensation benchmarks and best practices for IT solution providers.
This Service Leadership report uniquely correlates compensation data with IT solution provider profitability. The analysis provides clear insight into how compensation strategies differ between top-performing and lower-performing organizations. Unlike broader compensation reports, this research focuses exclusively on roles and structures specific to the IT solution provider business model.
As IT solution providers work to meet growing demand for IT services while managing limited resources, the report delivers critical insights into compensation benchmarks, effective pay structures and incentive strategies designed to support sustainable growth.
In addition to detailed W2 compensation data (T4 in Canada, P60 in the United Kingdom, Income Statement in Australia and Gross Earnings in New Zealand) for more than 60 service delivery, sales and management roles, the report also provides insight into variable incentive compensation, average billable rates and annual compensation growth trends.
All data is segmented by region, city tier and, where available, metropolitan area.
New in the 2026 report are insights by ownership type (privately owned versus private-equity-backed), as well as analysis of the number of full-time consultant employees and average consultant costs. These additions provide a clearer view into workforce composition, cost structures and organizational performance.
The report also introduces data on the number of digital workers — AI agents and automation bots — currently used by IT solution providers, highlighting the industry's growing shift toward automation-enabled operations.
Key findings from the report include:
- Wage inflation peaked in 2022 and has improved significantly since then
- Top-performing IT solution providers awarded fewer large pay increases in 2025
- Hybrid work remains the dominant model in the industry
- Demand for advanced technical roles continues to grow globally
Using global compensation data from IT solution providers, the report highlights regional differences in workforce and pay trends. These insights offer context on how organizations across markets are responding to similar economic and operational pressures.
"This report provides IT solution providers with a clear view of the real costs associated with recruiting and retaining talent in today's market," said Peter Kujawa, executive vice president and general manager, Service Leadership and IT Nation, ConnectWise. "As labor remains the largest expense for most firms, understanding how top-performing organizations structure compensation and improve operational efficiency is critical to maintaining profitability and long-term growth."
Kujawa also noted the positive shift in wage inflation trends following its peak in 2022. While easing wage pressure is encouraging for solution providers, he emphasized that improving operational efficiency remains critical. As providers look to scale efficiently, solutions such as zofiQ, built on the ConnectWise platform, can help automate routine tasks and augment service teams, enabling MSPs to improve productivity while better managing overall labor costs.
To receive a complimentary executive summary and learn how to purchase the full Service Leadership Index 2026 Annual IT Solution Provider Compensation Report, click here.
In other news, ConnectWise has announced the release of its 2026 MSP Threat Report, delivering global threat intelligence and actionable guidance for managed service providers (MSPs) navigating one of the most complex cybersecurity landscapes to date. The report details the most significant threats observed throughout 2025 and reflects ConnectWise's continued evolution in helping customers secure and strengthen their businesses as identity, access and trust relationships become the primary battleground in modern cyberattacks.
Drawing from real-world incident response investigations, ConnectWise customer telemetry, ransomware leak site monitoring and malicious infrastructure tracking, the 2026 report reveals a decisive shift in attacker strategy: adversaries are no longer relying primarily on novel exploits. Instead, they are exploiting trusted identities, legitimate system tools, remote access infrastructure and software supply chains to gain faster, more scalable access to MSP-managed environments worldwide.
"The defining theme of 2025 was the abuse of trust," said Patrick Beggs, chief information security officer, ConnectWise. "Attackers are exploiting valid credentials, misconfigured VPNs, trusted updates and even user behavior to gain access to systems and data. For MSPs, this means identity security, privileged access governance and early behavioral detection must be foundational. At ConnectWise, we're continuously evolving our platform to help customers ensure trust and transparency across the environments they manage."
Global threat landscape demands platform-level defense
The 2026 MSP Threat Report highlights trends observed across North America, Europe, and Asia-Pacific (APAC), reinforcing that while regional nuances exist, the underlying risks are consistent worldwide.
Ransomware prioritized speed and access reliability — Rather than innovating encryption techniques, ransomware operators refined how they gained access. Groups such as Akira demonstrated rapid "scan, steal, encrypt" life cycles, often targeting backup infrastructure early to prevent recovery. Attackers also bypassed OTP-based multifactor authentication (MFA) by exploiting inherited VPN configuration artifacts or retained appliance secrets.
Key regional ransomware trends include:
- In North America, ransomware operators prioritized speed and early backup disruption in midsized business environments.
- European manufacturing and supply chain ecosystems saw increased targeting through credential and remote access abuse.
- Growing SMB markets in APAC experienced expanding exposure of perimeter infrastructure and credential-stuffing campaigns.
VPN infrastructure became a consistent entry point — Publicly exposed SSL VPN interfaces were repeatedly targeted through credential stuffing, inherited secrets and critical vulnerabilities affecting major vendors. In multiple cases, organizations experienced full domain compromise within hours of successful VPN authentication.
Software supply chain compromise expanded downstream risk — Supply chain attacks intensified in both scale and automation. Campaigns such as "Shai-Hulud" compromised npm maintainer accounts and propagated trojanized updates across thousands of downstream environments. Other ecosystems, such as PyPI, NuGet, RubyGems and Rust, faced phishing and malicious package injection campaigns that turned routine dependency updates into execution paths.
ClickFix and user-mediated execution matured — ClickFix-style social engineering attacks, in which users are manipulated into copying and pasting malicious commands into legitimate utilities, emerged as a repeatable and adaptable intrusion method. The tactic bypasses traditional defenses by shifting execution responsibility to the user.
AI increased attacker scale and realism — Although AI's direct artifacts are often invisible in forensic telemetry, its impact was evident through increases in deepfake-enabled fraud, LLM-generated phishing campaigns, AI-assisted malware development and automation that lowered barriers to entry for threat actors globally. Rather than creating new attack categories, AI made established tactics faster, more scalable and more convincing.
ConnectWise: Evolving with the threat landscape
The 2026 MSP Threat Report underscores a critical reality: reactive security models are no longer sufficient. Defenders must move earlier in the attack life cycle, focusing on identity, privilege, execution context and resilience.
ConnectWise is addressing this shift by continuing to strengthen and integrate cybersecurity and data protection capabilities across the ConnectWise Platform, including:
- Privileged Access Management (PAM) to enforce least-privilege and reduce blast radius from credential compromise.
- Managed Endpoint Detection and Response (Managed EDR) to provide continuous, behavior-based monitoring and rapid containment.
- Security Information and Event Management (SIEM) to correlate identity, endpoint and network telemetry across multitenant environments.
- Business Continuity and Disaster Recovery (BCDR) with immutable backup capabilities designed to resist tampering — even in ransomware scenarios.
The 2026 MSP Threat Report is made possible by the ConnectWise Cyber Research Unit (CRU), an elite team of threat hunters and cybersecurity professionals who gather intelligence 24/7 from real-world incidents, customer environments, ransomware leak sites and malicious infrastructure monitoring.