Channel partners, MSP, Data Security, Network Security, SOC, Vulnerability Management, Threat Management

AWS Security Hub Extended Delivers Full-Stack Security Through Curated Partner Integrations

AWS has expanded Security Hub into a single place where organizations can buy, activate, and operate a multi-vendor security stack. The Extended plan brings together AWS services and a curated group of partners across endpoint, identity, data, network, email, browser, AI, and cloud security. All of it sits inside the existing AWS commercial model, with one bill, consumption pricing, and Private Pricing eligibility.

This changes how security programs scale. Instead of running separate sourcing cycles and integrations for every control, teams can turn on coverage from the same console where they already manage cloud risk. Deployment moves faster because procurement, onboarding and metering follow an existing AWS motion.

What the billing model means for MSPs

The shift to AWS as the seller of record will raise concerns about who owns the customer relationship. AWS is positioning the change as a way to remove friction while leaving service revenue in partner hands.

Michael Fuller, Director of Security Services, AWS, told ChannelE2E, “AWS Security Hub Extended simplifies procurement - it doesn't replace the MSP relationship. Consolidating billing into a single AWS bill reduces friction for customers, while MSPs continue to deliver what matters most: managed detection and response of risks, customer-specific tuning, incident response, and ongoing advisory services. MSPs operating through the AWS Partner Network can continue to resell and manage AWS services through established channel mechanisms. The Extended plan gives MSPs a stronger foundation - a pre-integrated, pre-negotiated solution they can build managed services on top of, rather than spending months on procurement and integration work."

The implication is that procurement becomes standardized, while differentiation shifts to operations, response and risk advisory.

One data model for cross-domain detection and response

All findings from AWS services and participating partners are normalized into the Open Cybersecurity Schema Framework and aggregated inside Security Hub. That directly affects how SOC teams work day to day.

“Security Hub aggregates findings from AWS detection services and curated partner solutions in OCSF format, with standardized fields. This reduces the per-vendor data conversion work that consumes SOC team capacity today. With security findings in one place and one format, consistent filtering and automated response actions work across the full dataset, no custom pipelines required. The real productivity gain is that security analysts can finally ask cross-domain questions - correlating identity, endpoint, and cloud signals together, without building custom integrations first. That's where alert fatigue decreases and response speed improves,” Fuller said.

The value is less about dashboard consolidation and more about faster correlation and consistent automation across control domains.

A broad foundation, not a closed platform

Security Hub Extended brings multiple control categories into one console, but AWS is framing it as a modular starting point rather than a full replacement for security teams and external tools.

“Security Hub Extended brings together AWS detection services and curated partner solutions across key security categories - endpoint, identity, email, network, data, browser, cloud, AI security, and security operations. That's a broad foundation. Customers will still need skilled security practitioners to investigate and respond to security events. On dependence, the Extended plan is modular and opt-in, with pay-as-you-go pricing and no long-term commitments. Customers select only the solutions they need. The goal is to reduce operational dependence on fragmented tools. Customer choice is the design principle,” Fuller said.

Customers still own the investigation and response. The platform reduces integration work and tool sprawl rather than replacing security expertise.

Where non-curated partners fit

Vendors that are not part of the curated bundle can still feed data into Security Hub and remain visible to customers. Their position depends on the depth of telemetry and the services built around it.

“Partners outside of the curated list continue to send findings into Security Hub and remain visible to customers. The curated partner list reflects demand signals from customers. More broadly, the Security Hub Extended plan solves procurement friction - it doesn't replace depth of capability, domain expertise, or services,” Fuller said.

That keeps the focus on outcomes. Procurement and data ingestion move into the platform, while value shifts to managed operations, customization, and measurable risk reduction.

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.
Suparna Chawla Bhasin

Suparna is the Senior Managing Editor for CyberRisk Alliance’s Channel Brands, including MSSP Alert and ChannelE2E. She manages content development, sharpens editorial workflows, and ensures storytelling is tightly aligned with audience needs. With a background in technology, media, and education, she combines strategic insight with creative execution.

You can skip this ad in 5 seconds